FIREFOX redirection problem

Post by alsopb » September 24th, 2009, 7:19 am

Thanks for getting to this.

FIREFOX chokes with JAVASCRIPT enabled when clicking on a link. Other browsers unaffected.
6 different virus scanners including SPYBOT, AVG, SAS... show no infection. Best guess is there is some virus-generated JAVASCRIPT trying to redirect the link elsewhere (Chinese sex site?) doing this. It appears that the ISP has blocked the site, thus the FIREFOX choke.
HIJACK LOG attached.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:27, on 9/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\PROGRAM FILES\AVG\AVG8\avgcsrvx.exe
C:\Win-EQF\Win-EQF.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\BLANK.HTM
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.gloryroad.net"); (C:\Program Files\Netscape\Users\alsopb\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\PROGRAM FILES\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM FILES\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\PROGRAM FILES\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\PROGRAM FILES\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\PROGRAM FILES\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\PROGRAM FILES\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: d.lnk = C:\WINDOWS\SYSTEM\Show Desktop.scf
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\PROGRAM FILES\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5671 bytes
alsopb
Regular Member
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Post by jmw3 » October 1st, 2009, 10:29 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and, if I don't hear from you within three days, this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that necessitate your taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: FIREFOX redirection problem

Post by alsopb » October 1st, 2009, 1:22 pm

Tried twice cutting and pasting the three files here.
The post reported "uploading". However the content does not appear here. I may have exceeded the 100000 character limit.
May I break them up into separate postings?
alsopb
Regular Member
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Post by jmw3 » October 1st, 2009, 6:43 pm

Hi
May I break them up into separate postings?
Yes.. that's fine :)
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: FIREFOX redirection problem

Post by alsopb » October 1st, 2009, 6:53 pm

DDS and ATTACH file contents
DDS (Ver_09-09-29.01) - FAT32x86
Run by alsopb at 16:48:18.83 on Thu 10/01/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2040.1595 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\PROGRAM FILES\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\DOWNLOAD\dds.scr
C:\DOWNLOAD\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\system\BLANK.HTM
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - c:\windows\system32\BROWSEUI.DLL
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d.lnk - c:\windows\system\Show Desktop.scf
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\encode~1.lnk - c:\program files\windows media components\encoder\Wmencagt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\Osa.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - FILE://c:\windows\system\DAJAVA.CAB
DPF: Internet Explorer Classes for Java - FILE://c:\windows\system\IEJAVA.CAB
DPF: Microsoft XML Parser for Java - FILE://c:\windows\java\classes\XMLDSO4.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mvadvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/C ... 4297569444
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4 ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alsopb\applic~1\mozilla\firefox\profiles\j7t5whpq.brian 2\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/sear ... -web_us&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-28 108552]
R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [2006-12-23 3026]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-28 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-28 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.SYS [2006-11-29 3584]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2006-11-28 9344]
S2 USB2000;JDI USB PC TO PC Network Bridge USB Driver;c:\windows\system32\drivers\usb2000.sys [2000-1-25 15712]
S3 iteio;iteio;c:\windows\system32\drivers\Iteio.sys [2006-12-30 3680]
S3 usb18prg;usb18prg;c:\windows\system32\drivers\usb18prg.sys [2007-12-13 20608]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2006-12-26 40788]
S3 Winacusb;Winacusb;c:\windows\system32\drivers\winacusb.sys [2006-11-28 902860]

=============== Created Last 30 ================

2009-09-30 22:48 754 a------- c:\windows\WORDPAD.INI
2009-09-24 09:40 <DIR> --d----- c:\program files\DDSFreq
2009-09-24 09:40 73,216 a------- c:\windows\temp.001
2009-09-24 09:40 <DIR> --d----- C:\ddsvfo2
2009-09-23 15:07 <DIR> --d----- c:\program files\DDS_Controller
2009-09-23 15:07 73,216 a------- c:\windows\temp.000
2009-09-23 15:06 <DIR> --d----- C:\New Folder
2009-09-23 15:05 <DIR> --d----- C:\ddsvfo
2009-09-22 18:34 <DIR> --d----- c:\program files\Trend Micro
2009-09-22 11:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-22 11:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-22 11:58 <DIR> --d----- c:\docume~1\alsopb\applic~1\SUPERAntiSpyware.com
2009-09-21 09:56 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-21 09:56 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-20 20:33 <DIR> --d----- c:\windows\system32\drivers\Avg(2)
2009-09-20 20:33 <DIR> --d----- c:\program files\AVG(2)
2009-09-20 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8(2)
2009-09-20 20:05 <DIR> --d----- C:\AVGTemp
2009-09-20 18:06 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-09-20 18:06 <DIR> --d----- c:\program files\MSECACHE
2009-09-20 17:46 <DIR> --d----- c:\docume~1\alsopb\applic~1\AVG8
2009-09-20 16:48 3 a------- C:\FFJCEXT.XUL
2009-09-20 02:44 <DIR> --dsh--- C:\Recycled
2009-09-19 21:50 <DIR> --d----- C:\ComboFix
2009-09-19 21:50 388,608 a------- c:\windows\system32\CF30149.exe
2009-09-19 21:14 388,608 a------- c:\windows\system32\cmd.execf
2009-09-19 20:26 <DIR> a-dshr-- C:\cmdcons
2009-09-19 14:46 229,888 a------- c:\windows\PEV.exe
2009-09-19 14:46 161,792 a------- c:\windows\SWREG.exe
2009-09-19 14:46 98,816 a------- c:\windows\sed.exe
2009-09-18 22:08 <DIR> --d----- c:\docume~1\alsopb\applic~1\Malwarebytes
2009-09-18 22:07 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 22:07 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-18 22:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 22:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-18 19:11 <DIR> --d----- C:\FOUND.000
2009-09-18 19:11 <DIR> --d----- C:\KPCMS
2009-09-18 18:19 <DIR> --d----- C:\Kodak
2009-09-18 16:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-09-18 16:00 <DIR> --d----- c:\windows\$hf_mig$
2009-09-10 23:55 54,156 a---h--- c:\windows\QTFont.qfn
2009-09-10 23:55 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-09-24 09:40 249,856 -------- c:\windows\Setup1.exe
2009-08-30 01:22 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-16 11:41 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 11:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2007-01-13 18:50 81,392 -------- c:\docume~1\alsopb\applic~1\GDIPFONTCACHEV1.DAT
2005-03-02 20:53 3,870,057 -------- c:\program files\n1mmlo1
2002-08-15 16:54 3,198,976 -------- c:\program files\ViewSonicregistration.exe
2001-06-21 19:35 266 ---sh--- c:\program files\desktop.ini
2001-06-21 19:35 11,079 ----h--- c:\program files\folder.htt

============= FINISH: 16:49:04.63 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/28/2006 17:45:49
System Uptime: 10/1/2009 16:34:00 (0 hours ago)

Motherboard: soyocomputer | | 845PE/GV
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 775 | 2800/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 186 GiB total, 158.047 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP801: 7/2/2009 18:38:55 - System Checkpoint
RP802: 7/3/2009 21:08:53 - System Checkpoint
RP803: 7/5/2009 16:44:27 - System Checkpoint
RP804: 7/6/2009 12:00:29 - pretqsl111
RP805: 7/7/2009 14:53:23 - System Checkpoint
RP806: 7/8/2009 15:00:02 - System Checkpoint
RP807: 7/9/2009 16:57:45 - System Checkpoint
RP808: 7/10/2009 23:27:45 - System Checkpoint
RP809: 7/12/2009 10:19:31 - System Checkpoint
RP810: 7/13/2009 15:02:02 - System Checkpoint
RP811: 7/14/2009 16:20:35 - System Checkpoint
RP812: 7/15/2009 16:41:02 - System Checkpoint
RP813: 7/16/2009 16:52:28 - System Checkpoint
RP814: 7/17/2009 12:01:01 - Avg8 Update
RP815: 7/17/2009 12:02:03 - Avg8 Update
RP816: 7/18/2009 16:01:16 - System Checkpoint
RP817: 7/20/2009 20:17:48 - System Checkpoint
RP818: 7/21/2009 21:08:06 - System Checkpoint
RP819: 7/22/2009 21:18:06 - System Checkpoint
RP820: 7/23/2009 21:23:31 - System Checkpoint
RP821: 7/24/2009 22:45:07 - System Checkpoint
RP822: 7/25/2009 23:49:07 - System Checkpoint
RP823: 7/27/2009 10:37:47 - System Checkpoint
RP824: 7/27/2009 23:17:08 - coms34fixed
RP825: 7/29/2009 12:35:18 - System Checkpoint
RP826: 7/30/2009 13:16:54 - System Checkpoint
RP827: 7/31/2009 03:08:52 - prepicprobasic
RP828: 8/1/2009 10:32:39 - System Checkpoint
RP829: 8/2/2009 20:06:11 - Spybot-S&D Spyware removal
RP830: 8/3/2009 20:51:31 - System Checkpoint
RP831: 8/5/2009 14:25:29 - System Checkpoint
RP832: 8/6/2009 15:57:39 - System Checkpoint
RP833: 8/7/2009 18:23:43 - System Checkpoint
RP834: 8/9/2009 11:02:38 - System Checkpoint
RP835: 8/10/2009 14:25:49 - System Checkpoint
RP836: 8/11/2009 14:50:51 - System Checkpoint
RP837: 8/12/2009 15:37:47 - System Checkpoint
RP838: 8/13/2009 15:58:33 - System Checkpoint
RP839: 8/14/2009 16:59:42 - System Checkpoint
RP840: 8/15/2009 18:21:10 - System Checkpoint
RP841: 8/16/2009 11:41:01 - Avg8 Update
RP842: 8/16/2009 11:42:09 - Avg8 Update
RP843: 8/16/2009 14:04:07 - Removed SatScape
RP844: 8/16/2009 14:36:11 - PREBANDMASTER
RP845: 8/17/2009 21:03:33 - System Checkpoint
RP846: 8/19/2009 09:55:33 - System Checkpoint
RP847: 8/20/2009 13:35:21 - System Checkpoint
RP848: 8/21/2009 17:17:56 - System Checkpoint
RP849: 8/22/2009 17:35:26 - System Checkpoint
RP850: 8/23/2009 13:08:47 - Installed ARCP-480
RP851: 8/23/2009 13:14:21 - Configured ARCP-480
RP852: 8/24/2009 16:05:40 - System Checkpoint
RP853: 8/25/2009 16:22:17 - System Checkpoint
RP854: 8/26/2009 17:27:36 - System Checkpoint
RP855: 8/27/2009 19:16:36 - System Checkpoint
RP856: 8/27/2009 20:23:42 - Spybot-S&D Spyware removal
RP857: 8/28/2009 21:24:41 - System Checkpoint
RP858: 8/30/2009 01:21:33 - pre java update
RP859: 8/30/2009 01:22:47 - Installed Java(TM) 6 Update 15
RP860: 8/31/2009 01:53:39 - prethunderbird
RP861: 9/1/2009 13:19:14 - System Checkpoint
RP862: 9/2/2009 13:48:53 - System Checkpoint
RP863: 9/2/2009 22:10:31 - sept3com
RP864: 9/7/2009 21:16:51 - System Checkpoint
RP865: 9/8/2009 21:24:28 - System Checkpoint
RP866: 9/9/2009 22:20:49 - System Checkpoint
RP867: 9/11/2009 13:04:07 - System Checkpoint
RP868: 9/12/2009 16:01:57 - System Checkpoint
RP869: 9/13/2009 16:15:35 - System Checkpoint
RP870: 9/13/2009 16:52:12 - Spybot-S&D Spyware removal
RP871: 9/17/2009 18:00:36 - System Checkpoint
RP872: 9/18/2009 16:00:06 - Installed Windows Installer KB893803v2.
RP873: 9/18/2009 16:00:35 - Installed Windows XP WIC.
RP874: 9/18/2009 16:00:48 - Installed Windows XP KB932716-v2.
RP875: 9/18/2009 16:01:02 - Installed Windows XP KB945060-v3.
RP876: 9/18/2009 16:04:45 - Installed Print Creations
RP877: 9/18/2009 16:05:48 - Installed Connect Service
RP878: 9/18/2009 19:10:18 - Restore Operation
RP879: 9/19/2009 15:01:12 - post combofix
RP880: 9/19/2009 19:57:07 - Spybot-S&D Spyware removal
RP881: 9/19/2009 19:57:26 - Spybot-S&D Spyware removal
RP882: 9/19/2009 20:41:34 - after combofix for FF
RP883: 9/20/2009 17:09:35 - Removed AVG 8.5
RP884: 9/20/2009 17:10:13 - Removed AVG 8.5
RP885: 9/20/2009 17:19:27 - Configured AVG Free 8.5
RP886: 9/20/2009 17:21:54 - Configured AVG Free 8.5
RP887: 9/20/2009 17:42:19 - Restore Operation
RP888: 9/20/2009 17:48:22 - Restore Operation
RP889: 9/20/2009 18:06:41 - Installed Windows Installer Clean Up
RP890: 9/20/2009 18:21:12 - Removed AVG 8.5
RP891: 9/20/2009 20:21:33 - Installed AVG Free 8.5
RP892: 9/20/2009 20:33:04 - Installed AVG Free 8.5
RP893: 9/20/2009 22:44:41 - Installed Java(TM) 6 Update 16
RP894: 9/20/2009 22:50:13 - Avg8 Update
RP895: 9/21/2009 09:55:22 - Restore Operation
RP896: 9/21/2009 11:29:35 - Spybot-S&D Spyware removal
RP897: 9/21/2009 12:59:53 - Configured AVG Free 8.5
RP898: 9/21/2009 13:05:57 - Configured AVG Free 8.5
RP899: 9/21/2009 19:02:14 - Avg8 Update
RP900: 9/22/2009 11:58:44 - Installed SUPERAntiSpyware Free Edition
RP901: 9/22/2009 16:07:56 - Removed SUPERAntiSpyware Free Edition
RP902: 9/23/2009 18:21:02 - Spybot-S&D Spyware removal
RP903: 9/24/2009 19:59:45 - System Checkpoint
RP904: 9/25/2009 21:11:14 - System Checkpoint
RP905: 9/27/2009 13:49:40 - System Checkpoint
RP906: 9/28/2009 20:39:18 - System Checkpoint
RP907: 9/29/2009 21:32:11 - System Checkpoint

==== Installed Programs ======================

2000 Toolbox
Adobe Flash Player Plugin
Adobe Reader 8.1.6
Antenna Book Software
ArcSoft PhotoImpression 6
ArcSoft Print Creations
AVG Free 8.5
BASIC Stamp Editor v2.4
C-Media 3D Audio
C-Media WDM Audio Driver
CardRd81
CCHelp
CCScore
Corel WordPerfect Suite 8
CR2
DDS VFO
DigiPan
DigiPan 2.0
Dimension 4 v5.0
Direct Digital Synthesis (DDS) Control Program
DjVu Browser Plug-in 4.1
DM9XInst
DPlot Graph Software version 2.2.6.6
DX4WIN version 7.02
Elecraft K3 Utility 1.2.8.10
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
EPSON USB Printer Devices
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
EZNEC v. 5.0
Filter Design 4.4
First Aid 2000
Free MP3 Sound Recorder v1.9
Google Earth
Google Updater
Ham Radio Deluxe
Hi-Speed USB-to-IDE Win98 Driver
HijackThis 2.0.2
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
HP Image Zone 4.0
hp instant support
HP Memories Disc
HP Scanjet 4600
HP Software Update
ImageDock
Intel A/V Codecs V2.0
Intel Application Accelerator
Intel USB Video Camera III
Intel(R) 536EP Modem Drivers and Utilities
Intel(R) Extreme Graphics Driver
IZ8BLY Stream
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Java(TM) 6 Update 15
Java(TM) 6 Update 5
JVComm32
K3 Filter Tools
K3 Filter Tools (C:\PROGRAM FILES\K3 Filter Tools\)
KB408682
KENWOOD ARCP-480
Kodak EasyShare software
KSU
LAB Fit
Live Express
Log-EQF
Logitech MouseWare 9.24
Logitech User's Guide
Macromedia Flash Player 8
MailWasher
Malwarebytes' Anti-Malware
MaxBlast 4
McAfee VirusScan
McAfee VirusScan v4.0.2 (Retail/OEM)
Meter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 2005 Redistributable
mikroBasic (remove only)
mikroBasic PRO for PIC (remove only)
MMTTY
MMTTY Ver. 1.65
Mozilla Firefox (3.5.3)
Mozilla Thunderbird (2.0.0.23)
N1MM logger
Nero Suite
Netscape (7.1)
Netscape (7.2)
Netscape Browser (remove only)
Netscape Navigator (9.0.0.5)
Notifier
Nuts & Bolts
Omni-Rig 1.9
OTtBP
OTtBPSDK
Pad2Pad 1.8.1
PC Camera (6005 CIF)
PCDLNCH
PDS Lite 3.1.1
Picasa 3
PICFLASH with mikroICD (remove only)
PictureMall PictureFun!
PL-2303 USB-to-Serial
QuickTime
RealPlayer 7 Basic
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
RefManager 1.0
Satscape
SFR
SFR2
ShareIns
SiS IDE Driver
SiS PCI IRQ Routing Miniport
SmartCamera Ver 2.1
SOYO HW Monitor
Spectrogram 16
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Starry Night Bundle Edition
TrustedQSL 1.11
Tweak UI
U.S. Robotics 56K Faxmodem USB
U.S. Robotics ControlCenter
U232 P9/P25
UMSD 1.0
Uninstall Windows 9x USB 2.0 Support
Uninstaller
USB-IDE Bridge Driver
USB 2.0 Card Reader
USB PC TO PC Network Bridge Driver v1.2
USB Super Link
VB Runtime
VCAMCEN
Viewpoint Media Player (Remove Only)
VPRINTOL
WebFldrs XP
Win-EQF
Winamp (remove only)
WinBoard PCB
Windows Backup Utility
Windows Driver Package - FTDI CDM Driver Package (06/27/2007 2.02.04)
WinDraft Schematics
WinZip
WSJT Version 5.9.7 r381

==== Event Viewer Messages From Past Week ========

9/27/2009 02:01:10, error: Service Control Manager [7000] - The JDI USB PC TO PC Network Bridge USB Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

==== End Of File ===========================
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Unread postby alsopb » October 1st, 2009, 7:07 pm

GMER log contents with Sections, IAT/EAT, and show all unchecked. Only C:\
GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-10-01 23:03:13
Windows 5.1.2600 Service Pack 2
Running: 62geqp9w.exe; Driver: C:\DOCUME~1\alsopb\LOCALS~1\Temp\fxldipob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Unread postby jmw3 » October 1st, 2009, 7:53 pm

Hi

View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirSCAN & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    c:\windows\system32\drivers\Iteio.sys
  • Click Upload.
  • Wait for scans to finish then copy & paste the results into your next reply.
Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Java 2 Runtime Environment, SE v1.4.1_02
Java(TM) 6 Update 5


If some programs listed are not present, please do not panic

GooredFix
Download GooredFix from one of the locations below & save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed
  • To run the tool, double-click it (XP), or right-click & select Run As Administrator (Vista)
  • When prompted to run the scan, click Yes
  • GooredFix will check for infections, then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt)
ComboFix
Delete the copy of ComboFix you have then download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
Results from VirSCAN
GooredFix log
ComboFix log
New HijackThis log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
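The GooredFix step above produces a log that lists the Firefox extensions folder entries and the HKLM\Software\Mozilla\Firefox\Extensions registry values, each with a timestamp; a Firefox redirect infection of the kind this tool targets shows up there as an extension ID the user never installed. The following triage script is an added example for this thread, not GooredFix's own code: it parses both sections of that log format and reports every extension ID not covered by an allowlist. The allowlist is this example's assumption: the Firefox default theme ID {972ce4c6-7e08-4474-a285-3208198ce6fd}, the Java Console extension ID pattern {CAFEEFAC-0016-0000-00xx-ABCDEFFEDCBA} (one per Java 6 update), and whatever IDs the analyst passes in. The sample log is constructed and the GUID {d3f1c4e2-...} in it is invented to stand in for an unknown extension.

```python
"""Triage of a GooredFix-style log: collect the Firefox extension IDs it lists
(extensions folder entries and the HKLM Firefox\\Extensions registry values)
and flag any ID that is not on an allowlist.

Added example for this thread, not GooredFix's own code. SAMPLE_LOG below is
constructed; the GUID {d3f1c4e2-...} in it is invented to play the role of an
unknown extension.
"""
import re
from dataclasses import dataclass

# Allowlist (this example's assumption): the Firefox default theme and Sun's
# Java Console extension ({CAFEEFAC-0016-0000-00xx-ABCDEFFEDCBA}, one per
# Java 6 update). Other trusted IDs, e.g. an AV toolbar, are passed in by hand.
DEFAULT_THEME = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"
JAVA_CONSOLE = re.compile(r"^\{CAFEEFAC-0016-0000-00[0-9A-F]{2}-ABCDEFFEDCBA\}$", re.I)

# "<id> [HH:MM DD/MM/YYYY]" under a folder header; IDs are GUIDs or name@domain
FOLDER_ENTRY = re.compile(r"^(\{[0-9A-Fa-f-]{36}\}|[^\s\[@]+@[^\s\[]+)\s+\[(.+?)\]\s*$")
# "<id>"="<path>" [HH:MM DD/MM/YYYY] under a registry key header
REG_ENTRY = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(.+?)\]\s*$')

@dataclass
class Extension:
    ext_id: str
    where: str    # folder or registry key the entry was listed under
    target: str   # folder entry: the folder; registry entry: its path value
    seen: str     # timestamp exactly as printed in the log

def parse_goored_log(text):
    """Return Extension records in log order; header lines select the section."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKEY_") or line.endswith("\\"):
            section = line            # registry key or extensions folder header
            continue
        if section is None:
            continue                  # preamble: tool version, date, banners
        m = REG_ENTRY.match(line) if section.startswith("[HKEY_") else None
        if m:
            found.append(Extension(m.group(1), section, m.group(2), m.group(3)))
            continue
        m = FOLDER_ENTRY.match(line)
        if m:
            found.append(Extension(m.group(1), section, section, m.group(2)))
    return found

def is_allowed(ext_id, allow=()):
    return (ext_id.lower() == DEFAULT_THEME
            or bool(JAVA_CONSOLE.match(ext_id))
            or ext_id in allow)

def unknown_extensions(text, allow=()):
    """Entries to examine by hand: everything the allowlist does not cover."""
    return [e for e in parse_goored_log(text) if not is_allowed(e.ext_id, allow)]

# Constructed sample in the GooredFix log layout (not a real machine's log).
SAMPLE_LOG = """GooredFix by jpshortstuff (24.09.09.1)
Log created at 11:51 on 02/10/2009 (user)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\\Program Files\\Mozilla Firefox\\extensions\\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [14:49 22/09/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [22:44 20/09/2009]
{d3f1c4e2-7a8b-4c6e-9f10-aa55bb66cc77} [03:12 01/10/2009]

[HKEY_LOCAL_MACHINE\\Software\\Mozilla\\Firefox\\Extensions]
"avg@igeared"="C:\\Program Files\\AVG\\AVG8\\Toolbar\\Firefox\\avg@igeared" [13:06 21/09/2009]
"jqs@sun.com"="C:\\Program Files\\Java\\jre6\\lib\\deploy\\jqs\\ff" [01:22 30/08/2009]

-=E.O.F=-
"""

if __name__ == "__main__":
    for e in unknown_extensions(SAMPLE_LOG, allow=("avg@igeared", "jqs@sun.com")):
        print(f"review: {e.ext_id}  listed under {e.where}  seen {e.seen}")
```

Run against a real GooredFix.txt, the output is the short list of IDs worth looking up; an entry whose timestamp is recent and whose ID appears in neither the profile nor any installer the user remembers is the one to pull the install.rdf and chrome files from before removing it.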

Re: FIREFOX redirection problem

Unread postby alsopb » October 2nd, 2009, 8:50 am

OK. Attached are the outputs.
1) removal of JAVA2 runtime Environment prompted a flag. "msvcrt.dll may no longer be needed... you can delete it but doing so may prevent other apps from running". Deleted it. It can be restored from backup if necessary.
2) At first it appeared that FIREFOX was browsing without problems. Then after 20 minutes the familiar failure appeared "FIREFOX has encountered a problem and needs to close. We are sorry for the inconvenience." It appears it took 20 minutes for whatever virus is doing this to reinfect things. Now this message pops up after clicking on a few links.

This is a frustrating virus. Thanks for helping.
Regards
Brian

VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 00:31:50 (EDT)
Scanner results: 79% Scanner(30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/report/e8541b64f8b1b ... fd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90

GooredFix by jpshortstuff (24.09.09.1)
Log created at 11:51 on 02/10/2009 (alsopb)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\PROGRAM FILES\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [14:49 22/09/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [01:23 30/08/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [22:44 20/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\PROGRAM FILES\AVG\AVG8\Firefox" [09:56 21/09/2009]
"avg@igeared"="C:\PROGRAM FILES\AVG\AVG8\Toolbar\Firefox\avg@igeared" [13:06 21/09/2009]
"jqs@sun.com"="C:\PROGRAM FILES\Java\jre6\lib\deploy\jqs\ff" [01:22 30/08/2009]

-=E.O.F=-

ComboFix 09-10-01.01 - alsopb 10/02/2009 12:03.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2040.1507 [GMT 0:00]
Running from: c:\documents and settings\alsopb\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\11903b.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-09-24 09:40 . 2009-09-24 09:40 -------- d-----w- c:\program files\DDSFreq
2009-09-24 09:40 . 2009-09-24 09:40 -------- d-----w- C:\ddsvfo2
2009-09-23 15:07 . 2009-09-23 15:07 -------- d-----w- c:\program files\DDS_Controller
2009-09-23 15:06 . 2009-09-23 15:06 -------- d-----w- C:\New Folder
2009-09-23 15:05 . 2009-09-23 15:05 -------- d-----w- C:\ddsvfo
2009-09-22 18:34 . 2009-09-22 18:34 -------- d-----w- c:\program files\Trend Micro
2009-09-22 11:58 . 2009-09-22 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 11:58 . 2009-09-22 11:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-22 11:58 . 2009-09-22 11:58 -------- d-----w- c:\documents and settings\alsopb\Application Data\SUPERAntiSpyware.com
2009-09-21 09:56 . 2009-09-21 09:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-21 09:56 . 2009-09-21 09:56 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-20 20:33 . 2009-09-20 20:33 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2009-09-20 20:33 . 2009-09-20 20:33 -------- d-----w- c:\program files\AVG(2)
2009-09-20 20:33 . 2009-09-20 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8(2)
2009-09-20 20:05 . 2009-09-20 20:05 -------- d-----w- C:\AVGTemp
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\MSECACHE
2009-09-20 17:46 . 2009-09-20 17:46 -------- d-----w- c:\documents and settings\alsopb\Application Data\AVG8
2009-09-20 17:46 . 2009-09-20 17:46 -------- d-----w- c:\program files\Alwil Software
2009-09-18 22:08 . 2009-09-18 22:08 -------- d-----w- c:\documents and settings\alsopb\Application Data\Malwarebytes
2009-09-18 22:07 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 22:07 . 2009-09-18 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 22:07 . 2009-09-18 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-18 22:07 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-18 19:11 . 2009-09-18 19:11 -------- d-----w- C:\FOUND.000
2009-09-18 19:11 . 2009-09-18 19:11 -------- d-----w- C:\KPCMS
2009-09-18 18:19 . 2009-09-18 18:19 -------- d-----w- C:\Kodak
2009-09-18 16:05 . 2009-09-18 16:05 -------- d-----w- c:\documents and settings\alsopb\Local Settings\Application Data\ArcSoft
2009-09-18 16:05 . 2009-09-18 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-09-18 16:00 . 2009-09-18 16:00 -------- d-----w- c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 09:40 . 2006-04-08 23:40 249856 ------w- c:\windows\Setup1.exe
2009-08-31 01:55 . 2009-08-31 01:55 -------- d-----w- c:\documents and settings\alsopb\Application Data\Thunderbird
2009-08-31 01:55 . 2009-08-31 01:55 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-30 01:22 . 2009-08-30 01:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 13:08 . 2009-08-23 13:08 -------- d-----w- c:\program files\KENWOOD
2009-08-17 01:43 . 2009-08-17 01:43 -------- d-----w- c:\program files\N1MMP38
2009-08-16 14:38 . 2009-08-16 14:38 -------- d-----w- c:\documents and settings\alsopb\Application Data\Afreet
2009-08-16 11:41 . 2009-04-28 02:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 11:41 . 2009-04-28 02:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 11:41 . 2007-12-24 14:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 17:36 . 2004-11-11 15:33 14 ----a-w- c:\windows\srl1.sys
2009-08-13 17:35 . 2004-11-11 15:33 14 ----a-w- c:\windows\reglbft.reg
2009-08-13 17:35 . 2004-11-11 15:33 112 ----a-w- c:\windows\nmuse1.sys
2005-03-02 20:53 . 2005-03-02 20:52 3870057 ------w- c:\program files\n1mmlo1
2002-08-15 16:54 . 2004-11-12 20:51 3198976 ------w- c:\program files\ViewSonicregistration.exe
2001-06-21 19:35 . 2001-06-21 19:35 11079 ---h--w- c:\program files\folder.htt
2003-07-29 00:15 . 2003-08-21 10:49 307200 ------w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 00:15 . 2003-08-21 10:49 303104 ------w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 00:15 . 2003-08-21 10:49 311296 ------w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 00:15 . 2003-08-21 10:49 299008 ------w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 00:15 . 2003-08-21 10:49 299008 ------w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 00:15 . 2003-08-21 10:49 290816 ------w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 00:15 . 2003-08-21 10:49 122880 ------w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-19_14.54.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-29 04:47 . 2009-09-21 09:56 3403696 c:\windows\SYSTEM32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 09:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2004-08-04 12:00 8384000 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-30 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-05-17 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
d.lnk - c:\windows\System\Show Desktop.scf [2001-6-21 81]
Encoder Agent.lnk - c:\program files\Windows Media Components\Encoder\Wmencagt.exe [2004-3-22 53248]
Office Startup.lnk - c:\program files\Microsoft Office\Office\Osa.exe [2001-6-21 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 11:41 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"5-2-100-199"=c:\program files\Webdialer\sddlr.exe -m
"li-speed00199"=c:\program files\Webdialer\dlres.exe -m
"Delphi 3#Autostart"="c:\wdisplay\WEATHERD.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VsStatEXE"=c:\progra~1\MCAFEE\MCAFEE~1\VSSTAT.EXE /SHOWWARNING
"nwiz"=nwiz.exe /install
"Alogserv"=c:\program files\McAfee\McAfee VirusScan\alogserv.exe
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"KodakCCS"=c:\windows\System32\Drivers\KodakCCS.exe
"98SafeRemove"=c:\windows\98SafeRemove.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Share-to-Web Namespace Daemon"=c:\program files\Accessories\HP Share-to-Web\hpgs2wnd.exe
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="c:\program files\HP\HPCORETECH\HPCMPMGR.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"MSVXD"=c:\windows\MSVXD.EXE 1632
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\nvcpl.dll,NvStartup
"SetIcon"=c:\program files\Generic\Seticon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\D4\\D4.exe"=
"c:\\WINDOWS\\System32\\fxsclnt.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/28/2009 02:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/28/2009 02:37 108552]
R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [12/23/2006 18:22 3026]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/28/2009 02:37 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/28/2009 02:37 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\SYSTEM32\DRIVERS\DLPortIO.SYS [11/29/2006 13:11 3584]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [11/28/2006 17:29 9344]
S2 USB2000;JDI USB PC TO PC Network Bridge USB Driver;c:\windows\SYSTEM32\DRIVERS\usb2000.sys [1/25/2000 08:57 15712]
S3 iteio;iteio;c:\windows\SYSTEM32\DRIVERS\Iteio.sys [12/30/2006 22:47 3680]
S3 usb18prg;usb18prg;c:\windows\SYSTEM32\DRIVERS\usb18prg.sys [12/13/2007 19:24 20608]
S3 Usblink;Usblink Driver;c:\windows\SYSTEM32\DRIVERS\ulink.sys [12/26/2006 15:31 40788]
S3 Winacusb;Winacusb;c:\windows\SYSTEM32\DRIVERS\winacusb.sys [11/28/2006 22:25 902860]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:OE /CALLER:WIN9X /USER /INSTALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:OE /CALLER:WIN9X /USER /INSTALL
"c:\program files\OUTLOOK EXPRESS\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:WAB /CALLER:WIN9X /USER /INSTALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:WAB /CALLER:WIN9X /USER /INSTALL
"c:\program files\OUTLOOK EXPRESS\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\WebReg 20050630200914.job
- c:\program files\HP\DIGITAL IMAGING\BIN\hpqwrg.exe [2004-05-14 17:31]

2009-10-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-21 21:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SYSTEM\BLANK.HTM
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - FILE://c:\windows\SYSTEM\DAJAVA.CAB
DPF: Internet Explorer Classes for Java - FILE://c:\windows\SYSTEM\IEJAVA.CAB
DPF: Microsoft XML Parser for Java - FILE://c:\windows\JAVA\CLASSES\XMLDSO4.CAB
FF - ProfilePath - c:\documents and settings\alsopb\Application Data\Mozilla\Firefox\Profiles\j7t5whpq.BRIAN 2\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/sear ... -web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 12:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-02 12:12
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/28/2009 02:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/28/2009 02:37 108552]
R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [12/23/2006 18:22 3026]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/28/2009 02:37 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/28/2009 02:37 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\SYSTEM32\DRIVERS\DLPortIO.SYS [11/29/2006 13:11 3584]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [11/28/2006 17:29 9344]
S2 USB2000;JDI USB PC TO PC Network Bridge USB Driver;c:\windows\SYSTEM32\DRIVERS\usb2000.sys [1/25/2000 08:57 15712]
S3 iteio;iteio;c:\windows\SYSTEM32\DRIVERS\Iteio.sys [12/30/2006 22:47 3680]
S3 usb18prg;usb18prg;c:\windows\SYSTEM32\DRIVERS\usb18prg.sys [12/13/2007 19:24 20608]
S3 Usblink;Usblink Driver;c:\windows\SYSTEM32\DRIVERS\ulink.sys [12/26/2006 15:31 40788]
S3 Winacusb;Winacusb;c:\windows\SYSTEM32\DRIVERS\winacusb.sys [11/28/2006 22:25 902860]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:OE /CALLER:WIN9X /USER /INSTALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:OE /CALLER:WIN9X /USER /INSTALL
"c:\program files\OUTLOOK EXPRESS\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:WAB /CALLER:WIN9X /USER /INSTALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:WAB /CALLER:WIN9X /USER /INSTALL
"c:\program files\OUTLOOK EXPRESS\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\WebReg 20050630200914.job
- c:\program files\HP\DIGITAL IMAGING\BIN\hpqwrg.exe [2004-05-14 17:31]

2009-10-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-21 21:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SYSTEM\BLANK.HTM
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - FILE://c:\windows\SYSTEM\DAJAVA.CAB
DPF: Internet Explorer Classes for Java - FILE://c:\windows\SYSTEM\IEJAVA.CAB
DPF: Microsoft XML Parser for Java - FILE://c:\windows\JAVA\CLASSES\XMLDSO4.CAB
FF - ProfilePath - c:\documents and settings\alsopb\Application Data\Mozilla\Firefox\Profiles\j7t5whpq.BRIAN 2\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/sear ... -web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 12:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-02 12:12
ComboFix-quarantined-files.txt 2009-10-02 12:12

Pre-Run: 169,904,275,456 bytes free
Post-Run: 170,261,708,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

221

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:12, on 10/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\PROGRAM FILES\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\BLANK.HTM
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.gloryroad.net"); (C:\Program Files\Netscape\Users\alsopb\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\PROGRAM FILES\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM FILES\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\PROGRAM FILES\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\PROGRAM FILES\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\PROGRAM FILES\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\PROGRAM FILES\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\PROGRAM FILES\Java\jre6\bin\jusched.exe"
O4 - Global Startup: d.lnk = C:\WINDOWS\SYSTEM\Show Desktop.scf
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\PROGRAM FILES\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5819 bytes
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Unread postby jmw3 » October 2nd, 2009, 2:33 pm

Hi
Not sure what happened with the file I asked you to upload. From the scan results you posted:
File Name : 1.html
Scanned time : 2009/06/05

We'll try it again with another site... along with a couple of other files.

Upload Files for Scanning
Go to VirusTotal & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button.
    c:\windows\system32\drivers\Iteio.sys
  • Click Send File.
  • Wait for scans to finish then copy & paste the results into your next reply.
Following the instructions above, do the same for:
c:\windows\srl1.sys
c:\windows\nmuse1.sys

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines(if still present):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -


  • Close all windows except HijackThis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Folder::
c:\program files\Webdialer
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"5-2-100-199"=-
"li-speed00199"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


RootRepeal
Download RootRepeal.zip from here & unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
      Drivers
      Files
      Processes
      SSDT
      Stealth Objects
      Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File then Exit to close the program
To post in next reply:
Results from VirusTotal
ComboFix log
RootRepeal log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
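The entries jmw3 singles out above share a pattern worth automating: a registration that points at nothing ("(no file)", or a trailing dash where HijackThis would print the file or URL), a URLSearchHook whose value name is not a bare CLSID, and a Run entry that names a bare file rather than a full path. The script below triages a HijackThis v2 log for exactly those. It is an added example, not code from this thread or from HijackThis; the line grammar it parses, the FILE_BACKED set and the flag names are my own assumptions, and SAMPLE_LOG is copied from the log posted earlier in the thread.

```python
"""Triage a HijackThis v2 log for orphaned or suspicious autostart entries.

Added example: not code from the MalwareRemoval.com thread or from HijackThis.
The line grammar, FILE_BACKED set and flag names are assumptions; the lines in
SAMPLE_LOG are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Every entry starts with a section code: "O2 - BHO: ...", "R3 - URLSearchHook: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
CLSID_RE = re.compile(r"\*?\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sections whose last field names a file on disk (assumption about the format).
FILE_BACKED = {"R3", "O2", "O3", "O4", "O9", "O16", "O18", "O20", "O21", "O22", "O23"}


@dataclass
class Entry:
    code: str
    detail: str
    clsid: str = ""
    path: str = ""
    flags: list = field(default_factory=list)


def extract_path(code, detail):
    """Return the file/URL field of an entry, or "" when HijackThis shows none."""
    d = detail.strip()
    if code in ("R0", "R1"):                 # "Main,Start Page = about:blank"
        return d.split("=", 1)[1].strip() if "=" in d else ""
    if code == "O4":                         # "[Name] command"  or  "x.lnk = C:\..."
        for sep in ("] ", " = "):
            if sep in d:
                return d.split(sep, 1)[1].strip()
        return ""
    if d.endswith(" -"):                     # trailing dash: no file/URL recorded
        return ""
    parts = d.split(" - ")
    return parts[-1].strip() if len(parts) > 1 else ""


def parse_entry(line):
    """Parse one log line into an Entry with triage flags, or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, detail = m.group("code"), m.group("detail")
    clsid_m = CLSID_RE.search(detail)
    e = Entry(code, detail, clsid_m.group(0) if clsid_m else "", extract_path(code, detail))
    if e.code in FILE_BACKED and e.path in ("", "(no file)"):
        e.flags.append("no-file")            # registration points at nothing: orphan or removed payload
    if e.clsid.startswith("*"):
        e.flags.append("odd-clsid-name")     # value name is not a bare CLSID (assumption: treat as residue)
    if e.code == "O4" and e.path and not re.match(r'^"?[A-Za-z]:\\', e.path):
        e.flags.append("unqualified-path")   # bare filename resolved via the search path: locate the real file
    return e


def triage(log_text):
    """Parse a whole log and return only the entries that carry a flag."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Global Startup: d.lnk = C:\WINDOWS\SYSTEM\Show Desktop.scf
O13 - WWW. Prefix: http://
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:4} {','.join(e.flags):28} {e.detail}")
```

Run against the sample it reports the "(no file)" URLSearchHook, the bare SOUNDMAN.EXE Run entry and the empty DPF entry, and nothing else. A flag is a reason to look, not a verdict: a bare filename in a Run key is normal for some OEM software, but the file it actually resolves to should be located and checked before it is cleared.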

Re: FIREFOX redirection problem

Unread postby alsopb » October 2nd, 2009, 3:43 pm

OK here are the files.

I wish to note that in the last HIJACK log one of the items I was told to fix reappeared.
I checked that it was gone after fixing it. Is it the culprit?

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll

The other two are gone.

File Iteio.sys received on 2009.08.31 11:22:23 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.31 -
AhnLab-V3 5.0.0.2 2009.08.29 -
AntiVir 7.9.1.7 2009.08.31 -
Antiy-AVL 2.0.3.7 2009.08.31 -
Authentium 5.1.2.4 2009.08.31 -
Avast 4.8.1335.0 2009.08.30 -
AVG 8.5.0.406 2009.08.31 -
BitDefender 7.2 2009.08.31 -
CAT-QuickHeal 10.00 2009.08.31 -
ClamAV 0.94.1 2009.08.31 -
Comodo 2124 2009.08.31 -
DrWeb 5.0.0.12182 2009.08.31 -
eSafe 7.0.17.0 2009.08.30 -
eTrust-Vet 31.6.6712 2009.08.31 -
F-Prot 4.5.1.85 2009.08.29 -
F-Secure 8.0.14470.0 2009.08.31 -
Fortinet 3.120.0.0 2009.08.31 -
GData 19 2009.08.31 -
Ikarus T3.1.1.68.0 2009.08.31 -
Jiangmin 11.0.800 2009.08.31 -
K7AntiVirus 7.10.831 2009.08.29 -
Kaspersky 7.0.0.125 2009.08.31 -
McAfee 5725 2009.08.30 -
McAfee+Artemis 5725 2009.08.30 -
McAfee-GW-Edition 6.8.5 2009.08.31 -
Microsoft 1.5005 2009.08.31 -
NOD32 4383 2009.08.31 -
Norman 2009.08.29 -
nProtect 2009.1.8.0 2009.08.31 -
Panda 10.0.2.2 2009.08.31 -
PCTools 4.4.2.0 2009.08.30 -
Prevx 3.0 2009.08.31 -
Rising 21.45.03.00 2009.08.31 -
Sophos 4.45.0 2009.08.31 -
Sunbelt 3.2.1858.2 2009.08.31 -
Symantec 1.4.4.12 2009.08.31 -
TheHacker 6.3.4.3.392 2009.08.31 -
TrendMicro 8.950.0.1094 2009.08.30 -
VBA32 3.12.10.10 2009.08.30 -
ViRobot 2009.8.31.1908 2009.08.31 -
VirusBuster 4.6.5.0 2009.08.30 -
Additional information
File size: 3680 bytes
MD5 : 3a495271ce703ebff717c66b6fcdd16a
SHA1 : c04ea1706587843f26395f61bb6ba429cfda21ee
SHA256: 4b94bf4f32dd485ca648bc8e1a3e840722e0fbb7df158115f1aa314229e207bf
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3BE
timedatestamp.....: 0x37CBB353 (Tue Aug 31 12:49:55 1999)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x260 0x29C 0x2A0 5.17 4d244cecd597e812cd99b11188644631
.data 0x500 0x4 0x20 0.00 70bc8f4b72a86921468bf8e8441dce51
INIT 0x520 0x162 0x180 4.52 c73e8b587075bf75ab66dc2f48976fbc
.reloc 0x6A0 0x62 0x80 2.89 e572c1de573cf9a27589c9e7e80dd887

( 1 imports )

> ntoskrnl.exe: IoGetCurrentProcess, IoDeleteSymbolicLink, RtlInitUnicodeString, MmFreeNonCachedMemory, Ke386SetIoAccessMap, Ke386IoSetAccessProcess, IoDeleteDevice, IofCompleteRequest, IoCreateSymbolicLink, IoCreateDevice, MmAllocateNonCachedMemory

( 0 exports )
TrID : File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ssdeep: 48:KTWTXf+ewd3ueDG04ulaXRmz6GmOpfAiwWDp+bxVC5OsZ3CRqz69/aJjGKRQz6R:KCWecmWcf0AiwW9GCgmCLyH
PEiD : -
RDS : NSRL Reference Data Set
-

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.



File srl1.sys received on 2009.10.02 18:51:28 (UTC)
Current status: finished
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.10.02 -
AhnLab-V3 5.0.0.2 2009.10.02 -
AntiVir 7.9.1.27 2009.10.02 -
Antiy-AVL 2.0.3.7 2009.10.02 -
Authentium 5.1.2.4 2009.10.02 -
Avast 4.8.1351.0 2009.10.02 -
AVG 8.5.0.412 2009.10.02 -
BitDefender 7.2 2009.10.02 -
CAT-QuickHeal 10.00 2009.10.01 -
ClamAV 0.94.1 2009.10.02 -
Comodo 2493 2009.10.02 -
DrWeb 5.0.0.12182 2009.10.02 -
eSafe 7.0.17.0 2009.10.01 -
eTrust-Vet 31.6.6773 2009.10.02 -
F-Prot 4.5.1.85 2009.10.02 -
F-Secure 8.0.14470.0 2009.10.02 -
Fortinet 3.120.0.0 2009.10.02 -
GData 19 2009.10.02 -
Ikarus T3.1.1.72.0 2009.10.02 -
Jiangmin 11.0.800 2009.09.27 -
K7AntiVirus 7.10.858 2009.10.01 -
Kaspersky 7.0.0.125 2009.10.02 -
McAfee 5759 2009.10.02 -
McAfee+Artemis 5759 2009.10.02 -
McAfee-GW-Edition 6.8.5 2009.10.02 -
Microsoft 1.5101 2009.10.02 -
NOD32 4477 2009.10.02 -
Norman 6.01.09 2009.10.02 -
nProtect 2009.1.8.0 2009.10.02 -
Panda 10.0.2.2 2009.10.02 -
PCTools 4.4.2.0 2009.10.02 -
Prevx 3.0 2009.10.02 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.02 -
Sunbelt 3.2.1858.2 2009.10.02 -
Symantec 1.4.4.12 2009.10.02 -
TheHacker 6.5.0.2.026 2009.10.02 -
TrendMicro 8.950.0.1094 2009.10.02 -
VBA32 3.12.10.11 2009.09.30 -
ViRobot 2009.10.2.1968 2009.10.02 -
VirusBuster 4.6.5.0 2009.10.02 -
Additional information
File size: 14 bytes
MD5...: 4bcd357f0808f535752aa232bf5e668f
SHA1..: dcffba36692703de28dabd2d5b0225031bed5b5a
SHA256: 72aee4d070433abd5cf432b7640a1d7f133657d91d5e0e9a56238da9291bcc73
ssdeep: 3:N/CXNn:yN
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Unknown!



File nmuse1.sys received on 2009.10.02 18:54:52 (UTC)
Current status: finished
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.10.02 -
AhnLab-V3 5.0.0.2 2009.10.02 -
AntiVir 7.9.1.27 2009.10.02 -
Antiy-AVL 2.0.3.7 2009.10.02 -
Authentium 5.1.2.4 2009.10.02 -
Avast 4.8.1351.0 2009.10.02 -
AVG 8.5.0.412 2009.10.02 -
BitDefender 7.2 2009.10.02 -
CAT-QuickHeal 10.00 2009.10.01 -
ClamAV 0.94.1 2009.10.02 -
Comodo 2493 2009.10.02 -
DrWeb 5.0.0.12182 2009.10.02 -
eSafe 7.0.17.0 2009.10.01 -
eTrust-Vet 31.6.6773 2009.10.02 -
F-Prot 4.5.1.85 2009.10.02 -
F-Secure 8.0.14470.0 2009.10.02 -
Fortinet 3.120.0.0 2009.10.02 -
GData 19 2009.10.02 -
Ikarus T3.1.1.72.0 2009.10.02 -
Jiangmin 11.0.800 2009.09.27 -
K7AntiVirus 7.10.858 2009.10.01 -
Kaspersky 7.0.0.125 2009.10.02 -
McAfee 5759 2009.10.02 -
McAfee+Artemis 5759 2009.10.02 -
McAfee-GW-Edition 6.8.5 2009.10.02 -
Microsoft 1.5101 2009.10.02 -
NOD32 4477 2009.10.02 -
Norman 6.01.09 2009.10.02 -
nProtect 2009.1.8.0 2009.10.02 -
Panda 10.0.2.2 2009.10.02 -
PCTools 4.4.2.0 2009.10.02 -
Prevx 3.0 2009.10.02 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.02 -
Sunbelt 3.2.1858.2 2009.10.02 -
Symantec 1.4.4.12 2009.10.02 -
TheHacker 6.5.0.2.026 2009.10.02 -
TrendMicro 8.950.0.1094 2009.10.02 -
VBA32 3.12.10.11 2009.09.30 -
ViRobot 2009.10.2.1968 2009.10.02 -
VirusBuster 4.6.5.0 2009.10.02 -
Additional information
File size: 112 bytes
MD5...: db575f7d10439e8033a030e38f1c94e9
SHA1..: 97d530381ad53c8ada171ef267f7700a242aab0f
SHA256: 423c5549f2ce9ac8c957db5ae8735467b6852f3ffade6245d753bbc714732129
ssdeep: 3:NgNFnYUy:NANi
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


ComboFix 09-10-01.05 - alsopb 10/02/2009 19:08.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2040.1615 [GMT 0:00]
Running from: c:\documents and settings\alsopb\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\alsopb\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-09-24 09:40 . 2009-09-24 09:40 -------- d-----w- c:\program files\DDSFreq
2009-09-24 09:40 . 2009-09-24 09:40 -------- d-----w- C:\ddsvfo2
2009-09-23 15:07 . 2009-09-23 15:07 -------- d-----w- c:\program files\DDS_Controller
2009-09-23 15:06 . 2009-09-23 15:06 -------- d-----w- C:\New Folder
2009-09-23 15:05 . 2009-09-23 15:05 -------- d-----w- C:\ddsvfo
2009-09-22 18:34 . 2009-09-22 18:34 -------- d-----w- c:\program files\Trend Micro
2009-09-22 11:58 . 2009-09-22 11:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 11:58 . 2009-09-22 11:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-22 11:58 . 2009-09-22 11:58 -------- d-----w- c:\documents and settings\alsopb\Application Data\SUPERAntiSpyware.com
2009-09-21 09:56 . 2009-09-21 09:56 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-21 09:56 . 2009-09-21 09:56 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-20 20:33 . 2009-09-20 20:33 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2009-09-20 20:33 . 2009-09-20 20:33 -------- d-----w- c:\program files\AVG(2)
2009-09-20 20:33 . 2009-09-20 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8(2)
2009-09-20 20:05 . 2009-09-20 20:05 -------- d-----w- C:\AVGTemp
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-09-20 18:06 . 2009-09-20 18:06 -------- d-----w- c:\program files\MSECACHE
2009-09-20 17:46 . 2009-09-20 17:46 -------- d-----w- c:\documents and settings\alsopb\Application Data\AVG8
2009-09-20 17:46 . 2009-09-20 17:46 -------- d-----w- c:\program files\Alwil Software
2009-09-18 22:08 . 2009-09-18 22:08 -------- d-----w- c:\documents and settings\alsopb\Application Data\Malwarebytes
2009-09-18 22:07 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 22:07 . 2009-09-18 22:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-18 22:07 . 2009-09-18 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-18 22:07 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-18 19:11 . 2009-09-18 19:11 -------- d-----w- C:\FOUND.000
2009-09-18 19:11 . 2009-09-18 19:11 -------- d-----w- C:\KPCMS
2009-09-18 18:19 . 2009-09-18 18:19 -------- d-----w- C:\Kodak
2009-09-18 16:05 . 2009-09-18 16:05 -------- d-----w- c:\documents and settings\alsopb\Local Settings\Application Data\ArcSoft
2009-09-18 16:05 . 2009-09-18 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-09-18 16:00 . 2009-09-18 16:00 -------- d-----w- c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 09:40 . 2006-04-08 23:40 249856 ------w- c:\windows\Setup1.exe
2009-08-31 01:55 . 2009-08-31 01:55 -------- d-----w- c:\documents and settings\alsopb\Application Data\Thunderbird
2009-08-31 01:55 . 2009-08-31 01:55 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-30 01:22 . 2009-08-30 01:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 13:08 . 2009-08-23 13:08 -------- d-----w- c:\program files\KENWOOD
2009-08-17 01:43 . 2009-08-17 01:43 -------- d-----w- c:\program files\N1MMP38
2009-08-16 14:38 . 2009-08-16 14:38 -------- d-----w- c:\documents and settings\alsopb\Application Data\Afreet
2009-08-16 11:41 . 2009-04-28 02:37 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 11:41 . 2009-04-28 02:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 11:41 . 2007-12-24 14:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 17:36 . 2004-11-11 15:33 14 ----a-w- c:\windows\srl1.sys
2009-08-13 17:35 . 2004-11-11 15:33 14 ----a-w- c:\windows\reglbft.reg
2009-08-13 17:35 . 2004-11-11 15:33 112 ----a-w- c:\windows\nmuse1.sys
2005-03-02 20:53 . 2005-03-02 20:52 3870057 ------w- c:\program files\n1mmlo1
2002-08-15 16:54 . 2004-11-12 20:51 3198976 ------w- c:\program files\ViewSonicregistration.exe
2001-06-21 19:35 . 2001-06-21 19:35 11079 ---h--w- c:\program files\folder.htt
2003-07-29 00:15 . 2003-08-21 10:49 307200 ------w- c:\program files\internet explorer\plugins\djvu0407.dll
2003-07-29 00:15 . 2003-08-21 10:49 303104 ------w- c:\program files\internet explorer\plugins\djvu0409.dll
2003-07-29 00:15 . 2003-08-21 10:49 311296 ------w- c:\program files\internet explorer\plugins\djvu040c.dll
2003-07-29 00:15 . 2003-08-21 10:49 299008 ------w- c:\program files\internet explorer\plugins\djvu0411.dll
2003-07-29 00:15 . 2003-08-21 10:49 299008 ------w- c:\program files\internet explorer\plugins\djvu0412.dll
2003-07-29 00:15 . 2003-08-21 10:49 290816 ------w- c:\program files\internet explorer\plugins\djvu0804.dll
2003-07-29 00:15 . 2003-08-21 10:49 122880 ------w- c:\program files\internet explorer\plugins\DjVuCntl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-19_14.54.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-02 12:12 . 2009-10-02 19:01 32768 c:\windows\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-29 04:47 . 2009-09-21 09:56 3403696 c:\windows\SYSTEM32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 09:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2004-08-04 12:00 8384000 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-30 149280]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-05-17 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
d.lnk - c:\windows\System\Show Desktop.scf [2001-6-21 81]
Encoder Agent.lnk - c:\program files\Windows Media Components\Encoder\Wmencagt.exe [2004-3-22 53248]
Office Startup.lnk - c:\program files\Microsoft Office\Office\Osa.exe [2001-6-21 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 11:41 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Delphi 3#Autostart"="c:\wdisplay\WEATHERD.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VsStatEXE"=c:\progra~1\MCAFEE\MCAFEE~1\VSSTAT.EXE /SHOWWARNING
"nwiz"=nwiz.exe /install
"Alogserv"=c:\program files\McAfee\McAfee VirusScan\alogserv.exe
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"KodakCCS"=c:\windows\System32\Drivers\KodakCCS.exe
"98SafeRemove"=c:\windows\98SafeRemove.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Share-to-Web Namespace Daemon"=c:\program files\Accessories\HP Share-to-Web\hpgs2wnd.exe
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="c:\program files\HP\HPCORETECH\HPCMPMGR.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"MSVXD"=c:\windows\MSVXD.EXE 1632
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"NvCplDaemon"=RUNDLL32.EXE c:\windows\SYSTEM32\nvcpl.dll,NvStartup
"SetIcon"=c:\program files\Generic\Seticon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\D4\\D4.exe"=
"c:\\WINDOWS\\System32\\fxsclnt.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/28/2009 02:37 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/28/2009 02:37 108552]
R1 hwinterface;hwinterface;c:\windows\SYSTEM32\DRIVERS\hwinterface.sys [12/23/2006 18:22 3026]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/28/2009 02:37 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/28/2009 02:37 297752]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\SYSTEM32\DRIVERS\DLPortIO.SYS [11/29/2006 13:11 3584]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [11/28/2006 17:29 9344]
S2 USB2000;JDI USB PC TO PC Network Bridge USB Driver;c:\windows\SYSTEM32\DRIVERS\usb2000.sys [1/25/2000 08:57 15712]
S3 iteio;iteio;c:\windows\SYSTEM32\DRIVERS\Iteio.sys [12/30/2006 22:47 3680]
S3 usb18prg;usb18prg;c:\windows\SYSTEM32\DRIVERS\usb18prg.sys [12/13/2007 19:24 20608]
S3 Usblink;Usblink Driver;c:\windows\SYSTEM32\DRIVERS\ulink.sys [12/26/2006 15:31 40788]
S3 Winacusb;Winacusb;c:\windows\SYSTEM32\DRIVERS\winacusb.sys [11/28/2006 22:25 902860]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:OE /CALLER:WIN9X /USER /INSTALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:OE /CALLER:WIN9X /USER /INSTALL
"c:\program files\OUTLOOK EXPRESS\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:WAB /CALLER:WIN9X /USER /INSTALL

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\program files\OUTLOOK EXPRESS\SETUP50.EXE" /APP:WAB /CALLER:WIN9X /USER /INSTALL
"c:\program files\OUTLOOK EXPRESS\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\WebReg 20050630200914.job
- c:\program files\HP\DIGITAL IMAGING\BIN\hpqwrg.exe [2004-05-14 17:31]

2009-10-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-21 21:11]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
mLocal Page = c:\windows\SYSTEM\BLANK.HTM
mSearch Bar = hxxp://home.netscape.com/home/winsearch200.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - FILE://c:\windows\SYSTEM\DAJAVA.CAB
DPF: Internet Explorer Classes for Java - FILE://c:\windows\SYSTEM\IEJAVA.CAB
DPF: Microsoft XML Parser for Java - FILE://c:\windows\JAVA\CLASSES\XMLDSO4.CAB
FF - ProfilePath - c:\documents and settings\alsopb\Application Data\Mozilla\Firefox\Profiles\j7t5whpq.BRIAN 2\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/sear ... -web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 19:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-02 19:17
ComboFix-quarantined-files.txt 2009-10-02 19:17
ComboFix2.txt 2009-10-02 12:12

Pre-Run: 170,281,238,528 bytes free
Post-Run: 170,236,149,760 bytes free

210

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/02 19:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\alsopb\LOCALS~1\Temp\catchme.sys
Address: 0xB14AC000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_IdeChnDr.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_IdeChnDr.sys
Address: 0xB19D5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: PCI_HAL
Image Path: \Driver\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF79A1000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB115D000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:46, on 10/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRAM FILES\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\BLANK.HTM
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.gloryroad.net"); (C:\Program Files\Netscape\Users\alsopb\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\PROGRAM FILES\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM FILES\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\PROGRAM FILES\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\PROGRAM FILES\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\PROGRAM FILES\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\PROGRAM FILES\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\PROGRAM FILES\Java\jre6\bin\jusched.exe"
O4 - Global Startup: d.lnk = C:\WINDOWS\SYSTEM\Show Desktop.scf
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\PROGRAM FILES\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5722 bytes
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Unread postby alsopb » October 2nd, 2009, 6:51 pm

Oops, cut and pasted the wrong item.

The item I was told to delete was
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

It has reappeared.
Brian
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Unread postby jmw3 » October 2nd, 2009, 9:14 pm

Hi

I wish to note that in the last HIJACK log one of the items I was told to fix reappeared.
I checked that it was gone after fixing it. Is it the culprit?
I don't believe it's the culprit... but it's not correct. The asterisk at the front of the CLSID should not be there.

Warning: Please note that this fix is specific for this poster & should not be used by anyone else.

Backup Your Registry with ERUNT
  • Download ERUNT from here & follow the installation prompts
  • Uncheck Create NTREGOPT desktop icon at the Additional Tasks screen. Click No when prompted to create an ERUNT entry in the startup folder.
  • Double click the Erunt icon on your desktop to open the program then click OK at the prompt
  • Use the default settings unless there is more than one user account. (If there is more than one user account, tick Other open user registries in Backup Options)
  • Click OK
The following instruction should only be carried out if you need to restore the registry backup:
Navigate to the folder where the backup is saved
Double click on ERDNT.exe then OK
When the program opens click OK

OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
Code:
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
:Commands
[Purity]
[EmptyTemp]
[Reboot]

  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

Malwarebytes' Anti-Malware
  • Open Malwarebytes Anti-Malware, click the Update tab then Check for Updates
  • If an update is found, it will download and install the latest version & data base version
  • Once the program has updated click the Scanner tab, select Perform full scan then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Check all items except items in the C:\System Volume Information folder... then click on Remove Selected
  • When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
    Note:
  • The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time . It is normal for this error to occur once & does not need to be reported unless it returns on future reboots.


Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
If you have any issues with the Kaspersky scan or it fails for any reason then try this one:

ESET Online Scanner
Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
To post in next reply:
OTM log
Malwarebytes' log
Kaspersky or Eset Online scan log
New HijackThis log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
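
As an added example, not code from this thread or from any of the tools named above, the following Python script does the kind of log triage jmw3 performed by eye: it parses HijackThis-style lines, flags any entry whose CLSID is not a well-formed {GUID} (such as the asterisk-prefixed URLSearchHook entry in this thread) or whose target is "(no file)" or "(file missing)", and builds the same .reg-style OTM :Reg fragment used in the fix above, where `"name"=-` deletes a value and `"name"=""` recreates it with empty data. The sample lines are copied from the HijackThis logs posted in this thread; the function and constant names (`triage_hjt`, `otm_reg_fix`, `URLSEARCHHOOKS_KEY`, and the rest) are my own and not part of HijackThis or OTM.

```python
"""Triage helper for HijackThis-style log lines (added example, not a MalwareRemoval.com tool)."""
import re
from dataclasses import dataclass, field

# HijackThis sections whose entries carry a CLSID between the display name and the target file.
CLSID_SECTIONS = {"R3", "O2", "O3", "O9", "O18", "O22"}

# A well-formed registry CLSID: {8-4-4-4-12} hex digits, nothing before or after the braces.
GUID_BODY = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_RE = re.compile("^" + GUID_BODY + "$")

# "R3 - URLSearchHook: <name> - <clsid> - <target>", "O2 - BHO: <name> - <clsid> - <path>", ...
ENTRY_RE = re.compile(
    r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\S+) - (?P<target>.*)$"
)

# Registry key from the OTM script in this thread.
URLSEARCHHOOKS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"

# Sample lines copied from the HijackThis logs posted in this thread (a mix of clean and suspect entries).
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\PROGRAM FILES\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll (file missing)
"""


@dataclass
class Finding:
    section: str
    clsid: str
    target: str
    reasons: list = field(default_factory=list)
    line: str = ""


def triage_hjt(log_text):
    """Return one Finding per CLSID-bearing entry that is malformed or points at a missing file."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m or m.group("section") not in CLSID_SECTIONS:
            continue  # O4/O23 and similar lines have no CLSID field and are skipped here
        clsid, target = m.group("clsid"), m.group("target")
        reasons = []
        if not GUID_RE.match(clsid):
            reasons.append("malformed CLSID")  # e.g. the leading '*' jmw3 pointed out
        if target == "(no file)":
            reasons.append("no file")  # hook registered but nothing on disk to load
        elif target.endswith("(file missing)"):
            reasons.append("file missing")
        if reasons:
            findings.append(Finding(m.group("section"), clsid, target, reasons, line))
    return findings


def canonical_clsid(token):
    """Return the bare {GUID} embedded in a token such as '*{...}', or None if there is none."""
    m = re.search(GUID_BODY, token)
    return m.group(0) if m else None


def otm_reg_fix(key, bad_token):
    """Build the .reg-style OTM :Reg block that deletes a mis-named value and recreates it."""
    good = canonical_clsid(bad_token)
    if good is None or good == bad_token:
        raise ValueError("token is not a prefixed CLSID: %r" % bad_token)
    return "\n".join([
        ":Reg",
        "[%s]" % key,
        '"%s"=-' % bad_token,   # regedit syntax: '=-' deletes the value
        '"%s"=""' % good,       # recreate it under the canonical name with empty string data
    ])


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print("%s  %s  -> %s" % (f.section, ", ".join(f.reasons), f.line))
    print(otm_reg_fix(URLSEARCHHOOKS_KEY, "*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"))
```

Run against the sample, the script flags exactly the two entries a helper would look at twice (the asterisk-prefixed URLSearchHook and the Java button pointing at a missing DLL) and emits the same four :Reg lines as the OTM script posted above, which the OTM log in the next reply confirms were applied as "deleted successfully" and "value set successfully".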

Re: FIREFOX redirection problem

Unread postby alsopb » October 3rd, 2009, 7:55 am

Attached are the files for OTM,MALWARE,ESET and a new Hijack log.
Unable to run Kaspersky due to an error (certificate expired) in loading of virus data.

ESET (remove threats unticked) uncovered 8 threats. (took almost 4 hours!)

Computer still running. In view of the ESET results, I thought perhaps it would be better to disposition the items before playing around with FIREFOX more. Be glad to play around with FIREFOX if you want.

OTM log
All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\*{CFBFAE00-17A6-11D0-99CB-00C04FD64497} deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"|"" /E : value set successfully!
========== COMMANDS ==========

[EMPTYTEMP]

User: Default User
->Temp folder emptied: 0 bytes

User: All Users

User: alsopb
->Temp folder emptied: 115049 bytes
->Java cache emptied: 28169956 bytes
->FireFox cache emptied: 99872947 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 65290746 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
Session Manager Temp folder emptied: 0 bytes
Session Manager Tmp folder emptied: 0 bytes
RecycleBin emptied: 9554532 bytes

Total Files Cleaned = 193.60 mb


OTM by OldTimer - Version 3.0.0.6 log created on 10032009_020856

Files moved on Reboot...

Registry entries deleted on Reboot...


Malwarebytes' Anti-Malware 1.41
Database version: 2897
Windows 5.1.2600 Service Pack 2

10/3/2009 02:39:25
mbam-log-2009-10-03 (02-39-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 186407
Time elapsed: 22 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP910\A0085495.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP910\A0085736.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP910\A0085835.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP910\A0085976.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP878\A0082194.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP881\A0082575.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP887\A0082745.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP887\A0082990.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP887\A0083101.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP888\A0083216.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP888\A0083461.sys (Worm.Agent) -> Not selected for removal.
C:\System Volume Information\_restore{3492792A-6816-4A00-897C-0BFFA4EC7295}\RP888\A0083572.sys (Worm.Agent) -> Not selected for removal.
C:\OLD_C\WINDOWS\SYSTEM\MSRLE.DRV (Trojan.Downloader) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=202487cb574ee349adfe96887074641a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-03 11:39:46
# local_time=2009-10-03 11:39:46 (+0000, Greenwich Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 37 83 95 10316248289008
# compatibility_mode=3586 62 20 29 3499732068289008
# scanned=93461
# found=8
# cleaned=0
# scan_time=11402
C:\Program Files\Netscape\Users\alsopb\Mail\Trash multiple threats 00000000000000000000000000000000 I
C:\Program Files\Netscape\Users\alsopb\Mail\Sent Win32/Klez.J worm 00000000000000000000000000000000 I
C:\Program Files\Netscape\Users\alsopb\Mail\Inbox multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Start Menu\Programs\Disabled Startup Items\PowerReg Scheduler.exe Win32/PowerReg application 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Start Menu\Programs\Disabled Startup Items\PowerReg SchedulerV2.exe Win32/PowerReg application 00000000000000000000000000000000 I
C:\Documents and Settings\alsopb\Application Data\Mozilla\Profiles\alsopb\e9nia0ki.slt\Mail\gloryroad.net\Trash multiple threats 00000000000000000000000000000000 I
C:\Documents and Settings\alsopb\Application Data\Mozilla\Profiles\alsopb\e9nia0ki.slt\Mail\gloryroad.net\Sent Win32/Klez.J worm 00000000000000000000000000000000 I
C:\Documents and Settings\alsopb\Application Data\Mozilla\Profiles\alsopb\e9nia0ki.slt\Mail\gloryroad.net\Inbox multiple threats 00000000000000000000000000000000 I


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:20, on 10/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRAM FILES\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\BLANK.HTM
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.gloryroad.net"); (C:\Program Files\Netscape\Users\alsopb\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\COMMON FILES\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\PROGRAM FILES\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM FILES\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\PROGRAM FILES\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\PROGRAM FILES\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\PROGRAM FILES\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\PROGRAM FILES\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\PROGRAM FILES\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\PROGRAM FILES\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\PROGRAM FILES\Java\jre6\bin\jusched.exe"
O4 - Global Startup: d.lnk = C:\WINDOWS\SYSTEM\Show Desktop.scf
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\Java\jre6\bin\jp2iexp.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM FILES\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\PROGRAM FILES\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\PROGRAM FILES\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 5805 bytes
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am

Re: FIREFOX redirection problem

Unread postby jmw3 » October 3rd, 2009, 12:23 pm

Hi

Eset scan is flagging what appears to be infected emails from various accounts & programs:
C:\Program Files\Netscape\Users\alsopb\Mail\Trash multiple threats
C:\Program Files\Netscape\Users\alsopb\Mail\Sent Win32/Klez.J worm
C:\Program Files\Netscape\Users\alsopb\Mail\Inbox multiple threats
C:\Documents and Settings\alsopb\Application Data\Mozilla\Profiles\alsopb\e9nia0ki.slt\Mail\gloryroad.net\Trash multiple threats
C:\Documents and Settings\alsopb\Application Data\Mozilla\Profiles\alsopb\e9nia0ki.slt\Mail\gloryroad.net\Sent Win32/Klez.J worm
C:\Documents and Settings\alsopb\Application Data\Mozilla\Profiles\alsopb\e9nia0ki.slt\Mail\gloryroad.net\Inbox multiple threats

Unfortunately it does not show us which emails are infected. I would recommend clearing out all the relevant folders, i.e. Trash, Sent Items etc., keeping only the emails you deem important. Anything with attachments such as movies, unknown links etc., would have to be considered suspect.

Other logs look OK, so if you want to give Firefox another go to see what happens, feel free. Is it only Firefox you are experiencing problems with? What happens when you browse with Internet Explorer?
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
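Since the scanner only names the mail folder, the following added example (not from this thread or from ESET) lists which messages in such a folder carry attachments and flags executable-style file names, so the user can decide what to delete. It assumes the Netscape/Mozilla mail folders are plain mbox files; the sample mailbox, the addresses and the extension list are constructed.

```python
import mailbox
import os
import tempfile

# Constructed stand-in for a flagged folder such as ...\Mail\Inbox (mbox format).
SAMPLE_MBOX = """From alice@example.invalid Thu Sep 24 11:17:27 2009
From: alice@example.invalid
Subject: Meeting notes
Content-Type: text/plain

Plain text only, nothing attached.

From mallory@example.invalid Thu Sep 24 11:20:00 2009
From: mallory@example.invalid
Subject: Look at this
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: application/octet-stream; name="movie.avi.pif"
Content-Disposition: attachment; filename="movie.avi.pif"
Content-Transfer-Encoding: base64

TVo=
--XX--
"""

# Constructed list of extensions that run as code on Windows when double-clicked.
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd", ".vbs", ".js"}


def triage_mbox(path):
    """Return one record per message that has at least one attachment."""
    findings = []
    for index, msg in enumerate(mailbox.mbox(path)):
        # walk() visits every MIME part; only attachments carry a filename
        names = [p.get_filename() for p in msg.walk() if p.get_filename()]
        if not names:
            continue
        risky = any(os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS for n in names)
        findings.append({"index": index, "from": msg["From"], "subject": msg["Subject"],
                         "attachments": names, "risky": risky})
    return findings


def demo():
    """Write the constructed mailbox to a temp file and triage it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
    try:
        return triage_mbox(f.name)
    finally:
        os.unlink(f.name)
```

Run `triage_mbox()` against a copy of the flagged folder; messages marked `risky` are the ones to delete first.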

Re: FIREFOX redirection problem

Unread postby alsopb » October 3rd, 2009, 2:21 pm

Thanks.

I was able to clean out all of the above. Old email program stuff and stuff left over from dial-up days!

The problem seemed to only impact the FIREFOX browser and only when JavaScript was on. Spent about 10 minutes in FIREFOX clicking on links and so far no problems. Will know better in a day or so.

I can't say about browsing with IE. Have never used it since it was such a big target for hackers. I've been using NETSCAPE 9 as the backup browser throughout this. It never suffered from this problem even with JavaScript on.

I'll get back to you in a day or so to report hopefully good news.

Brian
alsopb
Regular Member
 
Posts: 18
Joined: September 23rd, 2009, 4:57 am