AntiVirus System Pro: Aftermath. Search Engines Hijacked?


Post by 123fixmyshit on Sat Jul 11, 2009 11:24 pm

Hello All,

Malwarebytes erased Antivirus System Pro from my machine, but now all search engines in various browsers just bring up a couple pages of random stuff before I get to any kind of actual search result.

I downloaded that GooredFix and it didn't do anything.

Could anyone help?

BTW, here is the log from GooredFix:

GooredFix by jpshortstuff (03.07.09)
Log created at 15:08 on 11/07/2009 (a)
Firefox version 3.0.11 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:17 12/06/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [23:23 17/11/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-

123fixmyshit
Novice
Posts: 5
Joined: 2009-07-11
OS: windows xp
Points: 27057
Likes: 0

Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by Belahzur on Sat Jul 11, 2009 11:29 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1

Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by 123fixmyshit on Sat Jul 11, 2009 11:45 pm

DDS (Ver_09-06-26.01) - NTFSx86
Run by a at 19:45:15.18 on Sat 07/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.397 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Autobahn\autobahn.exe
C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
D:\mIRC\mirc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Documents and Settings\a\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
dRun: [DriverLoad]
dRun: [DriverCheck]
dRun: [SystemDriverLoad]
dRun: [SystemDriver]
dRun: [FDriver]
dRun: [ADriver]
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autobahn.lnk - c:\program files\autobahn\autobahn.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\pci f5d7000\wireless utility\Belkinwcui.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
LSP: c:\windows\system32\lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\a\applic~1\mozilla\firefox\profiles\y7he3x8s.default\
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAbacheck.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2009-5-24 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2009-5-24 5248]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-7 24652]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [2009-5-24 463872]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\NAVENG.sys [2009-7-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090711.006\NAVEX15.sys [2009-7-11 876144]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]
S3 IKFileFlt;File Filter Driver;c:\windows\system32\drivers\ikfileflt.sys [2007-10-4 39248]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-10-4 52304]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-10-4 59984]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-10-4 83536]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-10-4 708176]
S3 sdCoreService;Spyware Doctor Service;c:\program files\spyware doctor\swdsvc.exe [2007-10-4 1302272]

=============== Created Last 30 ================

2009-07-11 15:30 0 a------- c:\windows\system32\8104297.jun
2009-07-11 15:30 --d----- c:\program files\Browser Hijack Recover
2009-07-11 15:22 --d----- c:\program files\NVT Malware Remover Tool
2009-07-07 22:37 --ds---- c:\documents and settings\a\UserData
2009-07-07 21:33 --d----- c:\docume~1\a\applic~1\Malwarebytes
2009-07-07 21:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-07 21:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-07 21:28 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-07 21:28 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-07 20:20 180,224 a------- c:\windows\system32\lsp.dll

==================== Find3M ====================

2009-07-03 18:56 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-03 18:56 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-05-24 20:24 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-05-24 19:58 22,328 a------- c:\docume~1\a\applic~1\PnkBstrK.sys
2009-05-24 19:57 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-05-24 17:37 17,801 a------- c:\windows\system32\drivers\AegisP.sys

============= FINISH: 19:45:38.21 ===============


Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by Belahzur on Sun Jul 12, 2009 1:01 am

Well, I see your problem now. I just wanna check an uninstall log before doing the removal, can you post attach.txt please?





Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by 123fixmyshit on Sun Jul 12, 2009 6:33 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/12/2007 12:20:11 PM
System Uptime: 7/12/2009 2:25:35 PM (0 hours ago)

Motherboard: | | nForce
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 754 | 2210/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 8.213 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 7.303 GiB free.
E: is FIXED (NTFS) - 186 GiB total, 184.948 GiB free.
F: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


µTorrent
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe® Photoshop® Album Starter Edition 3.2
AMD Processor Driver
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Autobahn
Belkin Wireless Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
Day of Defeat: Source
dBpoweramp Music Converter
DeadAIM
Digital Guitar Tuner v2.3
DivX Content Uploader
DivX Web Player
enable Tuner 4.0
FL Studio 6
Google Earth
Google Talk (remove only)
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
HijackThis 1.98.2
HLSW v1.1.6
ImageMixer VCD/DVD2 for OLYMPUS
InFlac 1.1.1
iTunes
Java(TM) 6 Update 3
Left 4 Dead
LiveUpdate 1.80 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.3
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.11)
MSXML 6.0 Parser (KB933579)
Nero 6 Demo
NVIDIA Drivers
NVIDIA SMBus Driver
NVT Malware Remover Tool v2.0.8b1
Octoshape add-in for Adobe Flash Player
OLYMPUS Master
OOBOX SynchroBox data 2.0
Peggle (remove only)
Peggle Extreme
Portal
PowerStrip 3 (remove only)
PunkBuster Services
Quake Live Mozilla Plugin
QuickTime
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB958644)
Serious Sam: The First Encounter
Sid Meier's Civilization 4
Skins
SmartFTP Client
SopCast 1.1.2
SoulSeek 157 NS 13c
SoulSeek Client 156c
Source SDK Base
Spyware Doctor 5.0
Steam
Streambox Vcr Suite 2
Symantec AntiVirus Client
Team Fortress 2
TVAnts 1.0
TVUPlayer 2.3.3.2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Ventrilo Client
VideoLAN VLC media player 0.8.6c
Viewpoint Manager (Remove Only)
Viewpoint Media Player
ViewSonic Monitor Drivers
WebFldrs XP
Winamp (remove only)
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/7/2009 9:21:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
7/7/2009 9:21:46 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/5/2009 8:26:18 PM, error: Service Control Manager [7034] - The Symantec AntiVirus Client service terminated unexpectedly. It has done this 1 time(s).
7/5/2009 8:11:04 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/5/2009 12:00:47 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
7/11/2009 3:05:11 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by Belahzur on Sun Jul 12, 2009 6:44 pm

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    µTorrent
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Java(TM) 6 Update 3
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

Please download the LSPfix from here: [You must be registered and logged in to see this link.]
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", and then select each instance of "lsp.dll" in the left-hand panel and click >> button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Next, reboot normally.
Then after reboot,

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\system32\lsp.dll
    c:\program files\Browser Hijack Recover
    c:\windows\system32\8104297.jun
    c:\program files\viewpoint


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.




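The helper's instructions above rest on two observations from the DDS log: a third-party Winsock LSP entry (`LSP: c:\windows\system32\lsp.dll`, created on 2009-07-07, the same day the infection was cleaned) and a file with a nonsense extension dropped into system32 (`8104297.jun`), which is why the OTM `:files` block targets exactly those paths. The script below is an added example, not code from DDS, OTM or the forum helper. It parses a few DDS lines copied from this thread (constructed sample input), flags LSP DLLs that are not stock Windows providers and recently created system32 files with unusual extensions, and renders the hits as an OTM `:files` block. The allowlist of provider DLLs (`mswsock.dll`, `rsvpsp.dll`), the set of usual system32 extensions and the line regexes are assumptions inferred from the log format shown here, not DDS specifications.

```python
"""Triage a DDS log for the two indicators this thread acts on.

Added example, not code from DDS, OTM or the forum helper. It scans the
'Pseudo HJT Report' lines for LSP entries (third-party Winsock layered
service providers) and the 'Created Last 30' list for files dropped
directly into system32 with unusual extensions, then writes the hits as
an OTM ':files' block. The allowlists below are this example's assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the DDS.txt posted above.
SAMPLE_DDS = """\
mRun: [vptray] c:\\progra~1\\symant~1\\symant~1\\vptray.exe
LSP: c:\\windows\\system32\\lsp.dll
Notify: NavLogon - c:\\windows\\system32\\NavLogon.dll
=============== Created Last 30 ================
2009-07-11 15:30 0 a------- c:\\windows\\system32\\8104297.jun
2009-07-11 15:30 --d----- c:\\program files\\Browser Hijack Recover
2009-07-07 21:28 19,096 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-07-07 20:20 180,224 a------- c:\\windows\\system32\\lsp.dll
==================== Find3M ====================
2009-07-03 18:56 138,944 a------- c:\\windows\\system32\\drivers\\PnkBstrK.sys
"""

# Assumption: provider DLLs present in a stock Windows XP Winsock catalog.
KNOWN_LSP_DLLS = {"mswsock.dll", "rsvpsp.dll"}
# Assumption: extensions one expects directly under system32; anything else is odd.
USUAL_SYSTEM32_EXT = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl",
                      ".ax", ".ini", ".log", ".dat"}
SYSTEM32 = r"c:\windows\system32"

# Line shapes inferred from the DDS output in this thread (assumed, not a spec).
LSP_RE = re.compile(r"^LSP:\s+(?P<path>\S.*?)\s*$", re.IGNORECASE)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attr>\S+) (?P<path>\S.*?)\s*$"
)


def parse_dds(text):
    """Return (lsp_paths, created) with created as a list of (date, path)."""
    lsp, created, section = [], [], None
    for line in text.splitlines():
        if line.startswith("="):              # section banner line
            section = "created" if "Created Last 30" in line else None
            continue
        m = LSP_RE.match(line)
        if m:
            lsp.append(m.group("path"))
            continue
        if section == "created":
            m = CREATED_RE.match(line)
            if m:
                created.append((m.group("date"), m.group("path")))
    return lsp, created


def triage(text):
    """Return a list of (reason, path) findings, in log order."""
    lsp, created = parse_dds(text)
    findings = []
    for path in lsp:
        if PureWindowsPath(path).name.lower() not in KNOWN_LSP_DLLS:
            findings.append(("third-party LSP", path))
    lsp_paths = {p.lower() for p in lsp}
    for _date, path in created:
        wp = PureWindowsPath(path)
        if str(wp.parent).lower() != SYSTEM32:
            continue                          # only files directly in system32
        if path.lower() in lsp_paths:
            findings.append(("recently created LSP DLL", path))
        elif wp.suffix.lower() not in USUAL_SYSTEM32_EXT:
            findings.append(("unusual extension in system32", path))
    return findings


def build_otm_files_block(findings):
    """Render the unique hit paths as an OTM ':files' block (the directive used above)."""
    paths = []
    for _reason, path in findings:
        if path not in paths:
            paths.append(path)
    return "\n".join([":files", *paths])


if __name__ == "__main__":
    hits = triage(SAMPLE_DDS)
    for reason, path in hits:
        print(f"{reason:32} {path}")
    print()
    print(build_otm_files_block(hits))
```

Run as-is, the script flags `lsp.dll` twice (once as a non-stock LSP, once as an LSP DLL created in the last 30 days) and `8104297.jun` once, and the resulting block lists each path only once. Note the directory `Browser Hijack Recover` and the `mbam.sys` driver are deliberately not flagged: a path-based heuristic cannot tell a removal tool's leftovers from malware, which is why the helper asked for the uninstall log before scripting the removal.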

Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by 123fixmyshit on Sun Jul 12, 2009 8:36 pm

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTM by OldTimer - Version 3.0.0.4 log created on 07122009_163539


Re: AntiVirus System Pro: Aftermath. Search Engines Hijacked?

Post by Belahzur on Sun Jul 12, 2009 11:05 pm

Hello.

You missed :files as the top line. Include :files and re-run the script.




