Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Antivir virus and Firefox redirect

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Antivir virus and Firefox redirect

Unread postby bc0167 » July 25th, 2010, 10:20 pm

Experienced Antivir false prompts that XXX.exe is infected; do you want to start your anti-virus software. Removed (I think) using the following:

boot in Safe w/ Networking mode. Run Rkill.exe. Then run Malwarebytes, twice. Gone, but not for sure. Rkill,exe returned no processes stopped other than Rkill.exe itself.

Now experiencing Firefox redirect to sites like "Quick Check" etc.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:57:57 PM, on 7/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O1 - Hosts: 74.208.10.249 gs.apple.com
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1FC81B67-3FC3-4FEF-8F50-9E24847141B7} (SP.WIADriver.Scan) - https://ssl.selectpayment.com/dp/Instal ... rSetup.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5272040921
O16 - DPF: {A389050E-8049-4D7D-BA71-A96BA286D0D6} (CSPTiffActiveX Object) - https://ssl.selectpayment.com/dp/Instal ... Viewer.CAB
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://24.155.191.235/,DanaInfo=man-gr ... +dwa7W.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://24.155.191.235/dana-cached/setu ... tupSP1.cab
O16 - DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} (DynamicWebTwain Class) - https://ssl.selectpayment.com/dp/Instal ... bTWAIN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E164547-E591-4600-91A9-A4AA623FC423}: NameServer = 207.69.188.185,207.69.188.186
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c99a1d96e7eee2) (gupdate1c99a1d96e7eee2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 12817 bytes

+++++++++++++++++++++++++++++++++++++++++++++++++
Uninstall List:

Acrobat.com
Acrobat.com
Ad-Aware
Ad-Aware
Adobe Acrobat 6.0 Professional - English, Français, Deutsch
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AoA Audio Extractor 1.0
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft ShowBiz
Ask Toolbar
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Autodesk Mechanical Desktop 2006
AVG Free 8.5
Backyard Football
Backyard Soccer 2004
Better Homes and Gardens Landscaping and Deck Designer 7.0
Bonjour
Call of Duty(R) 4 - Modern Warfare(TM)
Carbonite Online Backup Setup
Catalyst Control Center - Branding
CinepPlayer 30 Update
Click'N Design 3D
CodeStuff Starter
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Creative System Information
Creative Zen Nano
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support Center
DellSupport
Digital Content Portal
Digital Line Detect
Digital Photo Navigator 1.5
Diskeeper 2007 Pro Premier
DivX Converter
DivX Player
DivX Web Player
Documentation & Support Launcher
DrawPad 0.8
DVD Solution
DVD43 v3.7.0
EarthLink setup files
EducateU
ELIcon
EPSON SMART PANEL for Scanner
EPSON TWAIN 5
Eudora
ExtractNow
ffdshow (remove only)
FileZilla (remove only)
Finale NotePad 2009
FLV Converter 2.4
Foxit Reader
Free CD to MP3 Converter
Free Window Registry Repair
Games, Music, & Photos Launcher
Garmin City Navigator North America NT 2009.11 Update
Garmin Communicator Plugin
Garmin USB Drivers
Garmin WebUpdater
Google Earth
Google Earth
Google SketchUp 7
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HxD Hex Editor version 1.7.7.0
Image Resizer Powertoy for Windows XP
ImageMixer VCD/DVD2 for OLYMPUS
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
Internet Service Offers Launcher
iPhoneBrowser
ISO Recorder
iTunes
Java(TM) 6 Update 20
Java(TM) 6 Update 7
KeePass Password Safe 1.17
K-Lite Codec Pack 4.1.6 (Full)
Magic ISO Maker v5.4 (build 0251)
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Bootvis
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint Viewer 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Miro 0.9.8
Modem Helper
MOV Converter 1.01
Mozilla Firefox (3.5.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multiple Image Resizer .NET
MWSnap 3
MyDVD
Nero - Burning Rom (Web installer)
NetWaiting
OLYMPUS Master
OpenAL
Panda ActiveScan
Panda ActiveScan 2.0
PDMWorks Clients 2006 sp0
Photodex Presenter
PhotoNow! 1.0
PowerDirector
PowerDVD
PowerISO
PowerProducer
project dogwaffle
QuickTime
RealPlayer
ReNamer
Riva FLV Encoder 2.0
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Roxio Update Manager
Search Assist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Shareaza 2.3.1.0
Sibelius Scorch Plugin
Simple Family Tree (remove only)
SmartSound Quicktracks Plugin
SnagIt 8
SolidWorks 2008 SP0
SolveigMM AVI Trimmer
Sonic Activation Module
SPPTiffImageViewer
SUPERAntiSpyware
Sygate Personal Firewall
TaxACT 2006
TaxACT 2007
TaxACT 2008
TaxACT 2009
TextBridge Pro 8.0
TUGZip 3.4
Ultra Video Splitter 5.4.0822
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URGE
URL Assistant
Vegas Movie Studio Platinum 9.0
Videora iPod touch Converter 3.08
Viewpoint Toolbar
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
WIADriverSetup
Windows Defender
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
winpwn 2.0.0.4
WinRAR archiver
WinSCP 4.1.7
WinXMedia AVI/WMV MP4 Converter 3.05
WinZip 11.1
XnView 1.82.2

Thanks,

Bill
bc0167
Active Member
 
Posts: 12
Joined: July 25th, 2010, 10:03 pm
Advertisement
Register to Remove

Re: Antivir virus and Firefox redirect

Unread postby askey127 » July 29th, 2010, 3:50 pm

bc0167,
-----------------------------------------------------------
There are some Issues with infections in relation to PunkBuster:
Your computer has installed gaming tools. Some of these, like Punkbuster, use spyware techniques to engage in the anti-piracy battle.
In the process, they take control of much of your PC, and they actually meet the definition of spyware/malware.
They are sometimes designed to prevent orderly removal or modification, and they have only limited respect for retaining the overall security and integrity of your machine.
It is not a certainty that your computer can be cleaned without breaking or removing some of these programs, and this could result in not being able to play the associated games, or corruption of your system.
Since we are dedicated to causing No Harm, we won't normally work on machines with this type of program installed without explicit permission from the owner.
If you want to continue using the machine in this way, you should consider using imaging software like Norton Ghost or Acronis TrueImage, or Terabyte Image, which can put your entire C: drive back into an earlier state whenever the infections or malfunctions get too severe.

If you really want to clean this machine, I will help, but if you so choose, understand there is NO assurance you will be able to do games afterwards.
-----------------------------------------------------------
Remove Registry items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Ad-Aware
Ask Toolbar
Search Assist
URL Assistant
Java(TM) 6 Update 7
Internet Service Offers Launcher
Free Window Registry Repair

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
Double Click RKill
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      See image below
      Image
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

Let me know how it goes.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Antivir virus and Firefox redirect

Unread postby bc0167 » July 30th, 2010, 7:40 am

I followed all instructions exept for uninstalling Ask Toolbar. It was not an available option in Control Panel.

Gmer locked up in regular mode, but ran complete in Windows Safe Mode.

Here is the Gmer Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-30 06:32:17
Windows 5.1.2600 Service Pack 3
Running: 60iti653.exe; Driver: C:\DOCUME~1\BILLCO~1\LOCALS~1\Temp\awldqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF76E4B30]
SSDT sptd.sys ZwCreateKey [0xF73A80D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF76E46F0]
SSDT sptd.sys ZwEnumerateKey [0xF73ADFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF73AE340]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF76E4470]
SSDT sptd.sys ZwOpenKey [0xF73A80B0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF76E4C50]
SSDT sptd.sys ZwQueryKey [0xF73AE418]
SSDT sptd.sys ZwQueryValueKey [0xF73AE298]
SSDT sptd.sys ZwSetValueKey [0xF73AE4AA]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF76E4990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF76E48D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF76E4D60]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F71148AC 5 Bytes JMP 86F71770
? System32\Drivers\aqnpv3jg.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[444] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[444] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[444] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\svchost.exe[1176] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D5000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 871CF1E8

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 86F9E1E8
Device \Driver\usbuhci \Device\USBPDO-1 86F9E1E8
Device \Driver\usbuhci \Device\USBPDO-2 86F9E1E8
Device \Driver\usbehci \Device\USBPDO-3 86F941E8
Device \Driver\usbuhci \Device\USBPDO-4 86F9E1E8

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\AvgTdiX \Device\AvgTdi wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 871601E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 871601E8
Device \Driver\Cdrom \Device\CdRom0 86F3E1E8
Device \Driver\Cdrom \Device\CdRom1 86F3E1E8
Device \Driver\atapi \Device\Ide\IdePort0 [F7322B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7322B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7322B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7322B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7322B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 871601E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86C41790
Device \Driver\NetBT \Device\NetbiosSmb 86C41790
Device \Driver\PCI_NTPNP4662 \Device\0000004e sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 86F9E1E8
Device \Driver\usbuhci \Device\USBFDO-1 86F9E1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B631E8
Device \Driver\usbuhci \Device\USBFDO-2 86F9E1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B631E8
Device \Driver\usbuhci \Device\USBFDO-3 86F9E1E8
Device \Driver\usbehci \Device\USBFDO-4 86F941E8
Device \Driver\Ftdisk \Device\FtControl 871601E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7E164547-E591-4600-91A9-A4AA623FC423} 86C41790
Device \Driver\aqnpv3jg \Device\Scsi\aqnpv3jg1 86F381E8
Device \FileSystem\Fastfat \Fat 8667D790
Device \FileSystem\Fastfat \Fat F62A8297
Device \FileSystem\Cdfs \Cdfs 86B5C6B8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x35 0xE5 0xC1 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0xAC 0xD5 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9C 0x21 0x9E 0x6A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x35 0xE5 0xC1 0x2C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0xAC 0xD5 0x24 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9C 0x21 0x9E 0x6A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x35 0xE5 0xC1 0x2C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x50 0xF9 0xF6 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE9 0x28 0x7B 0x71 ...

---- EOF - GMER 1.0.15 ----


Thanks,
Bill
bc0167
Active Member
 
Posts: 12
Joined: July 25th, 2010, 10:03 pm

Re: Antivir virus and Firefox redirect

Unread postby askey127 » July 30th, 2010, 12:20 pm

bc0167,
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE AVG
    Please open the AVG Control Center, by right clicking on the AVG icon in the task bar.
    • Click on Tools.
    • Select Advanced.
    • In the left hand pane, scroll down to "Resident Shield".
    • In the main pane, DESELECT the option to "Enable Resident Shield."
  • Now please disable the Sygate Firewall (usually you can right click the icon in the system tray and Exit or Disable).
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Antivir virus and Firefox redirect

Unread postby bc0167 » July 31st, 2010, 6:13 pm

ComboFix 10-07-30.01 - Bill xxxxxxxxx 07/31/2010 14:30:06.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.360 [GMT -5:00]
Running from: c:\documents and settings\Bill xxxxxxxxx\Desktop\zzz.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-31 )))))))))))))))))))))))))))))))
.

2010-07-26 01:56 . 2010-07-26 01:56 388096 ----a-r- c:\documents and settings\Bill xxxxxxxxx\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-26 01:56 . 2010-07-26 01:56 -------- d-----w- c:\program files\Trend Micro
2010-07-25 18:59 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-25 18:59 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 18:48 . 2010-07-25 18:48 -------- d-----w- c:\program files\Windows Defender
2010-07-25 15:04 . 2010-07-25 15:04 63488 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-25 15:04 . 2010-07-25 15:04 52224 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-25 15:04 . 2010-07-25 15:04 117760 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-25 15:03 . 2010-07-25 15:03 -------- d-----w- c:\documents and settings\Bill xxxxxxxxx\Application Data\SUPERAntiSpyware.com
2010-07-25 15:03 . 2010-07-25 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-25 15:02 . 2010-07-25 15:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-24 22:10 . 2010-07-24 22:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AskToolbar
2010-07-24 21:58 . 2010-07-25 04:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mssyqmapb
2010-07-24 15:24 . 2010-07-24 15:24 -------- d-----w- C:\found.000
2010-07-21 09:49 . 2010-07-21 09:52 26641904 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\rp\RealPlayerSPGold.exe
2010-07-21 09:49 . 2010-07-21 09:49 220272 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-07-21 09:48 . 2010-07-21 09:48 149000 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\chr_helper\LaunchHelper.exe
2010-07-21 09:48 . 2010-07-21 09:48 13407072 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\chr\ChromeInstaller.exe
2010-07-21 09:47 . 2010-07-21 09:47 79368 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\RUP\vista.exe
2010-07-21 09:47 . 2010-07-21 09:47 73344 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi_v6.dll
2010-07-21 09:47 . 2010-07-21 09:47 64000 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\gcapi_dll.dll
2010-07-21 09:47 . 2010-07-21 09:47 52288 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi.dll
2010-07-21 09:47 . 2010-07-21 09:47 122880 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\compat.dll
2010-07-21 01:46 . 2010-07-28 01:47 452104 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.12\setup.exe
2010-07-20 05:21 . 2010-07-21 01:30 -------- d-----w- c:\documents and settings\Bill xxxxxxxxx\Local Settings\Application Data\eotarvcrs
2010-07-18 04:16 . 2010-07-18 04:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-14 02:27 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-07 20:19 . 2010-07-07 20:19 -------- d-----w- c:\program files\iPod
2010-07-07 20:19 . 2010-07-07 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-07 20:14 . 2010-07-07 20:14 -------- d-----w- c:\program files\Apple Software Update
2010-07-07 20:11 . 2010-07-07 20:11 -------- d-----w- c:\program files\Bonjour
2010-07-03 15:28 . 2010-07-01 18:52 1496064 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-03 15:28 . 2010-07-01 18:51 43008 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-03 15:28 . 2010-07-01 18:51 338944 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-03 15:28 . 2010-07-01 18:51 346112 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-03 01:56 . 2010-07-20 23:04 -------- d-----w- c:\documents and settings\Bill xxxxxxxxx\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 01:44 . 2010-01-23 14:04 -------- d-----w- c:\program files\Free Window Registry Repair
2010-07-30 01:43 . 2006-08-08 03:30 -------- d-----w- c:\program files\Java
2010-07-30 01:43 . 2008-09-28 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-07-30 01:41 . 2006-08-08 03:35 -------- d-----w- c:\program files\Dell
2010-07-30 01:40 . 2009-04-12 00:38 -------- d-----w- c:\program files\Lavasoft
2010-07-30 01:40 . 2009-04-12 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-30 01:37 . 2010-06-25 02:26 -------- d-----w- c:\program files\Ask.com
2010-07-24 21:59 . 2010-05-30 04:32 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2010-07-21 01:45 . 2009-12-31 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-07-20 23:58 . 2008-09-13 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 23:48 . 2008-08-09 21:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 15:29 . 2008-02-08 03:49 78816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-18 04:15 . 2008-01-20 16:20 -------- d-----w- c:\documents and settings\Bill xxxxxxxxx\Application Data\uTorrent
2010-07-07 20:20 . 2008-08-20 01:27 -------- d-----w- c:\program files\iTunes
2010-07-07 20:19 . 2007-09-13 02:32 -------- d-----w- c:\program files\Common Files\Apple
2010-07-07 20:16 . 2006-08-08 03:40 -------- d-----w- c:\program files\QuickTime
2010-07-04 00:56 . 2010-05-18 00:44 439816 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Real\Update\setup3.10\setup.exe
2010-06-26 19:37 . 2010-06-26 19:37 -------- d-----w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Foxit Software
2010-06-26 03:47 . 2010-06-26 03:47 2944904 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-06-20 01:23 . 2010-06-20 01:23 2605008 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-06-18 02:14 . 2006-08-12 21:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-16 01:01 . 2010-06-16 01:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-24 15:34 . 2010-05-24 15:34 503808 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76a600ce-n\msvcp71.dll
2010-05-24 15:34 . 2010-05-24 15:34 499712 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76a600ce-n\jmc.dll
2010-05-24 15:34 . 2010-05-24 15:34 348160 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76a600ce-n\msvcr71.dll
2010-05-24 15:34 . 2010-05-24 15:34 61440 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4e8cb594-n\decora-sse.dll
2010-05-24 15:34 . 2010-05-24 15:34 12800 ----a-w- c:\documents and settings\Bill xxxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4e8cb594-n\decora-d3d.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2004-08-10 04:30 . 2006-08-26 03:25 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-12-20 20:56 . 2006-08-12 02:07 88 --sh--r- c:\windows\system32\C4AF8CDC58.sys
2009-12-20 20:56 . 2006-08-12 02:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-18 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-7 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 17:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2008 10:10 PM 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:17 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:17 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\Bill xxxxxxxxx\My Documents\Bills Salary\VCdRom.sys [12/19/2001 12:45 PM 8576]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 10:49 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 10:49 AM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/4/2008 11:01 PM 685816]
S2 gupdate1c99a1d96e7eee2;Google Update Service (gupdate1c99a1d96e7eee2);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2009 10:27 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 03:26]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 03:26]

2010-07-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-07-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: {7E164547-E591-4600-91A9-A4AA623FC423} = 207.69.188.185,207.69.188.186
DPF: {1FC81B67-3FC3-4FEF-8F50-9E24847141B7} - hxxps://ssl.selectpayment.com/dp/Instal ... rSetup.cab
DPF: {A389050E-8049-4D7D-BA71-A96BA286D0D6} - hxxps://ssl.selectpayment.com/dp/Instal ... Viewer.CAB
DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://ssl.selectpayment.com/dp/Instal ... bTWAIN.cab
FF - ProfilePath - c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\
FF - plugin: c:\documents and settings\Bill xxxxxxxxx\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-31 14:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-31 14:47:23
ComboFix-quarantined-files.txt 2010-07-31 19:47
ComboFix2.txt 2010-07-31 19:12

Pre-Run: 15,791,988,736 bytes free
Post-Run: 15,775,760,384 bytes free

- - End Of File - - FC0955B529FC78060AE16E092B4201F1
bc0167
Active Member
 
Posts: 12
Joined: July 25th, 2010, 10:03 pm

Re: Antivir virus and Firefox redirect

Unread postby askey127 » August 1st, 2010, 8:14 am

bc0167,
The use of utorrent and Shareaza are the likely reason your computer is infected.
The shared files are loaded with planted infections.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Shareaza 2.3.1.0

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------------------
Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to your Desktop. It will create a new folder.
  • Inside the new folder, if you have XP, double click ERUNT.exe. If you have Vista, right click ERUNT.exe and choose "Run as administrator"
  • OK all the prompts to back up your registry to the default location.
Note: If you ever need to restore your registry later, you would go to the default backup folder and start ERDNT.exe
(The default backup folder is C:\Windows\ERDNT\ and the backups are saved according to date stamp)
-------------------------------------------------------------
Run a CF Script
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Folder::
    c:\program files\Ask.com
    c:\Program Files\Shareaza
    c:\Program Files\uTorrent
    c:\program files\Free Window Registry Repair
    c:\program files\Lavasoft
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
----------------------------------------------
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Now Ensure all Firefox windows are closed.
  • To run the tool, double-click it.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

So we are looking for the log from Combofix, and the log from Gooredfix. Use separate posts if you prefer.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Antivir virus and Firefox redirect

Unread postby bc0167 » August 1st, 2010, 4:30 pm

Thanks!

+++++++++++++++++++++
ComboFix 10-07-30.01 - Bill xxxxxxxx 08/01/2010 14:58:21.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.297 [GMT -5:00]
Running from: c:\documents and settings\Bill xxxxxxxx\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Bill xxxxxxxx\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Ask.com
c:\program files\Ask.com\cb_4a.ico
c:\program files\Ask.com\cobrand.ico
c:\program files\Ask.com\config.xml
c:\program files\Ask.com\favicon.ico
c:\program files\Ask.com\fv_49.ico
c:\program files\Ask.com\mupcfg.xml
c:\program files\Ask.com\SaUpdate.exe
c:\program files\Ask.com\UpdateTask.exe
c:\program files\Free Window Registry Repair
c:\program files\Free Window Registry Repair\Backup\2010_01_23_081144.reg
c:\program files\Free Window Registry Repair\Settings.dat
c:\program files\Lavasoft

.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-07-26 01:56 . 2010-07-26 01:56 -------- d-----w- c:\program files\Trend Micro
2010-07-25 18:59 . 2010-05-21 19:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-25 18:59 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 18:48 . 2010-07-25 18:48 -------- d-----w- c:\program files\Windows Defender
2010-07-25 15:03 . 2010-07-25 15:03 -------- d-----w- c:\documents and settings\Bill xxxxxxxx\Application Data\SUPERAntiSpyware.com
2010-07-25 15:03 . 2010-07-25 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-25 15:02 . 2010-07-25 15:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-24 22:10 . 2010-07-24 22:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AskToolbar
2010-07-24 21:58 . 2010-07-25 04:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\mssyqmapb
2010-07-24 15:24 . 2010-07-24 15:24 -------- d-----w- C:\found.000
2010-07-20 05:21 . 2010-07-21 01:30 -------- d-----w- c:\documents and settings\Bill xxxxxxxx\Local Settings\Application Data\eotarvcrs
2010-07-18 04:16 . 2010-07-18 04:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-14 02:27 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-07 20:19 . 2010-07-07 20:19 -------- d-----w- c:\program files\iPod
2010-07-07 20:19 . 2010-07-07 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-07 20:14 . 2010-07-07 20:14 -------- d-----w- c:\program files\Apple Software Update
2010-07-07 20:11 . 2010-07-07 20:11 -------- d-----w- c:\program files\Bonjour
2010-07-03 01:56 . 2010-07-20 23:04 -------- d-----w- c:\documents and settings\Bill xxxxxxxx\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 19:43 . 2008-01-17 05:32 -------- d-----w- c:\documents and settings\Bill xxxxxxxx\Application Data\Shareaza
2010-07-30 01:43 . 2006-08-08 03:30 -------- d-----w- c:\program files\Java
2010-07-30 01:43 . 2008-09-28 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-07-30 01:41 . 2006-08-08 03:35 -------- d-----w- c:\program files\Dell
2010-07-30 01:40 . 2009-04-12 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-28 01:47 . 2010-07-21 01:46 452104 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\setup.exe
2010-07-26 01:56 . 2010-07-26 01:56 388096 ----a-r- c:\documents and settings\Bill xxxxxxxx\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-25 15:04 . 2010-07-25 15:04 63488 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-25 15:04 . 2010-07-25 15:04 52224 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-25 15:04 . 2010-07-25 15:04 117760 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-24 21:59 . 2010-05-30 04:32 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.dat
2010-07-21 09:52 . 2010-07-21 09:49 26641904 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\rp\RealPlayerSPGold.exe
2010-07-21 09:49 . 2010-07-21 09:49 220272 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-07-21 09:48 . 2010-07-21 09:48 149000 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\chr_helper\LaunchHelper.exe
2010-07-21 09:48 . 2010-07-21 09:48 13407072 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\chr\ChromeInstaller.exe
2010-07-21 09:47 . 2010-07-21 09:47 79368 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\RUP\vista.exe
2010-07-21 09:47 . 2010-07-21 09:47 73344 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi_v6.dll
2010-07-21 09:47 . 2010-07-21 09:47 64000 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\gcapi_dll.dll
2010-07-21 09:47 . 2010-07-21 09:47 52288 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\gtapi.dll
2010-07-21 09:47 . 2010-07-21 09:47 122880 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.12\RUP\inst_config\compat.dll
2010-07-21 01:45 . 2009-12-31 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2010-07-20 23:58 . 2008-09-13 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 23:48 . 2008-08-09 21:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-18 15:29 . 2008-02-08 03:49 78816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-07 20:20 . 2008-08-20 01:27 -------- d-----w- c:\program files\iTunes
2010-07-07 20:19 . 2007-09-13 02:32 -------- d-----w- c:\program files\Common Files\Apple
2010-07-07 20:16 . 2006-08-08 03:40 -------- d-----w- c:\program files\QuickTime
2010-07-04 00:56 . 2010-05-18 00:44 439816 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Real\Update\setup3.10\setup.exe
2010-07-01 18:52 . 2010-07-03 15:28 1496064 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 18:51 . 2010-07-03 15:28 43008 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 18:51 . 2010-07-03 15:28 338944 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 18:51 . 2010-07-03 15:28 346112 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-26 19:37 . 2010-06-26 19:37 -------- d-----w- c:\documents and settings\Bill xxxxxxxx\Application Data\Foxit Software
2010-06-26 03:47 . 2010-06-26 03:47 2944904 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-06-20 01:23 . 2010-06-20 01:23 2605008 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-06-18 02:14 . 2006-08-12 21:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-16 01:01 . 2010-06-16 01:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-24 15:34 . 2010-05-24 15:34 503808 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76a600ce-n\msvcp71.dll
2010-05-24 15:34 . 2010-05-24 15:34 499712 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76a600ce-n\jmc.dll
2010-05-24 15:34 . 2010-05-24 15:34 348160 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-76a600ce-n\msvcr71.dll
2010-05-24 15:34 . 2010-05-24 15:34 61440 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4e8cb594-n\decora-sse.dll
2010-05-24 15:34 . 2010-05-24 15:34 12800 ----a-w- c:\documents and settings\Bill xxxxxxxx\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4e8cb594-n\decora-d3d.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2004-08-10 04:30 . 2006-08-26 03:25 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-12-20 20:56 . 2006-08-12 02:07 88 --sh--r- c:\windows\system32\C4AF8CDC58.sys
2009-12-20 20:56 . 2006-08-12 02:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-07-31_19.01.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-01 19:52 . 2010-08-01 19:52 458752 c:\windows\erdnt\8-1-2010\Users\00000002\UsrClass.dat
+ 2010-08-01 19:52 . 2005-10-20 17:02 163328 c:\windows\erdnt\8-1-2010\ERDNT.EXE
+ 2010-08-01 19:52 . 2010-08-01 19:52 13889536 c:\windows\erdnt\8-1-2010\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-18 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-7 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 17:57 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2008 10:10 PM 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:17 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:17 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\Bill xxxxxxxx\My Documents\Bills Salary\VCdRom.sys [12/19/2001 12:45 PM 8576]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 10:49 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 10:49 AM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/4/2008 11:01 PM 685816]
S2 gupdate1c99a1d96e7eee2;Google Update Service (gupdate1c99a1d96e7eee2);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2009 10:27 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 03:26]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-01 03:26]

2010-08-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: {7E164547-E591-4600-91A9-A4AA623FC423} = 207.69.188.185,207.69.188.186
DPF: {1FC81B67-3FC3-4FEF-8F50-9E24847141B7} - hxxps://ssl.selectpayment.com/dp/Instal ... rSetup.cab
DPF: {A389050E-8049-4D7D-BA71-A96BA286D0D6} - hxxps://ssl.selectpayment.com/dp/Instal ... Viewer.CAB
DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://ssl.selectpayment.com/dp/Instal ... bTWAIN.cab
FF - ProfilePath - c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\
FF - plugin: c:\documents and settings\Bill xxxxxxxx\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 15:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-01 15:16:39
ComboFix-quarantined-files.txt 2010-08-01 20:16
ComboFix2.txt 2010-07-31 19:47
ComboFix3.txt 2010-07-31 19:12

Pre-Run: 15,713,452,032 bytes free
Post-Run: 15,723,401,216 bytes free

- - End Of File - - 5BF9D90E6B9616A74708643AD905CF64

++++++++++++++++++++++++++++++++++
GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:21 on 01/08/2010 (Bill xxxxxxxx)
Firefox version 3.5.8 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:46 11/08/2006]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [12:56 09/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [02:21 03/05/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [22:10 20/06/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [00:08 05/04/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [18:59 25/07/2010]

C:\Documents and Settings\Bill xxxxxxxx\Application Data\Mozilla\Firefox\Profiles\hp3csg12.default\extensions\
addon@tv-manager.org [04:08 15/01/2010]
mark@areyouwatchingthis.com [00:00 27/12/2009]
moveplayer@movenetworks.com [13:53 15/03/2009]
toolbar@ask.com [02:26 25/06/2010]
videodowloader@videodownloader.net [05:35 08/03/2008]
zotero@chnm.gmu.edu [02:16 03/12/2009]
{20a82645-c095-46ed-80e3-08825760534b} [00:22 03/09/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [15:28 03/07/2010]
{37E4D8EA-8BDA-4831-8EA1-89053939A250} [17:41 19/12/2009]
{46551EC9-40F0-4e47-8E18-8E5CF550CFB8} [04:17 15/01/2010]
{5a2b4e34-ce62-42e9-a658-06ba4490adf8} [03:41 09/10/2007]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [11:11 04/05/2009]
{6C4BAFB6-2AC2-4405-A98D-546B55B3AE92} [01:35 25/01/2010]
{77b819fa-95ad-4f2c-ac7c-486b356188a9} [17:41 19/12/2009]
{88060a48-addf-4060-87db-c9aec3e5615a} [23:25 17/09/2007]
{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [17:41 19/12/2009]
{c7d1f80d-de65-49ee-852b-2b00b3b19a5d} [17:31 19/12/2009]
{fe0258ab-4f74-43a1-8781-bcdf340f9ee9} [19:14 25/07/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:22 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:07 05/04/2010]

-=E.O.F=-
++++++++++++++++++++++++++++++++++++++++++++++++++
bc0167
Active Member
 
Posts: 12
Joined: July 25th, 2010, 10:03 pm

Re: Antivir virus and Firefox redirect

Unread postby askey127 » August 3rd, 2010, 6:09 am

bc0167,
One of your firefox extensions is this : toolbar@ask.com
You should delete it; and staying away from ask.com altogether is a good idea.

Tell me how it's running.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Antivir virus and Firefox redirect

Unread postby bc0167 » August 3rd, 2010, 11:36 pm

Running fantastic. Thanks so much for your help. No more brwser/Google hijacks.

Again, thanks so much for your time!

Bill
bc0167
Active Member
 
Posts: 12
Joined: July 25th, 2010, 10:03 pm

Re: Antivir virus and Firefox redirect

Unread postby askey127 » August 4th, 2010, 6:25 am

Good idea to delete Combofix.exe (zzz.exe) and GooredFix from your desktop.
If those were ever needed in the future, you would need new ones anyway.
Glad we could help.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Antivir virus and Firefox redirect

Unread postby askey127 » August 7th, 2010, 8:01 am

this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 20 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware