Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Browser Hijacker giving 404 errors, redirects, etc.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 1st, 2009, 7:07 pm

Hi. :)

Congratulations your computer now appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advice you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

Also so is this:

What to do if your Computer is running slowly

Clean up with OTM:

  • Double-click OTM to start the program.
  • Close all other programs apart from OTM as this step will require a reboot
  • On the OTM main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Reset the System Restore points:

  • Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is a excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed security application, Avira AntiVir automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running providing a internet connection is active.

I advise you also run a complete scan with this also once per week.

Erunt:

Emergency Recovery Utility NT, I advice you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:


Be careful when opening attachments and downloading files:

  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:


Only use one of the above.

Finally a educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place?

Some consider this article outdated, personally I still think it bares relevance and the author is well respected in the Anti-Malware community and by myself also!

Any questions? Feel free to ask, if not stay safe!
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby rg6 » December 1st, 2009, 7:28 pm

Thank you!

I'll work through the rest of this.

Your help is extremely appreciated!
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 1st, 2009, 7:56 pm

You're welcome! :)
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby rg6 » December 2nd, 2009, 2:08 pm

%#&**(_&*)(&*&%!

I just got a misdirect to Google and then a 404 error on a subsequent try. Something is still wrong. Where do I go from here? The website I tried to go to is real, it is a business and I can get to the cached site.
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 2nd, 2009, 3:18 pm

Hi. :)

Which browser were you using when this occurred and have you installed a Host File and which particular website was this?

Please post a example so I can check it out as follows in a safe manner as shown below:-

hXXp://www.google.com

Substitute http:// with hXXp:// this way if it is a malicious site it will not be a active link.

Next:

Download at your desktop DDS from one of the links below:

Link1
Link2

  • Disable any script blocking protection.
  • Double click the tool to run it.
  • A black Screen will open, just read the contents and do nothing.
  • When the tool finish it will open a report.
  • The tool will also ask you to create a 2nd report. Please do it.
  • Copy/paste both reports back here and remove DDS from your desktop.

When completed the above, please post back the following in the order asked for:

  • How is you computer performing now, any further symptoms and or problems encountered?
  • Answers to my questions.
  • Both DDS logs. <-- Post them individually please, IE: one Log per post/reply.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby rg6 » December 3rd, 2009, 10:50 am

Last part first...

When I attempt to download DDS from either of the links provided, I get this message...

Hey <IP Address>!!

Please stop requesting pages that don't exist.

You requested /sUBs/dds. Well it doesn't exist. Maybe it did once. I dunno. Please Check the address and try again.

Cheers

(the hard working server admin bod)

bluetack.co.uk

404

---------------------
The browser I was using was Firefox 3.5.5. The first occurance was while going to a corporate (business) website. I don't remember which one. Later, it happened while attempting to go to Facebook and it was redirected to MySpace. This has happened before. Sometimes it is a 404 error, sometimes a redirect to another site.
--------------------

Thanks!
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 3rd, 2009, 11:15 am

Hi. :)

Thanks for the update, in light of this lets proceed as follows:-

GooredFix:

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Scan with GMER:

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

When completed the above, please post back the following:

  • How is you computer performing now? Any problems encountered and or any further symptoms?
  • GooredFix Log.
  • GMER Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

GooredFix and GMER logs

Unread postby rg6 » December 3rd, 2009, 4:54 pm

Attached are the GooredFix and GMER logs. There hasn't really been any opportunity to see a difference thus far. Thanks!
-------------------------
GooredFix by jpshortstuff (26.11.09.1)
Log created at 12:26 on 03/12/2009 (Rick)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:16 07/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [17:02 01/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [12:09 08/08/2009]

-=E.O.F=-

*********************************************************
*********************************************************
*********************************************************
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-03 15:36:52
Windows 5.1.2600 Service Pack 3
Running: h20kvs87.exe; Driver: C:\DOCUME~1\Rick\LOCALS~1\Temp\fxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF47D4FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF47D1C80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73C9D72]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF47D5580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF47E9900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF47E9B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF47EDB10]
SSDT F7BD82F4 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF47D5670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF47D2210]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF73CA568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF73CA820]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF47E9280]
SSDT F7BD8312 ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF47ECF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF47D2070]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF73C8A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF47EB180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF47EAF40]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF73CAC8A]
SSDT F7BD831C ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF47D4BE0]
SSDT F7BD8317 ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF47D5190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF47D2440]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73CA036]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF47EA200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF47EA080]

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip bckd.sys

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp bckd.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp bckd.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp bckd.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{1A67FD06-7264-0181-C3D4-FF11B7F305AB}\CurVer@ Zb_ui.ZBUI_HelpAboutUI.1
Reg HKLM\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32@ C:\WINDOWS\system32\msvidctl.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\TypeLib@ {B0EDF154-910A-11D2-B632-00C04F79498E}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD 0 bytes
File C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL 0 bytes

---- EOF - GMER 1.0.15 ----
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 3rd, 2009, 6:29 pm

Hi. :)

Do you use a Router at all?

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper


When completed the above, please post back the following in the order asked for:

  • How is you computer performing now, any other symptoms and or problems encountered?
  • Answer to my Router query.
  • ComboFix Log.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby rg6 » December 3rd, 2009, 10:45 pm

The computer is connected to a wireless router with one other computer via Ethernet and wireless use by a couple of other computers. However, there really is no inter-computer activity, just Internet connectivity.

Should I still run ComboFix? What does it do (yes I will read the directions).

Thanks!
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 4th, 2009, 4:54 am

Sure go ahead and run ComboFix. Then afterwards reset your Router and apply a new admin password. :)
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

ComboFix Log

Unread postby rg6 » December 4th, 2009, 10:50 am

ComboFix 09-12-03.05 - Rick 12/04/2009 9:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.476 [GMT -5:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Recycle

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-01 17:01 . 2009-12-01 17:01 -------- d-----w- c:\program files\Java
2009-11-30 00:32 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-30 00:31 . 2009-11-30 00:31 -------- d-----w- c:\program files\Panda Security
2009-11-28 00:58 . 2009-11-28 00:58 -------- d-----w- c:\program files\ERUNT
2009-11-23 03:55 . 2009-11-23 04:01 -------- d-----w- c:\documents and settings\Rick\Application Data\Mobipocket
2009-11-23 03:53 . 2009-11-23 03:53 50008 ----a-r- c:\documents and settings\Rick\Application Data\Microsoft\Installer\{342126E1-173C-4585-BFBE-3EBDD20E3E9E}\_6FEFF9B68218417F98F549.exe
2009-11-23 03:53 . 2009-11-23 03:53 -------- d-----w- c:\program files\Mobipocket.com
2009-11-15 22:30 . 2009-11-15 22:30 -------- d-----w- C:\ADOBEAPP
2009-11-15 02:51 . 2009-11-15 02:51 -------- d-----w- c:\program files\Common Files\Intel
2009-11-07 15:18 . 2009-11-07 15:18 -------- d-----w- c:\windows\Performance
2009-11-07 15:18 . 2009-11-07 15:18 -------- d-----w- c:\documents and settings\Rick\Local Settings\Application Data\Microsoft Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 14:21 . 2007-04-09 20:38 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-12-04 13:22 . 2008-09-30 22:03 -------- d-----w- c:\program files\Thunderbird
2009-12-04 13:06 . 2009-12-04 13:08 280576 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2009-12-03 17:12 . 2009-09-11 11:28 5258442 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-03 17:11 . 2009-12-03 17:12 1783296 ----a-w- c:\windows\Internet Logs\xDBD.tmp
2009-12-02 18:16 . 2009-12-02 18:18 1763328 ----a-w- c:\windows\Internet Logs\xDBC.tmp
2009-12-02 02:18 . 2009-12-02 02:19 1766400 ----a-w- c:\windows\Internet Logs\xDBB.tmp
2009-12-02 02:18 . 2009-12-02 02:19 899584 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2009-12-01 17:01 . 2009-01-18 19:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-01 16:24 . 2009-12-01 16:25 1768448 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2009-11-29 10:21 . 2007-08-04 16:35 -------- d-----w- c:\program files\Google
2009-11-28 22:08 . 2004-11-18 23:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-28 08:54 . 2009-11-28 08:55 1547264 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-11-28 08:54 . 2009-11-28 08:55 1744384 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-11-28 04:01 . 2006-12-15 14:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-27 05:48 . 2008-08-23 02:31 -------- d-----w- c:\program files\Spyware Doctor
2009-11-26 22:17 . 2009-11-26 22:18 1716736 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-11-24 18:35 . 2009-11-24 18:36 1700864 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-11-23 18:22 . 2009-11-23 18:24 1708544 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-11-23 00:52 . 2009-11-23 00:53 1703936 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-11-20 18:20 . 2009-11-20 18:21 1694208 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-11-20 12:39 . 2009-11-20 12:40 1695232 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-11-20 02:42 . 2008-08-14 02:33 -------- d-----w- c:\program files\JKDefrag
2009-11-18 16:39 . 2004-11-17 20:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-18 16:31 . 2008-07-21 21:41 -------- d-----w- c:\program files\MediaComplete
2009-11-18 16:08 . 2009-08-18 02:12 -------- d-----w- c:\program files\Cisco Systems
2009-11-18 16:06 . 2004-11-18 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-11-18 16:03 . 2009-09-10 12:44 -------- d-----w- c:\documents and settings\Rick\Application Data\Amazon
2009-11-12 02:45 . 2009-09-01 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-05 14:47 . 2004-11-17 21:00 202752 -c--a-w- c:\documents and settings\Rick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 16:10 . 2009-09-01 17:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-03 03:15 . 2009-09-18 15:27 479604 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll
2009-10-03 03:15 . 2009-09-18 15:27 393587 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeemu.dll
2009-09-29 12:37 . 2009-09-29 12:37 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-15 20:58 . 2009-09-18 15:27 106867 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll
2009-09-15 20:57 . 2009-09-18 15:26 184693 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll
2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-09-06 12:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-06 12:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 19:49 . 2009-09-08 19:49 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-08 18:21 . 2009-09-08 18:21 167376 ----a-w- c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\ybb7qck1.default\FlashGot.exe
2006-01-23 23:15 . 2005-06-01 02:06 30 -c--a-w- c:\program files\Exiferupdate.ini
2003-07-25 16:38 . 2004-11-19 02:19 132096 -c--a-w- c:\program files\Common Files\PCSBoff.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 7"="c:\program files\Cobian Backup 7\CobBU.exe" [2006-02-28 127488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-01 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Sonic RecordNow! Deluxe"=
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"=c:\program files\Java\jre1.5.0_06\bin\jusched.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/29/2009 7:32 PM 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/1/2009 6:53 AM 206256]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 6:39 PM 72992]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [1/3/2008 10:09 PM 20864]
R1 cdrport;cdrport;c:\windows\system32\drivers\cdrport.sys [1/3/2008 10:09 PM 4608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/6/2009 7:42 AM 108289]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [5/23/2006 1:45 PM 1078560]
R3 FTD2XX;LogTag USB Interface driver;c:\windows\system32\drivers\FTD2XX.sys [2/1/2004 2:00 AM 29292]
S2 gupdate1c9b943662457d8;Google Update Service (gupdate1c9b943662457d8);c:\program files\Google\Update\GoogleUpdate.exe [4/9/2009 1:45 PM 133104]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [11/18/2004 5:34 PM 15104]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 efipsk;efipsk;\??\c:\docume~1\BRAD~1.STU\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\BRAD~1.STU\LOCALS~1\Temp\efipsk.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/26/2009 8:21 PM 19712]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/28/2009 7:43 PM 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [4/1/2009 6:52 AM 348752]
S4 AloPar;AloPar;c:\windows\system32\drivers\AloPar.sys [11/19/2004 9:06 PM 5056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 18:45]

2009-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 18:45]

2009-12-04 c:\windows\Tasks\jucheck.job
- c:\program files\Java\jre6\bin\jucheck.exe [2009-12-01 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Rick\Application Data\Mozilla\Firefox\Profiles\ybb7qck1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig|http://mail.go ... 3Ftab%3Dmc
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nptgeqplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI
AddRemove-PictureItPrem_v12 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=PREM VERSION=12
AddRemove-{2FCE4FC5-6930-40E7-A4F1-F862207424EF} - c:\program files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe REMOVEALL
AddRemove-{98E8A2EF-4EAE-43B8-A172-74842B764777} - c:\program files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3420)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Cobian Backup 7\cobui.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-04 09:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 14:25

Pre-Run: 43,481,362,432 bytes free
Post-Run: 43,334,299,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A3237E78324295564B5ED6B657415591
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby rg6 » December 4th, 2009, 11:44 am

Still having problems after ComboFix run. Thanks for your help.
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby Dakeyras » December 4th, 2009, 2:44 pm

Hi,

I have bad news I'm afraid. :(

One or more of the identified infections is a Backdoor Trojan, plus evidence of a Keylogger program.

OK since we are dealing with the aforementioned infection(s) I would be providing your good self with a disservice if I did not make you aware of the ramifications below:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system, and that is the course we strongly recommend.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to clean this machine but I can't guarantee that it will be at all secure afterwords.

Should you have any questions, please feel free to ask.

Please let myself know what you have decided to do in your next post.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Browser Hijacker giving 404 errors, redirects, etc.

Unread postby rg6 » December 5th, 2009, 3:38 pm

I'm going to reformat and start over. I may even do some upgrades and go to Windows7.

Questions on saving files and programs...

* Are there any issues with reinstalling programs from setup files on the computer?
* Asked another way, are the problems all in the OS files in my current setup?
* Any issues with saving data files? If the non-executables scan clean is that sufficient?

Thank you.
rg6
Regular Member
 
Posts: 33
Joined: October 2nd, 2009, 7:56 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 305 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware