google search hijacked in firefox


Post by jyossarian » March 18th, 2011, 7:16 am

My Google search results send me to undesired links (i.e. flurry search, bOOkmarks). It is also fairly slow on startup.

LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:08:21 AM, on 3/18/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\System32\rundll32.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admin\Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Futuremark SystemInfo Service - Futuremark Corporation - C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6683 bytes
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am
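A small parser for HijackThis-style log lines, added here as an example; it is not part of this thread, of HijackThis, or of MalwareRemoval.com's procedures. The sample input is a constructed subset of the entries posted above, and the triage rules (missing service binary, autorun entry with no absolute path, hosts-file override of anything other than localhost, repeated entries) are this example's own simple heuristics for deciding what to look at first, not verdicts from HijackThis or from the helpers in this thread.

```python
"""Parse HijackThis-style log lines and apply first-pass triage heuristics.

Added example (not HijackThis code). The rules below are this example's
own assumptions about what an analyst reads first, nothing more.
"""
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis entries posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Startup: PowerReg Scheduler V3.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Every HijackThis entry starts with a section code such as R1, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# First absolute Windows path ending in a binary extension (paths may contain spaces).
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|cpl))", re.IGNORECASE)
# Assumed "usual" locations for autorun binaries on this 32-bit Vista system.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(text):
    """Return one dict per entry line; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "path": pm.group("path").lower() if pm else None,
            "file_missing": "(file missing)" in body,
        })
    return entries


def triage(entries):
    """Return (code, reason, body) tuples for entries worth a closer look."""
    findings = []
    # 1. Services/autoruns whose binary HijackThis itself could not find.
    for e in entries:
        if e["file_missing"]:
            findings.append((e["code"], "binary missing", e["body"]))
    # 2. Autoruns with no absolute path, or a path outside the usual directories.
    for e in entries:
        if e["code"] == "O4":
            if e["path"] is None:
                findings.append(("O4", "no absolute path", e["body"]))
            elif not e["path"].startswith(SYSTEM_DIRS):
                findings.append(("O4", "path outside Windows/Program Files", e["body"]))
    # 3. Hosts-file lines that map a name other than localhost.
    for e in entries:
        if e["code"] == "O1":
            fields = e["body"].split(":", 1)[1].split()  # ["::1", "localhost"]
            names = [n for n in fields[1:] if n not in ("localhost", "localhost.localdomain")]
            if names:
                findings.append(("O1", "hosts override for " + ", ".join(names), e["body"]))
    # 4. Identical entries repeated (HijackThis lists one O10 line per LSP chain slot).
    for (code, body), n in Counter((e["code"], e["body"]) for e in entries).items():
        if n > 1:
            findings.append((code, "repeated %d times" % n, body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print("%-4s %-32s %s" % (code, reason, body))
```

Repeated lines are collapsed rather than treated as separate findings, since the nine identical O10 lines in the log above describe one file seen in several LSP chain slots; whether that file is legitimate is a separate question the parser does not answer.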

Re: google search hijacked in firefox

Post by Gizzy » March 18th, 2011, 8:50 am

Hello jyossarian and Welcome to Malware Removal! :)
My name is Gizzy and I'll be glad to help you with your malware problems.

Please note the following while we work:
  • The fixes are specific to your problem and should only be used for this issue on this computer.
  • Perform all actions in the order given.
  • If you don't know or understand something stop and ask! Don't keep going on.
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please DO NOT run any tools or scans unless I ask you to.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • The process is not instant. Please continue to respond to this thread until I give you the All Clean! Absence of symptoms does not mean that everything is clear.


UAC Advice
  • All applications I ask to be used will require to be run in Administrator mode. i.e. Right-click on and select Run as administrator.
  • The Operating System (Windows Vista) in use comes with an inbuilt utility called User Account Control (UAC).
  • When prompted by this with anything I ask you to carry out please select the option Allow.


Download and Run DDS
Please download DDS by sUBs from one of the links below and save it to your desktop

Link 1
Link 2
Link 3

  1. Disable any script blocker, then right-click the dds file and select Run as administrator to run the tool. A command window will appear; this is normal.
  2. Once DDS has finished, two logs will appear:
    • DDS.txt
    • Attach.txt
  3. A window will open instructing you to save & post the logs.
  4. Save the logs to a convenient place such as your desktop.
  5. Copy & paste the contents of both logs in your next reply.
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: google search hijacked in firefox

Post by jyossarian » March 18th, 2011, 10:12 am

DDS:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by admin at 10:05:15.26 on Fri 03/18/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.452 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\wpcumi.exe
C:\Windows\System32\rundll32.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\vssvc.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\admin\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\tdh02g7j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Sxipper: sxipper@sxip.com - %profile%\extensions\sxipper@sxip.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: XULRunner: {D33A2D11-A656-4FA0-AE8C-3D2F451DC63C} - c:\users\admin\appdata\local\{D33A2D11-A656-4FA0-AE8C-3D2F451DC63C}
.
============= SERVICES / DRIVERS ===============
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-21 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-25 61960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-12 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-20 1153368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\common files\futuremark shared\futuremark systeminfo\FMSISvc.exe [2011-2-18 129440]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-11-14 28672]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2007-4-14 10379]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-18 13:50:04 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{62682f07-c576-4518-9178-13320f6e0d86}\mpengine.dll
2011-03-18 11:07:49 388096 ----a-r- c:\users\admin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-18 11:07:48 -------- d-----w- c:\program files\Trend Micro
2011-03-16 13:13:15 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-03-16 13:13:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-16 13:13:02 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-16 13:12:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-16 13:12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-10 02:11:20 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 02:11:20 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 02:11:20 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 02:11:20 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 02:11:17 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-10 02:11:17 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-01 19:09:54 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-02-24 12:09:14 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-18 15:04:13 -------- d-----w- c:\program files\common files\Futuremark Shared
.
==================== Find3M ====================
.
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 10:05:56.50 ===============



AND Attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 4/12/2007 6:50:29 AM
System Uptime: 3/18/2011 6:44:04 AM (4 hours ago)
.
Motherboard: Dell Inc | |
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket M2 | 1800/1000mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 69.684 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.005 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1281: 3/4/2011 6:39:06 PM - Scheduled Checkpoint
RP1282: 3/9/2011 9:00:04 PM - Windows Update
RP1283: 3/10/2011 7:54:43 AM - Windows Update
RP1284: 3/11/2011 11:34:41 AM - Windows Update
RP1285: 3/13/2011 9:06:00 PM - Scheduled Checkpoint
RP1286: 3/14/2011 11:23:31 AM - Scheduled Checkpoint
RP1287: 3/15/2011 7:16:51 AM - Windows Update
RP1288: 3/16/2011 6:58:20 AM - Windows Update
RP1289: 3/16/2011 11:00:44 AM - Installed HiJackThis
RP1290: 3/17/2011 7:37:00 AM - Scheduled Checkpoint
RP1291: 3/18/2011 9:48:26 AM - Windows Update
RP1293: 3/18/2011 9:59:35 AM - Windows Defender Checkpoint
.
==== Installed Programs ======================
.
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.1
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGEIA PhysX v7.07.09
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
Avira AntiVir Personal - Free Antivirus
Bonjour
CCleaner
Conexant D850 PCI V.92 Modem
Dell System Customization Wizard
DellConnect
Digital Line Detect
Documentation & Support Launcher
DVD Decrypter (Remove Only)
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
Foxit Creator
Foxit Reader
Futuremark SystemInfo
Garmin Communicator Plugin
Garmin USB Drivers
GNU Privacy Guard
Google SketchUp 8
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 20
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Modem Diagnostic Tool
Moneydance 2007
MozBackup 1.4.10
Mozilla Firefox (3.6.15)
Mozilla Thunderbird (3.1.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
neroxml
NetWaiting
NVIDIA Drivers
OpenOffice.org 3.1
Opera 11.00
PDF Settings
Picasa 3
QuickTime
Sansa Updater
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SigmaTel Audio
Skype™ 3.8
Sonic Activation Module
Spybot - Search & Destroy
upapp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
Winamp
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Media Player Firefox Plugin
.
==== Event Viewer Messages From Past Week ========
.
3/17/2011 8:47:06 AM, Error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
3/16/2011 6:54:56 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{120E0AB6-5F8E-45F9-9184-97DE8994349D} because another computer on the network has the same name. The server could not start.
.
==== End Of File ===========================


Thanks!
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Post by Gizzy » March 19th, 2011, 1:12 am

Hi jyossarian,
No need to attach any of the logs; just post them in your reply. :)

I see you have Malwarebytes' Anti-Malware installed. Did you run a scan with it recently? If so, please post the log if it removed anything.
It can be found here:
  • C:\Users\Username\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Disable Windows Defender
  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top, then under Settings, click on Options.
  3. Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended).
  4. Under Real-time protection options, uncheck (untick) Use real-time protection (recommended).
  5. Click on the Save button at the bottom right hand corner.

Note: Please do not Re-enable this until I tell you to do so.


Uninstall Programs
  1. Go to Start > Control Panel > Programs and Features
  2. Right click on each instance of:

    • Java Auto Updater
    • Java(TM) 6 Update 16
    • Java(TM) 6 Update 4
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7
    • Java(TM) SE Runtime Environment 6

  3. Click Uninstall & then follow the prompts to remove it.


Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  1. Ensure all Firefox windows are closed.
  2. To run the tool, right-click it and select Run as administrator.
  3. When prompted to run the scan, click Yes.
  4. GooredFix will check for infections, and then a log will appear.
  5. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Gmer Rootkit Scanner
Download GMER Rootkit Scanner from here & save it to your desktop.
  1. Right-click the .exe file and select Run as administrator. If asked to allow the gmer.sys driver to load, please consent.
  2. If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  3. In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      [image: screenshot of the GMER scan options to uncheck]
  4. Then click the Scan button & wait for it to finish
  5. Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file.
  6. Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Do not run any programs while Gmer is running.


Please reply with:
  • GooredFix log
  • Gmer log
  • Update on your computer's performance
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: google search hijacked in firefox

Post by jyossarian » March 19th, 2011, 2:47 pm

Gizzy,

Thanks for the help so far. I continue to have problems with hijacked search results, but as I found out yesterday, they are not limited to Google. I had a Yahoo search result that directed me to another odd website.

Here's what I've done:

1) Disable Windows Defender - DONE

2) Uninstall Programs
* Java Auto Updater CANNOT FIND ON LIST OF PROGRAMS TO UNINSTALL
* Java(TM) 6 Update 16 - DONE
* Java(TM) 6 Update 4 - DONE
* Java(TM) 6 Update 5 - DONE
* Java(TM) 6 Update 7 - DONE
* Java(TM) SE Runtime Environment 6 - DONE

3) GooredFix

GooredFix by jpshortstuff (03.07.10.1)
Log created at 13:28 on 19/03/2011 (admin)
Firefox version 3.6.15 (en-US)

========== GooredScan ==========

Removing Orphan:
"{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [15:08 08/06/2007]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [10:31 08/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [12:04 30/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [14:01 29/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [19:39 09/11/2009]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [16:25 05/05/2010]

C:\Users\admin\Application Data\Mozilla\Firefox\Profiles\tdh02g7j.default\extensions\
enquiries@retailmenot.com [13:55 19/07/2010]
sxipper@sxip.com [13:55 19/07/2010]
{20a82645-c095-46ed-80e3-08825760534b} [13:55 19/07/2010]
{37E4D8EA-8BDA-4831-8EA1-89053939A250} [13:56 17/02/2011]
{3d7eb24f-2740-49df-8937-200b1cc08f8a} [11:40 16/11/2010]
{44d0a1b4-9c90-4f86-ac92-8680b5d6549e} [11:40 16/11/2010]
{888d99e7-e8b5-46a3-851e-1ec45da1e644} [13:56 17/02/2011]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [13:56 17/02/2011]
{fce36c1e-58d8-498a-b2a5-66ad1cedebbb} [00:14 19/09/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [14:21 30/07/2009]

-=E.O.F=-


4) Gmer Rootkit Scanner:

GMER 1.0.15.15565 - http://www.gmer.net
Rootkit scan 2011-03-19 14:35:57
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000004a ST316081 rev.3.AD
Running: kh8rb5er.exe; Driver: C:\Users\admin\AppData\Local\Temp\fxldipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x89803340, 0x2926E7, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}@nalkpmkminpdomcghfebmifeggij 0x6A 0x61 0x69 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}@oaflfmijeebmapfihdmlaanbkephfb 0x69 0x61 0x65 0x65 ...

---- EOF - GMER 1.0.15 ----

5) Malwarebytes results:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6075

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/16/2011 10:55:59 AM
mbam-log-2011-03-16 (10-55-59).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 352206
Time elapsed: 1 hour(s), 39 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


J.
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Unread post by Gizzy » March 20th, 2011, 3:31 am

Hi jyossarian,
jyossarian wrote: Thanks for the help so far.
You're welcome. :)


Disable Avira anti-virus
  1. Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background (looks like this: Image )
  2. Right-click it -> untick the option AntiVir Guard enable.
  3. You should now see a closed white umbrella on a red background (looks like this: Image )
  4. Note: Don't forget to re-enable it after the fix.


Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Right-click on ComboFix.exe and select Run as administrator then follow the prompts.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please reply with:
  • ComboFix log
  • Update on computer's performance
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: google search hijacked in firefox

Unread post by jyossarian » March 20th, 2011, 9:18 am

Gizzy,

Should I be concerned that I am unable to find and delete Java Auto Updater per your previous instructions? The only Java in the list of programs now is Java(TM) 6 Update 20.

Computer is running fine and I have not seen a hijacked search result yet this morning, but it was not an every time problem.

Here is the Combofix result:

ComboFix 11-03-19.03 - admin 03/20/2011 8:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.359 [GMT -4:00]
Running from: c:\users\admin\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\admin\AppData\Local\{D33A2D11-A656-4FA0-AE8C-3D2F451DC63C}
c:\users\admin\AppData\Local\{D33A2D11-A656-4FA0-AE8C-3D2F451DC63C}\chrome.manifest
c:\users\admin\AppData\Local\{D33A2D11-A656-4FA0-AE8C-3D2F451DC63C}\chrome\content\_cfg.js
c:\users\admin\AppData\Local\{D33A2D11-A656-4FA0-AE8C-3D2F451DC63C}\chrome\content\overlay.xul
c:\users\admin\AppData\Local\{D33A2D11-A656-4FA0-AE8C-3D2F451DC63C}\install.rdf
c:\users\admin\ntuser.pol
c:\users\Kids\ntuser.pol
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-18 13:50 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{62682F07-C576-4518-9178-13320F6E0D86}\mpengine.dll
2011-03-18 11:07 . 2011-03-18 11:07 388096 ----a-r- c:\users\admin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-18 11:07 . 2011-03-18 11:07 -------- d-----w- c:\program files\Trend Micro
2011-03-16 13:13 . 2011-03-16 13:13 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-16 13:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-16 13:13 . 2011-03-16 13:13 -------- d-----w- c:\programdata\Malwarebytes
2011-03-16 13:12 . 2011-03-16 13:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-16 13:12 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-10 02:11 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 02:11 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 02:11 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 02:11 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 02:11 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-10 02:11 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-01 19:09 . 2011-03-01 19:09 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-02-24 12:09 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-02-18 15:04 . 2011-02-18 15:04 -------- d-----w- c:\program files\Common Files\Futuremark Shared
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 13:41 . 2010-12-21 20:57 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-02 22:11 . 2009-10-02 17:59 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 23:33 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 23:33 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 23:33 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 23:33 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 23:33 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 23:33 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 23:33 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 23:33 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 23:33 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 23:33 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 23:33 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 23:33 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 23:33 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 23:33 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 23:33 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 23:33 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 23:33 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 23:33 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-09 23:33 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 23:33 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 23:33 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 23:33 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 23:33 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 23:33 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 23:33 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 23:33 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-09 23:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-09 23:33 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-09 23:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 23:32 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 23:33 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-31 13:56 . 2010-12-21 20:13 0 ----a-w- c:\users\admin\AppData\Local\Igajokara.bin
2010-12-28 15:55 . 2011-01-12 13:40 413696 ----a-w- c:\windows\system32\odbc32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-12 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
2007-02-15 11:00 179200 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATICDA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 05:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-18 21:31 21633320 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-03-09 15:49 37888 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x32.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-01-13 129440]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2007-03-21 28672]
R3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\Drivers\olcamudp.sys [2000-02-10 10379]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-20 c:\windows\Tasks\User_Feed_Synchronization-{07C367A4-6388-4B67-80AD-F0000DF84653}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
2011-03-20 c:\windows\Tasks\User_Feed_Synchronization-{254C98C2-2790-4580-97EA-548D83BF9042}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdh02g7j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Sxipper: sxipper@sxip.com - %profile%\extensions\sxipper@sxip.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-HPDJ Taskbar Utility - c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-Windows Mobile Device Center - c:\windows\WindowsMobile\wmdc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 08:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\S-1-5-21-3735952739-2736596948-855393503-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}*]
"nalkpmkminpdomcghfebmifeggij"=hex:6a,61,69,61,6c,69,63,67,68,62,66,64,6e,6b,
62,64,6d,6a,61,6d,00,ea
"oaflfmijeebmapfihdmlaanbkephfb"=hex:69,61,65,65,69,6a,6d,6b,65,6c,70,6a,6a,69,
64,6e,6b,67,00,77
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-20 08:53:31
ComboFix-quarantined-files.txt 2011-03-20 12:53
.
Pre-Run: 90,828,820,480 bytes free
Post-Run: 90,768,621,568 bytes free
.
- - End Of File - - 3DC5D23551F8300A2E17A823166E1A38
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Unread post by jyossarian » March 20th, 2011, 10:18 am

Gizzy,

Sorry I forgot to mention that before running Combofix, I was prompted to update the software. I updated the software and then ran the scan. I hope this was correct.

Thanks again,
J.
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Unread post by Gizzy » March 20th, 2011, 2:02 pm

Hi jyossarian, :)

jyossarian wrote: Should I be concerned that I am unable to find and delete Java Auto Updater per your previous instructions? The only Java in the list of programs now is Java(TM) 6 Update 20.
No need to be concerned about Java Auto Updater, and we're going to update that remaining Java now in the instructions below.

jyossarian wrote: Sorry I forgot to mention that before running Combofix, I was prompted to update the software. I updated the software and then ran the scan. I hope this was correct.
Yes, that's fine.


Update Adobe Reader
Your version of Adobe Reader is out of date.
Older versions have vulnerabilities that can be used to infect your system.
Go Here to download and install Adobe Reader X.
Note: Uncheck Free McAfee® Security Scan Plus (optional)


Update Java
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 24.

  1. Go Here
  2. Click the Windows 7, XP Offline link to download it, and save it to a convenient location.
  3. Go to Start > Control Panel > Programs and Features
  4. Uninstall all old versions of Java (Java(TM) 6 Update 20)
  5. Reboot your computer
  6. Delete the folder C:\Program Files\Java if present
  7. Install the new version by right-clicking the downloaded file jre-6u24-windows-i586-s.exe and select Run as administrator then follow the on-screen instructions.
  8. Reboot your computer


Disable Avira anti-virus
  1. Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background (looks like this: Image )
  2. Right-click it -> untick the option AntiVir Guard enable.
  3. You should now see a closed white umbrella on a red background (looks like this: Image )
  4. Note: Don't forget to re-enable it after the fix.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  1. Please open Notepad (Start > Run > type notepad in the Open field > OK) and copy and paste the text present inside the code box below:

    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    [-HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    [-HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    [-HKLM\~\startupfolder\C:^Users^admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX7400 Series]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000000
    
    Regnull::
    [HKEY_USERS\S-1-5-21-3735952739-2736596948-855393503-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}*]
    
    

  2. Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  3. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  4. If you need help to disable your protection programs see here.
  5. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  6. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  7. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Please reply with:
  • Combofix log
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA
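Two things in this thread are worth being able to read mechanically rather than by eye: the hex-encoded binary values ComboFix listed under LOCKED REGISTRY KEYS in the log jyossarian posted earlier (GMER reported the same Shell Extensions\Approved entries as "0x6A 0x61 0x69 0x61 ..."), and the CFScript format used in the post above, where a Registry:: block in regedit syntax marks keys to delete as [-KEY] and sets values, and a Regnull:: block lists keys by path. The Python below is an added example, not ComboFix's, GMER's or this forum's own code. It parses that REGEDIT4-style text, decodes the hex values to the ASCII they contain, and summarises what a CFScript would change so a helper can review it before anyone runs it. It assumes a hex: value continues on the next line when the line ends with a backslash (regedit export) or a bare comma (ComboFix's log layout above); the sample inputs are the two values copied from the log above and a shortened copy of the script above.

```python
import re
from dataclasses import dataclass, field

# Added example, not code from ComboFix, GMER or this forum. It parses the REGEDIT4-style text
# ComboFix prints (Reg Loading Points, LOCKED REGISTRY KEYS) and a CFScript's Registry:: block
# uses. Assumption: a hex: value continues on the next line when the line ends with a backslash
# (regedit export) or a bare comma (ComboFix's log layout, as in the log above).

@dataclass
class RegValue:
    name: str
    kind: str              # "dword", "hex", "string" or "unknown"
    raw: str               # text after the type prefix, continuation lines joined
    data: bytes = b""      # decoded bytes where the type is known

@dataclass
class RegKey:
    path: str
    delete: bool = False   # "[-KEY]" in regedit syntax deletes the whole key
    values: list = field(default_factory=list)

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_regedit4(text):
    """Return one RegKey per [KEY] / [-KEY] block, with its values decoded."""
    keys, current, pending = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if pending is not None:            # continuation line of a hex: value
            pending.raw += line.rstrip("\\").strip()
            if not line.endswith(("\\", ",")):
                pending.data = bytes(int(h, 16) for h in pending.raw.split(",") if h.strip())
                pending = None
            continue
        if not line or line in (".", "REGEDIT4"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = RegKey(path=m.group(2), delete=(m.group(1) == "-"))
            keys.append(current)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = m.groups()
            if rhs.startswith("dword:"):
                val = RegValue(name, "dword", rhs[6:], int(rhs[6:], 16).to_bytes(4, "little"))
            elif rhs.startswith("hex:"):
                val = RegValue(name, "hex", rhs[4:].rstrip("\\").strip())
                if line.endswith(("\\", ",")):
                    pending = val          # data is completed on the following line(s)
                else:
                    val.data = bytes(int(h, 16) for h in val.raw.split(",") if h.strip())
            else:                          # quoted string, or a type this example does not decode
                val = RegValue(name, "string" if rhs.startswith('"') else "unknown", rhs.strip('"'))
            current.values.append(val)
    return keys

def printable_prefix(data):
    """ASCII text of a binary value up to its first NUL; other bytes shown as '.'."""
    head = data.split(b"\x00", 1)[0]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in head)

def parse_cfscript(text):
    """Split a CFScript into 'Name::' sections; summarise Registry:: and Regnull::."""
    sections, name = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"[A-Za-z]+::", line):
            name = line[:-2]
            sections[name] = []
        elif name is not None and line:
            sections[name].append(line)
    reg = parse_regedit4("\n".join(sections.get("Registry", [])))
    return {
        "delete_keys": [k.path for k in reg if k.delete],
        "set_values": [(k.path, v.name, v.raw) for k in reg if not k.delete for v in k.values],
        "regnull_keys": [l.strip("[]") for l in sections.get("Regnull", [])],
    }

# Copied from the LOCKED REGISTRY KEYS section of the ComboFix log above.
LOCKED_KEYS_SAMPLE = r'''
[HKEY_USERS\S-1-5-21-3735952739-2736596948-855393503-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}*]
"nalkpmkminpdomcghfebmifeggij"=hex:6a,61,69,61,6c,69,63,67,68,62,66,64,6e,6b,
62,64,6d,6a,61,6d,00,ea
"oaflfmijeebmapfihdmlaanbkephfb"=hex:69,61,65,65,69,6a,6d,6b,65,6c,70,6a,6a,69,
64,6e,6b,67,00,77
'''
# Shortened from the CFScript in the post above (same directives, fewer keys).
CFSCRIPT_SAMPLE = r'''
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000000
Regnull::
[HKEY_USERS\S-1-5-21-3735952739-2736596948-855393503-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{61F07937-C480-210B-F1E8-74C308A1B372}*]
'''

if __name__ == "__main__":
    for k in parse_regedit4(LOCKED_KEYS_SAMPLE):
        print(k.path, [(v.name, len(v.data), printable_prefix(v.data)) for v in k.values])
    print(parse_cfscript(CFSCRIPT_SAMPLE))
```

Run as a script it prints the decoded contents of the two locked values (each is a run of lowercase letters, then a NUL and one trailing byte, 22 and 20 bytes in total) and a summary of the script: the one key it deletes, the McAfeeAntiSpyware DisableMonitoring value it sets back to 0, and the Approved key the Regnull:: block names, with the trailing `*` kept exactly as ComboFix printed it. The point of the summary is review: every path a script touches is listed before it is dragged onto ComboFix.exe, so a typo in a key path or a stray deletion is caught on screen rather than in the registry.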

Re: google search hijacked in firefox

Unread post by jyossarian » March 20th, 2011, 9:05 pm

Gizzy,

Adobe updated
Java updated
Combofix run as instructed / log posted below

Thanks,
J.

ComboFix 11-03-19.03 - admin 03/20/2011 20:36:15.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.401 [GMT -4:00]
Running from: c:\users\admin\Desktop\ComboFix.exe
Command switches used :: c:\users\admin\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-21 to 2011-03-21 )))))))))))))))))))))))))))))))
.
.
2011-03-21 00:46 . 2011-03-21 00:46 -------- d-----w- c:\users\admin\AppData\Local\temp
2011-03-21 00:46 . 2011-03-21 00:46 -------- d-----w- c:\users\Kids\AppData\Local\temp
2011-03-21 00:46 . 2011-03-21 00:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-21 00:14 . 2011-03-21 00:14 -------- d-----w- c:\program files\Common Files\Java
2011-03-21 00:13 . 2011-03-21 00:13 -------- d-----w- c:\program files\Java
2011-03-18 13:50 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{62682F07-C576-4518-9178-13320F6E0D86}\mpengine.dll
2011-03-18 11:07 . 2011-03-18 11:07 388096 ----a-r- c:\users\admin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-18 11:07 . 2011-03-18 11:07 -------- d-----w- c:\program files\Trend Micro
2011-03-16 13:13 . 2011-03-16 13:13 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-16 13:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-16 13:13 . 2011-03-16 13:13 -------- d-----w- c:\programdata\Malwarebytes
2011-03-16 13:12 . 2011-03-16 13:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-16 13:12 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-10 02:11 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 02:11 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 02:11 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 02:11 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 02:11 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-10 02:11 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-01 19:09 . 2011-03-01 19:09 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-02-24 12:09 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-21 00:13 . 2010-05-05 16:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-18 13:41 . 2010-12-21 20:57 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-02 22:11 . 2009-10-02 17:59 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-09 23:33 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 23:33 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 23:33 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 23:33 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 23:33 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 23:33 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 23:33 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 23:33 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 23:33 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 23:33 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 23:33 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 23:33 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 23:33 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 23:33 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 23:33 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 23:33 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 23:33 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 23:33 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-09 23:33 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 23:33 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 23:33 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 23:33 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 23:33 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 23:33 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 23:33 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 23:33 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-09 23:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-09 23:33 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-09 23:32 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 23:32 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 23:33 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-31 13:56 . 2010-12-21 20:13 0 ----a-w- c:\users\admin\AppData\Local\Igajokara.bin
2010-12-28 15:55 . 2011-01-12 13:40 413696 ----a-w- c:\windows\system32\odbc32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-12 45056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 cpuz135;cpuz135;c:\windows\TEMP\cpuz135\cpuz135_x32.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2011-01-13 129440]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\DRIVERS\libusb0.sys [2007-03-21 28672]
R3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\Drivers\olcamudp.sys [2000-02-10 10379]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-12-13 135336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-21 c:\windows\Tasks\User_Feed_Synchronization-{07C367A4-6388-4B67-80AD-F0000DF84653}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
2011-03-21 c:\windows\Tasks\User_Feed_Synchronization-{254C98C2-2790-4580-97EA-548D83BF9042}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\tdh02g7j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Sxipper: sxipper@sxip.com - %profile%\extensions\sxipper@sxip.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 20:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-20 20:48:37
ComboFix-quarantined-files.txt 2011-03-21 00:48
ComboFix2.txt 2011-03-20 12:53
.
Pre-Run: 88,223,363,072 bytes free
Post-Run: 88,203,485,184 bytes free
.
- - End Of File - - 4CA4F0E8317C6EB548206B07AEACC65B
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Unread postby Gizzy » March 21st, 2011, 4:32 am

Hi jyossarian,
After doing the following, let me know if you're still not getting redirects. Feel free to give it a day or so to be sure.


TFC (Temp File Cleaner)
  1. Please download TFC from here and save it to your desktop.
  2. Right-click TFC.exe and select Run as administrator to run the program.
  3. Click the Start button in the bottom left of TFC
  4. If prompted, click Yes to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Disable Avira anti-virus
  1. Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks like this: Image )
  2. Right-click it -> untick the option AntiVir Guard enable.
  3. You should now see a closed, white umbrella on a red background (looks like this: Image )
  4. Note: Don't forget to re-enable it after the fix.


ESET Online Scanner
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

You will need to right-click on either the Internet Explorer or Firefox icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as administrator from the context menu.

  1. Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  2. Select the option YES, I accept the Terms of Use then click on: Image
  3. When prompted allow the Add-On/Active X to install.
  4. Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  5. Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  6. Now click on: Image
  7. The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  8. When completed the Online Scan will begin automatically. Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  9. When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  10. Now click on: Image
  11. Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  12. Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Run DDS
Should still be on your computer.

  1. Disable any script blocker, then right-click the dds file and select Run as administrator to run the tool. A command window will appear; this is normal.
  2. Once DDS has finished, Two logs will appear:
    • DDS.txt
    • Attach.txt
  3. A window will open instructing you save & post the logs
  4. Save the logs to a convenient place such as your desktop
  5. Copy & paste the contents of both logs in your next reply


Please reply with:
  • Eset log
  • DDS logs
  • Update on computer's performance
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA

Re: google search hijacked in firefox

Unread postby jyossarian » March 21st, 2011, 9:38 am

Gizzy,

I will post in a few days as to the success of the fixes. I'm curious as to whether you saw the offending malware removed or if you assume it was removed in the process. I also see that this seems to be a common problem in the forum. Is there something I did or failed to do that allowed this malware to take hold?

I did not see any redirects yesterday.

TFC was run
ESET scanner run (results posted below)
DDS rerun (results posted below)

I really appreciate your time,
J.





ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=712906504c720047a9d309c07a71caf7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-21 01:13:59
# local_time=2011-03-21 09:13:59 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775165 100 94 0 36299786 0 0
# compatibility_mode=5892 16776637 100 100 0 137313965 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=188445
# found=0
# cleaned=0
# scan_time=6802

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by admin at 9:26:56.56 on Mon 03/21/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.220 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\sttray.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Users\admin\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\tdh02g7j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Sxipper: sxipper@sxip.com - %profile%\extensions\sxipper@sxip.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-25 61960]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-11-14 28672]
S3 OlCamudp;OLYMPUS Digital Camera;c:\windows\system32\drivers\olcamudp.sys [2007-4-14 10379]
.
=============== Created Last 30 ================
.
2011-03-21 00:48:39 -------- d-----w- c:\users\admin\appdata\local\temp
2011-03-21 00:48:03 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-21 00:33:23 -------- d-----w- C:\ComboFix
2011-03-20 12:36:41 98816 ----a-w- c:\windows\sed.exe
2011-03-20 12:36:41 89088 ----a-w- c:\windows\MBR.exe
2011-03-20 12:36:41 256512 ----a-w- c:\windows\PEV.exe
2011-03-20 12:36:41 161792 ----a-w- c:\windows\SWREG.exe
2011-03-18 13:50:04 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{62682f07-c576-4518-9178-13320f6e0d86}\mpengine.dll
2011-03-18 11:07:49 388096 ----a-r- c:\users\admin\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-18 11:07:48 -------- d-----w- c:\program files\Trend Micro
2011-03-16 13:13:15 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-03-16 13:13:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-16 13:13:02 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-16 13:12:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-16 13:12:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-10 02:11:20 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 02:11:20 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 02:11:20 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 02:11:20 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 02:11:17 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-10 02:11:17 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-01 19:09:54 749832 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-02-24 12:09:14 2048 ----a-w- c:\windows\system32\winrsmgr.dll
.
==================== Find3M ====================
.
2011-03-21 00:13:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 9:33:39.94 ===============

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 4/12/2007 6:50:29 AM
System Uptime: 3/21/2011 6:55:56 AM (3 hours ago)
.
Motherboard: Dell Inc | |
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ | Socket M2 | 1800/1000mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 81.851 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.005 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader X (10.0.1)
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGEIA PhysX v7.07.09
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
Avira AntiVir Personal - Free Antivirus
Bonjour
CCleaner
Conexant D850 PCI V.92 Modem
Dell System Customization Wizard
DellConnect
Digital Line Detect
Documentation & Support Launcher
DVD Decrypter (Remove Only)
EPSON CX7400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7400 Series Scanner Driver Update
Foxit Creator
Foxit Reader
Futuremark SystemInfo
Garmin Communicator Plugin
Garmin USB Drivers
GNU Privacy Guard
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Modem Diagnostic Tool
Moneydance 2007
MozBackup 1.4.10
Mozilla Firefox (3.6.15)
Mozilla Thunderbird (3.1.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
neroxml
NetWaiting
NVIDIA Drivers
OpenOffice.org 3.1
Opera 11.00
PDF Settings
Picasa 3
QuickTime
Sansa Updater
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SigmaTel Audio
Skype™ 3.8
Sonic Activation Module
Spybot - Search & Destroy
upapp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
User's Guides
Winamp
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Media Player Firefox Plugin
.
==== End Of File ===========================
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Unread postby Gizzy » March 21st, 2011, 2:48 pm

Hi jyossarian,

jyossarian wrote: I'm curious as to whether you saw the offending malware removed or if you assume it was removed in the process.
I saw it get removed, Looks like the redirects were caused by a malicious extension in Firefox which was removed by combofix.

jyossarian wrote: I also see that this seems to be a common problem in the forum. Is there something I did or failed to do that allowed this malware to take hold?
Redirects are caused by many different malware that require different procedures to remove, Though yes the symptom is common these days.
It's almost impossible for me to say what you did or didn't do that caused the malware to get on your computer as it can happen a number of ways, But here is a great guide I recommend you read that will help you be more secure in the future,
COMPUTER SECURITY - a short guide to staying safer online


After you post back confirming the redirects are gone we can finish up. :)
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA
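Gizzy traced the redirects to a Firefox extension, and the DDS/ComboFix "Supplementary Scan" lines in this thread are exactly where that shows up. The triage script below is an added example (not DDS, ComboFix or the forum's own tooling): it parses the `uSearchURL` / `uDefault_Search_URL` / `uSearchAssistant`, `FF - prefs.js` and `FF - Ext:` line formats seen above and flags any search provider, homepage or extension ID that is not on an expected-good list. The sample log is constructed from lines quoted in this thread plus one made-up extension ID and one made-up search URL, both hypothetical.

```python
"""Triage browser-hijack indicators in a DDS / ComboFix log (added example)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Hosts a helper would accept without comment. Anything else is "worth a look",
# not automatically malicious.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
EXPECTED_HOMEPAGE_HOSTS = {"www.google.com", "www.yahoo.com", "www.bing.com"}

# Extension IDs present in this thread's logs, which the helper left in place.
# Stored lower-case because ComboFix and DDS print GUIDs in different case.
KNOWN_GOOD_EXTENSIONS = {
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}",  # Firefox "Default" theme
    "{cafeefac-0016-0000-0024-abcdeffedcba}",  # Java Console (JRE 6 Update 24)
    "sxipper@sxip.com",                         # Sxipper
    "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}",  # Adblock Plus
}

# Line shapes as printed in the logs above. The leading u/m marks HKCU vs HKLM.
SEARCH_RE = re.compile(
    r"^[um](Default_Search_URL|SearchAssistant|SearchURL,\(Default\))\s*=\s*(\S+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (\S+)$")
FF_EXT_RE = re.compile(r"^FF - Ext: (.+?): (\S+) - (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str   # "search", "homepage" or "extension"
    value: str  # host or extension ID that was not on the expected list
    line: str   # the log line it came from


def refang(url: str) -> str:
    """Logs defang http to hxxp so the URL is not clickable; undo it for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(defanged_url: str) -> str:
    return urlparse(refang(defanged_url)).hostname or ""


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per search/homepage/extension entry outside the expected sets."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            host = host_of(m.group(2))
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("search", host, line))
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group(1) == "browser.startup.homepage":
            host = host_of(m.group(2))
            if host not in EXPECTED_HOMEPAGE_HOSTS:
                findings.append(Finding("homepage", host, line))
            continue
        m = FF_EXT_RE.match(line)
        if m:
            ext_id = m.group(2).lower()
            if ext_id not in KNOWN_GOOD_EXTENSIONS:
                findings.append(Finding("extension", ext_id, line))
    return findings


# Constructed sample: the thread's own Supplementary Scan lines, plus a
# HYPOTHETICAL unknown extension and a HYPOTHETICAL non-Google search URL.
SAMPLE_LOG = """\
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\\users\\admin\\appdata\\roaming\\mozilla\\firefox\\profiles\\tdh02g7j.default\\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\\program files\\mozilla firefox\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\\program files\\mozilla firefox\\extensions\\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Sxipper: sxipper@sxip.com - %profile%\\extensions\\sxipper@sxip.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\\extensions\\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: No name: {00000000-1111-2222-3333-444444444444} - %profile%\\extensions\\{00000000-1111-2222-3333-444444444444}
uSearchURL,(Default) = hxxp://search.example.invalid/?q=%s
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.value}\n    {f.line}")
```

An unlisted extension is only a lead: check its path and manifest against the profile before deciding it is the hijacker, as the helper did here.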

Re: google search hijacked in firefox

Unread postby jyossarian » March 22nd, 2011, 9:19 pm

Gizzy,

I'm happy to report that there have been no redirects in the past 3 days. Thank you so much for your expertise.

J.
jyossarian
Active Member
 
Posts: 8
Joined: March 18th, 2011, 7:10 am

Re: google search hijacked in firefox

Unread postby Gizzy » March 23rd, 2011, 10:51 am

jyossarian wrote: I'm happy to report that there have been no redirects in the past 3 days. Thank you so much for your expertise.
You're most welcome. :)

Congratulations your machine appears to be clean! :cheers:
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure.

Remove Tools
Let's remove the programs we've been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.

The following steps will remove the tools and logs we used to clean your computer.
Delete any that are left over yourself and empty the Recycle Bin.

Uninstall ComboFix
  1. Click on Start > Run
  2. Type ComboFix /Uninstall into the box and click OK
  3. Note the space between the x and /Uninstall; it needs to be there.

CleanUp with OTC
Download OTC by Old Timer and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

  1. Right-click OTC.exe and select Run as administrator to run it.
  2. Click the CleanUp! button
  3. Select Yes when the Begin cleanup Process? prompt appears
  4. If you are prompted to Reboot during the cleanup, select Yes
  5. The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

TFC is a great tool for you to keep and use on a regular basis.


Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.
You can now re-enable:

  • Windows Defender


Keep your programs up to date
Vulnerabilities are sometimes found in programs that can be used to infect your computer,
so it's a good idea to always use the most up-to-date version of programs.
Below are 2 sites that can be used to check if any of your installed programs are in need of updates.
Secunia Software Inspector
F-secure Health Check


Keep your system updated
Microsoft releases patches for Windows and other products regularly:

  1. I advise you visit: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
  2. Install the Active X
  3. Once installed, it will advise you to set Auto-Updates if not set, and you will then also be able to manually check for updates via:
  4. Start > All Programs > Microsoft Updates


Below are some free programs I recommend that could help you improve your computer's security.

Spyware Blaster
Download it from Here
Find a tutorial on how to use Spyware Blaster Here

WinPatrol
Download it from Here
You can find information about how WinPatrol works Here

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you will NOT be protected when new malicious programs are released.


I'd be grateful if you could reply to this post so that I know you have read it, and if you have no other questions, the thread can be closed.

Happy surfing and stay clean! :thumbright:
Gizzy
Retired Graduate
 
Posts: 1101
Joined: December 30th, 2008, 9:54 pm
Location: NJ, USA