Trojans still hijacking links! Trojan Vundo, gen???



#1 gg2327

Posted 08 May 2009 - 09:54 AM

Hi,

I'm still having problems with my links being redirected elsewhere, especially to this online scanner page which constantly tries to download antimalware to my computer. Rigel, the moderator at the Am I Infected forum, has helped me for over a week now but the problem is still there. He has asked me to post here. Here's a link to the thread. Thank you.

http://www.bleepingcomputer.com/forums/ind...p;#entry1238800




DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 15:40:41.00 on 08/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.73 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Movies\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209536619203
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ajn2sbye.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-25 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-4-29 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-4-29 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-4-29 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-25 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-25 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-25 55640]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-4-29 361160]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-4-29 3049160]
S2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\drivers\adildr.sys [2009-4-14 56088]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2009-05-07 17:20 --d----- c:\docume~1\admini~1\applic~1\eMusic
2009-05-07 17:19 --d----- c:\program files\eMusic Download Manager
2009-05-05 15:43 --d----- c:\windows\Downloaded Installations
2009-05-05 13:26 --d----- c:\documents and settings\administrator\DoctorWeb
2009-04-30 17:41 794 a------- c:\windows\system32\tmp.reg
2009-04-30 00:09 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-30 00:08 --d----- c:\program files\SUPERAntiSpyware
2009-04-30 00:08 --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-04-30 00:07 --d----- c:\program files\common files\Wise Installation Wizard
2009-04-29 03:16 --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-04-29 03:16 --d----- c:\docume~1\admini~1\applic~1\OnlineArmor
2009-04-29 03:16 196,688 a------- c:\windows\system32\drivers\OADriver.sys
2009-04-29 03:16 31,824 a------- c:\windows\system32\drivers\OAmon.sys
2009-04-29 03:16 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-04-29 03:16 --d----- c:\program files\Tall Emu
2009-04-28 16:29 0 a------- c:\documents and settings\administrator\settings.dat
2009-04-28 02:27 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-28 02:25 --d----- c:\windows\ERUNT
2009-04-28 00:23 --d----- C:\SDFix
2009-04-25 22:28 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-25 22:28 --d----- c:\program files\Avira
2009-04-25 22:28 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-25 21:52 249,856 -------- c:\windows\Setup1.exe
2009-04-25 21:52 73,216 a------- c:\windows\ST6UNST.EXE
2009-04-25 20:43 --d----- c:\program files\SpywareBlaster
2009-04-24 23:52 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-04-24 17:14 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-04-24 06:40 --d----- c:\program files\Agnitum
2009-04-23 23:10 155 a------- c:\windows\system32\SelfDel.bat
2009-04-22 23:07 --d----- c:\program files\Sunbelt Software
2009-04-22 18:33 --d----- c:\program files\directx
2009-04-17 23:13 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-17 03:57 --d----- c:\program files\The Adventure Company
2009-04-17 03:54 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-04-17 03:51 --d----- c:\program files\DAEMON Tools Pro
2009-04-17 00:45 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:45 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:45 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 00:45 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:45 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:45 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:45 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:45 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:45 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-16 23:45 --d----- c:\documents and settings\administrator\Tracing
2009-04-16 23:44 --d----- c:\program files\Microsoft
2009-04-16 23:44 --d----- c:\program files\Windows Live SkyDrive
2009-04-16 23:25 --d----- c:\windows\system32\XPSViewer
2009-04-16 23:23 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-16 23:23 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-16 23:23 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-16 23:23 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-16 23:23 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-16 23:23 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-16 23:23 --d----- C:\2a70f39ea7c0ab7c4ad410
2009-04-16 23:23 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-16 22:54 --d----- c:\docume~1\admini~1\applic~1\DAEMON Tools Pro
2009-04-16 22:49 685,816 a------- c:\windows\system32\drivers\sptd.sys
2009-04-15 18:17 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 18:17 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 18:17 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 15:14 268,648 a------- c:\windows\system32\mucltui.dll
2009-04-15 15:14 208,744 a------- c:\windows\system32\muweb.dll
2009-04-15 15:14 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-04-15 02:51 499,712 a------- c:\windows\system32\msvcp71.dll
2009-04-15 02:51 348,160 a------- c:\windows\system32\msvcr71.dll
2009-04-15 02:51 --d----- c:\program files\Real Alternative
2009-04-14 22:50 --d----- c:\program files\Mingjong
2009-04-14 22:50 245,408 a------- c:\windows\system32\unicows.dll
2009-04-14 22:50 53,248 a------- c:\windows\system32\dsnpstd2.dll
2009-04-14 22:50 40,960 a------- c:\windows\vsnpstd2.exe
2009-04-14 22:50 15,541 a------- c:\windows\snpstd2.ini
2009-04-14 22:50 13,023 a------- c:\windows\snpstd2.src
2009-04-14 22:49 302,720 a------- c:\windows\system32\drivers\snpstd2.sys
2009-04-14 22:49 61,440 a------- c:\windows\system32\csnpstd2.dll
2009-04-14 22:49 40,960 a------- c:\windows\system32\rsnpstd2.dll
2009-04-14 22:49 36,864 a------- c:\windows\system32\vsnpstd2.dll
2009-04-14 22:49 36,864 a------- c:\windows\system32\dsnpstd2.ax
2009-04-14 22:49 20,480 a------- c:\windows\usnpstd2.exe
2009-04-14 22:49 --d----- c:\program files\common files\snpstd2
2009-04-14 17:29 --d----- c:\program files\Spybot - Search & Destroy
2009-04-14 17:29 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-14 17:28 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-04-14 17:28 --d--r-- c:\program files\Skype
2009-04-14 17:14 --d----- c:\program files\CCleaner
2009-04-14 17:13 --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-04-14 17:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-14 17:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 17:13 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-14 17:13 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-14 16:28 --d----- c:\program files\common files\Windows Live
2009-04-14 16:27 --d----- c:\program files\VideoLAN
2009-04-14 16:26 --d----- c:\program files\GRETECH
2009-04-14 14:21 --d----- C:\Movies
2009-04-14 13:51 --d----- c:\program files\SAGEM
2009-04-09 15:58 990 a------- c:\windows\adiras.ini
2009-04-09 11:05 5,504 ac------ c:\windows\system32\dllcache\mstee.sys
2009-04-09 11:05 5,504 a------- c:\windows\system32\drivers\MSTEE.sys
2009-04-09 11:02 --d-h--- c:\windows\msdownld.tmp
2009-04-09 11:02 --d----- c:\program files\Windows Media Components
2009-04-09 11:01 53,248 a------- c:\windows\amcap.exe
2009-04-09 10:40 60,032 ac------ c:\windows\system32\dllcache\usbaudio.sys
2009-04-09 10:40 60,032 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-04-09 10:39 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-04-09 10:39 32,128 a------- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-04-14 13:52 32 a------- c:\windows\system32\drivers\adidsl.cfg
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2008-10-25 08:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 15:42:32.92 ===============


#2 teacup61 (Malware Response Team)

Posted 23 May 2009 - 09:51 AM

Hello gg2327,

Sorry about the delay. :thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you. I've read your other thread, so we'll go from there. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 gg2327

Posted 24 May 2009 - 06:18 PM

Hi tea,

Here are the new hijack logs. Thank you :thumbup2:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 0:13:00.39 on 25/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.510.78 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Movies\install\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [YouSendIt.exe] c:\program files\yousendit\express\YouSendIt.exe -ui none
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209536619203
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ajn2sbye.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-25 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-4-29 196688]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-4-29 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-4-29 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-25 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-25 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-25 55640]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-4-29 361160]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-4-29 3049160]
S2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\drivers\adildr.sys [2009-4-14 56088]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2009-05-08 23:17 <DIR> --d----- c:\docume~1\admini~1\applic~1\YouSendIt
2009-05-07 17:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\eMusic
2009-05-07 17:19 <DIR> --d----- c:\program files\eMusic Download Manager
2009-05-05 15:43 <DIR> --d----- c:\windows\Downloaded Installations
2009-05-05 13:26 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-04-30 17:41 794 a------- c:\windows\system32\tmp.reg
2009-04-30 00:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-30 00:08 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-30 00:08 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-04-30 00:07 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-29 03:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-04-29 03:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\OnlineArmor
2009-04-29 03:16 196,688 a------- c:\windows\system32\drivers\OADriver.sys
2009-04-29 03:16 31,824 a------- c:\windows\system32\drivers\OAmon.sys
2009-04-29 03:16 29,776 a------- c:\windows\system32\drivers\OAnet.sys
2009-04-29 03:16 <DIR> --d----- c:\program files\Tall Emu
2009-04-28 16:29 0 a------- c:\documents and settings\administrator\settings.dat
2009-04-28 02:27 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-28 02:25 <DIR> --d----- c:\windows\ERUNT
2009-04-28 00:23 <DIR> --d----- C:\SDFix
2009-04-25 22:28 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-25 22:28 <DIR> --d----- c:\program files\Avira
2009-04-25 22:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-25 21:52 249,856 -------- c:\windows\Setup1.exe
2009-04-25 21:52 73,216 a------- c:\windows\ST6UNST.EXE
2009-04-25 20:43 <DIR> --d----- c:\program files\SpywareBlaster

==================== Find3M ====================

2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-04-24 17:14 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-04-16 22:49 685,816 a------- c:\windows\system32\drivers\sptd.sys
2009-04-14 13:52 32 a------- c:\windows\system32\drivers\adidsl.cfg
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2008-10-25 08:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 0:14:47.98 ===============


#4 teacup61 (Malware Response Team)

Posted 24 May 2009 - 07:22 PM

Hello,

Apologies, I thought you already had HijackThis.

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Post that in your reply also. :thumbup2:

Thanks,
tea

#5 gg2327

Posted 25 May 2009 - 11:57 AM

GooredFix v1.92 by jpshortstuff
Log created at 17:40 on 25/05/2009 running Option #1 (Administrator)
Firefox version 3.0.10 (en-GB)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{3687D1FC-3573-460F-8E92-BB1462E79939}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:41:21, on 25/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\System32\msiexec.exe
C:\Movies\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1209536619203
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 4408 bytes
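An approximation of the kind of check GooredFix reports in the Option #1 log above, written for this page as an added example (it is not the thread's or the GooredFix tool's own code): parse the log's registry dump, collect the extension IDs that the `HKLM\SOFTWARE\Mozilla\Firefox\extensions` key vouches for, and flag GUID-named folders in the program-wide Firefox extensions directory that no such entry accounts for. The log text is the one posted above; the folder listing and the default-theme allowlist are constructed assumptions.

```python
"""Triage the Firefox "Goored" redirect pattern from a GooredFix-style log.

Added example, not part of the thread and not GooredFix's own logic. Everything
runs offline on the constructed inputs below.
"""
import re
from typing import List, Set, Tuple

# GUID-style folder names, e.g. {3687D1FC-3573-460F-8E92-BB1462E79939}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
HEADER_RE = re.compile(r"^=====(.+?)=====$")          # =====Section Name=====
REG_KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_LOCAL_MACHINE\...]
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')        # "name"="data"

# Assumption of this example: the default theme Firefox 3.0 ships in
# <install dir>\extensions is never a suspect.
KNOWN_GOOD = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}

# The Option #1 log posted in the thread (values taken from the page).
SAMPLE_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 17:40 on 25/05/2009 running Option #1 (Administrator)
Firefox version 3.0.10 (en-GB)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{3687D1FC-3573-460F-8E92-BB1462E79939}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"
"""

# Constructed listing of C:\Program Files\Mozilla Firefox\extensions:
# the shipped default theme, the folder GooredFix flagged in the thread, and
# (pretend) the Google Toolbar folder, which the registry dump does vouch for.
SAMPLE_EXTENSIONS_DIR = [
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}",
    "{3687D1FC-3573-460F-8E92-BB1462E79939}",
    "{3112ca9c-de6d-4884-a869-9855de68056c}",
]


def parse_goored_log(text: str) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Return (suspect paths, registry triples (key, value name, value data))."""
    suspects: List[str] = []
    registry: List[Tuple[str, str, str]] = []
    section = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1).strip().lower()
            key = None
            continue
        if section == "suspect goored entries":
            suspects.append(line)
        elif section == "dumping registry values":
            k = REG_KEY_RE.match(line)
            if k:
                key = k.group(1)
                continue
            v = REG_VALUE_RE.match(line)
            if v and key is not None:
                registry.append((key, v.group(1), v.group(2)))
    return suspects, registry


def registered_extension_ids(registry: List[Tuple[str, str, str]]) -> Set[str]:
    """Extension GUIDs registered under ...\\Mozilla\\Firefox\\extensions.

    Both the value name and the last component of the value data are accepted,
    since legitimate installers use either form. IDs are lower-cased for matching.
    """
    ids: Set[str] = set()
    for key, name, data in registry:
        if not key.lower().endswith(r"\mozilla\firefox\extensions"):
            continue
        for candidate in (name, data.rstrip("\\").rsplit("\\", 1)[-1]):
            if GUID_RE.match(candidate):
                ids.add(candidate.lower())
    return ids


def find_unregistered_extensions(folder_names: List[str], registered: Set[str]) -> List[str]:
    """GUID-named folders in the program-wide extensions dir that neither
    Firefox shipped nor any registry entry accounts for: the Goored pattern."""
    return [
        name for name in folder_names
        if GUID_RE.match(name)
        and name.lower() not in KNOWN_GOOD
        and name.lower() not in registered
    ]


if __name__ == "__main__":
    suspects, registry = parse_goored_log(SAMPLE_LOG)
    ids = registered_extension_ids(registry)
    print("reported by log :", suspects)
    print("registered IDs  :", sorted(ids))
    print("flagged locally :", find_unregistered_extensions(SAMPLE_EXTENSIONS_DIR, ids))
```

On a live machine the constructed listing would be replaced by `os.listdir()` of the Firefox extensions folder and the registry dump by a `reg query` export; the matching logic stays the same.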

#6 teacup61 (Malware Response Team)

Posted 25 May 2009 - 12:01 PM

Hello there,

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Please let me know if the redirects stop after that. :thumbup2:

Thanks,
tea

#7 gg2327

Posted 26 May 2009 - 07:46 PM

Hi tea,

I don't think I'm having any more redirect problems. :thumbup2: Could you tell me what was causing it? Was it a virus, or a Google problem? I've been reading that lots of people were having this problem with Google search. Logs posted below. Thank you!



GooredFix v1.92 by jpshortstuff
Log created at 01:34 on 27/05/2009 running Option #2 (Administrator)
Firefox version 3.0.10 (en-GB)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{3687D1FC-3573-460F-8E92-BB1462E79939}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}"

#8 teacup61 (Malware Response Team)

Posted 27 May 2009 - 04:53 PM

Hello,

It's not Google... it's an infection that only affects Firefox and redirects Google. You can delete GooredFix. :thumbup2:

Everything else running all right?

tea

#9 gg2327

Posted 27 May 2009 - 05:12 PM

Hi tea,

Thanks for helping me fix the redirect problems :thumbup2:
The only other thing wrong with the computer now is the recent occurrence of Windows Live Messenger restarting my PC 3 or 4 times for no apparent reason. I have reinstalled Windows Live to see if that works but won't have the chance to test it out till next week when I have my weekly family chats. I will post another log if I still have that problem. Thanks a lot for your help :)

#10 teacup61 (Malware Response Team)

Posted 27 May 2009 - 05:42 PM

You're welcome. :) I'll leave the thread open until I hear from you then, so please do let me know. :thumbup2:

tea

#11 gg2327

Posted 28 May 2009 - 06:39 PM

Hi tea,

I will let you know then this coming Monday, when I'll have a chance to use MSN chat. Thanks!

#12 gg2327

Posted 01 June 2009 - 09:49 AM

Hi tea,

MSN chat was fine today, so everything is working fine now. Thanks again for all your help in fixing my problem! :thumbup2:

#13 teacup61 (Malware Response Team)

Posted 10 June 2009 - 12:02 AM

You're most welcome, and glad all went well for you. :thumbup2:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.