Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

firefox google redirects

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

firefox google redirects

Unread postby djewok » August 27th, 2009, 6:04 am

I accidentally clicked on what looked like a blank section of the webpage but linked me to this:Link Removed

now on firefox whenever i google search, whichever link i click on ends up taking me to a search site that redirects me to another search site and so on...

Any help would be greatly appreciated

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:09 AM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20815)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (file missing)
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

--
End of file - 6892 bytes
Last edited by LDTate on September 6th, 2009, 4:28 pm, edited 2 times in total.
Reason: Removed Link
djewok
Active Member
 
Posts: 5
Joined: August 27th, 2009, 6:00 am
Advertisement
Register to Remove

Re: firefox google redirects

Unread postby 2Ton » August 30th, 2009, 3:21 pm

Hi, Welcome to the Malware Removal.
My name is 2Ton, and I'll be helping you with your malware problems.
HijackThis logs can take a while to research, so please be patient.

Before we begin...please note the following important guidelines.
  1. The instructions being given are for YOUR computer and system only!.
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. Please, if you have questions about something...ASK, don't guess or assume.
  3. Please -only- post your problem at one help site. Applying fixes from multiple help sites can cause problems.
  4. Please -only- reply to this thread, do not start another!
  5. Please do not run any other fix/removal tools unless instructed to do so!
  6. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  7. Please, continue responding, until I give you the "All Clean"

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with your instructions.

Also, as I am an Undergrad, my responses will be approved by an Expert/Teacher before I post to you; therefore it may take a little more time to reply.

Thanks for your patience.


--------------------------------------------------------------------

In the meantime.....

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place and post it in your next reply.

In your next reply:

Uninstall list.
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby djewok » August 31st, 2009, 1:47 pm

Hey thanks for taking up the problem. Here is my uninstall list

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Media Player
Adobe Reader 9.1.3
Adobe Setup
Adobe Shockwave Player 11
AirPort
Alky for Applications (Windows XP)
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
CASHFLOW® 202 THE E-GAME
CASHFLOW® THE E-GAME
CCleaner (remove only)
CyberLink BD Advisor 2.0
CyberLink PowerDVD 9
CyberLink PowerDVD 9
DAMN NFO Viewer v2.10.0032.RC3 (Remove Only)
Eye-One Match 3.6.1
FileZilla Client 3.2.7.1
FrostWire 4.18.1
GTK+ Runtime 2.14.7 rev a (remove only)
HijackThis 2.0.2
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
HT OMEGA STRIKER7.1
IconPackager
iTunes
Java(TM) 6 Update 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 SP1 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30304
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.2)
Mozilla Thunderbird (2.0.0.22)
MSXML 6.0 Parser
Nero 7 Demo
NVIDIA Drivers
NVIDIA PhysX
OCR Software by I.R.I.S 7.0
Pidgin
QuickTime
Ralink RT6x Wireless LAN Card
Resource Hacker 3.4.0
Right Click Image Converter
Rosetta Stone Version 3
Styler
System Requirements Lab
Unlocker 1.8.5
Vim 6.4 (self-installing)
Web Easy Professional 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
XAMPP 1.7.1
XviD & MP3 Codec Pack (remove only)
XviD MPEG-4 Video Codec
djewok
Active Member
 
Posts: 5
Joined: August 27th, 2009, 6:00 am

Re: firefox google redirects

Unread postby 2Ton » August 31st, 2009, 4:09 pm

MRU P2P Policy


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent

I'd like you to read the MRU policy for P2P Programs.
Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



Download DDS


Please disable any anti-malware program that will block scripts from running before running DDS.

Please download DDS from one of the links below and save it to your desktop:

Image
Download DDS and save it to your desktop from Link1
Link2
Link3
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

In your next reply, please post:

  • DDS.txt
  • Attach.txt
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby djewok » September 1st, 2009, 3:24 am

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86
Run by Dante at 0:19:59.45 on Tue 09/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2680 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ralink\Common\RaUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dante\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dante\applic~1\mozilla\firefox\profiles\p7nedt3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\dante\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-19 143360]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-30 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-30 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-30 108552]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/11 22:23:24];c:\program files\cyberlink\powerdvd9\000.fcl [2009-5-7 87536]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-30 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-30 297752]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2009-5-14 14416]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [2009-5-14 44344]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2009-8-18 16512]
S4 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2009-8-19 75040]

=============== Created Last 30 ================

2009-08-30 12:07 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-30 01:33 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-30 01:33 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-30 01:33 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-30 01:33 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-30 01:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-30 01:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-27 18:22 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-27 18:21 <DIR> --d----- c:\docume~1\dante\applic~1\AVG8
2009-08-27 13:20 <DIR> --d----- c:\program files\Rosetta Stone
2009-08-27 13:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-08-27 03:58 108,144 a------- c:\windows\system32\CmdLineExt.dll
2009-08-26 18:32 <DIR> --d----- c:\program files\Trend Micro
2009-08-25 23:31 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-08-25 22:52 <DIR> --d----- c:\program files\CASHFLOW 202
2009-08-25 16:36 <DIR> --d----- c:\program files\CASHFLOW
2009-08-25 16:34 81,920 a------- c:\windows\system32\ImageDrive.cpl
2009-08-25 16:17 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-08-25 16:17 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-08-25 16:17 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-08-25 16:17 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-08-25 16:17 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-08-25 16:17 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-08-25 16:17 <DIR> --d----- c:\windows\system32\DirectX
2009-08-25 16:17 <DIR> --d----- c:\windows\Logs
2009-08-20 00:45 <DIR> --d----- c:\program files\Bonjour
2009-08-20 00:45 <DIR> --d----- c:\program files\AirPort
2009-08-19 00:03 1,093,632 a------- c:\windows\system32\libeay32.dll
2009-08-19 00:03 315,510 a------- c:\windows\system32\RAPI.dll
2009-08-19 00:03 200,704 a------- c:\windows\system32\ssleay32.dll
2009-08-19 00:03 21,361 a------- c:\windows\system32\drivers\AegisP.sys
2009-08-19 00:03 495,104 a------- c:\windows\system32\drivers\rt61.sys
2009-08-19 00:03 <DIR> --d----- c:\program files\Ralink
2009-08-19 00:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ralink Driver
2009-08-18 23:34 16,512 a------- c:\windows\system32\drivers\RAPIProtocol.sys
2009-08-18 23:31 376,832 a------- c:\windows\system32\AegisI5Installer.exe
2009-08-18 23:31 8,192 a------- c:\windows\system32\rt2661.bin
2009-08-18 23:31 8,192 a------- c:\windows\system32\rt2561s.bin
2009-08-18 23:31 8,192 a------- c:\windows\system32\rt2561.bin
2009-08-11 22:23 <DIR> --d----- c:\program files\common files\CyberLink
2009-08-11 22:22 29,480 a------- c:\windows\system32\msxml3a.dll
2009-08-11 16:22 315,392 a------- c:\windows\system32\AegisI5.exe
2009-08-11 16:22 295,028 a------- c:\windows\system32\Install6x.dll
2009-08-11 16:22 8,192 a------- c:\windows\system32\drivers\RT2661.bin
2009-08-11 16:22 8,192 a------- c:\windows\system32\drivers\RT2561s.bin
2009-08-11 16:22 8,192 a------- c:\windows\system32\drivers\RT2561.bin
2009-08-11 16:22 78 a------- c:\windows\filespec6x
2009-08-11 16:18 <DIR> --d----- c:\program files\HT OMEGA STRIKER7.1
2009-08-11 01:24 <DIR> --d----- c:\program files\Vim
2009-08-04 17:01 <DIR> --d----- C:\xampp

==================== Find3M ====================

2009-08-11 22:24 49,448 a------- c:\windows\system32\msxml3r.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2006-06-23 15:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 0:21:16.89 ===============








Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/14/2009 9:43:28 PM
System Uptime: 8/31/2009 8:42:25 PM (4 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5K PRO
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | LGA775 | 2405/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 417 GiB total, 226.672 GiB free.
D: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&625283&0&00E5
Manufacturer: Marvell
Name: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&625283&0&00E5
Service: yukonwxp

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&B6AFFD&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&B6AFFD&0
Service: i8042prt

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: MAC Bridge Miniport
Device ID: ROOT\NET\0000
Manufacturer: Microsoft
Name: MAC Bridge Miniport
PNP Device ID: ROOT\NET\0000
Service: BridgeMP

==== System Restore Points ===================

RP1: 8/27/2009 11:57:17 PM - System Checkpoint

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 9.1.3
Adobe Setup
Adobe Shockwave Player 11
AiO_Scan_CDA
AiOSoftwareNPI
AirPort
Alky for Applications (Windows XP)
Apple Mobile Device Support
Apple Software Update
AVG Free 8.5
Bonjour
BufferChm
C3100
c3100_Help
CASHFLOW® 202 THE E-GAME
CASHFLOW® THE E-GAME
CCleaner (remove only)
CyberLink BD Advisor 2.0
CyberLink PowerDVD 9
DAMN NFO Viewer v2.10.0032.RC3 (Remove Only)
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Eye-One Match 3.6.1
Fax_CDA
FileZilla Client 3.2.7.1
Google Chrome
GTK+ Runtime 2.14.7 rev a (remove only)
HijackThis 2.0.2
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
HT OMEGA STRIKER7.1
IconPackager
InstantShareDevicesMFC
iTunes
Java(TM) 6 Update 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 SP1 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30304
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.2)
Mozilla Thunderbird (2.0.0.22)
MSXML 6.0 Parser
Nero 7 Demo
NewCopy_CDA
NVIDIA Drivers
NVIDIA PhysX
OCR Software by I.R.I.S 7.0
PanoStandAlone
Pidgin
ProductContextNPI
QuickTime
Ralink RT6x Wireless LAN Card
Readme
Resource Hacker 3.4.0
Right Click Image Converter
Rosetta Stone Version 3
Scan
ScannerCopy
SolutionCenter
Status
Styler
System Requirements Lab
Toolbox
TrayApp
Unload
Unlocker 1.8.5
Vim 6.4 (self-installing)
Web Easy Professional
Web Easy Professional 7
WebFldrs XP
WebReg
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
XAMPP 1.7.1
XML Paper Specification Shared Components Pack 1.0
XviD & MP3 Codec Pack (remove only)
XviD MPEG-4 Video Codec

==== Event Viewer Messages From Past Week ========

8/26/2009 10:17:14 AM, error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.
8/25/2009 9:18:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/25/2009 9:18:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/25/2009 9:12:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/25/2009 8:35:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
8/25/2009 8:35:59 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 8:35:59 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 8:35:59 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 8:35:59 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 8:35:59 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/25/2009 8:35:43 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
8/25/2009 4:10:57 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
8/25/2009 11:07:11 AM, error: Print [6161] - The document emailreceipt_20080912R0825134266.pdf owned by Dante failed to print on printer HP Photosmart C3100 series (2). Data type: NT EMF 1.008. Size of the spool file in bytes: 394584. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\DANTE-4B9DC57FB. Win32 error code returned by the print processor: 1241 (0x4d9).

==== End Of File ===========================
djewok
Active Member
 
Posts: 5
Joined: August 27th, 2009, 6:00 am

Re: firefox google redirects

Unread postby 2Ton » September 1st, 2009, 8:39 am

Hi djewok, thank you for the logs. I am researching them and will get back to you with the next set of instructions. Please be patient.
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby 2Ton » September 2nd, 2009, 12:28 am

Hi djewok!


Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.


Post back:

Gmer.txt
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby djewok » September 4th, 2009, 3:35 am

Hey I downloaded and restarted my computer, and ran the .exe without any other applications running and twice I've gotten a bluescreen talking about

aujasnkj.sys trying to write to read only memory
djewok
Active Member
 
Posts: 5
Joined: August 27th, 2009, 6:00 am

Re: firefox google redirects

Unread postby 2Ton » September 5th, 2009, 2:11 am

Hi, djewok. Let us use another scanner.


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Clickthe Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
  • Copy and paste the contents of RootRepeal.txt in your next reply


Post back

RootRepeal.txt
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby djewok » September 5th, 2009, 2:11 pm

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/05 11:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6773000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5B98000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmfowktlid.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmfujpyapm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmsdpakcdo.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmybslgxui.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmfaoetewb.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmsdpakcdo.dll]
Process: svchost.exe (PID: 844) Address: 0x10000000 Size: 57344

Object: Hidden Module [Name: kbiwkmfujpyapm.dll]
Process: Explorer.EXE (PID: 2136) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmtjkoorut
Image Path: C:\WINDOWS\system32\drivers\kbiwkmfaoetewb.sys

==EOF==
djewok
Active Member
 
Posts: 5
Joined: August 27th, 2009, 6:00 am

Re: firefox google redirects

Unread postby 2Ton » September 6th, 2009, 2:18 pm

Hi djewok!



Run ComboFix

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper





---------------------------------------------------------------


Run Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

* Open Malwarebytes' Anti-Malware
* Select the Update tab
* Click Check for Updates
* After the update have been completed, Select the Scanner tab.
* Select Perform full scan, then click on Scan
* Leave the default options as it is and click on Start Scan
* When done, you will be prompted. Click OK, then click on Show Results
* Checked (ticked) all items and click on Remove Selected
* After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest


-------------------------------------------------------------------


Post back:

ComboFix log
Malwarebytes' Anti-Malware log
Update on how the computer is running
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby 2Ton » September 11th, 2009, 1:47 pm

Hi djewok.

Do you still need assistance? It has been 5 days.

Thanks.

2Ton
User avatar
2Ton
Regular Member
 
Posts: 378
Joined: October 11th, 2007, 1:14 pm

Re: firefox google redirects

Unread postby random/random » September 20th, 2009, 1:31 pm

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
random/random
Developer
Developer
 
Posts: 7733
Joined: December 18th, 2005, 3:30 pm
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 485 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware