2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 5th, 2009, 7:43 pm

I am currently experiencing 2 issues with the infected computer:

1) All links to Google search results redirect to advertisement websites.

2) It appears that (or, rather, sounds like) there are ads running in the background while ALL windows are closed. I can hear sound from the advertisement coming through the speaker even after all browser windows have been closed.


***Copy of hijackthis logfile***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:25 PM, on 8/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [net] "C:\WINDOWS\System32\net.net"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

--
End of file - 1788 bytes
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 8th, 2009, 5:06 am

Hi imthinking

  1. Please download this tool from Microsoft.
  2. Double click on MGADiag.exe to run it.
  3. Click Continue.
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 8th, 2009, 8:14 pm

I ran the Microsoft Genuine Advantage Diagnostic Tool and it finished in less than a minute. Here are the results:

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {F973BF10-51CC-442C-9038-0011E16544E8}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\crypt32.dll[5.131.2600.1152]
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F973BF10-51CC-442C-9038-0011E16544E8}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-746137067-1078145449-839522115</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 2400 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A05</Version><SMBIOSVersion major="2" minor="3"/><Date>20031202******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>8E42334F01842042</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B285:Dell Inc|1B285:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 9th, 2009, 5:17 am

Please go here and tell me what it said.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 9th, 2009, 12:29 pm

This is what it said after the test completed:

Microsoft Genuine Advantage Diagnostic Results
Passed Active scripting allowed
Passed Display images enabled
Passed Computer time and date correct
Passed Cookies enabled
Passed ActiveX enabled
Passed Windows validation ActiveX loaded
Passed Office validation ActiveX loaded
Passed Validation Self-help ActiveX loaded
Passed Validation Self-help: Data.dat Corruption check
Passed Validation Self-help: Cryptography check
Passed Validation Self-help: Product Activation check
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 9th, 2009, 12:33 pm

Not sure if this helps, but I ran the MGA tool again from the desktop and it said this:

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Genuine
Validation Code: 0

Cached Validation Code: N/A
Windows Product Key: *****-*****-GD6GR-K6DP3-4C8MT
Windows Product Key Hash: s2kt66ZJWfV4nS1wFD5F9bxTSDw=
Windows Product ID: 55277-OEM-2111907-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {F973BF10-51CC-442C-9038-0011E16544E8}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 1.7.111.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-543-80070002_025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\WINDOWS\system32\crypt32.dll[5.131.2600.1152]
File Mismatch: C:\WINDOWS\system32\oembios.bin[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.dat[hr = 0x80070714]
File Mismatch: C:\WINDOWS\system32\oembios.sig[hr = 0x80070714]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F973BF10-51CC-442C-9038-0011E16544E8}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-4C8MT</PKey><PID>55277-OEM-2111907-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-746137067-1078145449-839522115</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Dimension 2400 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A05</Version><SMBIOSVersion major="2" minor="3"/><Date>20031202******.******+***</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>8E42334F01842042</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B285:Dell Inc|1B285:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 9th, 2009, 1:53 pm

Good.

Download DDS to your desktop from one of the links below:

Link 1
Link 2
  • Double click the tool to run it.
  • A black screen will open; just read the contents and do nothing.
  • When the tool finishes, it will open 2 reports.
  • Copy/paste both reports back here and remove DDS from your desktop.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 9th, 2009, 8:07 pm

results from dds:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2009 8:04:43 AM
System Uptime: 8/9/2009 4:30:35 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0G1548
Processor: Intel(R) Pentium(R) 4 CPU 2.66GHz | Microprocessor | 2658/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 34.073 GiB free.
D: is Removable
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Photo AIO Printer 966
Device ID: USB\VID_413C&PID_5117&MI_00\6&F19CC50&0&0000
Manufacturer:
Name: Photo AIO Printer 966
PNP Device ID: USB\VID_413C&PID_5117&MI_00\6&F19CC50&0&0000
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&3B1CAF2B&0&28F0
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Advertisement Service
Broadcom 440x 10/100 Integrated Controller
Dell ResourceCD
GoToAssist 8.0.0.514
HijackThis 2.0.2
Intel(R) Extreme Graphics Driver
Mozilla Firefox (3.5.1)
Napster
Napster Burn Engine
PC Antispyware 2010
SoundMAX
Update for Windows XP (KB898461)
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB842773

==== Event Viewer Messages From Past Week ========

8/8/2009 3:35:33 AM, error: System Error [1003] - Error code 000000d1, parameter1 e150f000, parameter2 00000002, parameter3 00000000, parameter4 f07fc0a5.
8/7/2009 5:54:10 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\scecli.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.1106.

==== End Of File ===========================
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 9th, 2009, 11:59 pm

Please copy/paste both logs from DDS to your reply :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 10th, 2009, 2:26 am

My apologies. Here is the second report:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 16:54:28.65 on Sun 08/09/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.123 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sdra64.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe
C:\WINDOWS\System32\braviax.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\install.exe
svchost
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [braviax] c:\windows\system32\braviax.exe
uRun: [Windows System Recover!] c:\docume~1\owner\locals~1\temp\install.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [net] "c:\windows\system32\net.net"
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRun: [braviax] braviax.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://go.microsoft.com/fwlink/?LinkId=82580
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\cru629.dat
STS: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ymlxmd40.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-09 15:51 19,650 a------- c:\windows\qacexev.scr
2009-08-09 15:51 17,916 a------- c:\windows\jukakyk.vbs
2009-08-09 15:51 15,690 a------- c:\windows\system32\enepoqunov.reg
2009-08-09 15:51 15,104 a------- c:\docume~1\alluse~1\applic~1\iwutu.com
2009-08-09 15:51 14,886 a------- c:\windows\ymiqab.inf
2009-08-09 15:51 13,988 a------- c:\windows\bycyfoteto._dl
2009-08-09 15:51 13,796 a------- c:\windows\ucil.com
2009-08-09 15:51 12,378 a------- c:\docume~1\owner\applic~1\rodukobehi.reg
2009-08-09 15:51 10,604 a------- c:\windows\system32\tebyxogyfi._dl
2009-08-09 15:50 <DIR> --d----- c:\program files\PC_Antispyware2010
2009-08-08 21:16 <DIR> --d----- c:\windows\pss
2009-08-08 18:05 32,256 a------- c:\windows\winkpst.exe
2009-08-07 13:10 19,926 a------- c:\docume~1\owner\applic~1\omevibaq.bin
2009-08-07 13:10 19,650 a------- c:\windows\pogukig.vbs
2009-08-07 13:10 19,553 a------- c:\docume~1\alluse~1\applic~1\tufuv.vbs
2009-08-07 13:10 17,858 a------- c:\docume~1\owner\applic~1\atyxowew.sys
2009-08-07 13:10 16,707 a------- c:\windows\ohateso.inf
2009-08-07 13:10 16,496 a------- c:\docume~1\alluse~1\applic~1\ygoz.scr
2009-08-07 13:10 15,858 a------- c:\docume~1\owner\applic~1\xapej.sys
2009-08-07 13:10 14,435 a------- c:\windows\rawyr.db
2009-08-07 13:10 13,914 a------- c:\windows\afof.pif
2009-08-07 13:10 13,629 a------- c:\windows\system32\wewy.exe
2009-08-07 13:10 11,917 a------- c:\program files\common files\orulyx.scr
2009-08-07 13:10 11,477 a------- c:\windows\system32\gikab.reg
2009-08-07 13:10 10,885 a------- c:\windows\ifipaqucaz.dat
2009-08-07 13:10 347,739 a------- c:\windows\system32\_scui.cpl
2009-08-07 12:50 <DIR> --d----- c:\windows\system32\CatRoot
2009-08-07 12:50 12,288 a------- c:\windows\braviax.exe
2009-08-07 12:50 6,144 a------- c:\windows\system32\cru629.dat
2009-08-07 12:50 6,144 a------- c:\windows\cru629.dat
2009-08-05 16:13 <DIR> --d----- c:\program files\Trend Micro
2009-07-29 06:18 67,072 a------- c:\windows\system32\drivers\vsfoceibvyapma.sys
2009-07-29 06:16 36,864 a------- c:\windows\system32\net.net
2009-07-27 22:32 20,480 a------- c:\windows\system32\setb2.tmp
2009-07-27 22:32 20,480 a------- c:\windows\system32\setb1.tmp
2009-07-27 22:31 316,640 a------- c:\windows\WMSysPr9.prx
2009-07-27 22:31 <DIR> --d----- c:\windows\RegisteredPackages
2009-07-27 22:13 <DIR> --d----- c:\program files\common files\Napster Shared
2009-07-27 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2009-07-27 22:13 <DIR> --d----- c:\program files\Napster
2009-07-25 10:04 <DIR> --d----- c:\windows\system32\bits
2009-07-25 10:03 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-25 10:03 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-07-25 10:03 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-23 21:15 65,536 a------- c:\windows\system32\drivers\vsfocenyrsmnge.sys
2009-07-19 10:18 361,984 ac------ c:\windows\system32\dllcache\qmgr.dll
2009-07-19 10:18 331,776 ac------ c:\windows\system32\dllcache\winhttp.dll
2009-07-19 10:18 17,408 ac------ c:\windows\system32\dllcache\qmgrprxy.dll
2009-07-19 10:18 331,776 a------- c:\windows\system32\winhttp.dll
2009-07-19 10:18 17,408 a------- c:\windows\system32\qmgrprxy.dll
2009-07-19 10:18 7,680 -c------ c:\windows\system32\dllcache\bitsprx2.dll
2009-07-19 10:18 7,168 -c------ c:\windows\system32\dllcache\bitsprx3.dll
2009-07-19 10:18 158,720 -------- c:\windows\system32\xpob2res.dll
2009-07-19 10:18 7,680 -------- c:\windows\system32\bitsprx2.dll
2009-07-19 10:18 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-07-19 10:14 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-19 10:12 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-07-19 10:12 186,136 a------- c:\windows\system32\wuaueng1.dll
2009-07-19 10:12 167,704 a------- c:\windows\system32\wuauclt1.exe
2009-07-17 01:44 <DIR> --ds---- c:\documents and settings\owner\UserData
2009-07-16 16:02 155,648 a------- c:\windows\system32\igfxres.dll
2009-07-16 16:01 <DIR> --ds---- c:\windows\system32\Microsoft
2009-07-16 15:58 319,488 a------- c:\windows\system32\igfxsrvc.dll
2009-07-16 15:57 5,888 ac------ c:\windows\system32\dllcache\splitter.sys
2009-07-16 15:56 7,040 ac------ c:\windows\system32\dllcache\mskssrv.sys
2009-07-16 15:56 <DIR> --d----- c:\program files\Analog Devices
2009-07-16 15:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-07-16 15:50 <DIR> --d----- c:\program files\Citrix
2009-07-16 15:42 43,136 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-07-16 15:42 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-07-16 15:39 <DIR> --d----- c:\windows\LastGood.Tmp
2009-07-16 15:39 <DIR> --d----- c:\program files\Broadcom
2009-07-16 15:32 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-07-16 15:32 1,064,456 a------- c:\windows\system32\MSCOMCTL.OCX
2009-07-16 15:32 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-07-16 15:32 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-07-16 15:32 176,128 a------- c:\windows\system32\RcdScan.dll
2009-07-16 15:32 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-07-16 15:32 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-07-16 15:32 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-07-16 15:32 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-07-16 15:32 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-07-16 15:06 <DIR> --dsh--- c:\windows\Installer
2009-07-16 15:06 <DIR> --d----- c:\documents and settings\Owner
2009-07-16 15:05 8,192 a------- c:\windows\REGLOCS.OLD
2009-07-16 15:03 1,875,968 ac------ c:\windows\system32\dllcache\msir3jp.lex
2009-07-16 15:02 312,832 ac------ c:\windows\system32\dllcache\EXCH_aqueue.dll
2009-07-16 15:00 24,576 a------- c:\windows\system32\xpsp1hfm.exe
2009-07-16 14:57 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-16 14:57 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-07-16 14:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-16 14:55 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-16 14:55 <DIR> --d----- c:\program files\Online Services
2009-07-16 14:55 <DIR> --d----- c:\program files\Messenger
2009-07-16 14:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-16 14:54 <DIR> --d----- c:\program files\Windows NT
2009-07-16 07:45 <DIR> --d----- c:\program files\common files\ODBC
2009-07-16 07:45 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-16 07:45 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-08-09 15:51 18,822 a------- c:\program files\common files\ikukygyrat.ban
2009-08-07 13:20 12,288 a------- c:\windows\system32\braviax.exe
2009-08-07 12:49 90,624 a------- C:\criqmsck.exe
2009-08-07 12:48 27,136 a------- C:\ibts.exe
2009-08-07 12:48 91,648 a------- C:\phheq.exe
2009-08-07 12:48 0 a------- C:\vkywt.exe
2009-08-07 12:48 15,000 a------- c:\windows\system32\hs7f3uhduhfukde.dll
2009-08-07 12:48 9,728 a------- C:\umoikchf.exe
2009-08-07 12:48 19,456 a------- C:\niawndos.exe
2009-08-07 12:48 19,456 a------- C:\hcel.exe
2009-08-07 12:48 190,307 a------- c:\windows\system32\wisdstr.exe
2009-08-07 12:48 75,776 a------- C:\yedfjdy.exe
2009-08-07 12:48 19,456 a------- C:\rcvbm.exe
2009-08-07 12:48 30,208 a------- c:\windows\system32\drivers\beep.sys
2009-08-07 12:48 111,616 a------- C:\zxhK.exe
2009-07-17 15:10 71,627 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-16 14:56 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 16:55:51.26 ===============
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm
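
The DDS report above is the one a helper reads for persistence points (the "Pseudo HJT Report") and for the burst of freshly dropped files (the "Created Last 30" list). As an added example, not part of the original thread and not a tool the helpers here used, the Python script below runs that reading as code over lines copied from the HijackThis log and the DDS report posted in this thread; the sample is constructed from those lines, and nothing is read from a live system. The rule names, the list of launchable extensions and the burst thresholds are assumptions made for this example. It flags an extra executable appended to the Winlogon Userinit value (a persistence technique long associated with the Zbot/Zeus family), a non-empty AppInit_DLLs value, Run entries that launch from a Temp directory, use a non-executable extension such as .net, or give only a bare filename, a BHO that DDS lists with its DLL path in place of a display name, and policy keys that lock the user out of Folder Options and the Registry Editor. It also groups the "Created Last 30" entries by minute and reports minutes in which many files of several different extensions appeared, which separates the 15:51 dropper litter from the Windows Update burst at 10:18 on 07-19, where several files arrived but all were DLLs.

```python
import os
import re

# Constructed sample: lines copied from the HijackThis log and DDS report posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [net] "C:\WINDOWS\System32\net.net"
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [braviax] c:\windows\system32\braviax.exe
uRun: [Windows System Recover!] c:\docume~1\owner\locals~1\temp\install.exe
mRun: [net] "c:\windows\system32\net.net"
mRun: [braviax] braviax.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
AppInit_DLLs: c:\windows\system32\cru629.dat
2009-08-09 15:51 19,650 a------- c:\windows\qacexev.scr
2009-08-09 15:51 17,916 a------- c:\windows\jukakyk.vbs
2009-08-09 15:51 15,690 a------- c:\windows\system32\enepoqunov.reg
2009-08-09 15:51 15,104 a------- c:\docume~1\alluse~1\applic~1\iwutu.com
2009-08-09 15:51 14,886 a------- c:\windows\ymiqab.inf
2009-08-09 15:51 13,988 a------- c:\windows\bycyfoteto._dl
2009-08-09 15:51 13,796 a------- c:\windows\ucil.com
2009-08-09 15:50 <DIR> --d----- c:\program files\PC_Antispyware2010
2009-07-19 10:18 361,984 ac------ c:\windows\system32\dllcache\qmgr.dll
2009-07-19 10:18 331,776 ac------ c:\windows\system32\dllcache\winhttp.dll
2009-07-19 10:18 17,408 ac------ c:\windows\system32\dllcache\qmgrprxy.dll
2009-07-19 10:18 331,776 a------- c:\windows\system32\winhttp.dll
2009-07-19 10:18 17,408 a------- c:\windows\system32\qmgrprxy.dll
"""

EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}  # assumed list of launchable extensions
RUN = re.compile(r"^(?:O4 - HK(?:LM|CU)\\\.\.\\Run|[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
USERINIT = re.compile(r"Userinit=(?P<value>.+)$", re.I)
BHO = re.compile(r"^BHO: (?P<desc>.*?): \{[0-9a-f-]{36}\} - (?P<path>.+)$", re.I)
POLICY = re.compile(r"(NoFolderOptions|DisableRegistryTools|DisableTaskMgr) = 1")
APPINIT = re.compile(r"^AppInit_DLLs: (?P<value>\S.*)$")
CREATED = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +(?P<size>[\d,]+|<DIR>) +\S+ +(?P<path>.+)$")

def first_token(cmd):
    """Program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]

def scan_persistence(text):
    """Return (rule, detail) pairs for persistence entries the rules below consider suspicious."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN.match(line)
        if m:
            target = first_token(m.group("cmd"))
            if os.path.splitext(target)[1].lower() not in EXEC_EXT:
                findings.append(("run-non-executable-extension", line))
            if "\\temp\\" in target.lower():
                findings.append(("run-temp-directory", line))
            if "\\" not in target:  # bare name: resolved through the search path at logon
                findings.append(("run-bare-filename", line))
            continue
        m = USERINIT.search(line)
        if m:
            parts = [p for p in m.group("value").split(",") if p.strip()]
            if not parts or not parts[0].lower().endswith("userinit.exe"):
                findings.append(("userinit-replaced", line))
            for extra in parts[1:]:  # anything listed after userinit.exe also runs at every logon
                findings.append(("userinit-extra-executable", extra))
            continue
        m = BHO.match(line)
        if m and m.group("desc").lower() == m.group("path").lower():
            findings.append(("bho-no-display-name", line))  # DDS shows the DLL path when no name is registered
            continue
        if POLICY.search(line):
            findings.append(("policy-restriction", line))
        elif APPINIT.match(line):
            findings.append(("appinit-dlls-set", line))
    return findings

def file_bursts(text, min_files=5, min_extensions=3):
    """Minutes in which at least min_files files with at least min_extensions distinct
    extensions were created; the extension test separates a dropper's mixed litter
    from a Windows Update burst that writes many files of one kind."""
    by_minute = {}
    for raw in text.splitlines():
        m = CREATED.match(raw.strip())
        if m and m.group("size") != "<DIR>":
            by_minute.setdefault(m.group("ts"), []).append(m.group("path"))
    return {ts: paths for ts, paths in by_minute.items()
            if len(paths) >= min_files
            and len({os.path.splitext(p)[1].lower() for p in paths}) >= min_extensions}

if __name__ == "__main__":
    for rule, detail in scan_persistence(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
    for ts, paths in file_bursts(SAMPLE_LOG).items():
        print(f"burst at {ts}: {len(paths)} files, e.g. {paths[0]}")
```

Run it directly to print the findings; scan_persistence() and file_bursts() accept any text in the same format, so a complete DDS.txt can be passed in. The heuristics are deliberately simple: they do not prove a file is malicious, only point at the lines a human should look at first, and a legitimately unnamed BHO or a bare-filename Run entry written by a careless installer will show up too.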

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 10th, 2009, 2:29 am

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by imthinking » August 10th, 2009, 3:04 am

I downloaded ComboFix to the Desktop but when I click on the executable nothing happens :-(
imthinking
Active Member
 
Posts: 7
Joined: August 5th, 2009, 7:23 pm

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 10th, 2009, 10:37 am

Then please rename combofix.exe and try again :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: 2 issues: 1)Google redirect 2) ads running w/o browser

Post by Shaba » August 13th, 2009, 3:40 pm

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland