Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

search rediects

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

search rediects

Unread postby tillyjr » July 5th, 2010, 2:40 pm

hi :) im having the same porblem as a lot of people of here to be honest. Im using Mozilla firefox, but everytime i use google, yahoo etc and click on a link from the search results, its takes me to something completely different, most times searchingandclick37 or something like that, or just random other websites. im hoping you can help!

here is the hi-jack this log :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:36:52, on 05/07/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Belkin\F5D8055\v1\Belkinwcui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8484
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\tbNCH.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,c:\windows\system32\d3dg98.exe,,c:\windows\temp\13e.tmp
O1 - Hosts: 89.149.193.137 www.google.com
O1 - Hosts: 89.149.193.137 us.search.yahoo.com
O1 - Hosts: 89.149.193.137 uk.search.yahoo.com
O1 - Hosts: 89.149.193.137 search.yahoo.com
O1 - Hosts: 89.149.193.137 www.google.com.br
O1 - Hosts: 89.149.193.137 www.google.it
O1 - Hosts: 89.149.193.137 www.google.es
O1 - Hosts: 89.149.193.137 www.google.co.jp
O1 - Hosts: 89.149.193.137 www.google.com.mx
O1 - Hosts: 89.149.193.137 www.google.ca
O1 - Hosts: 89.149.193.137 www.google.com.au
O1 - Hosts: 89.149.193.137 www.google.nl
O1 - Hosts: 89.149.193.137 www.google.co.za
O1 - Hosts: 89.149.193.137 www.google.be
O1 - Hosts: 89.149.193.137 www.google.gr
O1 - Hosts: 89.149.193.137 www.google.at
O1 - Hosts: 89.149.193.137 www.google.se
O1 - Hosts: 89.149.193.137 www.google.ch
O1 - Hosts: 89.149.193.137 www.google.pt
O1 - Hosts: 89.149.193.137 www.google.dk
O1 - Hosts: 89.149.193.137 www.google.fi
O1 - Hosts: 89.149.193.137 www.google.ie
O1 - Hosts: 89.149.193.137 www.google.no
O1 - Hosts: 89.149.193.137 www.google.de
O1 - Hosts: 89.149.193.137 www.google.fr
O1 - Hosts: 89.149.193.137 www.google.co.uk
O1 - Hosts: 89.149.193.137 www.bing.com
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\tbNCH.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
O3 - Toolbar: NCH Toolbar - {c2db4fe6-8409-45ce-8010-189a7b5cce86} - C:\Program Files\NCH\tbNCH.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
O4 - HKLM\..\Run: [F5D8055v1] C:\Program Files\Belkin\F5D8055\v1\Belkinwcui.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysftray2] C:\windows\bolivar22.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [(ehSched) ] "C:\Program Files\NetMeeting\bin\msdtcuiu.exe" /set
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [{50548291-FCFF-5DD1-6D73-0C74452AECE2}] "C:\Documents and Settings\home\Application Data\Xuid\ifef.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: oflufu.exe (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\0051.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service aspnet_statestisvc (aspnet_statestisvc) - Unknown owner - C:\WINDOWS\system32\adsldpcw.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe (file missing)
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Smart Card SCardSvrccEvtMgr (SCardSvrccEvtMgr) - Unknown owner - C:\WINDOWS\system32\accessp.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Windows Image Acquisition (WIA) stisvcTrkWks (stisvcTrkWks) - Unknown owner - C:\WINDOWS\system32\6to4svcb.exe (file missing)

--
End of file - 13107 bytes


this is the uninstall list :)


ABBYY FineReader 6.0 Sprint
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avanquest update
AVG 9.0
Belkin N+ Wireless USB Adapter
Betfair Poker
Bonjour
Codec Pack - All In 1 6.0.3.0
Convert AVI to MP4 1.3
CoralPoker (remove only)
eMusic - 50 Free MP3 offer
ESPNMotion
Fast Browser Search (My Tattoons)
Football Manager 2008
Football Manager 2009
Full Tilt Poker
GemMaster Mystic
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB942288-v3)
INQ1 Modem
INQ1 PCSync
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iPod for Windows 2005-03-23
iTunes
Java(TM) 6 Update 20
Java(TM) 6 Update 7
Junk Mail filter update
Lexmark 3600-4600 Series
Lexmark Toolbar
LimeWire 5.4.6
McAfee Security Scan Plus
Media Go
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.6)
MSVC80_x86_v2
MSVCRT
NCH Toolbar
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Otto
PC Connectivity Solution
PC Suite
PKR
PlayStation(R)Network Downloader
Power Tab Editor 1.7
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB923789)
Segoe UI
SigmaTel Audio
Sky Broadband
Sonic Encoders
Sony ACID Pro 5.0c
Sony Ericsson PC Suite 6.011.00
Sony Media Manager 2.0
Spotify
Stamp ID3 Tag Editor
Steam
Theme Hospital
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update Rollup 2 for Windows XP Media Center Edition 2005
Vuze
Winamp (remove only)
Windows Driver Package - Amoi Incorporated (INQ1usbser) Modem (01/01/2007 2.0.5.0)
Windows Driver Package - Amoi Incorporated (INQ1usbser) Ports (01/01/2007 2.0.5.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
WinZip
Yahoo! Toolbar




thanks very much for looking :)
tillyjr
Active Member
 
Posts: 3
Joined: July 5th, 2010, 2:28 pm
Advertisement
Register to Remove

Re: search rediects

Unread postby melboy » July 8th, 2010, 6:32 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


==============================


With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:
LimeWire 5.4.6
Vuze
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.


  • Click on Start > Control Panel and double click on Add/Remove Programs.
  • Locate LimeWire 5.4.6 and click on the Change/Remove button to uninstall it.
  • Repeat for Vuze .
  • Close Add/Remove Programs and Control Panel when done.



DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Disable any script blocker, and then double click dds.scr to run the tool. A command window will appear, this is normal.

Image
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of :
  • DDS.txt
  • Attach.txt
And post them in your next reply.



WVCheck

Please download WVCheck by Artellos from Here and save it to your desktop.

  • Double click WVCheck.exe to run it.
  • As prompted, press enter on your keyboard to continue. The program can take a while depending on your hard drive space.
  • When the program is finished, notepad will open, copy the contents of the notepad file as a reply.
  • The log can be found on your desktop named WVCheck_Time_DD-MM-Year.txt



CKScanner
Download CKScanner from here
  • Important - Save it to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.




In your next reply:
  1. DDS.txt
  2. Attach.txt
  3. WVCheck log
  4. CKFiles.txt
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: search rediects

Unread postby tillyjr » July 9th, 2010, 12:59 pm

thanks very much, ive removed the two programmes :)

here are the first two scans :

DDS (Ver_10-03-17.01) - NTFSx86
Run by home at 17:51:38.81 on 09/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.496 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Belkin\F5D8055\v1\Belkinwcui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\home\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.skybroadband.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.skybroadband.com
uInternet Settings,ProxyServer = http=127.0.0.1:8484
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\tbNCH.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,c:\windows\system32\d3dg98.exe,,c:\windows\temp\13e.tmp
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\tbNCH.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Fast Browser Search Toolbar Helper: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: NCH Toolbar: {c2db4fe6-8409-45ce-8010-189a7b5cce86} - c:\program files\nch\tbNCH.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [(ehSched) ] "c:\program files\netmeeting\bin\msdtcuiu.exe" /set
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [{50548291-FCFF-5DD1-6D73-0C74452AECE2}] "c:\documents and settings\home\application data\xuid\ifef.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"
mRun: [F5D8055v1] c:\program files\belkin\f5d8055\v1\Belkinwcui.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysftray2] c:\windows\bolivar22.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstall ... gAwAC0AUwA"&"inst=NwA4AC0AMgA4ADQAMgAwADIAMAA4ADUA"&"prod=92"&"ver=9.0.839
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [9df2c2ad-131b-4747-b9bd-1cee7fc82c67_42] rundll32.exe "c:\windows\system32\config\systemprofile\application data\9df2c2ad-131b-4747-b9bd-1cee7fc82c67_42.avi", start
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\0051.DLL
Hosts: 89.149.193.137 www.google.com
Hosts: 89.149.193.137 us.search.yahoo.com
Hosts: 89.149.193.137 uk.search.yahoo.com
Hosts: 89.149.193.137 search.yahoo.com
Hosts: 89.149.193.137 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\h9bdlp7k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-2 218592]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-2-24 98984]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-6-28 90112]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-5-24 27632]
R4 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
R4 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S?4 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S2 aspnet_statestisvc;ASP.NET State Service aspnet_statestisvc;c:\windows\system32\adsldpcw.exe srv --> c:\windows\system32\adsldpcw.exe srv [?]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\pc tools security\bdt\bdtupdateservice.exe" --> c:\program files\pc tools security\bdt\BDTUpdateService.exe [?]
S2 SCardSvrccEvtMgr;Smart Card SCardSvrccEvtMgr;c:\windows\system32\accessp.exe srv --> c:\windows\system32\accessp.exe srv [?]
S2 stisvcTrkWks;Windows Image Acquisition (WIA) stisvcTrkWks;c:\windows\system32\6to4svcb.exe srv --> c:\windows\system32\6to4svcb.exe srv [?]
S3 INQ1usbser;INQ1 USB Device for Legacy Serial Communication;c:\windows\system32\drivers\INQ1usbser.sys [2009-6-5 103680]
S3 rt2870;Belkin N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\rt2870.sys [2009-3-16 619136]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-5-19 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-5-19 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-5-19 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-5-19 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-5-19 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-5-19 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-5-19 109864]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2009-9-26 105216]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2009-9-26 105216]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2009-9-26 105216]

=============== Created Last 30 ================

2010-07-05 18:35:42 0 d-----w- c:\program files\Trend Micro
2010-07-04 09:30:15 0 d-sh--w- c:\windows\system32\lowsec
2010-07-03 13:21:05 0 d--h--w- C:\$AVG
2010-07-03 11:52:08 12536 ------w- c:\windows\system32\avgrsstx.dll.install_backup
2010-07-03 11:47:23 0 d-----w- c:\program files\AVG
2010-07-03 11:46:51 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-07-03 10:25:56 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-02 00:36:34 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-02 00:36:34 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-07-02 00:36:34 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-07-02 00:36:34 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-02 00:36:15 0 d-----w- c:\program files\common files\PC Tools
2010-07-01 23:58:07 0 d-----w- c:\docume~1\home\applic~1\SUPERAntiSpyware.com
2010-06-28 22:54:58 0 d-----w- c:\windows\system32\NtmsData
2010-06-28 22:39:51 0 d-----w- c:\program files\common files\Sony Shared
2010-06-28 22:38:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
2010-06-28 21:47:21 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpe3B.dll
2010-06-28 21:10:28 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpeEB.dll
2010-06-28 21:09:59 0 d-----w- c:\program files\Sony Ericsson
2010-06-17 22:35:47 737280 ----a-w- c:\windows\iun6002.exe
2010-06-17 22:35:41 0 d-----w- c:\program files\Codec Pack - All In 1
2010-06-16 09:04:31 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cb0d32eee6af14.mof
2010-06-16 09:04:04 0 ---ha-w- c:\windows\system32\wupd.dat
2010-06-15 23:22:48 1902 ------w- c:\windows\system32\SetupBD.din
2010-06-15 23:21:44 0 d-----w- C:\drvrtmp
2010-06-15 22:44:52 0 d-----w- c:\program files\Sky Broadband
2010-06-15 21:08:48 135168 ----a-r- c:\windows\system32\igfxres.dll
2010-06-14 12:23:32 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2010-06-14 12:23:32 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2010-06-14 12:23:32 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2010-06-14 12:23:31 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2010-06-14 12:23:20 61440 -c--a-w- c:\windows\system32\dllcache\ehreschs.dll
2010-06-14 12:23:04 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-06-14 12:23:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-06-14 12:21:58 23040 -c--a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2010-06-14 12:20:59 9216 -c--a-w- c:\windows\system32\dllcache\iwrps.dll
2010-06-14 12:19:59 66594 -c--a-w- c:\windows\system32\dllcache\c_864.nls
2010-06-14 12:10:39 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-06-14 12:10:29 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-06-14 12:10:29 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-06-14 12:10:29 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-06-14 12:10:29 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-06-14 12:10:29 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-06-14 12:09:58 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-06-14 12:09:24 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-06-14 12:09:23 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-06-14 12:09:23 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-06-14 12:09:23 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-06-14 11:58:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-06-12 12:41:44 0 d-sh--w- c:\windows\system32\l0wsic

==================== Find3M ====================

2010-06-14 12:05:43 34284 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-19 10:01:15 148736 ----a-w- c:\docume~1\alluse~1\applic~1\hpeC9.dll
2010-05-18 22:20:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2010-05-18 22:20:56 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-10-24 12:15:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102420081025\index.dat

============= FINISH: 17:53:24.29 ===============




and


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 14/06/2010 13:23:36
System Uptime: 07/09/2010 17:19:57 (-1440 hours ago)

Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 168.979 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&10BD256C&0&10F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&10BD256C&0&10F0
Service:

==== System Restore Points ===================

RP1: 14/06/2010 13:47:28 - System Checkpoint
RP2: 15/06/2010 23:19:06 - Installed Windows XP KB915865.
RP3: 15/06/2010 23:20:07 - Installed Windows NLSDownlevelMapping.
RP4: 15/06/2010 23:20:41 - Installed Windows IDNMitigationAPIs.
RP5: 15/06/2010 23:23:14 - Installed Windows Internet Explorer 7.
RP6: 16/06/2010 09:48:59 - Installed Windows XP KB915865.
RP7: 16/06/2010 09:49:55 - Installed Windows NLSDownlevelMapping.
RP8: 16/06/2010 09:50:27 - Installed Windows IDNMitigationAPIs.
RP9: 16/06/2010 09:52:43 - Installed Windows Internet Explorer 7.
RP10: 17/06/2010 22:43:48 - System Checkpoint
RP11: 19/06/2010 14:40:05 - System Checkpoint
RP12: 20/06/2010 15:17:46 - System Checkpoint
RP13: 21/06/2010 15:18:16 - System Checkpoint
RP14: 22/06/2010 21:50:06 - System Checkpoint
RP15: 24/06/2010 12:52:18 - System Checkpoint
RP16: 25/06/2010 19:16:11 - System Checkpoint
RP17: 26/06/2010 19:33:44 - System Checkpoint
RP18: 27/06/2010 19:37:56 - System Checkpoint
RP19: 28/06/2010 23:07:27 - Installed Windows XP KB942288-v3.
RP20: 28/06/2010 23:11:21 - Removed PlayStation(R)Network Downloader.
RP21: 28/06/2010 23:13:31 - Removed PlayStation(R)Network Downloader.
RP22: 28/06/2010 23:15:59 - Removed PlayStation(R)Network Downloader.
RP23: 28/06/2010 23:36:45 - Removed Media Go
RP24: 28/06/2010 23:37:18 - Removed PlayStation(R)Network Downloader.
RP25: 30/06/2010 00:19:05 - System Checkpoint
RP26: 02/07/2010 06:45:07 - System Checkpoint
RP27: 02/07/2010 10:18:48 - PC Tools AntiVirus Free: Cleaning Threats
RP28: 03/07/2010 11:24:57 - Installed Java(TM) 6 Update 20
RP29: 03/07/2010 12:46:50 - Installed AVG 9.0
RP30: 04/07/2010 10:06:59 - Avg Update
RP31: 05/07/2010 19:35:39 - Installed HiJackThis
RP32: 06/07/2010 20:08:54 - System Checkpoint
RP33: 07/07/2010 22:18:50 - System Checkpoint
RP34: 09/07/2010 17:47:06 - Removed AVG 9.0

==== Hosts File Hijack ======================

Hosts: 89.149.193.137 www.google.com
Hosts: 89.149.193.137 us.search.yahoo.com
Hosts: 89.149.193.137 uk.search.yahoo.com
Hosts: 89.149.193.137 search.yahoo.com
Hosts: 89.149.193.137 www.google.com.br
Hosts: 89.149.193.137 www.google.it
Hosts: 89.149.193.137 www.google.es
Hosts: 89.149.193.137 www.google.co.jp
Hosts: 89.149.193.137 www.google.com.mx
Hosts: 89.149.193.137 www.google.ca
Hosts: 89.149.193.137 www.google.com.au
Hosts: 89.149.193.137 www.google.nl
Hosts: 89.149.193.137 www.google.co.za
Hosts: 89.149.193.137 www.google.be
Hosts: 89.149.193.137 www.google.gr
Hosts: 89.149.193.137 www.google.at
Hosts: 89.149.193.137 www.google.se
Hosts: 89.149.193.137 www.google.ch
Hosts: 89.149.193.137 www.google.pt
Hosts: 89.149.193.137 www.google.dk
Hosts: 89.149.193.137 www.google.fi
Hosts: 89.149.193.137 www.google.ie
Hosts: 89.149.193.137 www.google.no
Hosts: 89.149.193.137 www.google.de
Hosts: 89.149.193.137 www.google.fr
Hosts: 89.149.193.137 www.google.co.uk
Hosts: 89.149.193.137 www.bing.com

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avanquest update
Belkin N+ Wireless USB Adapter
Betfair Poker
Bonjour
Codec Pack - All In 1 6.0.3.0
Convert AVI to MP4 1.3
CoralPoker (remove only)
eMusic - 50 Free MP3 offer
ESPNMotion
Fast Browser Search (My Tattoons)
Football Manager 2008
Football Manager 2009
Full Tilt Poker
GemMaster Mystic
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB942288-v3)
INQ1 Modem
INQ1 PCSync
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
iPod for Windows 2005-03-23
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 7
Junk Mail filter update
Lexmark 3600-4600 Series
Lexmark Toolbar
Media Go
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.6)
MSVC80_x86_v2
MSVCRT
NCH Toolbar
Nero 6 Ultra Edition
Nokia Connectivity Cable Driver
Otto
PC Connectivity Solution
PC Suite
PKR
PlayStation(R)Network Downloader
Power Tab Editor 1.7
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB923789)
Segoe UI
SigmaTel Audio
Sky Broadband
Sonic Encoders
Sony ACID Pro 5.0c
Sony Ericsson PC Suite 6.011.00
Sony Media Manager 2.0
Spotify
Stamp ID3 Tag Editor
Steam
Theme Hospital
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebFldrs XP
Winamp (remove only)
Windows Driver Package - Amoi Incorporated (INQ1usbser) Modem (01/01/2007 2.0.5.0)
Windows Driver Package - Amoi Incorporated (INQ1usbser) Ports (01/01/2007 2.0.5.0)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908250
WinZip
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

09/07/2010 17:44:29, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
02/07/2010 18:22:18, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
02/07/2010 18:22:15, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
02/07/2010 01:23:32, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
02/07/2010 01:22:56, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
02/07/2010 01:22:56, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================




wvcheck :

Windows Validation Check
Log Created On: 1755_09-07-2010
------------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 2
Windows Mode: Normal


WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
------------------------------
Last Success Time for Update Detection: 2010-04-04 09:52:49
Last Success Time for Update Download: 2010-03-31 15:29:32
Last Success Time for Update Installation: 2010-06-02 23:45:48


WVCheck's File Dump
-------------------
WVCheck found no known bad files.


WVCheck's Missing File Check
-------------------
WVCheck found no missing Windows files.


WVCheck's HOSTS File Check
-------------------
WVCheck found no bad lines in the hosts file.


WVCheck's MD5 Check
EXPERIMENTAL!!
-------------------
user32.dll - c72661f8552ace7c5c85e16a3cf505c4


-------- End of File, program close at 1757_09-07-2010 --------


and


CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\home\my documents\my music\acid pro 7.0 serial crack serial key.zip
c:\documents and settings\home\my documents\my music\lg 5000 hack crack.zip
c:\documents and settings\home\my documents\my music\sony acid pro 5.0 crack serial key.txt
c:\documents and settings\home\my documents\my music\the sims 2 - fully working crack - build mode on ([eng + ita] instructions + daemon tools + sims2.zip
c:\documents and settings\home\my documents\unzipped\lg 5000 hack crack\setup.exe
c:\documents and settings\home\my documents\unzipped\sony.acid.pro.v5.0c.incl.keygen-ssg[1]\readme.html
c:\documents and settings\home\my documents\unzipped\sony.acid.pro.v5.0c.incl.keygen-ssg[1]\sony.acid.pro.v5.0c.incl.keygen-ssg\file_id.diz
c:\documents and settings\home\my documents\unzipped\sony.acid.pro.v5.0c.incl.keygen-ssg[1]\sony.acid.pro.v5.0c.incl.keygen-ssg\keygen.rar
c:\documents and settings\home\my documents\unzipped\sony.acid.pro.v5.0c.incl.keygen-ssg[1]\sony.acid.pro.v5.0c.incl.keygen-ssg\ssg.nfo
scanner sequence 3.CF.11
----- EOF -----



thanks very much :)
tillyjr
Active Member
 
Posts: 3
Joined: July 5th, 2010, 2:28 pm

Re: search rediects

Unread postby melboy » July 9th, 2010, 2:05 pm

Hi

Your computer has multiple infections, including a Password Stealer that grants backdoor access to your computer. A backdoor gives intruders complete control of your computer to log your keystrokes and steal personal information.

http://www.threatexpert.com/report.aspx?md5=9b86ebdb3ca56a7f8133ac229311b44f

This also allows hackers to steal critical system information and Download and Execute files

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being: Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.


Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwards.



Cracks, Keygens, Warez etc.

As the log(s) you've posted indicate, you've used one or more of the above.

>> Forum Policy <<

Should you wish to attempt to clean this machine, the software will have to be removed before we can continue. Be aware that the tools we use can and will detect such software. If there are more such new findings after this, the topic will also be closed.

Along with P2P filesharing, this is undoubtably how you got infected. Downloading cracks via P2P or visiting crack sites/warez sites - and other questionable/illegal sites is always a risk. Even a single click on the site can drop multiple forms of very serious malware.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.
In 2006, a study revealed that 59% of keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.

Additionally, cracked programs are illegal. In using the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product concerned.

The distribution and use of cracked copies is illegal in almost every developed country.


Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: search rediects

Unread postby melboy » July 12th, 2010, 12:53 pm

Hi tillyjr

It has been over two days since my last post.

  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response. If you do not reply within the next 24 hours, this topic will be closed.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: search rediects

Unread postby NonSuch » July 13th, 2010, 5:33 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 22 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware