firefox gets redirected by "ad served by yourprofitclub"

8 replies to this topic

#1 vlisson

Posted 22 February 2011 - 03:31 AM

Hello there,

I used this thread and you want me to open a new one?

firefox gets redirected by "ad served by yourprofitclub"

I didn't lose any data, but when I browse with my Firefox and open new tabs/URLs, then sometimes (1 in 10) the page goes white (I use a script and ad blocker), sometimes the tab shows this "ad served by yourprofitclub", and sometimes I see an advertisement page.

Please help me.

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Vlisson at 9:04:42,58 on 22.02.2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.49.1031.18.4091.2167 [GMT 1:00]

AV: Lavasoft Ad-Watch Live! Virenschutz *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
D:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
D:\Program Files (x86)\Xfire\Xfire.exe
D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesApp64.exe
D:\Program Files (x86)\Xfire\xfire64.exe
C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
D:\Program Files (x86)\Xfire\xfire64.exe
C:\Windows\system32\svchost.exe -k SDRSVC
D:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
D:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\ICQ7.4\ICQ.exe
f:\steam\steamapps\common\dc universe online\LaunchPad.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://go.1und1.de/links/home
uWindow Title = Windows Internet Explorer bereitgestellt von 1&1 Internet AG
uSearchURL,(Default) = hxxp://go.1und1.de/suchbox/1und1suche?su=%s
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\\IPS\IPSBHO.DLL
BHO: Windows Live ID-Anmelde-Hilfsprogramm: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: 1&&1 Internet AG Browser Configuration by mquadr.at: {d48ff4b4-e68f-47d1-8e25-81a0f0eeb341} - C:\Windows\SysWow64\ieconfig_1und1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\\coIEPlg.dll
uRun: [1&1 EasyLogin] D:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
uRun: [ICQ] "C:\Program Files (x86)\ICQ7.4\ICQ.exe" silent loginmode=4
StartupFolder: C:\Users\Vlisson\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xfire.lnk - D:\Program Files (x86)\Xfire\Xfire.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {73C6DCFB-B606-47F3-BDFA-9A4FBF931E37} - C:\Program Files (x86)\ICQ7.4\ICQ.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Hosts: www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - www.google.de
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn\components\IPSFFPl.dll
FF - component: C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\extensions\fb_add_on@avm.de\components\FB_AddOn.dll
FF - component: C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\extensions\lazarus@interclue.com\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}\components\6c665d90.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: D:\Program Files (x86)\QuickTime\Plugins\npqtplugin7.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - D:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: z: {94565d01-18bc-81a6-462f-8462a5a63d5f} - D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}
FF - Ext: FRITZ!Box AddOn: fb_add_on@avm.de - %profile%\extensions\fb_add_on@avm.de
FF - Ext: Lazarus: Form Recovery: lazarus@interclue.com - %profile%\extensions\lazarus@interclue.com
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2011-2-15 69376]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\NISx64\1205000.07D\SymDS64.sys [2011-2-20 450608]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\NISx64\1205000.07D\SymEFA64.sys [2011-2-20 802864]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110114.001\BHDrvx64.sys [2011-2-20 953904]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20110218.003\IDSviA64.sys [2011-2-20 476792]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\NISx64\1205000.07D\Ironx64.sys [2011-2-20 171128]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\NISx64\1205000.07D\symnets.sys [2011-2-20 382072]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-8-6 81072]
R2 iprip;RIP-Überwachung;C:\Windows\System32\svchost.exe -k ipripsvc [2009-7-14 27136]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\\ccSvcHst.exe [2011-2-20 130000]
R2 serviceIEConfig;IEConfig 1und1 Edition;C:\Windows\SysWOW64\ieconfig_1und1_svc.exe [2011-1-14 1053848]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe [2009-10-30 1353544]
R2 ubsbm;Unibrain 1394 SBM Driver;C:\Windows\System32\drivers\UBSBM.sys [2010-9-1 24064]
R2 ubumapi;Unibrain 1394 FireAPI Driver;C:\Windows\System32\drivers\UBUMAPI.sys [2010-9-1 92160]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2010-8-9 7195648]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-8-9 265728]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-8-24 116240]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-2-20 132656]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;D:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-12-3 1405384]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;D:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-12-3 17152]
R3 netw5v64;Intel® Wireless WiFi Link der Serie 5000 Adaptertreiber für Windows Vista 64-Bit;C:\Windows\System32\drivers\NETw5v64.sys [2010-8-14 7533568]
R3 O2MDRDR;O2MDRDR;C:\Windows\System32\drivers\o2mdx64.sys [2010-8-11 64160]
R3 O2SDRDR;O2SDRDR;C:\Windows\System32\drivers\o2sdx64.sys [2010-8-14 50592]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [2009-10-14 11856]
R3 ubohci;Unibrain 1394 OHCI Driver;C:\Windows\System32\drivers\ubohci.sys [2010-9-1 132608]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2010-8-24 402720]
S2 AntiVirSchedulerService;Avira AntiVir Planer;"E:\Program Files\Avira\AntiVir Desktop\sched.exe" --> E:\Program Files\Avira\AntiVir Desktop\sched.exe [?]
S2 AntiVirService;Avira AntiVir Guard;"E:\Program Files\Avira\AntiVir Desktop\avguard.exe" --> E:\Program Files\Avira\AntiVir Desktop\avguard.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc --> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-10-21 1038088]
S3 NETw5s64;Intel® Wireless WiFi Link Adaptertreiber für Windows 7 64-Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
S3 StorSvc;Speicherdienst;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]

=============== Created Last 30 ================

2011-02-21 21:13:06 -------- d-----w- C:\Program Files (x86)\ICQ7.4
2011-02-21 11:35:44 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2011-02-20 21:28:10 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-20 10:51:57 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-02-20 10:43:44 174640 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-02-20 10:43:44 -------- d-----w- C:\Program Files\Symantec
2011-02-20 10:43:44 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-02-20 10:43:21 802864 ----a-r- C:\Windows\System32\drivers\NISx64\1205000.07D\SymEFA64.sys
2011-02-20 10:43:21 735864 ----a-r- C:\Windows\System32\drivers\NISx64\1205000.07D\srtsp64.sys
2011-02-20 10:43:21 450608 ----a-r- C:\Windows\System32\drivers\NISx64\1205000.07D\SymDS64.sys
2011-02-20 10:43:21 40568 ----a-r- C:\Windows\System32\drivers\NISx64\1205000.07D\srtspx64.sys
2011-02-20 10:43:21 382072 ----a-r- C:\Windows\System32\drivers\NISx64\1205000.07D\symnets.sys
2011-02-20 10:43:19 171128 ----a-r- C:\Windows\System32\drivers\NISx64\1205000.07D\Ironx64.sys
2011-02-20 10:42:56 -------- d-----w- C:\Windows\System32\drivers\NISx64\1205000.07D
2011-02-20 10:42:56 -------- d-----w- C:\Windows\System32\drivers\NISx64
2011-02-20 10:42:54 -------- d-----w- C:\Program Files (x86)\Norton Internet Security
2011-02-20 10:42:52 -------- d-----w- C:\PROGRA~3\Norton
2011-02-20 10:41:40 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-02-20 10:41:40 -------- d-----w- C:\PROGRA~3\NortonInstaller
2011-02-17 11:35:49 -------- d-----w- C:\Users\Vlisson\AppData\Roaming\SUPERAntiSpyware.com
2011-02-17 11:35:49 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2011-02-17 11:35:43 -------- d-----w- C:\PROGRA~3\!SASCORE
2011-02-17 11:35:41 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-02-16 18:05:29 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-02-16 11:39:23 -------- d-----w- C:\Users\Vlisson\AppData\Roaming\Malwarebytes
2011-02-16 11:38:52 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-16 11:38:51 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-02-16 11:38:48 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-02-15 20:58:59 -------- d--h--w- C:\$AVG
2011-02-15 12:09:11 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-02-15 12:09:06 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-02-15 12:06:40 -------- d-----w- C:\Users\Vlisson\AppData\Local\Sunbelt Software
2011-02-15 12:05:40 -------- dc-h--w- C:\PROGRA~3\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-02-14 12:07:01 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2011-02-13 18:18:12 -------- d-----w- C:\PROGRA~3\Nero
2011-02-12 22:22:36 -------- d-----w- C:\download
2011-02-10 10:39:41 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2011-02-10 10:36:32 214016 ----a-w- C:\Windows\System32\winsrv.dll
2011-02-10 10:36:30 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-02-10 10:36:30 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-02-10 10:36:21 5510528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-02-10 10:36:21 1739176 ----a-w- C:\Windows\System32\ntdll.dll
2011-02-10 10:36:20 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-02-10 10:36:20 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-02-10 10:36:20 1293120 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-02-10 10:35:06 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-02-10 10:35:06 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-02-10 10:35:06 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-02-10 10:35:06 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-02-06 17:28:40 -------- d-----w- C:\PROGRA~3\IEConfiguration1und1
2011-01-30 13:57:00 103864 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-01-29 17:59:12 -------- d-----w- C:\Users\Vlisson\AppData\Local\Apple Computer

==================== Find3M ====================

2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-14 18:18:18 1053848 ----a-w- C:\Windows\SysWow64\ieconfig_1und1_svc.exe
2011-01-14 18:18:17 978576 ----a-w- C:\Windows\SysWow64\ieconfig_1und1.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
2010-12-18 06:11:41 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-12-18 06:11:34 714752 ----a-w- C:\Windows\System32\kerberos.dll
2010-12-18 05:29:40 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2010-12-18 04:55:03 482816 ----a-w- C:\Windows\System32\html.iec
2010-12-18 04:20:55 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-12-18 04:13:40 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-12-18 03:47:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

============= FINISH: 9:05:49,53 ===============


DDS (Ver_10-12-12.02)

Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume2
Install Date: 06.08.2010 17:13:12
System Uptime: 22.02.2011 04:16:25 (5 hours ago)

Motherboard: TOSHIBA | | Satellite P300
Processor: Intel® Core™2 Duo CPU P8700 @ 2.53GHz | U2E1 | 2534/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 73 GiB total, 41,833 GiB free.
D: is FIXED (NTFS) - 298 GiB total, 136,544 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 146 GiB total, 71,251 GiB free.

==== Disabled Device Manager Items =============

Class GUID:
Description: Unibrain 1394 PC
Device ID: UB1394\UNIBRAIN&1394_PC\001B2400014CC68E
Name: Unibrain 1394 PC
PNP Device ID: UB1394\UNIBRAIN&1394_PC\001B2400014CC68E

==== System Restore Points ===================

RP130: 20.02.2011 11:35:46 - Removed AVG 2011
RP131: 20.02.2011 11:37:37 - Removed AVG 2011
RP132: 20.02.2011 19:00:17 - Windows-Sicherung
RP133: 21.02.2011 12:22:27 - Removed Nero Multimedia Suite 10.

==== Installed Programs ======================

1&1 EasyLogin
1und1 Internet Explorer Add-On
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.4.2 - Deutsch
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
ALTools Update
Apple Application Support
Apple Software Update
DC Universe Online
DC Universe Online Beta
DC Universe Online Beta (0)
DC Universe Online Live
Google Update Helper
ICQ 7.2 Build #3140 Banner Remover 1.0
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 22
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Primary Interoperability Assemblies 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MozBackup 1.4.9
Mozilla Firefox (3.6.12)
Mozilla Thunderbird (3.1.7)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
OpenOffice.org 3.2
Pando Media Booster
PDF Settings CS4
Photoshop Camera Raw
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Skype™ 4.2
StarCraft II
Suite Shared Configuration CS4
System Requirements Lab
System Requirements Lab CYRI
TeamSpeak 3 Client
TuneUp Utilities
TuneUp Utilities Language Pack (de-DE)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
Windows Live Communications Platform
Windows Live Essentials
Windows Live Fotogalerie
Windows Live Installer
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinPcap 4.1.2
Xfire (remove only)

==== End Of File ===========================

GMER is still running, I will post the log when finished.
It can only scan for services, registry and files; all the others are greyed out.

OK, it found no modifications.

Edited by Orange Blossom, 23 February 2011 - 12:03 AM.
Corrected link. ~ OB
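The helper's reply below points at one entry in the FIREFOX section of this log: an add-on named "z" that lives in the Firefox program directory rather than in the user profile and registers a native component DLL with a random-looking name. The following is an added example, not part of the original post and not DDS code, that parses the "FF -" lines of a DDS log and flags add-ons with exactly those traits. The heuristics (program-wide install location, one- or two-character display name, hex-looking component file name) are my own assumptions, not anything DDS itself reports; the sample input is a subset of the lines posted above.

```python
"""Flag suspicious add-ons in the FIREFOX section of a DDS log.

Added example, not part of the original post and not DDS code. The
heuristics are my own assumptions: an add-on is suspicious when it is
installed in the Firefox program directory (so it loads for every profile)
rather than in the user profile, and it either has a one- or two-character
display name or registers a native XPCOM component DLL whose file name is
eight hex digits.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the "FF -" lines from the log posted above.
SAMPLE_LOG = r"""
================= FIREFOX ===================

FF - ProfilePath - C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\Users\Vlisson\AppData\Roaming\Mozilla\Firefox\Profiles\8pw23t6s.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}\components\6c665d90.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - D:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: z: {94565d01-18bc-81a6-462f-8462a5a63d5f} - D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\coFFPlgn
"""

# The log itself labels this id "Default": it is the stock theme that ships
# in the program directory, so it is allowlisted.
DEFAULT_THEME_ID = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"

EXT_RE = re.compile(r"^FF - Ext: (?P<name>.*?): (?P<id>\S+) - (?P<path>.+)$")
COMP_RE = re.compile(r"^FF - component: (?P<path>.+)$")
HEX_DLL_RE = re.compile(r"^[0-9a-f]{8}\.dll$", re.IGNORECASE)


@dataclass
class Extension:
    name: str
    ext_id: str
    path: str
    components: list = field(default_factory=list)

    @property
    def in_program_dir(self) -> bool:
        # Profile add-ons show up as %profile%\extensions\...; anything under
        # the Firefox install directory is loaded for every profile.
        return "\\mozilla firefox\\extensions\\" in self.path.lower()


@dataclass
class Finding:
    ext_id: str
    name: str
    path: str
    reasons: list


def parse_firefox_section(log_text: str) -> dict:
    """Return {ext_id: Extension}, with native components attached by id."""
    exts, components = {}, []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = EXT_RE.match(line)
        if m:
            exts[m["id"]] = Extension(m["name"], m["id"], m["path"])
            continue
        m = COMP_RE.match(line)
        if m:
            components.append(m["path"])
    # A component belongs to the add-on whose id is a directory in its path;
    # vendor components outside any add-on directory are left unattached.
    for comp in components:
        lowered = comp.lower()
        for ext in exts.values():
            if "\\" + ext.ext_id.lower() + "\\" in lowered:
                ext.components.append(comp)
    return exts


def suspicious_extensions(log_text: str) -> list:
    """Apply the heuristics and return one Finding per suspicious add-on."""
    findings = []
    for ext in parse_firefox_section(log_text).values():
        if ext.ext_id == DEFAULT_THEME_ID or not ext.in_program_dir:
            continue
        reasons = []
        if len(ext.name.strip()) <= 2:
            reasons.append("one- or two-character display name")
        hex_dlls = [c for c in ext.components if HEX_DLL_RE.match(c.rsplit("\\", 1)[-1])]
        if hex_dlls:
            reasons.append("native component with hex-looking file name: " + ", ".join(hex_dlls))
        if reasons:
            findings.append(Finding(ext.ext_id, ext.name, ext.path, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_extensions(SAMPLE_LOG):
        print(f"{f.ext_id} ({f.name!r}) at {f.path}")
        for r in f.reasons:
            print("  -", r)
```

Run against the sample it reports only the "z" add-on, with both reasons. To use it on a full DDS log, read the file and pass its text to `suspicious_extensions`; the regexes ignore every line outside the "FF - Ext" and "FF - component" families, so the rest of the log does not need to be trimmed first.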

#2 SweetTech

Posted 25 February 2011 - 05:24 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.


I see where the problem is. I'd like to grab a sample of this file and have you upload it, so that a developer can take a look at the specific infection you have.

Please download ZipIt from here:
Download Link
  • Double-click ZipIt! to run it.
  • Then copy the content of the following codebox into the textfield:

    D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}
  • Then, just click the Zip button.
  • When finished, and if successful, a new file will have been created on your Desktop. You will be notified of what the file name is when the process has been completed.


Uploading File
Please visit this site & follow the instructions for uploading the file mentioned below.
Copy/paste the contents of the Code Box below into the "Link to topic where this file was requested:" box:
Click Browse & navigate to your desktop, where the newly created .zip file is.


Running OTM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the [image] icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Update Adobe Reader
Earlier versions of Adobe Reader have known security flaws so it is recommended that you update your copy
  • Go to Start > Control Panel > Add/Remove Programs
  • Remove ALL instances of Adobe Reader
  • Re-boot your computer as required.
  • Once ALL versions of Adobe Reader have been uninstalled, visit: <<here>> and download the latest version of Adobe Reader
Alternative Option: after uninstalling Adobe Reader, you could try installing Foxit Reader from >here< Foxit Reader has fewer add-ons therefore loads more quickly.


Java Outdated
Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Microsoft: ‘Unprecedented Wave of Java Exploitation’
  • Drive-by Trojan preying on out-of-date Java installations
  • Ghosts of Java Haunt Users
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Please be sure to include an update on how things are currently running in your next reply.





#3 SweetTech
Posted 28 February 2011 - 01:16 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.





#4 vlisson
Posted 10 March 2011 - 06:46 AM


Sorry for the delayed answer :(

Looks like my e-mail program made an error or my browser loaded a cached version :(

I already asked a moderator to unlock the topic.

I'm now using Firefox 4 beta, and the redirection infected only Firefox 3.

The security leak with this redirection: is it dangerous? Could I lose data/passwords or be infected with viruses?

Thanks very much for your help, SweetTech! I ran the first steps and here are the logs.

> Malware Submission
Improper usage.
I could not upload the file :(

All processes killed
Error: Unable to interpret <Processes> in the current context!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}\components folder moved successfully.
D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f}\chrome folder moved successfully.
D:\Program Files (x86)\Mozilla Firefox\extensions\{94565d01-18bc-81a6-462f-8462a5a63d5f} folder moved successfully.
========== COMMANDS ==========


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: Vlisson
->Temp folder emptied: 9245993 bytes
->Temporary Internet Files folder emptied: 22810087 bytes
->Java cache emptied: 6747444 bytes
->FireFox cache emptied: 111214198 bytes
->Flash cache emptied: 82934 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 36160 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 50296 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
RecycleBin emptied: 19872559 bytes

Total Files Cleaned = 162,00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTM Restore Point

OTM by OldTimer - Version log created on 03102011_120155

Files moved on Reboot...
C:\Users\Vlisson\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

Edited by vlisson, 10 March 2011 - 06:53 AM.
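The OTM log above shows the redirect came from an extension folder named with a GUID under the Firefox program directory rather than in the user's profile. As an added example (not part of the thread and not OTM's code), this PowerShell script inventories every Firefox extension installed machine-wide and per profile by reading each install.rdf, so unfamiliar or hidden add-ons can be reviewed before removal; the root paths are assumptions (the affected install here was on D:\, so pass -Roots with the right drive).

```powershell
# Added example: inventory Firefox extensions (Firefox 3.x/4 install.rdf format).
# Root paths below are assumptions; adjust for a Firefox installed on another drive.
$EmNs  = 'http://www.mozilla.org/2004/em-rdf#'
$RdfNs = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#'

function Get-EmProperty([System.Xml.XmlElement]$Node, [string]$Name, $Ns) {
    # install.rdf writes properties either as em:* attributes or as child elements
    $attr = $Node.GetAttribute($Name, $EmNs)
    if ($attr) { return $attr }
    $child = $Node.SelectSingleNode("em:$Name", $Ns)
    if ($child) { return $child.InnerText.Trim() }
    return ''
}

function Get-FirefoxExtensionInventory {
    param([string[]]$Roots = @(
        "$env:ProgramFiles\Mozilla Firefox\extensions",
        "${env:ProgramFiles(x86)}\Mozilla Firefox\extensions",
        "$env:APPDATA\Mozilla\Firefox\Profiles"))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $scope = if ($root -like "$env:APPDATA*") { 'profile' } else { 'machine' }
        Get-ChildItem -LiteralPath $root -Recurse -Filter install.rdf -ErrorAction SilentlyContinue |
          ForEach-Object {
            try { $xml = [xml](Get-Content -LiteralPath $_.FullName -ErrorAction Stop) } catch { return }
            $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
            $ns.AddNamespace('RDF', $RdfNs); $ns.AddNamespace('em', $EmNs)
            # The add-on's own manifest node; fall back to the first Description if unlabelled.
            $desc = $xml.SelectSingleNode('//RDF:Description[@RDF:about="urn:mozilla:install-manifest"]', $ns)
            if (-not $desc) { $desc = $xml.SelectSingleNode('//RDF:Description', $ns) }
            if (-not $desc) { return }
            New-Object PSObject -Property @{
                Scope   = $scope
                Id      = Get-EmProperty $desc 'id' $ns
                Name    = Get-EmProperty $desc 'name' $ns
                Version = Get-EmProperty $desc 'version' $ns
                # em:hidden kept an add-on out of the Add-ons manager in Firefox 3.x; worth flagging
                Hidden  = (Get-EmProperty $desc 'hidden' $ns) -eq 'true'
                Folder  = $_.DirectoryName
            }
        }
    }
}

Get-FirefoxExtensionInventory | Sort-Object Scope, Name |
  Format-Table Scope, Hidden, Id, Name, Version, Folder -AutoSize
```

Machine-scope entries with a GUID-only name, no readable Name, or Hidden set to True are the ones to compare against what the Add-ons manager actually displays.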

#5 Andrew
Posted 10 March 2011 - 12:46 PM

Reopened by OP request.

#6 Budapest
Posted 10 March 2011 - 04:31 PM

OP has started a new topic here: http://www.bleepingcomputer.com/forums/topic384238.html




#7 Andrew
Posted 10 March 2011 - 04:45 PM

Merged. See above for OP response.

#8 vlisson
Posted 11 March 2011 - 11:46 AM

Thanks very much!!!

#9 vlisson
Posted 14 March 2011 - 07:02 AM

Sorry, I can't edit my old post.

Looks like the redirection got deleted, and I've got used to Firefox 4, so I don't miss my Firefox 3 anymore.

It's the best solution, I think.

Thanks very much.

