
IE8 Google Redirect Infection on XP SP3


This topic is locked
19 replies to this topic

#1 Foglight


Posted 19 June 2011 - 01:41 PM

Hi Forum,

I am running XP SP3 on a Dell Precision 390 ...

I've browsed some of the other threads here over the past few days while I scanned, re-scanned, and then scanned a few more times -- all to no avail ...

My browser ( IE8 - which I reinstalled a day or two ago ... not sure which , I've lost track at this point ... ) is being redirected from google results to other search-type sites , and then most recently now to another instance of Google itself ...

When I start IE8, taskManager shows a second instance of IE8 always starts up too, and stays there even when the first IE8 is closed down ... in fact right after a reboot taskManager shows an image of 'iexplorer.exe' has started up all on its own, already sucking up 2-15 % of CPU , then it seems to drop off to about 2 % CPU , after it has logged around 20-25 seconds of total CPU time ...

This all started just about exactly a week ago when I experienced an "XP System Restore" attack, and based on my browsing of the threads here , there's a lot of that going around - so at least I don't feel alone ( I guess ) ... it was pretty straightforward to get my desktop and taskManager back , but the 'Google redirect' issue has not gotten better , and maybe even worse since then ...

In fact my situation sounds exactly like this gentleman's - http://www.bleepingcomputer.com/forums/topic401945.html ...

In addition, my sound drivers stopped working probably at the time of the initial 'XP System Restore' attack , although I didn't notice that until a few days later when I tried to play a youTube video and had no sound. I have not attempted to address this issue, since I felt fixing the 'deeper problems' should probably come first.

About half an hour ago I scared myself quite badly by running the Symantec fix referred to in the above thread, found here, http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe , which rebooted, flagged volsnap.sys as a problem , and then repeatedly gave me a different kind of 'blue screen of death' which I haven't ever seen before ... maybe Symantec's custom version , who knows ...

I know it's terribly stupid to try somebody else's fix - I guess I'm coming a little unglued at this point , after a week of trying to get this thing fixed -- maybe I should've come here sooner ...

Even though I have Recovery Console installed , I have no idea how to use it , so thank God I was able to choose 'revert to the last good configuration' from the F8 screen , which got me back up and at least able to ask for some help here ...

Since 'VolSnap.sys' seems to be a hard disk driver , I know enough to realize it's pointless to disable it ...

So , here is my voice from the internet wilderness , crying out for some help , ideas , basically anything except even more infections ...

The most recent relevant logs ( to the best of my ability ) are attached here for review ...

Hopefully somebody will see this and be able to help.

Best , Foglight

Attached Files


Edited by Foglight, 19 June 2011 - 02:20 PM.



#2 fireman4it (Malware Response Team)

Posted 19 June 2011 - 03:31 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact that you are running a 64-bit machine, please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Foglight


Posted 19 June 2011 - 08:43 PM

Just wanted to check in here ...

Firstly , thanks for the quick reply - it is much appreciated !

My system crashed with the 'new style' blue screen of death at least three hours into the GMER scan ... there was a popup about a 'Delayed Write Failure' , or something like that ...

Luckily , I rebooted ok - then immediately after logging on , an XP popup came up and said something like 'Windows has recovered from a serious error, please report this to Microsoft' , and so I did, but then there was some other kind of an error after that which seemed to go away ...

Anyways , maybe I should post the two DDS logs now , which I ran first, since I am still able to get here ...

Then I'll try GMER again to see what happens ...

Thanks again - Foggy

Attached Files



#4 Foglight


Posted 20 June 2011 - 04:42 AM

I started a second run of GMER last night before turning in , hoping to see it had reached completion this morning ... no such luck ...

This morning my machine was still powered up, but the computer screen was dark and would not respond to any mouse or keyboard inputs ... I had to pull the plug to get it to reboot, which it did ok , and so I am here now posting this ...

Thinking that I had possibly forgotten to disable CD emulation, I ran Defogger again this morning and after running , both buttons , 'Disable' and 'Re-enable' , were still enabled ... I seem to remember that when I ran Defogger a few days ago trying to troubleshoot this problem on my own, after Defogger completed , the 'Disable' button was greyed out ... now it is not behaving that way ...

So, anyways, I am not going to do anything else at this point, and wait for some further input from the Fireman.

I'll be out of the house all day, and plan to check in here again tonight around 6:30pm EST.

See you then , Foglight

#5 fireman4it (Malware Response Team)

Posted 20 June 2011 - 11:09 AM

Hello,


Let's get started cleaning your machine.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.5.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.5.5.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [screenshot]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply::
TDssKiller log
Combofix.txt
Given how these infections are today, are you able to burn CDs, and do you have a USB flash drive you can use?
How is your machine running now?



#6 Foglight


Posted 20 June 2011 - 05:10 PM

Thanks for posting , Fireman !

I thought I would acknowledge your post now before I get started running the tools , just in case something bad happens and I am not able to get back on the internet right away. The good news is my wife has a good laptop and so I will be able to work with you using Recovery Console ( God forbid ! ) if things come to that ...

Finally , yes I do have a CD R/w drive , but I have to tell you I haven't tried to use it since this infection , and so I can't say for sure if it's working now or not ...

Anyways, I'm off now to run the tools.

Thanks again for quick response - Foggy

#7 Foglight


Posted 20 June 2011 - 05:29 PM

Well, that was quick ... TDSSKiller.exe would not run , so I renamed it in the manner you suggested and it still wouldn't run. Then I went to Kaspersky's site and read there that TDSSKiller still works in safe mode , so I rebooted in Safe mode and tried to run it again , but it still wouldn't run.

Your advice was to run Combofix after TDSSKiller ran , so I didn't run Combofix ...

I'm starting to think this isn't looking too good , but thanks anyways for your help so far ...

I'll wait to hear back from you before I try anything else.

#8 fireman4it (Malware Response Team)

Posted 20 June 2011 - 06:10 PM

Hello,


With this infection, sometimes it blocks TDSSKiller from running. Go ahead and skip TDSSKiller for now and proceed with ComboFix. Also, in answer to my previous question: do you have or have access to a USB flash drive?

Edited by fireman4it, 20 June 2011 - 06:11 PM.
spelling



#9 Foglight


Posted 20 June 2011 - 07:58 PM

Yes, I have a flash drive.

I'll go ahead and run Combofix and post the results here.

#10 Foglight


Posted 20 June 2011 - 08:38 PM

Combofix ran to completion !

It found a 'rootkit patch' in volsnap.sys and it thinks that it fixed it ...

This is an unexpected surprise !

Google is no longer re-directing !!


UNBELIEVABLE !!


Combofix log attached to this post for your review.

Thanks for all your great help so far , Fireman !

Attached Files


Edited by Foglight, 20 June 2011 - 09:49 PM.


#11 fireman4it (Malware Response Team)

Posted 20 June 2011 - 11:13 PM

Hello,

Looks like we got the main infection without much of a fight. :clapping: Lets run a couple other scans to make sure nothing else is still there leftover.

1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [icon image] icon on your desktop.
  • Check [checkbox image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [checkbox image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]

Things to include in your next reply::
MBAM log
Eset log
A new DDS log
How is your machine running now?



#12 Foglight


Posted 21 June 2011 - 05:39 PM

Looks like all the tools were able to run to completion and produce the requested logs which are attached here for your review ...

While I am making this post I thought I'd mention that the original 'XP System Restore' attack caused most of the entries in my 'programs' list to disappear, as well as all the shortcuts in my quick start list. I recall seeing one of the experts here post in another thread a link to a tool I think is called 'unhide' , or something similar , which I believe was written specifically to repair the situation I describe. If so, and you have a link to the tool handy , could you please post that too ? Of course , only if appropriate -- I readily admit I am prone to a deep and abiding confusion about these matters ...

As always, thank you , Fireman , for your kind attention !

Attached Files


Edited by Foglight, 21 June 2011 - 05:43 PM.


#13 Foglight


Posted 22 June 2011 - 06:09 AM

Just checking for your reply - will check again this evening when I return.

#14 fireman4it (Malware Response Team)

Posted 22 June 2011 - 11:42 AM

Install HijackThis:

You can download the latest version of HijackThis by clicking HERE.
Should you be prompted to save to a certain directory, please choose the desktop.
Note:Only this file should be saved to the desktop. During the installation process, you must allow HijackThis to install into its own directory.

Once you download the HijackThis Installer from the above link:

  • Double-click the new HJTInstall.exe icon on your desktop or your default download location.
  • An install window will appear, please accept all the default locations and settings. (Vista users may need to approve a notification from Windows. Please accept this warning if it appears, and allow the installation)
  • Once installed, you will be presented with a list of options, please select 'Do a system scan and save a logfile'. (Vista users: you may need to close the program, then Right-click the HijackThis icon, choosing 'Run as Administrator')
  • Once the scan has completed, a 'Notepad' window will appear. This is the log I require.
  • In the notepad window, select 'Edit' from the top row, then 'Select all'
  • Again, in the notepad window, select 'Edit' again, this time choosing 'copy'
  • Close HijackThis by clicking the red X in the top right hand corner of the programs window.
  • Please reply to this message. In the reply window, please Right click, and select Paste
  • Once your log is posted, please close the Notepad window. You may also delete HJTInstall.exe from your desktop, as it is no longer required.

Note: DO NOT have HijackThis fix anything yet! Most of what it finds is legitimate, and DANGEROUS if misinterpreted!!
DO NOT use this program unless told to by a Trained Malware Removal Expert, and make sure you understand and follow ALL instructions. If you don't understand STOP and ASK!!!



2.
Here is the link for unhide.exe
http://download.bleepingcomputer.com/grinler/unhide.exe



#15 Foglight


Posted 22 June 2011 - 06:19 PM

Here is the required HJT log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:31 PM, on 6/22/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
D:\WINDOWS\system32\taskmgr.exe
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/openmanage
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - D:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110513065529.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [OpenDNS Update] "D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: Download Video on This Page - D:\Program Files\Free Convert MOV AVI to FLV Flash WMV Converter\IEPage.html
O8 - Extra context menu item: Download Video This Links To - D:\Program Files\Free Convert MOV AVI to FLV Flash WMV Converter\IELink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://D:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Download Video - {B53C7980-9F20-48BB-8FC3-5A1CC9660C48} - D:\Program Files\Free Convert MOV AVI to FLV Flash WMV Converter\IEPage.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.centershift.com
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - D:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - D:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - D:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - D:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - D:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

--
End of file - 7071 bytes
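As an added example (not a BleepingComputer tool, and not part of HijackThis, ComboFix or any other product named in this thread), the script below triages a HijackThis v2 log of the kind posted above. It flags the entry types a helper looks at first when chasing a search redirect: O2/O3/O9 IE hooks whose file is gone, O15 Trusted Zone entries, O17 per-interface DNS servers that are not the expected resolvers, and O20 Winlogon Notify DLLs. The expected-resolver set is an assumption (OpenDNS, because the posted O17 entry shows OpenDNS addresses). The embedded sample copies a handful of lines from the posted log and adds one constructed O17 line (placeholder GUID, TEST-NET address) so the DNS check has something to hit.

```python
"""Triage helper for a HijackThis (HJT) v2 log.

Added example for this thread; not a BleepingComputer tool and not part of
HijackThis or ComboFix.  Reads the text format HJT prints (one "Oxx - ..."
entry per line) and flags the entry types a helper checks first when a
browser is being redirected.

Assumptions (not from the original post):
  * KNOWN_GOOD_DNS lists the resolvers the owner expects (OpenDNS here,
    because the posted O17 entry shows OpenDNS addresses).
  * SAMPLE_LOG copies lines from the posted log and adds one CONSTRUCTED
    O17 line, marked below, so the DNS check produces a finding.
"""
import re
from dataclasses import dataclass

KNOWN_GOOD_DNS = {"208.67.222.222", "208.67.220.220"}   # assumption: OpenDNS

# HJT appends these when the file an IE hook points at no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Finding:
    severity: str   # "info", "review" or "suspicious"
    section: str    # HJT section code, e.g. "O17"
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, body, raw_line) for every HJT entry line in text."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def triage_hjt(text, known_good_dns=KNOWN_GOOD_DNS):
    """Return the list of Findings for the log text, in log order."""
    findings = []
    for sec, body, raw in parse_hjt(text):
        if sec in ("O2", "O3", "O9") and body.endswith(ORPHAN_MARKERS):
            # BHO / toolbar / extra button whose DLL or file is gone: either an
            # uninstall left it behind or a removal tool deleted the file but
            # not the registration.  Dead entries, safe to have HJT fix.
            findings.append(Finding("review", sec, "registered file is missing", raw))
        elif sec == "O15":
            # A Trusted Zone entry relaxes IE security for that host, so a
            # site landing here should be one the owner put there on purpose.
            findings.append(Finding("review", sec, "site runs in the IE Trusted Zone", raw))
        elif sec == "O17":
            # Per-interface DNS servers.  Redirect malware often swaps these
            # for attacker-controlled resolvers; anything outside the expected
            # set is the first thing to verify against the router/ISP settings.
            for ip in IPV4_RE.findall(body):
                if ip not in known_good_dns:
                    findings.append(Finding("suspicious", sec, f"unexpected DNS server {ip}", raw))
        elif sec == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at every logon, a
            # persistence spot used by rootkits and (as here) by legitimate
            # security software; each one is vetted by path and vendor.
            findings.append(Finding("review", sec, "DLL loaded by winlogon at logon", raw))
        elif sec == "O4":
            findings.append(Finding("info", sec, "autostart entry", raw))
    return findings


# All lines except the second O17 entry are copied from the log posted in this
# thread; that O17 line is CONSTRUCTED (placeholder GUID, TEST-NET address).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [OpenDNS Update] "D:\Program Files\OpenDNS Updater\OpenDNS Updater.exe"
O9 - Extra button: Download Video - {B53C7980-9F20-48BB-8FC3-5A1CC9660C48} - D:\Program Files\Free Convert MOV AVI to FLV Flash WMV Converter\IEPage.html (file missing)
O15 - Trusted Zone: *.centershift.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F2BFD7F-E51E-4E0E-8687-FF7A80A4DDB9}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section:4} {f.reason}: {f.line}")
```

Run it against a saved log with `triage_hjt(open("hijackthis.log").read())`. On the posted log the three orphaned hooks and the Trusted Zone entry come back as "review" items, the OpenDNS resolvers produce nothing, and only the constructed second O17 line is marked "suspicious"; that matches the thread's outcome, where the redirect came from the patched volsnap.sys rather than from anything visible in the HJT log.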



