
IE and Firefox keeps redirecting me to google

Re: IE and Firefox keeps redirecting me to google

Post by amyann13 » May 2nd, 2010, 11:30 am

Hi, when I disabled the CD emulation drivers with Defogger you said it would ask me to reboot the computer, but it doesn't... This is the log it put on my desktop... Please let me know if I should continue with the GMER instructions... Thank you so much.
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am

Re: IE and Firefox keeps redirecting me to google

Post by amyann13 » May 2nd, 2010, 11:31 am

I'm sorry, I sent the last post without including the log from Defogger. Here it is:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:26 on 02/05/2010 (AMY KOEHN)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am

Re: IE and Firefox keeps redirecting me to google

Post by xixo_12 » May 2nd, 2010, 11:32 am

Please reboot and continue with GMER.
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: IE and Firefox keeps redirecting me to google

Post by amyann13 » May 3rd, 2010, 11:14 am

Hi, here are my GMER results.... Thanks

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-03 10:03:40
Windows 5.1.2600 Service Pack 1
Running: gmer.exe; Driver: C:\DOCUME~1\AMYKOE~1\LOCALS~1\Temp\ffryypob.sys


---- Threads - GMER 1.0.15 ----

Thread System [4:188] 8317F7AB

---- Registry - GMER 1.0.15 ----


---- EOF - GMER 1.0.15 ----
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am

Re: IE and Firefox keeps redirecting me to google

Post by xixo_12 » May 3rd, 2010, 11:24 am

Hi,
Let's proceed.

First,
ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)
Save as Combo-Fix.exe <<Please have a look at the file name. You have to change it.
Link 1
Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
Checklist.
Please post.
  • Content of ComboFix.txt
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: IE and Firefox keeps redirecting me to google

Post by amyann13 » May 3rd, 2010, 1:00 pm

Hi, I got a message from ComboFix saying it detected the presence of a rootkit and needs to reboot... That may be normal, but I just wanted you to know... Here is my ComboFix log...

ComboFix 10-05-02.03 - AMY KOEHN 05/03/2010 11:39:44.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.313 [GMT -5:00]
Running from: c:\documents and settings\AMY KOEHN\Desktop\Combo-Fix.exe
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Starware316
c:\documents and settings\AMY KOEHN\Application Data\020000009eb5a1b6C.manifest
c:\documents and settings\AMY KOEHN\Application Data\020000009eb5a1b6O.manifest
c:\documents and settings\AMY KOEHN\Application Data\020000009eb5a1b6P.manifest
c:\documents and settings\AMY KOEHN\Application Data\020000009eb5a1b6R.manifest
c:\documents and settings\AMY KOEHN\Application Data\020000009eb5a1b6S.manifest
c:\documents and settings\AMY KOEHN\Recent\Meez My Meez ~~ Dress up your 3D avatar with items from Lil Mama, Chris Brown and SouljaBoy.url
c:\documents and settings\BRICELYN\Application Data\020000009eb5a1b6C.manifest
c:\documents and settings\BRICELYN\Application Data\020000009eb5a1b6O.manifest
c:\documents and settings\BRICELYN\Application Data\020000009eb5a1b6P.manifest
c:\documents and settings\BRICELYN\Application Data\020000009eb5a1b6R.manifest
c:\documents and settings\BRICELYN\Application Data\020000009eb5a1b6S.manifest
c:\program files\AntiVermins 3.3
c:\program files\AntiVermins 3.3\AntiVermins 3.3.exe
c:\program files\Starware316
c:\program files\Starware316\icons\star_16.ico
C:\ProgramFiles
c:\windows\BM2770c352.txt
c:\windows\BM2770c352.xml
c:\windows\box boat blue.ico
c:\windows\cookies.ini
c:\windows\Fonts\acrsec.fon
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\patch.exe
c:\windows\smdat32m.sys
c:\windows\system32\42KJE738.ocx
c:\windows\system32\adebrhal.ini
c:\windows\system32\btwgqnvr.ini
c:\windows\system32\cqbuwytt.ini
c:\windows\system32\dnunoldx.ini
c:\windows\system32\doiefbnt.ini
c:\windows\system32\eiitctua.ini
c:\windows\system32\gahujkqs.ini
c:\windows\system32\gmgnjghx.ini
c:\windows\system32\gmyxhjpx.ini
c:\windows\system32\huhspsuh.ini
c:\windows\system32\iebtpncn.ini
c:\windows\system32\jrawlhds.ini
c:\windows\system32\jwhqnpqt.ini
c:\windows\system32\lyumrtvf.ini
c:\windows\system32\oeaqrhms.ini
c:\windows\system32\oeudgdmm.ini
c:\windows\system32\sljhiocf.ini
c:\windows\system32\uninstall.exe
c:\windows\system32\wnkeawlc.ini
c:\windows\system32\yydyiemr.ini
C:\xcrashdump.dat

.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-04-03 to 2010-05-03 )))))))))))))))))))))))))))))))
.

2010-05-01 02:18 . 2010-05-01 02:18 -------- d-----w- C:\_OTM
2010-05-01 02:07 . 2010-05-01 02:07 -------- d-----w- c:\program files\ERUNT
2010-04-30 23:54 . 2010-04-30 23:54 -------- d-----w- C:\rsit
2010-04-30 16:35 . 2010-04-30 16:35 -------- d-----w- c:\documents and settings\AMY KOEHN\Application Data\Malwarebytes
2010-04-30 16:34 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 16:34 . 2010-04-30 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 16:34 . 2010-04-30 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 16:34 . 2010-04-29 20:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 14:56 . 2010-04-30 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 00:51 . 2008-03-09 16:26 0 ----a-w- C:\UnInstall.dat
2010-04-27 22:01 . 2006-08-14 05:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 15:23 . 2009-08-12 23:59 -------- d-----w- c:\program files\Trend Micro
2010-04-14 02:59 . 2009-08-12 23:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-09 06:58 . 2004-03-07 08:12 -------- d-----w- c:\program files\Cow Hunter
2010-03-31 03:09 . 2010-03-31 03:09 241977 ----a-w- c:\documents and settings\AMY KOEHN\Application Data\Sony Online Entertainment\npsoeact.dll
2010-03-31 03:09 . 2010-03-31 03:09 -------- d-----w- c:\documents and settings\AMY KOEHN\Application Data\Sony Online Entertainment
2010-03-16 21:40 . 2010-03-31 03:08 151864 ----a-w- c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
2010-02-22 18:48 . 2010-03-31 03:09 29184 ----a-w- c:\documents and settings\AMY KOEHN\Application Data\Sony Online Entertainment\Installed Games\Free Realms\!CheckMinSpec.dll
2007-01-28 01:54 . 2007-01-28 01:54 774144 ----a-w- c:\program files\RngInterstitial.dll
.

------- Sigcheck -------

[7] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe

[7] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\xmlprov.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 51200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKLM\~\startupfolder\C:^Documents and Settings^AMY KOEHN^Start Menu^Programs^Startup^Morpheus.lnk]
path=c:\documents and settings\AMY KOEHN\Start Menu\Programs\Startup\Morpheus.lnk
backup=c:\windows\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2003-09-02 12:46 106574 ----a-w- c:\program files\ATI Multimedia\main\LaunchPd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
2003-04-29 15:40 524288 ----a-w- c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-14 00:38 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2004-08-06 20:33 2502656 ----a-w- c:\program files\Yahoo!\Messenger\YPager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 CCCP106;CIF USB Camera (2110A);c:\windows\System32\DRIVERS\cccp106.sys --> c:\windows\System32\DRIVERS\cccp106.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [4/30/2010 11:34 AM 38224]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\SYSTEM32\DRIVERS\mr97310v.sys [7/18/2006 1:40 PM 99840]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [1/15/2004 11:11 PM 167808]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Open using &Advanced JPEG Compressor - c:\program files\Advanced JPEG Compressor\ajcieex.htm
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
MSConfigStartUp-Morpheus - c:\program files\StreamCast\Morpheus\Morpheus.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
AddRemove-Super SpongeBob Collapse! - c:\progra~1\YAHOOL~1\SUPERS~1\UNWISE.EXE
AddRemove-TBON - c:\program files\TBONBin\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-03 11:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(692)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(2008)
c:\windows\System32\msctfime.ime
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
.
**************************************************************************
.
Completion time: 2010-05-03 11:53:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-03 16:53

Pre-Run: 102,196,891,648 bytes free
Post-Run: 102,012,211,200 bytes free

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - 6B1964D1F385BC3943BE767E9519EFD5
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am

Re: IE and Firefox keeps redirecting me to google

Unread postby xixo_12 » May 4th, 2010, 7:41 am

Hi,
Let's proceed.

First,
CFScript
  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    Code: Select all
    FCopy::
    c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe | c:\windows\System32\wscntfy.exe
    c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll | c:\windows\System32\xmlprov.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Next,
Malwarebytes' Anti-Malware - Run
Please update and run it again.
Provide the log for my review.

Next,
Checklist.
Please post.
  • Content of ComboFix.txt
  • Content of MBAM log
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: IE and Firefox keeps redirecting me to google

Unread postby amyann13 » May 4th, 2010, 9:45 am

Hi, do you want me to go ahead and uncheck the C:\system volume information folder and then remove selected?
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am

Re: IE and Firefox keeps redirecting me to google

Unread postby xixo_12 » May 4th, 2010, 9:55 am

Yes, please follow the previous instruction. Don't touch the C:\system volume information folder. Other than that, remove it.
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: IE and Firefox keeps redirecting me to google

Unread postby amyann13 » May 4th, 2010, 10:35 am

Here is my combofix.txt and mbam log......

ComboFix 10-05-03.06 - AMY KOEHN 05/04/2010 8:31.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.272 [GMT -5:00]
Running from: c:\documents and settings\AMY KOEHN\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\AMY KOEHN\Desktop\CFScript.txt
.
/wow section - STAGE 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\wscntfy.exe --> c:\windows\System32\wscntfy.exe
c:\windows\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\xmlprov.dll --> c:\windows\System32\xmlprov.dll
.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-04 13:31 . 2004-08-04 07:56 13824 ----a-w- c:\windows\system32\wscntfy.exe
2010-05-01 02:18 . 2010-05-01 02:18 -------- d-----w- C:\_OTM
2010-05-01 02:07 . 2010-05-01 02:07 -------- d-----w- c:\program files\ERUNT
2010-04-30 23:54 . 2010-04-30 23:54 -------- d-----w- C:\rsit
2010-04-30 16:35 . 2010-04-30 16:35 -------- d-----w- c:\documents and settings\AMY KOEHN\Application Data\Malwarebytes
2010-04-30 16:34 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 16:34 . 2010-04-30 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 16:34 . 2010-04-30 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-30 16:34 . 2010-04-29 20:39 19288 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 14:56 . 2010-04-30 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 00:51 . 2008-03-09 16:26 0 ----a-w- C:\UnInstall.dat
2010-04-27 22:01 . 2006-08-14 05:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-26 15:23 . 2009-08-12 23:59 -------- d-----w- c:\program files\Trend Micro
2010-04-14 02:59 . 2009-08-12 23:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-09 06:58 . 2004-03-07 08:12 -------- d-----w- c:\program files\Cow Hunter
2010-03-31 03:09 . 2010-03-31 03:09 241977 ----a-w- c:\documents and settings\AMY KOEHN\Application Data\Sony Online Entertainment\npsoeact.dll
2010-03-31 03:09 . 2010-03-31 03:09 -------- d-----w- c:\documents and settings\AMY KOEHN\Application Data\Sony Online Entertainment
2010-03-16 21:40 . 2010-03-31 03:08 151864 ----a-w- c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
2010-02-22 18:48 . 2010-03-31 03:09 29184 ----a-w- c:\documents and settings\AMY KOEHN\Application Data\Sony Online Entertainment\Installed Games\Free Realms\!CheckMinSpec.dll
2007-01-28 01:54 . 2007-01-28 01:54 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-11-20 51200]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKLM\~\startupfolder\C:^Documents and Settings^AMY KOEHN^Start Menu^Programs^Startup^Morpheus.lnk]
path=c:\documents and settings\AMY KOEHN\Start Menu\Programs\Startup\Morpheus.lnk
backup=c:\windows\pss\Morpheus.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
2003-09-02 12:46 106574 ----a-w- c:\program files\ATI Multimedia\main\LaunchPd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
2003-04-29 15:40 524288 ----a-w- c:\progra~1\PANICW~1\POP-UP~1\PSFree.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-14 00:38 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2004-08-06 20:33 2502656 ----a-w- c:\program files\Yahoo!\Messenger\YPager.exe

S3 CCCP106;CIF USB Camera (2110A);c:\windows\System32\DRIVERS\cccp106.sys --> c:\windows\System32\DRIVERS\cccp106.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [4/30/2010 11:34 AM 38224]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\SYSTEM32\DRIVERS\mr97310v.sys [7/18/2006 1:40 PM 99840]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [1/15/2004 11:11 PM 167808]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Open using &Advanced JPEG Compressor - c:\program files\Advanced JPEG Compressor\ajcieex.htm
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\extensions\{38AB6A6C-CC4C-4f9e-A3DD-3C5681EF18A1}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\AMY KOEHN\Application Data\Mozilla\Firefox\Profiles\arfwbx96.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 08:36
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\windows\system32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(692)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(808)
c:\windows\System32\msctfime.ime
c:\windows\System32\msi.dll
.
Completion time: 2010-05-04 08:39:35
ComboFix-quarantined-files.txt 2010-05-04 13:39
ComboFix2.txt 2010-05-03 16:53

Pre-Run: 102,063,640,576 bytes free
Post-Run: 102,043,947,008 bytes free

- - End Of File - - 78AC411163B0CE4C965BBA71D6F8407A

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4064

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

5/4/2010 9:28:53 AM
mbam-log-2010-05-04 (09-28-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 230610
Time elapsed: 30 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 44
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2850bdc7-2330-4e31-9fa0-88268846539a} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{fca425b9-1e46-43b1-846c-7307ae0a739d} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{27df7a3f-b53b-40bf-9f96-ee4e026e32e6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2f9d4f30-f02b-43fe-aa01-a62a6c882c2a} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3316dce6-846a-4e84-ac6d-29737d61803a} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{346cf0eb-ca4a-4e13-b8b1-cef201918dd9} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e020c44-a715-4880-a23e-9e01cd641556} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{408d76cd-39cf-48d1-83ca-3a9b967a2d73} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4728ff96-3f19-4e1d-b081-652b37e500bb} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{53da69f7-ef43-4f01-a78c-8860f0d1dab8} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ca835a0-8545-4cfe-8119-edb959255872} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d413fa2-2a9c-47c3-8248-9ae465a8fa2f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{97d5ea7d-0a67-4313-a4ca-877131972b0e} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bb0dda99-2332-44fb-966c-c5370b23ba46} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89a23d8-cf60-41eb-9717-41059fef6042} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d9c1a129-9e77-4848-9054-7d9d09800892} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f1e324b8-3c38-4008-a344-085e68e5f3d6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fb1ff24f-7a24-43f3-98ab-1c7ea82a77ac} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaytoolbar.netscapeshutdown (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaytoolbar.netscapeshutdown.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaytoolbar.netscapestartup (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaytoolbar.netscapestartup.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaytoolbar.settingsplugin (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaytoolbar.settingsplugin.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HelpAssistant\Application Data\Awola (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Awola (Rogue.Awola) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AntiVermins 3.7\AntiVermins 3.7.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntiVermins 3.3\AntiVermins 3.3.exe.vir (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1673\A0640522.exe (Rogue.VirusHeat) -> Not selected for removal.
C:\Documents and Settings\HelpAssistant\Application Data\Awola\Awola.exe (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\Awola\settings.ini (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Awola\Awola Anti-Spyware 6.0.lnk (Rogue.Awola) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Awola\Uninstall Awola Anti-Spyware 6.0.lnk (Rogue.Awola) -> Quarantined and deleted successfully.
C:\WinstonPokerInst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am
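The MBAM log above lists 44 registry keys plus folders and files, and one file inside C:\System Volume Information is reported as "Not selected for removal" (the restore-point store the helper told the poster not to touch). The Python below is an added example, not Malwarebytes' own code or output: it parses a log in this format, checks that the header counts agree with the entries actually listed, tallies detections per family and lists anything the scan left behind, separating out items that sit in restore points. The sample log is a constructed excerpt of the one posted above, with the header counts adjusted to match the excerpt.

```python
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware 1.46 log posted in this
# thread (not Malwarebytes' own code); header counts were adjusted to the excerpt.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4064

Scan type: Full scan (C:\|)
Objects scanned: 230610

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{fca425b9-1e46-43b1-846c-7307ae0a739d} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HelpAssistant\Application Data\Awola (Rogue.Awola) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AntiVermins 3.7\AntiVermins 3.7.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1673\A0640522.exe (Rogue.VirusHeat) -> Not selected for removal.
C:\WinstonPokerInst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 44" (summary block) vs. "Registry Keys Infected:" (detail block)
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<object> (<family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (declared counts per section, parsed entries per section)."""
    declared, sections, current = {}, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        header = HEADER_RE.match(line)
        if header:
            declared[header.group("section")] = int(header.group("count"))
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group("section")
            sections[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current].append(entry.groupdict())
    return declared, sections


def summarize(text):
    """Consistency check plus what a reviewer looks for: detections by family,
    and anything the scan did not remove (restore-point copies listed separately)."""
    declared, sections = parse_mbam_log(text)
    entries = [e for items in sections.values() for e in items]
    not_removed = [e["item"] for e in entries
                   if not e["action"].startswith("Quarantined")]
    return {
        "count_mismatches": {name: (declared.get(name), len(items))
                             for name, items in sections.items()
                             if declared.get(name) != len(items)},
        "by_family": Counter(e["family"] for e in entries),
        "not_removed": not_removed,
        # Copies inside System Volume Information are old restore points, not live files.
        "in_restore_points": [i for i in not_removed
                              if "\\System Volume Information\\" in i],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

A count mismatch usually means the log was truncated when it was pasted, which is worth knowing before reasoning about what is left on the machine; the items in System Volume Information are only a concern if the poster later rolls back to that restore point.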

Re: IE and Firefox keeps redirecting me to google

Unread postby xixo_12 » May 4th, 2010, 11:21 am

Hi,
I'm pretty surprised by the infection. That's a lot. :shock:
Let's move.

First,
exeHelper by raktor
Please download from HERE and save to the desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next,
HAMeb_Check by noahdfear
Please download from HERE and save to the desktop.
  • Double-click on HAMeb_check.exe to run it.
  • Post the contents of HAlog.txt.

Next,
Checklist.
Please post.
  • Content of exehelperlog.txt
  • Content of HAlog.txt
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: IE and Firefox keeps redirecting me to google

Unread postby amyann13 » May 4th, 2010, 11:35 am

Here is my exehelperlog.txt and HAlog.txt.....

exeHelper by Raktor
Build 20100414
Run at 10:32:28 on 05/04/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


C:\Documents and Settings\AMY KOEHN\Desktop\HAMeb_check.exe
Tue 05/04/2010 at 10:33:18.68

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-4201926726-3219803983-3860816162-1006
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am

Re: IE and Firefox keeps redirecting me to google

Unread postby xixo_12 » May 4th, 2010, 12:01 pm

Hi,
Let's proceed.

First,
HelpAsst_mebroot_fix by noahdfear
Please download from HERE and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, copy the code as below by highlight > right click > copy:
    Code: Select all
    helpasst -mbrt
  • Click on start > Run....
  • Paste the code into the box and click OK.
  • When it completes, a log will open.
  • Please post the contents of that log.

In the event the tool does not detect an mbr infection and completes
  • Copy the code as below by highlight > right click > copy:
    Code: Select all
    mbr -f
  • Click on start > Run....
  • Paste the code into the box and click OK.
  • Please repeat the steps once again for mbr -f
  • Shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Please wait about 5 minutes, copy the code as below by highlight > right click > copy:
    Code: Select all
    helpasst -mbrt
  • Click on start > Run....
  • Paste the code into the box and click OK.
  • When it completes, a log will open.
  • Please post the contents of that log.


**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Next,
Checklist.
Please post.
  • Content of log
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: IE and Firefox keeps redirecting me to google

Unread postby amyann13 » May 4th, 2010, 12:32 pm

I hope I did this right...I guess it did find an MBR infection, here is the log I got....

C:\Documents and Settings\AMY KOEHN\Desktop\HelpAsst_mebroot_fix.exe
Tue 05/04/2010 at 11:16:52.17

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"3389:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-4201926726-3219803983-3860816162-1006
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 11:29:43.04

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Tue 05/04/2010 at 11:30:30.56

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
amyann13
Regular Member
 
Posts: 21
Joined: April 26th, 2010, 11:49 am
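The HAMeb_check log and the HelpAsst_mebroot_fix status checks above carry the indicators this thread is chasing: the HelpAssistant account active and in Administrators, a HelpAssistant profile registered under its SID, TCP 3389 globally opened in the firewall, and code reported in a disk sector past the MBR. The Python below is an added example (not part of the thread and not noahdfear's or Gmer's code): it triages a log in this layout into a list of findings, and run on a before/after pair it shows what the fix cleared. The sample logs are constructed from the lines posted above; as in the thread, the status log after the fix still reports the copy at sector 0x0DF83CC0 even though the MBR itself reads OK, so that one finding remains.

```python
import re

# Constructed samples modelled on the HAMeb_check output and the helpasst -mbrt
# status check posted in this thread (not the tools' own output). Blank lines
# of the originals were dropped; the parser keys only on the '~~ title ~~' headers.
BEFORE_LOG = r"""
Account active Yes
Local Group Memberships *Administrators
~~ Checking profile list ~~
S-1-5-21-4201926726-3219803983-3860816162-1006
%SystemDrive%\Documents and Settings\HelpAssistant
~~ Checking for HelpAssistant directories ~~
HelpAssistant
~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll was not found
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~
"""

AFTER_LOG = r"""
Account active No
Local Group Memberships
~~ Checking mbr ~~
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
none found
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
~~ EOF ~~
"""

SECTION_RE = re.compile(r"^~~ (.+?) ~~$", re.M)
FW_KEY_RE = re.compile(r"firewallpolicy\\([^\\]+)\\GloballyOpenPorts", re.I)
FW_VALUE_RE = re.compile(r'"(\d+:(?:TCP|UDP))"=(.*)')   # "3389:TCP"=... ; "=-" means deleted


def split_sections(log):
    """Map each '~~ title ~~' header to its body; text before the first header is 'preamble'."""
    parts = SECTION_RE.split(log)
    sections = {"preamble": parts[0]}
    for i in range(1, len(parts), 2):
        sections[parts[i]] = parts[i + 1]
    return sections


def triage(log):
    """Indicators the log shows, in a fixed order so before/after lists compare cleanly."""
    s = split_sections(log)
    findings = []
    pre = s["preamble"]
    if re.search(r"^Account active\s+Yes\s*$", pre, re.M):
        findings.append("HelpAssistant account enabled")
    if "*Administrators" in pre:
        findings.append("HelpAssistant in Administrators group")
    profiles = s.get("Checking profile list", "")
    sid = re.search(r"^(S-1-5-21-[\d-]+)\s*$", profiles, re.M)
    if sid and "HelpAssistant" in profiles:
        findings.append("HelpAssistant profile registered as " + sid.group(1))
    dirs = s.get("Checking for HelpAssistant directories", "").strip()
    if dirs and dirs != "none found":
        findings.append("HelpAssistant profile directory present")
    sector = re.search(r"malicious code @ sector (0x[0-9A-Fa-f]+)", s.get("Checking mbr", ""))
    if sector:
        findings.append("rootkit code reported at sector " + sector.group(1))
    termsrv = s.get("Checking for termsrv32.dll", "")
    if "termsrv32.dll" in termsrv and "not found" not in termsrv:
        findings.append("termsrv32.dll present")
    profile = None   # firewall profile of the key most recently seen
    for line in s.get("Checking firewall ports", "").splitlines():
        key = FW_KEY_RE.search(line)
        if key:
            profile = key.group(1)
            continue
        value = FW_VALUE_RE.match(line)
        if value and profile and value.group(2) != "-":
            findings.append(value.group(1) + " globally open in firewall profile " + profile)
    return findings


def compare(before, after):
    """(findings the fix cleared, findings still reported afterwards)."""
    b, a = triage(before), triage(after)
    return [f for f in b if f not in a], a


if __name__ == "__main__":
    cleared, remaining = compare(BEFORE_LOG, AFTER_LOG)
    print("cleared:", *cleared, sep="\n  ")
    print("remaining:", *remaining, sep="\n  ")
```

The firewall parser treats a value of `-` as a deletion marker, matching the `"3389:TCP"=-` lines in the fix log, so a key that has been emptied no longer counts as an open port.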

Re: IE and Firefox keeps redirecting me to google

Unread postby xixo_12 » May 4th, 2010, 12:40 pm

Hi,
Let's proceed.
Looking good :)

First,
Malwarebytes' Anti-Malware - Run
Please run it again (full scan) .. as previous ;)

Next,
ATF by Atribune
Please download HERE and save to the desktop. Double-click ATF Cleaner.exe to open it.
Under Main choose: Select All
    Click the Empty Selected button.
if you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
if you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

Next,
Kaspersky Online AV Scan
Note: Internet Explorer should be used.
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,
Discussion
How is your system now?

Next,
Checklist.
Please post.
  • Content of MBAM log
  • Content of Kaspersky scan log
  • Respond to our discussion
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia