Redirect malware-sites being redirected


This topic is locked. 6 replies to this topic.

#1 avenues
Posted 16 May 2009 - 10:09 PM

Hi
I am using Windows XP Service Pack 3. The infection causes redirects to occur on links that I click on, forcing the browser (Firefox 3), instead of displaying the correct website, to show other, clearly suspicious and incorrect, sites. I can only copy and paste the site link into the address bar to get to the proper sites, after which pressing the 'back' button does not go to the correct page but redirects more.
I have run, in safe mode, the following:
Spybot
Malwarebytes Anti-Malware
SpyHunter
ComboFix (though it told me I had AVG still running, which I could not find running, though the files do exist; I thought they had been disabled, so I did nothing with ComboFix)
My antivirus program is Avast.
I have run multiple scans in safe mode and this hijack seems to get worse.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Leo at 19:45:00.40 on Sat 05/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.540 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1335 [VPS 090516-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Turtle Beach\MontegoDDL\TBMontegoTray.exe
C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Intuit\QuickBooks 2007\qbw32.exe
E:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Documents and Settings\Leo\Desktop\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Leo\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - e:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.17\AsRunHelp.exe
mRun: [Norton Ghost 12.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Turtle Beach Montego DDL] "c:\program files\turtle beach\montegoddl\TBMontegoTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [hpqSRMon] c:\program files\hewlett-packard\hp laserjet 1160_1320 series\digital imaging\bin\hpqSRMon.exe
mRun: [<NO NAME>]
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\leo\startm~1\programs\startup\mailwa~1.lnk - c:\program files\firetrust\mailwasher pro\MailWasher.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoActiveDesktop = 01000000
IE: Append to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://ra.intuit.com/sdccommon/download/tgctlcm.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {51A1CDAB-573D-45A4-B69F-B44791DFF60A} - hxxp://dot.pima.gov/gis/pictometry/viewer/ver30b/PictImageCtrl30.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://tarmls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196723286781
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - e:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leo\applic~1\mozilla\firefox\profiles\dbqbe4oh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\leo\application data\mozilla\firefox\profiles\dbqbe4oh.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\leo\application data\mozilla\firefox\profiles\dbqbe4oh.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: e:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-6 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-5-6 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-5-6 39200]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-24 114768]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-5-6 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-24 138680]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-6 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-6 1095560]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-24 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-24 352920]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-6 64392]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-5-6 33056]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 gupdate1c9c8e1e0b8875a;Google Update Service (gupdate1c9c8e1e0b8875a);c:\program files\google\update\GoogleUpdate.exe [2009-4-29 133104]
S2 QuickBooksDB17;QuickBooksDB17;e:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> e:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

=============== Created Last 30 ================

2009-05-15 17:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-15 16:56 <DIR> --d----- c:\program files\CleanUp!
2009-05-15 14:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-15 14:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-15 14:16 <DIR> --d----- c:\docume~1\leo\applic~1\SUPERAntiSpyware.com
2009-05-15 14:14 1,341,005 a------- C:\MGtools.exe
2009-05-15 13:48 <DIR> --d----- c:\program files\CCleaner
2009-05-13 18:23 <DIR> --d----- c:\program files\ThreatExpert Memory Scanner
2009-05-11 08:55 <DIR> --d----- c:\docume~1\leo\applic~1\EMCO
2009-05-11 08:55 <DIR> --d----- c:\program files\EMCO
2009-05-10 10:55 <DIR> --d----- c:\program files\Enigma Software Group
2009-05-06 19:51 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-05-06 19:51 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-05-06 19:51 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-05-06 19:51 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-05-06 19:50 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-06 19:50 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-06 19:50 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-06 19:50 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-06 19:47 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-06 19:47 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-05-06 19:47 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-05-06 19:47 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-05-06 19:47 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-05-06 19:46 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-06 19:46 <DIR> --d----- c:\docume~1\leo\applic~1\PC Tools
2009-05-04 18:53 <DIR> --d----- c:\program files\IKEA HomePlanner
2009-05-04 18:52 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-02 20:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-28 16:37 <DIR> --d----- C:\Outlook on the Desktop
2009-04-26 15:33 <DIR> --d----- c:\program files\common files\Control Panels
2009-04-26 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2009-04-26 15:10 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-04-26 15:10 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-04-26 15:00 <DIR> --d----- c:\program files\Bonjour
2009-04-26 13:46 0 a------- c:\windows\ativpsrm.bin
2009-04-26 13:42 1,149 a------- c:\windows\ATICIM.INI
2009-04-26 13:42 <DIR> --d----- c:\program files\ATI Technologies
2009-04-24 17:01 <DIR> --d----- c:\docume~1\leo\applic~1\Malwarebytes
2009-04-24 17:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 17:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 17:01 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-24 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-24 14:47 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-24 02:10 <DIR> --d----- C:\VProRecovery
2009-04-23 22:44 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-23 20:33 8,552,448 a------- c:\windows\system32\software
2009-04-23 20:33 1,449,984 a------- c:\windows\system32\system
2009-04-23 20:33 225,280 a------- c:\windows\system32\default
2009-04-23 20:33 32,768 a------- c:\windows\system32\security
2009-04-23 20:33 24,576 a------- c:\windows\system32\sam
2009-04-23 20:25 <DIR> --d----- c:\windows\tmp
2009-04-23 16:59 <DIR> --d----- c:\program files\XP Smoker
2009-04-23 16:59 4,136,050 a------- c:\docume~1\leo\applic~1\xps.exe
2009-04-23 13:01 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-04-17 16:13 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-17 12:23 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-17 12:23 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 12:23 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-17 12:23 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-17 12:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-17 12:23 <DIR> --d----- c:\docume~1\leo\applic~1\AVGTOOLBAR
2009-04-17 12:23 <DIR> --d----- c:\program files\AVG
2009-04-17 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-04-26 13:41 598,016 a------- c:\windows\system32\ati2evxx.exe
2009-04-26 13:41 143,360 a------- c:\windows\system32\ati2evxx.dll
2009-04-26 13:41 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-04-26 13:41 577,536 a------- c:\windows\system32\ati2cqag.dll
2009-04-26 13:41 318,464 a------- c:\windows\system32\ati2dvag.dll
2009-04-26 13:41 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2009-04-26 13:41 48,640 a------- c:\windows\system32\amdpcom32.dll
2009-04-26 13:41 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-04-24 16:59 23,704 a------- c:\windows\system32\tcpipbak.reg
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-25 09:48 2,434,544 a------- c:\windows\npdbplug.dll
2009-02-25 09:48 1,019,360 a------- c:\windows\dbplugin.exe
2009-02-25 09:48 225,360 a------- c:\windows\system32\DNLEng.dll
2009-02-25 09:48 143,360 a------- c:\windows\picn1120.dll
2009-02-25 09:48 143,360 a------- c:\windows\picn1020.dll
2009-02-25 09:48 31,728 a------- c:\windows\dbrmdwb.exe
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2008-07-28 19:29 256 a------- c:\documents and settings\leo\pool.bin
2007-03-09 01:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2008-08-26 09:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 19:47:15.21 ===============
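A helper reading a DDS log like the one above starts with the "Pseudo HJT Report" section, because browser hooks are where a redirector usually lives. The Python below is an added example, not part of this thread and not code from DDS or HijackThis; it parses a constructed subset of those lines (retyped from the log above) and flags the three patterns worth a second look: BHO/toolbar entries whose file is gone ("No File"), entries known only by a CLSID with no product name resolved, and Firefox components loaded from a user profile rather than the program folder. The regular expressions and reason strings are the example's own.

```python
import re

# Constructed sample: a subset of "Pseudo HJT Report" lines retyped from the
# log above, not the full posted log.
SAMPLE_LOG = [
    r"BHO: AutorunsDisabled - No File",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r"TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File",
    r"TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll",
    r"FF - component: c:\documents and settings\leo\application data\mozilla\firefox\profiles\dbqbe4oh.default\extensions\piclens@cooliris.com\components\coolirisstub.dll",
    r"FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll",
]

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# The head ("Name: {CLSID}") and the target path are separated by " - " with a
# space on each side; \s+-\s+ keeps the bare hyphens inside a CLSID from
# splitting the line in the wrong place.
HOOK_RE = re.compile(r"^(BHO|TB|EB):\s*(.*?)\s+-\s+(.*)$")
FF_RE = re.compile(r"^FF - (component|plugin):\s*(.*)$")


def parse_hook(line):
    """Split a BHO/TB/EB line into kind, product name, CLSID and target; None otherwise."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    kind, head, target = m.groups()
    clsid = CLSID_RE.search(head)
    name = head[:clsid.start()].rstrip(": ").strip() if clsid else head.strip()
    return {
        "kind": kind,
        "name": name,
        "clsid": clsid.group(0).lower() if clsid else None,
        "target": target.strip(),
    }


def triage(lines):
    """Return (line, [reasons]) for every entry worth a second look."""
    findings = []
    for line in lines:
        reasons = []
        hook = parse_hook(line)
        if hook:
            if hook["target"].lower() == "no file":
                reasons.append(f"orphaned {hook['kind']}: registry entry points at a file that no longer exists")
            if not hook["name"]:
                reasons.append(f"{hook['kind']} known only by CLSID {hook['clsid']}, no product name resolved")
        else:
            m = FF_RE.match(line)
            if m and m.group(1) == "component" and "\\profiles\\" in m.group(2).lower():
                reasons.append("Firefox component loaded from a user profile directory, not the program folder")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample this reports the two "No File" entries and the Cooliris component under the profile path; none of the three is proof of infection (the Cooliris component is a legitimate add-on the user installed), which is the point: the script narrows the list to what a human must look up, it does not decide.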


#2 Buckeye_Sam (Malware Expert)
Posted 17 May 2009 - 08:38 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 avenues (Topic Starter)
Posted 17 May 2009 - 08:12 PM

Hi Sam, thanks for your help! :thumbup2:
Here is the Gooredlog.txt you requested.
GooredFix v1.92 by jpshortstuff
Log created at 18:06 on 17/05/2009 running Option #1 (Leo)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{758117DC-085B-41D1-825B-430661097FB0}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
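GooredFix's "Find Goored" step reports extension folders in the Firefox program directory (`C:\Program Files\Mozilla Firefox\extensions`), which is where a redirector can hide because add-ons installed there do not show up in the user's profile and are loaded for every profile. The Python below is an added example, not GooredFix itself and not code from the thread; it performs the same kind of audit on a constructed directory tree: list each extension folder, read its `install.rdf`, and report folders with no manifest, a manifest `em:id` that does not match the folder name, or an id that is not on an allowlist. The fixture reuses the folder name GooredFix reported above, but its manifest contents, the allowlisted id `GOOD_ID` and the mismatched id `helper@example.com` are constructed for the example; the thread does not show what was inside that folder.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"   # install.rdf namespace for em:id / em:name
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

# Folder name GooredFix reported in the thread; the manifest written for it
# below is constructed for this fixture, the thread does not show its contents.
SUSPECT_DIR = "{758117DC-085B-41D1-825B-430661097FB0}"
# Hypothetical allowlisted extension id (put ids you have verified here).
GOOD_ID = "{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}"

MANIFEST = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{ext_id}</em:id>
    <em:name>{name}</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>
"""


def read_manifest(ext_dir):
    """Return (em:id, em:name) from install.rdf, or (None, None) if it is missing or unparsable."""
    try:
        root = ET.parse(os.path.join(ext_dir, "install.rdf")).getroot()
    except (OSError, ET.ParseError):
        return None, None
    desc = root.find(".//" + RDF + "Description")
    values = {}
    for key in ("id", "name"):
        el = root.find(".//" + EM + key)            # element form: <em:id>...</em:id>
        if el is not None and el.text:
            values[key] = el.text.strip()
        else:                                        # attribute form: <Description em:id="...">
            values[key] = desc.get(EM + key) if desc is not None else None
    return values["id"], values["name"]


def audit_extensions(extensions_dir, known_ids):
    """List every extension folder together with the reasons it deserves a second look."""
    allow = {k.lower() for k in known_ids}
    findings = []
    for entry in sorted(os.listdir(extensions_dir)):
        folder = os.path.join(extensions_dir, entry)
        if not os.path.isdir(folder):
            continue
        ext_id, name = read_manifest(folder)
        reasons = []
        if ext_id is None:
            reasons.append("no readable install.rdf")
        elif ext_id.lower() != entry.lower():
            reasons.append(f"install.rdf id {ext_id} does not match folder name")
        if entry.lower() not in allow:
            reasons.append("not on the allowlist")
        if reasons:
            findings.append((entry, name, reasons))
    return findings


def build_sample_tree(base):
    """Constructed fixture mirroring <Firefox>\\extensions: one allowlisted
    extension, one GUID-named folder whose manifest id does not match, and one
    folder with no manifest at all."""
    ext_dir = os.path.join(base, "Mozilla Firefox", "extensions")
    os.makedirs(os.path.join(ext_dir, "broken-ext"))
    for folder, ext_id, name in (
        (GOOD_ID, GOOD_ID, "Trusted Vendor Console"),
        (SUSPECT_DIR, "helper@example.com", "Helper"),
    ):
        os.makedirs(os.path.join(ext_dir, folder))
        with open(os.path.join(ext_dir, folder, "install.rdf"), "w", encoding="utf-8") as fh:
            fh.write(MANIFEST.format(ext_id=ext_id, name=name))
    return ext_dir


def run_sample():
    """Build the fixture in a temp directory and audit it; returns the findings."""
    with tempfile.TemporaryDirectory() as base:
        return audit_extensions(build_sample_tree(base), known_ids={GOOD_ID})


if __name__ == "__main__":
    for entry, name, reasons in run_sample():
        print(f"{entry}  name={name!r}  {'; '.join(reasons)}")
```

Two caveats: the folder name is only a hint (anything can be named with a GUID), so the manifest id and the allowlist carry the decision; and the tool's log also dumps the `HKLM\SOFTWARE\Mozilla\Mozilla Firefox <version>\extensions` values because the registry is a second place from which extra extension and plugin directories can be loaded, which this filesystem-only example does not read.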

#4 Buckeye_Sam (Malware Expert)
Posted 18 May 2009 - 11:38 AM

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt)


Let me know if you are still experiencing the redirections.

Edited by Buckeye_Sam, 18 May 2009 - 11:38 AM.



========================================================

#5 avenues (Topic Starter)
Posted 18 May 2009 - 03:39 PM

Sam
It appears to have been fixed, so far so good :thumbup2: Thank you kindly. Send me another email so I can donate $. How did you do that? Any suggestions on how to keep it from happening again or spyware I should/should not be running?
Thanks
Leo
GooredFix v1.92 by jpshortstuff
Log created at 12:41 on 18/05/2009 running Option #2 (Leo)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{758117DC-085B-41D1-825B-430661097FB0}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

#6 Buckeye_Sam (Malware Expert)
Posted 18 May 2009 - 04:59 PM

Just be cautious about any Firefox extensions that you are installing. Always make sure you know exactly what they are.
If you'd like to make a donation to me, just click on the gold button down below.

Here are some final steps/recommendations for you.

Run an online scan at Secunia Online Software Inspector
  • Click on the red button at the bottom of the screen that says Start Scanner.
  • Follow the prompts to install the scanning software.
  • Do not check the box for Enable thorough system inspection
  • Click the Start button.
  • The program will scan your system and identify insecure versions of software and missing security updates.
  • Using the links provided in the scan, download and install any current and secure versions that are needed.


===============



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files left over in a restore point from what we have just cleaned.

    You can find instructions on how to disable and re-enable System Restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)


========================================================

#7 Buckeye_Sam (Malware Expert)
Posted 31 May 2009 - 09:46 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.