
Firefox Redirect problem


  • This topic is locked
3 replies to this topic

#1 jackdawreg

jackdawreg

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 24 December 2010 - 06:40 PM

Hi guys, another victim here. Tried a few things (Malwarebytes/Kaspersky/NOD32) to no avail.
Using Firefox, and after googling I get redirected to random sites :(

Here's a few logs; hope someone can help. Cheers and thanks in advance!
Merry Christmas,

Jackdawreg

----------------------------------------------------------------------------------------

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 6:34:25.06 on Sat 12/25/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1120 [GMT 11:00]

AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\PROGRA~1\NETGEAR\MEDIAS~1\ImmsService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\Sminst\Recguard.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\Media Server\MediaServer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\NETGEAR\Media Server\RestartApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/advanced_search?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.hp.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [PTHOSTTR] c:\program files\hpq\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [messenger.exe] c:\program files\common files\microsoft shared\web components\messenger.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\media server\MediaServer.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {0BBFD743-832D-4A54-AB1E-69A8A3ADAC3A} = 10.1.1.1,4.2.2.2
TCP: {7603780F-1DE7-4629-A997-60DA0CE6236A} = 192.168.0.1
Notify: igfxcui - igfxdev.dll
Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
LSA: Notification Packages = scecli AsWlnPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\efv4x1yy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/advanced_search?hl=en
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Net Usage Item: {DA1B0AB5-7DD3-4066-BC2A-64AABBDD0A8B} - %profile%\extensions\{DA1B0AB5-7DD3-4066-BC2A-64AABBDD0A8B}
FF - Ext: Super Hide IP: support@super-hide-ip.com - %profile%\extensions\support@super-hide-ip.com
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-29 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-9-29 96408]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-9-29 735960]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2010-10-15 5152]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-21 363344]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2010-9-30 196912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-21 20952]

=============== Created Last 30 ================

2010-12-24 09:18:41 709456 ----a-w- c:\windows\isRS-000.tmp
2010-12-21 04:51:09 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-12-21 04:51:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 04:51:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-21 04:50:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-21 04:50:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-20 17:17:23 56832 --sha-r- c:\windows\system32\psnppagnx.dll
2010-12-18 06:38:04 129520 ------w- c:\windows\system32\pxafs.dll
2010-12-17 20:10:11 -------- d-----w- c:\program files\DVD Decrypter
2010-12-17 19:40:15 -------- d-----w- c:\program files\SlySoft
2010-12-17 19:40:00 93417 ----a-w- c:\program files\common files\microsoft shared\web components\messenger.exe
2010-12-17 19:29:48 -------- d-----w- c:\program files\DVD Shrink
2010-12-17 06:49:00 -------- d-----w- c:\docume~1\admini~1\applic~1\AnvSoft
2010-12-17 06:48:49 -------- d-----w- c:\program files\AnvSoft
2010-12-14 11:10:20 93417 ----a-w- C:\messenger.exe
2010-12-12 22:56:45 -------- d-----w- c:\docume~1\admini~1\applic~1\Xilisoft
2010-12-12 22:55:03 -------- d-----w- c:\program files\Xilisoft
2010-12-12 22:55:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Xilisoft
2010-12-10 07:04:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-12-10 07:03:59 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-12-09 05:52:16 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Help
2010-12-09 05:44:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\SuperHideIP
2010-12-09 05:44:01 -------- d-----w- c:\docume~1\admini~1\applic~1\SuperHideIP
2010-12-08 10:30:06 -------- d-----w- C:\panic
2010-12-08 03:59:38 1089536 ----a-w- c:\windows\system32\ROBOEX32.DLL
2010-12-08 03:59:38 1089536 ----a-w- c:\windows\system\ROBOEX32.DLL
2010-12-08 03:59:34 647168 ----a-w- c:\windows\system32\libdb41.dll
2010-12-08 03:59:31 182272 ----a-w- c:\windows\system32\avformat.dll
2010-12-08 03:59:31 1778176 ----a-w- c:\windows\system32\avcodec.dll
2010-12-08 03:59:31 107520 ----a-w- c:\windows\system32\dvrms.dll
2010-12-08 03:59:31 103436 ----a-w- c:\windows\system32\ShellEx.dll
2010-12-08 03:59:31 103436 ----a-w- c:\windows\system\ShellEx.dll
2010-12-08 03:59:30 916480 ----a-w- c:\windows\system32\FFMpeg.dll
2010-12-08 03:59:13 368912 ----a-w- c:\windows\system32\vbar332.dll
2010-12-08 03:59:10 -------- d-----w- c:\program files\NETGEAR
2010-12-04 06:34:29 -------- d-----w- c:\program files\MP3 Cutter Plus
2010-12-01 06:40:16 -------- d-----w- c:\docume~1\admini~1\applic~1\dBpoweramp
2010-12-01 06:37:53 -------- d-----w- c:\docume~1\admini~1\applic~1\AccurateRip
2010-12-01 06:37:46 243064 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-12-01 06:37:42 -------- d-----w- c:\program files\Illustrate
2010-12-01 05:36:56 196608 ----a-w- c:\windows\system32\HMIPCore.dll
2010-12-01 05:27:37 168256 ----a-w- c:\windows\system32\SecureNet.dll
2010-12-01 05:27:30 -------- d-----w- c:\program files\Hide My IP 2009
2010-11-28 06:42:53 -------- d-----w- C:\Ebooks
2010-11-28 06:42:19 -------- d-----w- c:\docume~1\admini~1\applic~1\calibre
2010-11-28 06:36:38 -------- d-----w- c:\program files\Calibre2
2010-11-27 22:55:09 -------- d-----w- C:\reg
2010-11-27 22:32:00 -------- d-----w- C:\Reg_test
2010-11-26 20:28:24 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Ahead
2010-11-26 20:21:31 -------- d-----w- c:\program files\Nero
2010-11-26 20:21:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nero

==================== Find3M ====================

2010-09-30 04:01:08 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-09-30 04:01:06 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll

============= FINISH: 6:35:11.81 ===============


#2 jackdawreg

jackdawreg
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:55 PM

Posted 30 December 2010 - 03:50 PM

Have tried a few other "malware" programs to no avail. Has anyone managed to fix this type of problem yet?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:55 AM

Posted 01 January 2011 - 12:20 PM

Hello jackdawreg,

Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:55 AM

Posted 10 January 2011 - 12:31 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
