Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Redirect malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Redirect malware

Unread postby askey127 » October 11th, 2010, 2:30 pm

Sutman04
Do you use the Roxio Service upload/download, etc. on a regular basis?
-----------------------------------------------------------
Remove Registry items with HighjackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
-----------------------------------------------------------
Replace the Current HOSTS File with MVPs
You can read about HOSTS files here : http://www.mvps.org/winhelp2002/hosts.htm

  • Disable DNS Client Service. This is necessary when installing a large HOSTS file.
    From Start, or Start, Run
    Type services.msc in the box and hit <Enter>
    Give permission to continue if necessary.
    Scroll down to DNS Client on the list, Right Click it and choose Properties.
    Under Service Status, click Stop. Wait until it reports the service stopped.
    Under Startup Type, choose Disabled.
    Then click Apply, OK
  • Use HostsXpert to Install the HOSTS File
    Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.
    • In the bottom half of the left pane, click on File Handling
    • If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only
    • Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.
    • Click on the top button labeled MVPs Hosts and choose Replace
    • When asked to verify if you want to Replace present Hosts file, click OK.
    • When it finishes, click on File Handling again.
    • Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?
    • Hit the X in the upper right corner to exit HostsXpert

Let me know how it goes, and whether that "address redirector"could be the source of redirects.
It's not supposed to, but there have been some reports of it under certain conditions..
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Re: Redirect malware

Unread postby sutman04 » October 11th, 2010, 3:06 pm

askey127,

Fixed problems with HJT and downloaded and ran HostsXpert with no problems.

I do not ever use Roxio Service.

After running through HJT and HostsXpert I rebooted and still am getting redirects in yahoo! searches with both IE and FF. Not getting any in google in IE or FF. Now none of the redirects load though, they stall out and have a blank screen with 'done' in the bottom left of the browser or says 'page can not be found'

Thanks for all the help so far.

What's next?!?! Looking forward to your next post.

-Sutman04
sutman04
Active Member
 
Posts: 14
Joined: October 5th, 2010, 11:37 pm

Re: Redirect malware

Unread postby askey127 » October 11th, 2010, 5:48 pm

sutman04,
The new HOSTS file will prevent accidental connections to a few tens of thousand of know malicious websites.
I don't like the looks of this driver in your list, so it's out of here:
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Driver::
    rexfbzybdlh 
    
    File::
    C:\WINDOWS\system32\drivers\jdukxgpovlspg.sys
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine

Let's have a look at that log, and also tell me what you see.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Redirect malware

Unread postby sutman04 » October 12th, 2010, 8:40 am

askey127,

Ran Combofix with no problems. I am still getting the same problems. Yahoo! search results are still being redirected in IE and FF. Google search results have no problems. Below is the log.


ComboFix 10-10-11.03 - Owner 10/12/2010 8:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.540 [GMT -4:00]
Running from: c:\documents and settings\Owner.Sutter\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Owner.Sutter\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\jdukxgpovlspg.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_REXFBZYBDLH
-------\Service_rexfbzybdlh


((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
.

2010-10-11 15:32 . 2010-10-11 15:32 -------- d-----w- C:\rsit
2010-10-11 12:52 . 2010-10-11 12:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-08 20:07 . 2010-10-08 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost
2010-10-08 19:59 . 2010-10-08 19:59 -------- d-----w- c:\program files\Microsoft
2010-10-08 19:59 . 2010-10-08 19:59 -------- d-----w- c:\program files\MSN Toolbar
2010-10-08 19:58 . 2010-10-08 20:00 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-10-08 19:58 . 2010-10-08 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-10-08 19:53 . 2010-10-08 19:53 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\ElevatedDiagnostics
2010-10-08 19:47 . 2004-08-04 02:32 231552 -c--a-w- c:\windows\system32\dllcache\ac97ali.sys
2010-10-08 19:47 . 2004-08-04 02:32 231552 ----a-w- c:\windows\system32\drivers\ac97ali.sys
2010-10-08 19:37 . 2005-12-29 03:42 634880 ------w- c:\windows\system32\stlang.dll
2010-10-08 12:46 . 2010-10-08 12:46 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\Avira
2010-10-08 12:39 . 2010-10-08 12:39 -------- d-----w- c:\program files\Avira
2010-10-08 12:39 . 2010-10-08 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-10-08 12:39 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-08 12:39 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-08 12:39 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-10-08 12:39 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-10-06 03:36 . 2010-10-06 03:36 388096 ----a-r- c:\documents and settings\Owner.Sutter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-06 02:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 02:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-06 00:19 . 2010-10-06 00:19 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-06 00:18 . 2010-10-06 00:18 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\abelhadigital.com
2010-10-05 13:58 . 2010-10-06 00:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-05 13:57 . 2010-10-06 00:18 -------- d-----w- c:\program files\HostsMan(2)
2010-10-05 13:53 . 2010-10-06 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-05 03:42 . 2010-10-11 15:32 -------- d-----w- c:\program files\Trend Micro
2010-10-01 17:25 . 2010-10-01 17:25 -------- d-----w- C:\spoolerlogs
2010-10-01 01:53 . 2010-10-01 01:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-01 01:53 . 2010-10-01 01:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-01 01:53 . 2010-10-01 01:52 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-09-30 19:47 . 2010-09-30 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-30 07:11 . 2010-09-30 07:11 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\SUPERAntiSpyware.com
2010-09-30 05:54 . 2010-09-30 05:54 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\Malwarebytes
2010-09-30 05:52 . 2010-09-30 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-30 05:29 . 2010-10-05 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\abelhadigital.com
2010-09-30 04:55 . 2010-09-30 04:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-30 04:53 . 2010-09-30 04:53 -------- d-----w- c:\program files\MSSOAP
2010-09-30 04:53 . 2010-09-30 04:53 -------- d-----w- c:\program files\Webroot
2010-09-30 04:02 . 2010-09-30 04:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe" [2010-07-06 240480]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"PrismXL"=2 (0x2)
"iPod Service"=3 (0x3)
"accoca"=2 (0x2)
"acautoup"=2 (0x2)
"acachsrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/8/2010 8:39 AM 135336]
S3 APL531;CRS Photo Scanner;c:\windows\system32\Drivers\PS550.sys --> c:\windows\system32\Drivers\PS550.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/22/2010 10:56 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/22/2010 10:56 PM 30104]
S3 QuarticsWP;QuarticsWP_Display_Driver;c:\windows\system32\DRIVERS\QuarticsWP.sys --> c:\windows\system32\DRIVERS\QuarticsWP.sys [?]
S3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver;c:\windows\system32\DRIVERS\QuarticsWPMirror.sys --> c:\windows\system32\DRIVERS\QuarticsWPMirror.sys [?]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [10/17/2007 11:11 PM 56448]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
FF - ProfilePath - c:\documents and settings\Owner.Sutter\Application Data\Mozilla\Firefox\Profiles\uvbhgmvr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D36E769-B7A1-49B0-7FF57AC1710650DC}\{A2C50D74-0103-0472-B4B4032F319B5A49}\{CF55CBC2-03B6-AE3E-9F7994016B214C0B}*]
"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,
80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EB668333-F612-E1D7-2FB00B30B4B4E4AA}\{D1B6E034-64F3-148A-55D2E81E9958627F}\{B02B1958-B4EC-2E2F-D228BAC73E6936F4}*]
"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,
80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\stsystra.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-10-12 08:35:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-12 12:35
ComboFix2.txt 2010-10-09 13:04

Pre-Run: 18,457,272,320 bytes free
Post-Run: 18,346,958,848 bytes free

- - End Of File - - 03DAF51E93397FCA67A92E7FC28DBE18


Thanks for all your help so far. Looking forward to your next post.

-sutman04
sutman04
Active Member
 
Posts: 14
Joined: October 5th, 2010, 11:37 pm

Re: Redirect malware

Unread postby askey127 » October 12th, 2010, 9:02 am

-----------------------------------------------------------
Flush DNS Cache
  • Click Start, Run
  • In the box, type the following, and then hit Enter: ipconfig /flushdns
  • (There is a space after ipconfig)
  • A window will flash on and off. This is normal.

Let me know if the redirects continue.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Redirect malware

Unread postby sutman04 » October 12th, 2010, 10:32 am

askey127,

Flushed the DNS cache with no problems.

Same problems. Redirects with IE and FF in yahoo! searches. No redirects in google searches.

This thing is being persistent! Thanks for your help so far. Looking forward to your next post.

-Sutman04
sutman04
Active Member
 
Posts: 14
Joined: October 5th, 2010, 11:37 pm

Re: Redirect malware

Unread postby askey127 » October 12th, 2010, 10:47 am

sutman04,
These can be a little difficult to find at times.
Please do the following, in this order.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4D36E769-B7A1-49B0-7FF57AC1710650DC}\{A2C50D74-0103-0472-B4B4032F319B5A49}\{CF55CBC2-03B6-AE3E-9F7994016B214C0B}*]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EB668333-F612-E1D7-2FB00B30B4B4E4AA}\{D1B6E034-64F3-148A-55D2E81E9958627F}\{B02B1958-B4EC-2E2F-D228BAC73E6936F4}*]
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
----------------------------------------------
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Now Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Redirect malware

Unread postby sutman04 » October 13th, 2010, 10:44 am

askey127,

Ran combofix again and gooredfix with no problems. Below are the logs.


ComboFix 10-10-12.03 - Owner 10/13/2010 10:28:10.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.452 [GMT -4:00]
Running from: c:\documents and settings\Owner.Sutter\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Owner.Sutter\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-11 15:32 . 2010-10-11 15:32 -------- d-----w- C:\rsit
2010-10-11 12:52 . 2010-10-11 12:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-08 20:07 . 2010-10-08 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost
2010-10-08 19:59 . 2010-10-08 19:59 -------- d-----w- c:\program files\Microsoft
2010-10-08 19:59 . 2010-10-08 19:59 -------- d-----w- c:\program files\MSN Toolbar
2010-10-08 19:58 . 2010-10-08 20:00 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-10-08 19:58 . 2010-10-08 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-10-08 19:53 . 2010-10-08 19:53 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\ElevatedDiagnostics
2010-10-08 19:47 . 2004-08-04 02:32 231552 -c--a-w- c:\windows\system32\dllcache\ac97ali.sys
2010-10-08 19:47 . 2004-08-04 02:32 231552 ----a-w- c:\windows\system32\drivers\ac97ali.sys
2010-10-08 19:37 . 2005-12-29 03:42 634880 ------w- c:\windows\system32\stlang.dll
2010-10-08 12:46 . 2010-10-08 12:46 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\Avira
2010-10-08 12:39 . 2010-10-08 12:39 -------- d-----w- c:\program files\Avira
2010-10-08 12:39 . 2010-10-08 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-10-08 12:39 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-10-08 12:39 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-08 12:39 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-10-08 12:39 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-10-06 03:36 . 2010-10-06 03:36 388096 ----a-r- c:\documents and settings\Owner.Sutter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-06 02:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 02:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-06 00:19 . 2010-10-06 00:19 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-06 00:18 . 2010-10-06 00:18 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\abelhadigital.com
2010-10-05 13:58 . 2010-10-06 00:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-05 13:57 . 2010-10-06 00:18 -------- d-----w- c:\program files\HostsMan(2)
2010-10-05 13:53 . 2010-10-06 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-05 03:42 . 2010-10-11 15:32 -------- d-----w- c:\program files\Trend Micro
2010-10-01 17:25 . 2010-10-01 17:25 -------- d-----w- C:\spoolerlogs
2010-10-01 01:53 . 2010-10-01 01:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-01 01:53 . 2010-10-01 01:52 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-01 01:53 . 2010-10-01 01:52 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-09-30 19:47 . 2010-09-30 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-30 07:11 . 2010-09-30 07:11 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\SUPERAntiSpyware.com
2010-09-30 05:54 . 2010-09-30 05:54 -------- d-----w- c:\documents and settings\Owner.Sutter\Application Data\Malwarebytes
2010-09-30 05:52 . 2010-09-30 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-30 05:29 . 2010-10-05 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\abelhadigital.com
2010-09-30 04:55 . 2010-09-30 04:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-09-30 04:53 . 2010-09-30 04:53 -------- d-----w- c:\program files\MSSOAP
2010-09-30 04:53 . 2010-09-30 04:53 -------- d-----w- c:\program files\Webroot
2010-09-30 04:02 . 2010-09-30 04:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 22:10 . 2010-09-22 22:10 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe" [2010-07-06 240480]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"PrismXL"=2 (0x2)
"iPod Service"=3 (0x3)
"accoca"=2 (0x2)
"acautoup"=2 (0x2)
"acachsrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/8/2010 8:39 AM 135336]
S3 APL531;CRS Photo Scanner;c:\windows\system32\Drivers\PS550.sys --> c:\windows\system32\Drivers\PS550.sys [?]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2/22/2010 10:56 PM 30104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2/22/2010 10:56 PM 30104]
S3 QuarticsWP;QuarticsWP_Display_Driver;c:\windows\system32\DRIVERS\QuarticsWP.sys --> c:\windows\system32\DRIVERS\QuarticsWP.sys [?]
S3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver;c:\windows\system32\DRIVERS\QuarticsWPMirror.sys --> c:\windows\system32\DRIVERS\QuarticsWPMirror.sys [?]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [10/17/2007 11:11 PM 56448]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www.update
FF - ProfilePath - c:\documents and settings\Owner.Sutter\Application Data\Mozilla\Firefox\Profiles\uvbhgmvr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=BABTDF&PC=BBLN&q=
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-13 10:37:44
ComboFix-quarantined-files.txt 2010-10-13 14:37
ComboFix2.txt 2010-10-12 12:35
ComboFix3.txt 2010-10-09 13:04

Pre-Run: 18,427,355,136 bytes free
Post-Run: 18,401,669,120 bytes free

- - End Of File - - 4B83EC8BF5A611C0003DAE9A8A8B3483



GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:39 on 13/10/2010 (Owner)
Firefox version 3.5.13 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:08 02/12/2006]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [01:53 01/10/2010]

C:\Documents and Settings\Owner.Sutter\Application Data\Mozilla\Firefox\Profiles\uvbhgmvr.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [02:41 06/10/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:23 01/04/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:52 01/10/2010]
"msntoolbar@msn.com"="C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\Firefox" [19:59 08/10/2010]
"{27182e60-b5f3-411c-b545-b44205977502}"="C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\" [16:49 09/10/2010]

-=E.O.F=-



I am still getting redirects the same way I have been. Yahoo! redirects in FF and IE. Google does not.

Thanks for the help so far. Looking forward to your next post.

-sutman04
sutman04
Active Member
 
Posts: 14
Joined: October 5th, 2010, 11:37 pm

Re: Redirect malware

Unread postby askey127 » October 13th, 2010, 4:22 pm

sutman,
These rootkit infections can do anything, and sometimes the "results" of their handiwork are hard to find.

Start Firefox.
In the upper right. click the little arrow on the left hand edge of the Search bar.
Click "Manage search engines"
Please note down the search engines listed and tell me what they are.

At the bottom uncheck "Show search suggestions". Click OK.

Hit the < Alt > key.
Under the Tools menu at the top, click Options, and then the Content tab.
Uncheck the box labeled "Enable Java Script" and click OK.
Now use Firefox to do a search in Yahoo.

This will tell us whether the redirects are likely to be a result of a javascript.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Redirect malware

Unread postby sutman04 » October 13th, 2010, 5:40 pm

askey127,

Did all that with FF. Now I am getting all the Yahoo! search results that are being redirected to stall out on this page: hxxp://results.yahoo.com/ , with a 'continue' tab in the top left corner. Results are only being redirected about 1 out of every 5 times. I'll click a link and it will be redirected, then go back and click the same one and it won't be redirected.

Something new, in FF after click about 50 search results with google I got a redirect. It stalled out on hxxp://results.googleadservices.com/ with the same 'continue' tab in the top left corner.

In IE it still redirects all the way through. These redirects are about 1 in 5 as well. In the URL address I can see it flow through the hxxp://results.yahoo.com/ before going to a final page.

In IE there was no redirects using google.

Hope that information helps pin down this crazy thing. Thank you for all the help. Looking forward to your next post.

-Sutman04
sutman04
Active Member
 
Posts: 14
Joined: October 5th, 2010, 11:37 pm

Re: Redirect malware

Unread postby askey127 » October 17th, 2010, 1:27 pm

sutman,
Sorry I missed your reply.

Let's check whether you have any other leftover infected files or settings.
This scan can take a long time (hours), but it is very thorough. Please start it when you can let it finish.
It doesn't remove anything. The report, however, is very valuable.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Redirect malware

Unread postby askey127 » October 20th, 2010, 2:30 pm

Due to Lack of Response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 327 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware