Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Web search links are hijacked, cant seem to clean

Post by friggenPC » August 7th, 2009, 7:55 pm

I have some sort of malware that hijacks web search links. (Example: do a Google search, click on a link from the hit list, and the browser will jump to some other random search assistant site, and from there every link jumps to a "you are infected" web site that lists viruses on drives that are not even present. A dialog box will prompt for OK to install a virus remover (which attempts to install trojans, and the cancel button does not work); the only way to leave the site is to Ctrl + Alt + Del and kill all web sessions.) I am running ParetoLogic and Malwarebytes Anti-Malware. The anti-malware app can find programs, and it does report removing them, but the browser still gets redirected.

I am adding a new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:30:22 PM, on 8/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Dan Jordan\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDTray] C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.co.uk/save/makeover.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/tes ... eGames.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4754336213
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.tikgames.com/Portals/0/Onlin ... dfever.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://employees.onbase.com/dana-cache ... Client.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe

--
End of file - 8776 bytes
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Post by MWR 3 day Mod » August 11th, 2009, 11:58 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Web search links are hijacked, cant seem to clean

Post by Odd dude » August 13th, 2009, 4:47 am

Looking over your log - back in a second. :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Web search links are hijacked, cant seem to clean

Post by Odd dude » August 13th, 2009, 4:56 am

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you to get rid of whatever you have on your computer (don't worry, just the malware stuff :D). However, it is important to take note of the following:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please try to reply within three days - failure to do so might result in this thread being archived before we have finished cleaning you up. :o
    If you need more time than that, all you need to do is tell me. ;)
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.


DDS (Doesn't Do Squat)
Download DDS by sUBs to your desktop.
Your antivirus software might question the file. If it does, turn it off please :)
  • Double click DDS.scr to run it and wait for the scan to finish
  • When finished DDS.txt will open
  • A small while later, a prompt will open. Answer Yes
  • DDS will continue scanning
  • When done, Attach.txt will open
  • Post DDS.txt and attach Attach.txt
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Web search links are hijacked, cant seem to clean

Post by friggenPC » August 13th, 2009, 10:05 pm

first log dds.txt


DDS (Ver_09-07-30.01) - NTFSx86
Run by Dan Jordan at 21:59:57.14 on Thu 08/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.171 [GMT -4:00]

AV: The Shield Deluxe 2008 *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: The Shield Deluxe 2008 *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Livescribe\Livescribe Desktop\LDTray.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Dan Jordan\Local Settings\Temporary Internet Files\Content.IE5\006Y6MTB\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.toshiba.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe
uRun: [ParetoLogic Anti-Spyware] "c:\program files\paretologic\anti-spyware\Pareto_AS.exe" -NM -hidesplash
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TMESBS.EXE] c:\program files\toshiba\tme3\TMESBS32.EXE /Client
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LDTray] c:\program files\livescribe\livescribe desktop\LDTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2008\scieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} - hxxp://makeover.ivillage.co.uk/save/makeover.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan ... stubie.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/tes ... eGames.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 4754336213
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/share ... cgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://www.tikgames.com/Portals/0/Onlin ... dfever.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://employees.onbase.com/dana-cache ... Client.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: PASShlExt Class: {51c55f9e-c308-4c95-89ab-8858d8afd819} - c:\program files\paretologic\anti-spyware\PASShlExt.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-19 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-2 130936]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2001-10-22 33496]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\common files\livescribe\pencomm\PenCommService.exe [2009-6-23 151552]
R2 Tmesbs;Tmesbs32;c:\program files\toshiba\tme3\tmesbs32.exe [2003-1-3 77824]
S2 mrtRate;mrtRate; [x]
S3 AVP;The Shield Deluxe 2008;c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe [2007-8-23 200768]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2001-11-2 114749]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-29 33752]
S3 MSSEARCH;Microsoft Search;c:\program files\common files\system\mssearch\bin\mssearch.exe [2005-10-9 73728]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-2 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-2 1097096]
S3 wlags48b;Wireless LAN PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [2003-1-21 156672]

=============== Created Last 30 ================

2009-08-12 09:09 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 09:09 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 23:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19550934
2009-08-02 23:40 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-02 23:40 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-02 23:40 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-02 23:39 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-02 23:39 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-02 23:39 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-02 23:39 <DIR> --d----- c:\docume~1\danjor~2\applic~1\PC Tools
2009-08-02 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-27 20:59 2,206 a------- c:\windows\system32\wpa.dbl
2009-07-24 00:02 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-07-24 00:02 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-07-21 14:01 <DIR> --d----- c:\docume~1\danjor~2\applic~1\ParetoLogic
2009-07-21 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-07-21 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-07-21 12:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Spyware
2009-07-21 12:02 <DIR> --d----- c:\program files\ParetoLogic
2009-07-21 12:02 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-07-21 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RegCure
2009-07-20 22:51 <DIR> --d----- c:\program files\QUAD Utilities
2009-07-19 11:28 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-07-19 11:27 <DIR> --d----- c:\program files\Panda Security
2009-07-19 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2009-07-18 20:18 12,805 a------- c:\docume~1\danjor~2\applic~1\ygejeba.bin
2009-07-17 15:01 58,880 -c------ c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-12 22:49 1,155,104 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-08-12 22:49 109,364 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-24 21:20 15,233,824 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-24 21:20 206,144 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-18 20:41 968 ----h--- c:\windows\fonts\mlog
2009-07-18 20:18 11,905 a------- c:\program files\common files\cudejit.dl
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2005-10-12 17:04 0 a---h--- c:\docume~1\alluse~1\applic~1\msds.dat
2009-02-21 09:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022120090222\index.dat

============= FINISH: 22:02:48.65 ===============
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Post by friggenPC » August 13th, 2009, 10:10 pm

Thanks and understand the effort.

second dds log
attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/6/2005 7:39:32 PM
System Uptime: 8/13/2009 9:07:33 PM (1 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | uFC-PGA Socket | 2394/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 56 GiB total, 18.733 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP450: 7/13/2009 11:04:28 PM - System Checkpoint
RP451: 7/13/2009 11:04:29 PM - System Checkpoint
RP452: 7/13/2009 11:04:29 PM - System Checkpoint
RP453: 7/13/2009 11:04:29 PM - System Checkpoint
RP454: 7/13/2009 11:04:29 PM - Software Distribution Service 3.0
RP455: 7/13/2009 11:04:29 PM - System Checkpoint
RP456: 7/13/2009 11:04:29 PM - System Checkpoint
RP457: 7/13/2009 11:04:29 PM - System Checkpoint
RP458: 7/13/2009 11:04:29 PM - System Checkpoint
RP459: 7/13/2009 11:04:29 PM - Software Distribution Service 3.0
RP460: 7/13/2009 11:04:29 PM - System Checkpoint
RP461: 7/13/2009 11:04:29 PM - System Checkpoint
RP462: 7/13/2009 11:04:30 PM - Installed Java(TM) 6 Update 13
RP463: 7/13/2009 11:04:30 PM - System Checkpoint
RP464: 7/13/2009 11:04:30 PM - Software Distribution Service 3.0
RP465: 7/13/2009 11:04:30 PM - System Checkpoint
RP466: 7/13/2009 11:04:30 PM - System Checkpoint
RP467: 7/13/2009 11:04:30 PM - System Checkpoint
RP468: 7/13/2009 11:04:30 PM - System Checkpoint
RP469: 7/13/2009 11:04:30 PM - System Checkpoint
RP470: 7/13/2009 11:04:30 PM - System Checkpoint
RP471: 7/13/2009 11:04:30 PM - System Checkpoint
RP472: 7/13/2009 11:04:30 PM - System Checkpoint
RP473: 7/13/2009 11:04:30 PM - System Checkpoint
RP474: 7/13/2009 11:04:31 PM - System Checkpoint
RP475: 7/13/2009 11:04:32 PM - System Checkpoint
RP476: 7/13/2009 11:04:32 PM - System Checkpoint
RP477: 7/13/2009 11:04:32 PM - System Checkpoint
RP478: 7/13/2009 11:04:32 PM - Software Distribution Service 3.0
RP479: 7/13/2009 11:04:32 PM - System Checkpoint
RP480: 7/13/2009 11:04:32 PM - System Checkpoint
RP481: 7/13/2009 11:04:32 PM - System Checkpoint
RP482: 7/13/2009 11:04:32 PM - System Checkpoint
RP483: 7/13/2009 11:04:32 PM - System Checkpoint
RP484: 7/13/2009 11:04:32 PM - Software Distribution Service 3.0
RP485: 7/13/2009 11:04:32 PM - Installed Livescribe™ Desktop
RP486: 7/13/2009 11:04:32 PM - Installed Java(TM) SE Development Kit 6
RP487: 7/13/2009 11:04:32 PM - Installed Java(TM) SE Runtime Environment 6
RP488: 7/13/2009 11:04:32 PM - System Checkpoint
RP489: 7/13/2009 11:04:33 PM - System Checkpoint
RP490: 7/13/2009 11:04:33 PM - System Checkpoint
RP491: 7/13/2009 11:04:33 PM - System Checkpoint
RP492: 7/13/2009 11:04:33 PM - System Checkpoint
RP493: 7/13/2009 11:04:33 PM - System Checkpoint
RP494: 7/14/2009 9:22:08 PM - Software Distribution Service 3.0
RP495: 7/30/2009 7:59:05 PM - System Checkpoint
RP496: 7/30/2009 11:41:57 PM - Software Distribution Service 3.0
RP497: 8/12/2009 12:02:07 PM - System Checkpoint
RP498: 8/12/2009 1:48:03 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
AnswerWorks 4.0 Runtime - English
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
AT&T Connection Services Manager
Avery® Wizard 2.1 for Microsoft® Office Word 2003
AVS Video Tools 5.3
Bluetooth Stack for Windows by Toshiba
Bonjour
C4F Vista P2P Toolkit
Critical Update for Windows Media Player 11 (KB959772)
Disney Pirates of the Caribbean Online
Drag'n Drop CD
Dragon NaturallySpeaking 7.3
DVD-RAM Driver
EDR
Game Creators Dark GDK
HASP Device Driver
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Deskjet 3740
HP Software Update
InterActual Player
InterVideo WinDVD 4
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_10
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6
Java(TM) SE Runtime Environment 6
Juniper Networks Host Checker
Juniper Networks Setup Client
Lexmark 730 Series
LG USB Drivers
LiveReg (Symantec Corporation)
Livescribe™ Desktop
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2000
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft Streets and Trips 2005 with USB GPS
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C# 2005 Express Edition - ENU
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)
Microsoft Visual C# 2008 Express Edition - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows SDK for Visual Studio 2008 Express Tools for .NET Framework
Microsoft Windows SDK for Visual Studio 2008 Express Tools for Win32
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MyScript for Livescribe 1.0
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan 2.0
ParetoLogic Anti-Spyware
ParetoLogic Privacy Controls
PEERNET.DRV eTIFF 5.0 Developer Edition
PQ DVD to iPod Video Converter (remove only)
PQ DVD to iPod Video Suite (remove only)
PrimalScript 3.1
PrimalSQL
Quicken 2006
QuickTime
RealPlayer Basic
RegCure 1.6.0.0
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SmartSoft Video Converter
SoundMAX
Spyware Doctor 6.1
SureThing CD Labeler - Stomper Edition 32 bit
Symantec pcAnywhere
Synaptics Pointing Device Driver
The Shield Deluxe 2008
Torque X
Toshiba Access
TOSHIBA ConfigFree
TOSHIBA Console
TOSHIBA Controls
TOSHIBA Display Devices Change Utility
Toshiba Hotkey Utility for Display Devices
TOSHIBA Mobile Extension3 for Windows XP V3.33.00.XP
TOSHIBA Power Saver
Toshiba Software Upgrades
Toshiba Tbiosdrv Driver
TOSHIBA Utilities
Toshiba WinXP Registration
TurboTax Deluxe 2003
TurboTax Deluxe 2005
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2005
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
V CAST Music
VPN Client
WebFldrs XP
WexTech AnswerWorks
Windows Driver Package - Livescribe (PulseUsb) Image (03/19/2009 2.0.12.1)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinMPG VideoConvert 6.5.1
WinZip
Wireless Hotkey
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

8/9/2009 8:45:45 AM, error: System Error [1003] - Error code 100000d1, parameter1 e213e000, parameter2 00000002, parameter3 00000000, parameter4 f5279a60.
8/9/2009 11:45:35 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxcf_device service to connect.
8/9/2009 11:45:35 AM, error: Service Control Manager [7000] - The lxcf_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/9/2009 11:45:35 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service lxcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}
8/11/2009 8:51:47 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0080C810F8B5 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
8/10/2009 8:26:10 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Unread postby Odd dude » August 14th, 2009, 4:41 am

Backup the registry
  1. Download ERUNT to your desktop from HERE
  2. Double-click on the file to install the program
  3. Uncheck the NTREGOPT desktop shortcut option
  4. Click No when you get the option to run ERUNT at Windows startup.
  5. During the installation, check Launch ERUNT
  6. Accept the defaults for running a backup
  7. ERUNT will then back up your registry

Click Start>Run and copy and paste this
sc delete mrtRate

Click OK. A black box opens and closes in the blink of an eye. That is expected.

Submit a file for analysis
We need to have something checked for malware. Please go to Jotti's.
  • Click Browse next to File to upload & scan and copy and paste the first line of the following list into the browse box:
    c:\program files\common files\cudejit.dl
  • Click Submit. The file will now be scanned for malware and the results will be displayed on the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste this to Notepad.
  • Repeat this procedure for any other files I have listed.
  • Copy and paste the whole notepad file you just made into your reply.

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
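
The log posted earlier in the thread has a Service Control Manager [7000] entry saying the mrtRate service failed to start because its file could not be found, and the post above removes that service entry with sc delete. As an added example (not part of the original posts and not a tool used in the thread), this Python script parses event lines in that log's format and separates start failures caused by a missing binary from ordinary start timeouts; the function names and category labels are assumptions made for illustration.

```python
import re
from datetime import datetime

# Lines copied from the "Event Viewer Messages From Past Week" section of the
# log posted in this thread.
SAMPLE_LOG = """\
8/9/2009 11:45:35 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxcf_device service to connect.
8/9/2009 11:45:35 AM, error: Service Control Manager [7000] - The lxcf_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/11/2009 8:51:47 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0080C810F8B5 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
8/10/2009 8:26:10 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
"""

EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
START_FAIL_RE = re.compile(
    r"^The (?P<service>.+?) service failed to start due to the following error: "
    r"(?P<reason>.*)$"
)

def parse_events(text):
    """Yield one dict per well-formed event line; skip anything else."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["when"], "%m/%d/%Y %I:%M:%S %p")
        ev["event_id"] = int(ev["event_id"])
        yield ev

def failed_service_starts(text):
    """Return (service, category, timestamp) for each SCM event 7000, oldest first."""
    findings = []
    for ev in parse_events(text):
        if ev["source"] != "Service Control Manager" or ev["event_id"] != 7000:
            continue
        m = START_FAIL_RE.match(ev["message"])
        if not m:
            continue
        reason = m["reason"].lower()
        if "cannot find the file" in reason:
            category = "missing-binary"  # service entry points at a file that is gone
        elif "did not respond" in reason:
            category = "start-timeout"   # service was launched but never reported in
        else:
            category = "other"
        findings.append((m["service"], category, ev["when"]))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    for service, category, when in failed_service_starts(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M}  {service:<12} {category}")
```

A missing-binary result only says the registered service has no file behind it; whether the entry is a leftover from removed malware or from an uninstalled program still has to be judged from the rest of the log.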

Re: Web search links are hijacked, cant seem to clean

Unread postby friggenPC » August 14th, 2009, 7:53 pm

Jotti's found nothing;
2009-08-13 Found nothing 2009-08-15 Found nothing
2009-08-15 Found nothing 2009-08-14 Found nothing
2009-08-14 Found nothing 2009-08-14 Found nothing
2009-08-14 Found nothing 2009-08-14 Found nothing
2009-08-14 Found nothing 2009-08-14 Found nothing
2009-08-10 Found nothing 2009-08-14 Found nothing
2009-08-14 Found nothing 2009-08-13 Found nothing
2009-08-14 Found nothing 2009-08-15 Found nothing
2009-08-15 Found nothing 2009-08-13 Found nothing
2009-08-14 Found nothing 2009-08-14 Found nothing
2009-08-14 Found nothing
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Unread postby friggenPC » August 14th, 2009, 7:56 pm

The GMER log file exceeds the max num char allowed, do you want it in pieces or a specific section?

Your message contains 595717 characters. The maximum number of allowed characters is 100000
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Unread postby Odd dude » August 15th, 2009, 4:24 am

Please put it in a zip file and attach it (there's a function for attaching files below the 'Submit' button when you add a new reply to this topic).
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Web search links are hijacked, cant seem to clean

Unread postby friggenPC » August 15th, 2009, 10:05 am

Zipped GMER log and attached as requested.

On a side note I will be going out of town Sunday night and will not have access to this PC until the following Sat 8/22. Is it possible to keep the issue open if it is not resolved by tomorrow?
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Unread postby Odd dude » August 15th, 2009, 10:11 am

friggenPC wrote: On a side note I will be going out of town Sunday night and will not have access to this PC until the following Sat 8/22. Is it possible to keep the issue open if it is not resolved by tomorrow?
That's fine. :)

Malwarebytes' Anti-Malware
I need you to download Malwarebytes' Anti-Malware.

  • Install the program by following the prompts after double-clicking on mbam-setup.exe
  • Once you approach the final installation screen, put a check next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish
  • MBAM (that's an acronym of Malwarebytes' Anti-Malware) will now start. Choose Perform full scan and click Scan
  • Get a cup of coffee/tea/hot chocolate and watch some TV for about an hour.
  • Once the scan has finished, click OK, then Show Results.
  • Put a check next to everything, then click Remove selected.
  • Now, a log will open. Save this to your desktop and post it.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Web search links are hijacked, cant seem to clean

Unread postby friggenPC » August 15th, 2009, 12:25 pm

Malwarebytes' Anti-Malware 1.39
Database version: 2494
Windows 5.1.2600 Service Pack 3

8/15/2009 12:23:21 PM
mbam-log-2009-08-15 (12-23-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 215138
Time elapsed: 49 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm

Re: Web search links are hijacked, cant seem to clean

Unread postby Odd dude » August 15th, 2009, 12:29 pm

Kaspersky Online Scan
I would like you to run an online antivirus scan. Please click here to be taken to the Kaspersky site.

  • The site will present you with a list of important items. Read those. If you're unsure about something, stop and ask! If you're sure everything is all right, close all other windows.
  • Now, click Accept.
  • It will start a download roughly 10 MB in size. If prompted by your firewall to allow internet access, allow.
  • Once the download has finished, click Next.
  • Under Please select a target to scan, choose My Computer
  • Get a cup of coffee and watch some TV. Do not run any other programs while Kaspersky is scanning! If you're on dial-up, you can now terminate the internet connection if you wish.
  • Once finished, you will be presented with the results. Click Save as text and save the log to your desktop.

Post the results in your next reply.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Web search links are hijacked, cant seem to clean

Unread postby friggenPC » August 15th, 2009, 1:58 pm

Having trouble with the Kaspersky app: it says I need Java, but I have installed it, uninstalled, gone through troubleshooting and am trying again.
friggenPC
Active Member
 
Posts: 13
Joined: August 1st, 2009, 5:44 pm