Browser redirects to Shopica and various sites (Hijacked ?)

Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Sat 10 Jul 2010, 2:15 pm

Running Windows XP SP2 and IE6.

Browser seems to be hijacked and redirects to Shopica and other similar sites. Seems to be some sort of a Google hijack. Earlier today, I ran MBAM in Safe Mode and found a few issues that I allowed it to fix. I then ran MBAM again in Normal Mode and it found one additional issue that I allowed it to fix. I ran AVG 9 after this and it found a few items that it fixed. Further scans looked like the system was clean, however when I get online and search within Google, it seems that I am redirected when I click on a result. Not sure what to do next, so I ran MBAM and HJT a few minutes ago. The most recent MBAM and HJT Logs are posted below. I can also post the earlier ones if they are needed.

Any assistance will be greatly appreciated. Thank you.
-----------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4298

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/9/2010 10:46:17 PM
mbam-log-2010-07-09 (22-46-17).txt

Scan type: Quick scan
Objects scanned: 142990
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:58 PM, on 7/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [dsocfjro] C:\Documents and Settings\NetworkService\Local Settings\Application Data\patlnrdoh\yupnkditssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dsocfjro] C:\Documents and Settings\NetworkService\Local Settings\Application Data\patlnrdoh\yupnkditssd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7907 bytes

Resto
Rookie Surfer
Posts : 63
Joined : 2009-09-17
Operating System : Windows 7 64 bit

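Triage of the O4 entries in the log above, as an added example (not part of the original post and not a HijackThis feature): a Python script that parses HijackThis "O4" lines and flags the pattern that stands out here, a Run value under the SYSTEM/.DEFAULT user hive launching a randomly named executable from the NetworkService profile's Local Settings\Application Data. The sample lines are copied from the log above; the directory lists, the vowel-ratio heuristic and its thresholds are my own assumptions, not HijackThis rules.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines copied in the shape of the HijackThis log above.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run',
    r'O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [dsocfjro] C:\Documents and Settings\NetworkService\Local Settings\Application Data\patlnrdoh\yupnkditssd.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [dsocfjro] C:\Documents and Settings\NetworkService\Local Settings\Application Data\patlnrdoh\yupnkditssd.exe (User 'Default user')",
]

# "O4 - <hive>\<key>: [<value name>] <command>"   (HijackThis 2.0.2 layout)
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)\s*$")   # trailing "(User 'SYSTEM')"
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs|js))\b", re.I)

# Assumptions (my heuristics, not HijackThis rules): Windows XP profile layout, and a
# name of 8+ lowercase letters with few vowels counts as "machine-generated".
PROFILE_DROP_DIRS = ("\\local settings\\application data\\", "\\local settings\\temp\\", "\\application data\\")
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")
SYSTEM_HIVE_KEYS = ("S-1-5-18", ".DEFAULT")

def parse_o4(line):
    """Split one O4 line into hive, key, value name and the executable path it launches."""
    m = O4_RE.match(line)
    if m is None:
        return None
    cmd = USER_SUFFIX_RE.sub("", m["cmd"]).strip()
    if cmd.startswith('"'):                     # quoted path, arguments may follow
        path = cmd[1:].split('"', 1)[0]
    else:                                       # unquoted: cut after the first executable extension
        em = EXE_RE.match(cmd)
        path = em["path"] if em else cmd
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "path": path}

def looks_random(token):
    if len(token) < 8 or not token.isalpha() or not token.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in token)
    return vowels / len(token) < 0.35

def triage_o4(line):
    """Return the list of reasons this O4 entry deserves a look (empty = nothing odd)."""
    entry = parse_o4(line)
    if entry is None:
        return []
    reasons = []
    low = entry["path"].lower()
    if any(d in low for d in PROFILE_DROP_DIRS):
        reasons.append("executable lives in a user-profile data directory")
    if any(s in low for s in SERVICE_PROFILES):
        reasons.append("executable lives in a service-account profile (NetworkService/LocalService)")
    if entry["hive"] == "HKUS" and entry["key"].upper().startswith(SYSTEM_HIVE_KEYS):
        reasons.append("Run value under the SYSTEM or .DEFAULT user hive")
    if looks_random(entry["name"]) and looks_random(PureWindowsPath(entry["path"]).stem):
        reasons.append("value name and file name both look machine-generated")
    return reasons

def triage_log(lines):
    """Map each suspicious O4 line to its reasons; clean entries are left out."""
    findings = {}
    for line in lines:
        reasons = triage_o4(line)
        if reasons:
            findings[line] = reasons
    return findings

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_O4_LINES).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the two HKUS lines come back, each with all four reasons; the vendor entries under HKLM and HKCU are silent. The heuristics are deliberately weak on their own (plenty of legitimate software keeps helpers under Application Data), which is why the script reports reasons rather than a verdict.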

Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Sun 18 Jul 2010, 2:31 pm

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


~DMJ
GeekPolice Academy Manager

DragonMaster Jay
Manager | Tech Officer
Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate
http://www.twitter.com/jaypfoutz

Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Mon 19 Jul 2010, 12:03 am

Dr.Web CureIt report posted per your request. Thank you.

couponprinter.exe\data012;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data013;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data015;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe\data016;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;
couponprinter.exe;C:\Documents and Settings\HP_Owner\Desktop;Container contains infected objects;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
A0027584.ocx;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302;Adware.Coupons.34;Incurable.Moved.;
A0027592.exe\data012;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;
A0027592.exe\data013;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;
A0027592.exe\data015;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;
A0027592.exe\data016;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;
A0027592.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302;Container contains infected objects;Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;


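The report above is Dr.Web CureIt's semicolon-separated list, one record per object: object name, directory (or, for a member of an archive or installer, the container's full path), detection name, and the action taken. Members carry no action of their own; the container's line does. The following Python parser is an added example, not part of the original post or of Dr.Web: it rebuilds full paths from that layout, totals the actions, lists anything detected but left in place, and counts hits inside System Volume Information, the restore-point copies that a later step in this thread purges. The record list is a constructed copy of the report above; the field meanings are my reading of the format.

```python
from collections import Counter

# Constructed copy of the Dr.Web CureIt report posted above (one record per line).
SAMPLE_REPORT = [
    r"couponprinter.exe\data012;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;",
    r"couponprinter.exe\data013;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;",
    r"couponprinter.exe\data015;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;",
    r"couponprinter.exe\data016;C:\Documents and Settings\HP_Owner\Desktop\couponprinter.exe;Adware.Coupons.34;;",
    r"couponprinter.exe;C:\Documents and Settings\HP_Owner\Desktop;Container contains infected objects;Moved.;",
    r"KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;",
    r"A0027584.ocx;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302;Adware.Coupons.34;Incurable.Moved.;",
    r"A0027592.exe\data012;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;",
    r"A0027592.exe\data013;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;",
    r"A0027592.exe\data015;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;",
    r"A0027592.exe\data016;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302\A0027592.exe;Adware.Coupons.34;;",
    r"A0027592.exe;C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP302;Container contains infected objects;Moved.;",
    r"CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;",
]

RESTORE_MARKER = "\\system volume information\\_restore"   # XP restore-point store

def parse_report(lines):
    """Turn Dr.Web CSV lines into records with a full path and the action recorded."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4:
            continue                           # not a record line
        name, location, threat, action = parts[:4]
        if "\\" in name:                       # member of an archive/installer: location is the container
            container = location
            path = container + "\\" + name.split("\\", 1)[1]
        else:
            container = None
            path = location + "\\" + name
        records.append({
            "path": path,
            "threat": threat,
            "action": action or None,          # members inherit the container's action
            "container": container,
            "restore_point": RESTORE_MARKER in location.lower(),
        })
    return records

def summarize(records):
    return {
        "by_action": Counter(r["action"] or "(member of container)" for r in records),
        "by_threat": Counter(r["threat"] for r in records),
        "restore_point_hits": sum(r["restore_point"] for r in records),
        # Top-level objects with no action at all were detected but left in place.
        "still_present": [r["path"] for r in records if r["container"] is None and not r["action"]],
    }

if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

For this report the summary shows every top-level object either moved or moved as incurable, nothing still present, and six of the thirteen records inside the restore-point store, which is the argument for flushing old restore points once the live system is clean.
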
Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Mon 19 Jul 2010, 5:59 am

Are the browser redirects still continuing?



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Mon 19 Jul 2010, 9:16 am

I have not experienced any more browser redirects. Thank you.
What's next ?!


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Mon 19 Jul 2010, 4:57 pm

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Tue 20 Jul 2010, 12:15 am

DragonMaster Jay, Good morning. Here is the ESET log. Thanks.

# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=de057ca556d10540beb6fb0959be0d90
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-19 01:01:16
# local_time=2010-07-19 09:01:16 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 25427998 25427998 0 0
# compatibility_mode=1024 16777175 100 0 2259045 2259045 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=93366
# found=0
# cleaned=0
# scan_time=3094


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Tue 20 Jul 2010, 1:12 pm

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Tue 20 Jul 2010, 2:29 pm

The requested document is posted below. It looks like I have several things that are out of date. If they are able to be updated, I will be glad to do so. Do you have instructions on how to best do this ? Thanks !

Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 15
Out of date Java installed!
Adobe Flash Player 10.0.42.34
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

``````````End of Log````````````


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Tue 20 Jul 2010, 3:07 pm

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

==============================

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

========================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?



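An added example for the HOSTS-file advice above (my code, not part of the original post and not hpHosts itself): a blocklist HOSTS should only ever map names to 127.0.0.1 or 0.0.0.0, so a short audit can separate legitimate block entries from the two shapes a hijack leaves behind, a name mapped to a remote address (a search domain silently redirected, the symptom that opened this thread) and a vendor or update domain blackholed to loopback, which presents as a machine that cannot reach a support site. The HOSTS content is constructed (the non-loopback address is from the 203.0.113.0/24 documentation range) and the protected-domain list is an illustrative assumption of mine.

```python
import ipaddress

# Constructed sample HOSTS file: the stock localhost line, two hpHosts-style block
# entries, and two entries of the kind a hijack leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net
0.0.0.0         adserver.example      # hpHosts-style block entry
203.0.113.7     www.google.com        # search traffic handed to a third party
127.0.0.1       support.microsoft.com # vendor site blackholed
"""

NULL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}   # the only addresses a blocklist HOSTS should use

# Assumption: an illustrative list of names a healthy HOSTS file must never override.
PROTECTED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                      "malwarebytes.org", "avg.com", "drweb.com", "eset.com")

def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # first field is not an address; skip the line
        for host in fields[1:]:
            entries.append((lineno, addr, host.lower()))
    return entries

def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)

def audit_hosts(text):
    """Return (line, host, address, reason) for every entry that is not a plain block rule."""
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if host == "localhost":
            continue
        if addr not in NULL_TARGETS:
            findings.append((lineno, host, addr, "name sent to a remote address (redirect)"))
        elif is_protected(host):
            findings.append((lineno, host, addr, "search/update/vendor domain blackholed"))
    return findings

if __name__ == "__main__":
    for lineno, host, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}: {reason}")
```

On Windows XP the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; the two doubleclick/adserver lines pass as block rules, while the google.com redirect and the blackholed microsoft.com entry are reported.
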
Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Wed 21 Jul 2010, 4:35 pm

Sorry for the delay in replying to you.

Thanks for all you have done to rectify my issue. Everything seems to be working well at this time.

I will carefully follow your instructions to update all of the suggested items.

I really appreciate the professional and courteous assistance you have provided !


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Fri 13 Aug 2010, 2:29 pm

Since the above-referenced malware was removed from my computer, I have not had the need to utilize my internal DVD Burner - until today. I am not sure if this is related to any of the disinfection procedures or if it is another issue entirely, but I thought I would ask your opinion about this issue.

If I am not mistaken, it seems that there was something suspicious related to my ATAPI and cdrom drivers.

RKU showed:

>Stealth
==============================================
0xF7411000 WARNING: suspicious driver modification [atapi.sys::0x86383AEA]
0xF76C8000 WARNING: Virus alike driver modification [cdrom.sys], 53248 bytes
==============================================

You then asked me to do this with Combo Fix:

killall::
TDL::
c:\windows\system32\drivers\cdrom.sys
c:\windows\system32\drivers\atapi.sys

Reboot::

--------------------------------------------------------------------------------

Could any of this be contributing to my current issue ?

My burner / player will play recorded DVD and CD media perfectly, however it will not recognize blank media when I install it to burn. As soon as a blank DVD is inserted, it begins to spin continuously at a high rate of speed. Burning software does not show that the blank media has been detected. Closing the burning software does not stop the spinning. As a matter of fact, the blank media spins continuously and will not stop even when there are no applications or processes open. I should add that I am using the same blank media (DVD-R) from the same package of blank media that has always worked properly. I have also tried numerous DVD's from a stack of 100 of these blank media to rule out whether the discs were faulty or not.

While the blank media is spinning.... if I open "My Computer" to view properties of my E: drive - and right click on the E: drive - I get an hourglass and no window opens up for me to view properties. Everything seems to hang up at this point. When I finally get this closed down via Task Manager, my desktop has no icons visible - no Start icon or anything - and the blank media is still spinning at high speed in the DVD burner / player. The only thing I can do to restore functionality is to manually shut off my machine with the power switch.

The only thing that seems to stop the spinning media is blind luck. I push the eject button on the internal DVD burner / player....sometimes this stops the spinning media and it ejects correctly....sometimes pushing the eject button does nothing at all.... sometimes pushing the eject button opens the drawer with the blank media still spinning at top speed. Very confusing.

Device Manager says that the device is working properly and that I have the most updated driver available for the device.

Any ideas, troubleshooting tips, or instructions for me to follow ?

As always, thanks in advance for your assistance.


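After a driver such as atapi.sys has been flagged as modified and then replaced, the check a practitioner wants is whether the live copy in system32\drivers now matches the pristine copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386. The Python below is an added example, not the procedure from this thread, ComboFix or RKU: it hashes each copy and reports mismatches and missing copies, and demo() builds a throwaway directory tree of constructed bytes standing in for a patched atapi.sys and an intact cdrom.sys. The SP2 directory layout is an assumption. Caveat: run this from clean boot media or with the disk attached to a clean machine, since a kernel-mode rootkit that filters disk reads can hand the original bytes back to anything running on the infected system, so a clean hash taken from inside the infected OS proves little.

```python
import hashlib
import tempfile
from pathlib import Path

# Where Windows XP keeps pristine copies of boot-critical drivers
# (assumption: SP2 layout, relative to %SystemRoot%).
PRISTINE_SUBDIRS = ("system32/dllcache", "ServicePackFiles/i386")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_driver(live_path, candidate_paths):
    """Hash the live driver and every pristine copy; list which copies differ or are absent."""
    live_hash = sha256_of(live_path)
    report = {"live": live_hash, "copies": {}, "mismatched": [], "missing": []}
    for cand in map(Path, candidate_paths):
        if not cand.is_file():
            report["missing"].append(str(cand))
            continue
        digest = sha256_of(cand)
        report["copies"][str(cand)] = digest
        if digest != live_hash:
            report["mismatched"].append(str(cand))
    return report

def check_boot_drivers(system_root, names=("atapi.sys", "cdrom.sys")):
    """Compare each named driver under system32\\drivers with its pristine copies."""
    root = Path(system_root)
    return {
        name: compare_driver(root / "system32" / "drivers" / name,
                             [root / sub / name for sub in PRISTINE_SUBDIRS])
        for name in names
    }

def demo():
    """Constructed sample: a throwaway XP-like tree with atapi.sys patched on disk."""
    tmp = Path(tempfile.mkdtemp())
    good_atapi = b"MZ" + b"\x00" * 64 + b"original atapi"
    good_cdrom = b"MZ" + b"\x00" * 64 + b"original cdrom"
    layout = {
        "system32/drivers/atapi.sys": good_atapi[:-6] + b"patch!",   # tail overwritten
        "system32/dllcache/atapi.sys": good_atapi,
        "ServicePackFiles/i386/atapi.sys": good_atapi,
        "system32/drivers/cdrom.sys": good_cdrom,
        "system32/dllcache/cdrom.sys": good_cdrom,
        # no ServicePackFiles copy of cdrom.sys: reported as missing, not as a mismatch
    }
    for rel, data in layout.items():
        target = tmp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return check_boot_drivers(tmp)

if __name__ == "__main__":
    for name, rep in demo().items():
        status = "MODIFIED" if rep["mismatched"] else "matches pristine copies"
        print(f"{name}: {status}; missing copies: {rep['missing']}")
```

A mismatch against both pristine copies means the live file differs from what Windows shipped; a mismatch against only one is worth a second look, because the dllcache copy can itself be replaced by whatever wrote the driver. Against a real system pass the Windows directory of the offline disk (for example the mounted volume's WINDOWS folder) as system_root.
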
Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Sat 14 Aug 2010, 3:57 pm

Go to this page, and click on the Run now button: [You must be registered and logged in to see this link.]

It will run a diagnostic to tell you why you cannot play media, etc.



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Sun 15 Aug 2010, 5:02 am

DragonMaster Jay,

Thanks for the recommendation, but it is not working.

This computer will not connect to the Microsoft Support site. I have clicked on the link you gave me above. I have manually entered that URL in the address bar. I have also tried support.microsoft.com as well. No luck connecting with any of these methods.

My other computer readily accesses the link you have provided, so I'm guessing that there is still something not quite right with this computer.

Any further assistance will be greatly appreciated.


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Sun 15 Aug 2010, 3:01 pm

Not sure why I was not able to access the Microsoft Security website earlier today. I was able to easily get to it with no issues tonight. I ran the diagnostic you requested. The log is posted below. Thank you.
------------------------------------------------------------------------------------------

CD/DVD Reading and Writing (Publisher details)

Issues found
  Media in CD/DVD drive is not readable (HL-DT-ST DVDRRW GWA-4161B) - Not fixed
    The drive is empty or the media format is not supported
    Insert readable media - Succeeded

Issues checked
  Class filter drivers are corrupt - Checked
    One or more class-specific filter drivers are missing/corrupt
  Device filter drivers are corrupt (HL-DT-ST DVDRRW GWA-4161B) - Checked
    One or more device-specific filter drivers are missing/corrupt
  Device is not working properly (HL-DT-ST DVDRRW GWA-4161B) - Checked
    This device is experiencing a problem that is preventing it from working properly
  Drive is disabled (HL-DT-ST DVDRRW GWA-4161B) - Checked
    The CD/DVD drive have been disabled in Device Manager
  Drive is not assigned a drive letter - Checked
    The CD/DVD drive is not accessible via an assigned drive letter

Issues found (detection details)
  Media in CD/DVD drive is not readable (HL-DT-ST DVDRRW GWA-4161B) - Not fixed
    The drive is empty or the media format is not supported
    Insert readable media - Succeeded
      Insert a readable CD or DVD into the selected CD/DVD drive

Issues checked (detection details)
  Class filter drivers are corrupt - Checked
    One or more class-specific filter drivers are missing/corrupt
    Repair class filter drivers - Not Run
      Remove missing/corrupt class filter driver references
  Device filter drivers are corrupt (HL-DT-ST DVDRRW GWA-4161B) - Checked
    One or more device-specific filter drivers are missing/corrupt
    Uninstall device - Not Run
      Uninstall the problem device
  Device is not working properly (HL-DT-ST DVDRRW GWA-4161B) - Checked
    This device is experiencing a problem that is preventing it from working properly
    Rescan devices - Not Run
      Check for changes in available devices
    Uninstall device - Not Run
      Assign drive letters to all drives that do not have drive letter
  Drive is disabled (HL-DT-ST DVDRRW GWA-4161B) - Checked
    The CD/DVD drive have been disabled in Device Manager
    Enable the device - Not Run
      The device must be enabled before it can be used
  Drive is not assigned a drive letter - Checked
    The CD/DVD drive is not accessible via an assigned drive letter
    Assign drive letter - Not Run
      Assign drive letters to all drives that do not have drive letter

Detection details

Collection information
Computer Name: CHRIS
Windows Version:5.1
Architecture:x86
Time:8/14/2010 11:47:02 PM

Publisher details

CD/DVD Reading and Writing
This diagnostic identifies and resolves common problems that may prevent
you from reading and writing CDs/DVDs
Package Version:2.0
Publisher:Microsoft Corporation



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Tue 17 Aug 2010, 7:38 am

cdrom.sys is damaged. We will need to replace that.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    cdrom.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Tue 17 Aug 2010, 10:42 am

Thank you.

SystemLook log per your request:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:39 on 16/08/2010 by HP_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "cdrom.sys"
C:\WINDOWS\$NtServicePackUninstall$\cdrom.sys -----c 49536 bytes [03:30 23/07/2010] [12:00 04/08/2004] AF9C19B3100FE010496B1A27181FBF72
C:\WINDOWS\ServicePackFiles\i386\cdrom.sys ------ 62976 bytes [21:46 18/08/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\WINDOWS\system32\drivers\cdrom.sys --a--- 62976 bytes [12:00 04/08/2004] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE

-=End Of File=-


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Tue 17 Aug 2010, 3:20 pm

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    killall::

    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\cdrom.sys | C:\WINDOWS\system32\drivers\cdrom.sys

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.




NOTE:
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It should just continue scanning.


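The SystemLook listing above and the FCopy step just given both turn on one question: which of the three cdrom.sys copies are byte-identical, and does the live driver end up matching the copy chosen as the source. The script below is an added example (not SystemLook's, ComboFix's or either poster's code) that parses the filefind lines quoted in this thread, groups them by MD5, reports whether the driver in system32\drivers hashes the same as the ServicePackFiles copy, and shows the post-copy hash comparison a helper would run after a restore. The restore demo uses constructed file contents in a temporary directory, not real driver images.

```python
"""Hash check for the cdrom.sys copies listed by a SystemLook ':filefind' scan.

Added example, not code from SystemLook, ComboFix or this thread.  It parses
the filefind lines quoted above, groups the copies by MD5, reports whether the
live driver in system32\\drivers matches the ServicePackFiles baseline, and
demonstrates the post-copy hash comparison one runs after an FCopy-style
restore (the restore demo uses constructed bytes, not real driver images).
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# SystemLook filefind output, copied from the log posted in this thread.
FILEFIND_LOG = """\
Searching for "cdrom.sys"
C:\\WINDOWS\\$NtServicePackUninstall$\\cdrom.sys -----c 49536 bytes [03:30 23/07/2010] [12:00 04/08/2004] AF9C19B3100FE010496B1A27181FBF72
C:\\WINDOWS\\ServicePackFiles\\i386\\cdrom.sys ------ 62976 bytes [21:46 18/08/2008] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
C:\\WINDOWS\\system32\\drivers\\cdrom.sys --a--- 62976 bytes [12:00 04/08/2004] [18:40 13/04/2008] 1F4260CC5B42272D71F79E570A27A4FE
"""

# One filefind line: path, six attribute flags, size, two [timestamps], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line; header lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def by_hash(entries):
    """Group paths by MD5 so identical copies stand out."""
    groups = {}
    for e in entries:
        groups.setdefault(e["md5"], []).append(e["path"])
    return groups


def live_matches_baseline(entries, live_dir="\\system32\\drivers\\",
                          baseline_dir="\\ServicePackFiles\\"):
    """True if the in-use driver hashes the same as the service-pack copy,
    False if it differs, None when one of the two copies is not in the log."""
    live = [e for e in entries if live_dir.lower() in e["path"].lower()]
    base = [e for e in entries if baseline_dir.lower() in e["path"].lower()]
    if not live or not base:
        return None
    return live[0]["md5"] == base[0]["md5"]


def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest().upper()


def verify_replacement(source, target):
    """Copy source over target (what ComboFix's FCopy directive does) and
    confirm the result by hash rather than by trusting that the copy succeeded."""
    shutil.copyfile(source, target)
    return md5_of(source) == md5_of(target)


def demo_replacement():
    """Run verify_replacement on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "cdrom.sys.backup"   # stands in for the backup copy
        dst = Path(tmp) / "cdrom.sys"          # stands in for the live driver
        src.write_bytes(b"constructed backup driver image")
        dst.write_bytes(b"constructed damaged driver image")
        return verify_replacement(src, dst)


if __name__ == "__main__":
    ents = parse_filefind(FILEFIND_LOG)
    for digest, paths in by_hash(ents).items():
        print(digest)
        for p in paths:
            print("   ", p)
    print("live driver matches ServicePackFiles copy:", live_matches_baseline(ents))
    print("post-restore hash check passed:", demo_replacement())
```

Run as-is, the script groups the three paths into two hash sets and prints the baseline comparison; point verify_replacement at real paths (as an administrator, with the drive idle) to confirm a restore took effect, since a copy that silently failed leaves the old hash in place.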

Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Tue 17 Aug 2010, 4:51 pm

ComboFix log posted below. Thank you.

------------------------------------------------------------------------------------------

ComboFix 10-08-16.03 - HP_Owner 08/17/2010 1:28.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.566 [GMT -4:00]
Running from: c:\documents and settings\HP_Owner\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Application Data\inst.exe

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\cdrom.sys --> c:\windows\system32\drivers\cdrom.sys
.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-16 02:24 . 2010-08-16 02:24 -------- d-----w- c:\windows\system32\XPSViewer
2010-08-16 02:24 . 2010-08-16 02:24 -------- d-----w- c:\program files\MSBuild
2010-08-16 02:24 . 2010-08-16 02:24 -------- d-----w- c:\program files\Reference Assemblies
2010-08-16 02:23 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-08-16 02:23 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-08-16 02:23 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-08-16 02:23 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-08-16 02:23 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-08-16 02:23 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-08-16 02:23 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-08-16 02:23 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-08-16 02:23 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2010-08-16 02:23 . 2010-08-16 02:23 -------- d-----w- C:\81fc91858e2fca0d05fc
2010-08-15 03:40 . 2010-08-15 03:40 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ElevatedDiagnostics
2010-08-08 21:31 . 2010-08-08 21:31 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-22bf9bcd-n\msvcp71.dll
2010-08-08 21:31 . 2010-08-08 21:31 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-22bf9bcd-n\jmc.dll
2010-08-08 21:31 . 2010-08-08 21:31 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-22bf9bcd-n\msvcr71.dll
2010-08-08 21:31 . 2010-08-08 21:31 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-367b0667-n\decora-sse.dll
2010-08-08 21:31 . 2010-08-08 21:31 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-367b0667-n\decora-d3d.dll
2010-07-23 12:38 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2010-07-23 03:39 . 2010-07-23 03:39 -------- d-----w- c:\windows\system32\scripting
2010-07-23 03:39 . 2010-07-23 03:39 -------- d-----w- c:\windows\l2schemas
2010-07-23 03:39 . 2010-07-23 03:39 -------- d-----w- c:\windows\system32\bits
2010-07-23 03:30 . 2010-07-23 03:30 -------- d-----w- c:\windows\EHome
2010-07-23 03:10 . 2010-07-23 03:10 -------- d-----w- c:\program files\Common Files\Java
2010-07-23 03:10 . 2010-07-23 03:10 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61b9ee4a-n\msvcp71.dll
2010-07-23 03:10 . 2010-07-23 03:10 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61b9ee4a-n\jmc.dll
2010-07-23 03:10 . 2010-07-23 03:10 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-61b9ee4a-n\msvcr71.dll
2010-07-23 03:10 . 2010-07-23 03:10 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5dbcde63-n\decora-sse.dll
2010-07-23 03:10 . 2010-07-23 03:10 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-5dbcde63-n\decora-d3d.dll
2010-07-23 03:10 . 2010-07-23 03:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-20 17:17 . 2010-07-20 17:17 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
2010-07-20 17:17 . 2010-07-20 17:17 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-20 17:17 . 2010-07-20 17:17 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 17:17 . 2010-07-20 17:17 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 05:10 . 2006-04-06 21:53 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Canon
2010-08-17 01:33 . 2006-04-30 20:00 67624 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-12 05:57 . 2010-05-27 19:41 -------- d-----w- c:\program files\DVDFab 7
2010-08-12 05:57 . 2010-05-27 19:42 47360 ----a-w- c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2010-08-12 05:57 . 2010-05-27 19:42 47360 ----a-w- c:\documents and settings\HP_Owner\Application Data\pcouffin.sys
2010-08-12 05:57 . 2010-05-27 19:41 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Vso
2010-08-12 04:53 . 2010-05-27 19:42 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-07-29 20:44 . 2008-12-04 05:18 -------- d-----w- c:\program files\Coupons
2010-07-24 14:27 . 2008-03-06 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-23 03:42 . 2005-01-27 05:13 83187 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-23 03:42 . 2010-07-23 03:42 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-07-23 03:42 . 2010-07-23 03:42 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2010-07-23 03:09 . 2005-08-17 15:42 -------- d-----w- c:\program files\Java
2010-07-21 22:55 . 2006-03-17 20:46 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2010-07-18 13:57 . 2006-05-06 00:07 2138 ----a-w- c:\documents and settings\HP_Owner\Application Data\wklnhst.dat
2010-07-15 19:15 . 2010-06-12 16:42 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 19:15 . 2010-07-15 19:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 19:13 . 2010-06-12 16:42 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-11 03:11 . 2010-07-11 03:11 -------- d-----w- c:\program files\ESET
2010-07-10 03:37 . 2010-07-10 03:37 -------- d-----w- c:\program files\7-Zip
2010-07-09 21:17 . 2010-07-09 21:17 -------- d-----w- c:\documents and settings\Administrator.CHRIS\Application Data\Malwarebytes
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 23:54 . 2008-12-29 01:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-26 23:53 . 2008-12-29 01:49 -------- d-----w- c:\program files\DIFX
2010-06-26 23:51 . 2010-06-26 23:51 31287640 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-06-26 23:51 . 2009-12-26 18:50 6178648 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
2010-06-24 12:10 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:10 . 2004-08-04 11:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 19:39 . 2010-06-23 19:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb5.tmp.exe
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 12:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-13 15:50 . 2010-06-12 16:42 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2005-11-03 09:09 . 2006-03-16 00:45 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-29 155648]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-06-10 554328]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-30 108544]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2007-12-18 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 19:15 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
2004-10-14 20:54 253952 ----a-w- c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-03-29 03:57 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 sonypvl3;sonypvl3;c:\windows\system32\drivers\sonypvl3.sys [3/22/2008 3:28 PM 19507]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2010 12:42 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2010 12:42 PM 243024]
R1 sonypvf3;sonypvf3;c:\windows\system32\drivers\sonypvf3.sys [3/22/2008 3:28 PM 619390]
R1 sonypvt3;sonypvt3;c:\windows\system32\drivers\sonypvt3.sys [3/22/2008 3:28 PM 423454]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 3:13 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 3:15 PM 308136]
S1 sonypvd3;Sony DVD Handycam;c:\windows\system32\drivers\sonypvd3.sys [3/22/2008 3:28 PM 64964]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 10:33 AM 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/28/2008 9:49 PM 18560]
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:33]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:33]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-17 01:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-17 01:38:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 05:38

Pre-Run: 72,740,900,864 bytes free
Post-Run: 72,976,646,144 bytes free

- - End Of File - - BD7F6EE0DC02A5EBA063625A995E7D6A


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Tue 17 Aug 2010, 4:55 pm

Now, try a CD and let me know if it works.



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Tue 17 Aug 2010, 5:12 pm

No. Not working correctly!

1) Will not recognize blank DVD-R media
- Burning software states "Device not ready...or no media present"
- Endless spinning of disc
- Will sometimes stop disc and eject it when "eject" button is pressed
- Will sometimes open drawer with disc still at full speed when "eject" button is pressed

2) Played a recorded CD perfectly

Very confusing!


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Wed 18 Aug 2010, 4:48 pm

Ohhh, now I get it. I just thought it was with CDs, my bad.

Download and run this tool:
[You must be registered and logged in to see this link.]

It will fix how Windows recognizes correct disc types.

==============

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Class/4D36E965-E325-11CE-BFC1-08002BE10318]

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Wed 18 Aug 2010, 11:50 pm

DragonMaster Jay,

The link provided is not working: [You must be registered and logged in to see this link.]

It generates a 404 Error stating that the requested resource (FixCdRomTypeError.exe) is not available.

Looking forward to your next reply. Thank you.


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Thu 19 Aug 2010, 5:18 am

Ok. Go ahead with the next step, SystemLook.



Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by Resto on Thu 19 Aug 2010, 7:58 am

SystemLook log posted below. Thank you.
------------------------------------------------------------------------------------------
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:55 on 18/08/2010 by HP_Owner (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE]
(No values found)

[HKEY_LOCAL_MACHINE\HARDWARE]

[HKEY_LOCAL_MACHINE\SAM]

[HKEY_LOCAL_MACHINE\SECURITY]

[HKEY_LOCAL_MACHINE\SOFTWARE]

[HKEY_LOCAL_MACHINE\SYSTEM]


-=End Of File=-


Re: Browser redirects to Shopica and various sites (Hijacked ?)

Post by DragonMaster Jay on Thu 19 Aug 2010, 8:11 am

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    UpperFilters
    LowerFilters

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


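The UpperFilters and LowerFilters values that the :regfind step above searches for live on the CD/DVD-ROM class key, {4D36E965-E325-11CE-BFC1-08002BE10318} under HKLM\SYSTEM\CurrentControlSet\Control\Class, spelled here as regedit exports it. Windows chains every driver named in those values into the CD/DVD stack, so an entry whose driver file is gone leaves the drive non-functional, which is the failure the diagnostic log earlier in this thread lists as "class filter drivers are corrupt". The following is an added example, not SystemLook's or the thread's code: it decodes a .reg export of that key (REG_MULTI_SZ values in regedit's hex(7) encoding, with its backslash line continuations) and lists filter entries with no matching .sys on disk. The export, the driver list and the filter name oldburnflt are constructed for the example; it also assumes a filter's service name equals its .sys file name, which a real check would confirm from the service's ImagePath.

```python
"""Find dangling CD/DVD-ROM class filter drivers (UpperFilters / LowerFilters).

Added example, not SystemLook's or this thread's code.  It decodes a .reg
export of the CDROM class key, including regedit's hex(7) encoding of
REG_MULTI_SZ values and its backslash line continuations, then reports every
filter name with no matching .sys file.  The export, the driver list and the
filter name "oldburnflt" are constructed for the example.  Assumption: a
filter's service name equals its driver file name (true for the common
filters; a real check would read the service's ImagePath instead).
"""
import re

CDROM_CLASS_GUID = "{4D36E965-E325-11CE-BFC1-08002BE10318}"

# Constructed regedit export of the class key (not from the poster's machine).
# UpperFilters decodes to ["GEARAspiWDM"], LowerFilters to ["pcouffin", "oldburnflt"].
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"Class"="CDROM"
"UpperFilters"=hex(7):47,00,45,00,41,00,52,00,41,00,73,00,70,00,69,00,57,00,44,00,4d,00,00,00,00,00
"LowerFilters"=hex(7):70,00,63,00,6f,00,75,00,66,00,66,00,69,00,6e,00,00,00,6f,\
  00,6c,00,64,00,62,00,75,00,72,00,6e,00,66,00,6c,00,74,00,00,00,00,00
"""

# Constructed snapshot of %SystemRoot%\system32\drivers; on a real machine this
# would come from os.listdir of that directory.
SAMPLE_DRIVERS_PRESENT = {"cdrom.sys", "gearaspiwdm.sys", "pcouffin.sys", "redbook.sys"}


def decode_value(data):
    """Decode one .reg value: quoted strings and hex(7) multi-strings."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    if data.lower().startswith("hex(7):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        # REG_MULTI_SZ is UTF-16LE, one NUL after each string and one more at the end
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: decoded_value}}."""
    joined = re.sub(r"\\\r?\n\s*", "", text)   # undo regedit's line continuations
    keys, current = {}, None
    for raw_line in joined.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name] = decode_value(data)
    return keys


def _class_key(reg, class_guid):
    return next((k for k in reg if k.upper().endswith(class_guid.upper())), None)


def dangling_filters(reg, drivers_present, class_guid=CDROM_CLASS_GUID):
    """{value_name: [filters whose .sys is missing]}, or None if the key is absent."""
    key = _class_key(reg, class_guid)
    if key is None:
        return None
    present = {d.lower() for d in drivers_present}
    result = {}
    for value in ("UpperFilters", "LowerFilters"):
        missing = [n for n in reg[key].get(value, []) if f"{n.lower()}.sys" not in present]
        if missing:
            result[value] = missing
    return result


def cleaned_filters(reg, drivers_present, class_guid=CDROM_CLASS_GUID):
    """The filter lists with dangling entries removed: what a helper would write
    back, after confirming the remaining names belong to software still installed."""
    key = _class_key(reg, class_guid)
    if key is None:
        return None
    present = {d.lower() for d in drivers_present}
    return {value: [n for n in reg[key].get(value, []) if f"{n.lower()}.sys" in present]
            for value in ("UpperFilters", "LowerFilters")}


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    print("dangling:", dangling_filters(reg, SAMPLE_DRIVERS_PRESENT))
    print("cleaned: ", cleaned_filters(reg, SAMPLE_DRIVERS_PRESENT))
```

On the constructed export the script flags oldburnflt under LowerFilters and leaves GEARAspiWDM and pcouffin in place. The check is deliberately read-only: removing a filter that a still-installed burning program depends on breaks that program, so the cleaned lists are something to review against the installed software before anything is written back.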
