Browser redirecting

View previous topic View next topic Go down

Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 2:16 pm

Hi Belahzur,
Can you please help me remove a browser redirector. It's windowsclick that redirects me up when I try to use Google or another search engine. Can you tell me what to do first because I don't have the Laptop with me today but I will do it tonite and I will have the laptop tomorrow.

Thanks,
CADMAN303

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 2:24 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 3:40 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by P-Computer at 11:35:27.60 on Tue 03/24/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.60 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\P-Computer\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-20 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-20 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-15 12:08 --d----- c:\windows\pss
2009-03-10 12:23 16,384 a------- c:\windows\DCEBoot.exe
2009-03-06 18:07 2 a------- c:\windows\msoffice.ini
2009-03-04 23:34 --d----- c:\windows\system32\scripting
2009-03-04 23:34 --d----- c:\windows\l2schemas
2009-03-04 23:34 --d----- c:\windows\system32\en
2009-03-04 23:34 --d----- c:\windows\system32\bits
2009-03-04 23:31 --d----- c:\windows\ServicePackFiles
2009-03-04 23:29 --d----- c:\windows\network diagnostic
2009-03-04 23:22 --d----- c:\windows\EHome
2009-03-04 23:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 22:50 --d----- c:\windows\system32\log
2009-03-03 21:04 --d----- c:\windows\system32\LogFiles
2009-03-03 16:07 --d----- c:\docume~1\alluse~1\applic~1\Trend Micro

==================== Find3M ====================

2009-03-04 23:38 77,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-03 00:27 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:36:34.28 ===============

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 3:58 pm

You aren't running any AV, but we'll address that once we check for a rootkit.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 6:55 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACqppkossw.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 6:57 pm

Heh, that's the problem.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACqppkossw.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengerís actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 7:22 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACqppkossw.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 7:43 pm

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 9:36 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:05 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\P-Computer\Desktop\Scan\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\1b0bc0121.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\1b0bc0121.dll"" (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8400 bytes

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 9:38 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Avira Report Part1

Post by CADMAN303 on Tue Mar 24, 2009 9:41 pm

Avira AntiVir Personal
Report file date: Tuesday, March 24, 2009 16:20

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PCOMPUTER

Version information:
BUILD.DAT : 9.0.0.386 17962 Bytes 3/11/2009 15:55:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 16:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 14:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 15:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 11:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 18:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 21:36:42
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 00:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 15:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 22:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 17:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 00:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 19:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 00:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 17:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 18:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 18:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 18:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 12:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 14:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 18:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 14:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 11:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 14:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 19:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 12:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 14:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 15:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, March 24, 2009 16:20

Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
'46732' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'MMDiag.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'mim.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'MediaDetect.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktopIndex.exe' - '1' Module(s) have been scanned
Scan process 'quickset.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'LMIGuardian.exe' - '1' Module(s) have been scanned
Scan process 'DVDLauncher.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'LogMeInSystray.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'mm_tray.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NicConfigSvc.exe' - '1' Module(s) have been scanned
Scan process 'LMIGuardian.exe' - '1' Module(s) have been scanned
Scan process 'LogMeIn.exe' - '1' Module(s) have been scanned
Scan process 'ramaint.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
53 processes with 53 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Avira Report Part2

Post by CADMAN303 on Tue Mar 24, 2009 9:42 pm

Starting to scan executable files (registry).
The registry was scanned ( '68' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Avenger\UACqppkossw.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Documents and Settings\Administrator\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\LocalService\Local Settings\Temp\1b0bc0122.tmp
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\LogMeInRemoteUser\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\NetworkService\Local Settings\Temp\1b0bc0122.tmp
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\P-Computer\Desktop\a.exe
[DETECTION] Is the TR/PCK.Tdss.F.244 Trojan
C:\Documents and Settings\P-Computer\Local Settings\Temp\1b0bc0122.tmp
[DETECTION] Is the TR/Agent.btax Trojan
C:\Documents and Settings\P-Computer\Local Settings\Temp\HAVPgNCF.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Documents and Settings\P-Computer\Local Settings\Temp\KPcOHyjl.exe
[DETECTION] Is the TR/Drop.Agent.aink Trojan
C:\Documents and Settings\P-Computer\Local Settings\Temp\lDugQSdr.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Documents and Settings\P-Computer\Local Settings\Temp\UACdae0.tmp
[DETECTION] Is the TR/Patched.EQ Trojan
C:\Documents and Settings\P-Computer\Local Settings\Temp\WPbEeAor.exe
[DETECTION] Is the TR/Drop.Agent.aink Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UAC652d.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UAC652d.tmp
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UAC8bc0.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UAC8bc0.tmp
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACb59f.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UACb59f.tmp
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACddompjgj.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UACddompjgj.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACddompjgj_46c.VIR
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UACddompjgj_46c.VIR
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACixmtbnnf.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UACixmtbnnf.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACixmtbnnf_46c.VIR
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UACixmtbnnf_46c.VIR
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACqppkossw.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACqppkossw_46c.VIR
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACtymxehrm.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Trend Micro\Internet Security\Quarantine\UACtymxehrm.dll
[DETECTION] Is the TR/PCK.Tdss.F.135 Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACuxboxvak.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACuxboxvak_46c.VIR
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000024.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
C:\WINDOWS\system32\auole4.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.o.1 adware or spyware
C:\WINDOWS\system32\UACddompjgj.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
C:\WINDOWS\system32\UACuxboxvak.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan

Beginning disinfection:
C:\Avenger\UACqppkossw.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a0c4935.qua'!
C:\Documents and Settings\Administrator\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '49f94956.qua'!
C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '484cd607.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temp\1b0bc0122.tmp
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '484bceaf.qua'!
C:\Documents and Settings\LogMeInRemoteUser\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '484ee7b7.qua'!
C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '4841ffff.qua'!
C:\Documents and Settings\NetworkService\Local Settings\Temp\1b0bc0122.tmp
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '49f94957.qua'!
C:\Documents and Settings\P-Computer\Desktop\a.exe
[DETECTION] Is the TR/PCK.Tdss.F.244 Trojan
[NOTE] The file was moved to '4a2e4923.qua'!
C:\Documents and Settings\P-Computer\Local Settings\Temp\1b0bc0122.tmp
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '48438f60.qua'!
C:\Documents and Settings\P-Computer\Local Settings\Temp\HAVPgNCF.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a1f4936.qua'!
C:\Documents and Settings\P-Computer\Local Settings\Temp\KPcOHyjl.exe
[DETECTION] Is the TR/Drop.Agent.aink Trojan
[NOTE] The file was moved to '4a2c4945.qua'!
C:\Documents and Settings\P-Computer\Local Settings\Temp\lDugQSdr.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4a3e4939.qua'!
C:\Documents and Settings\P-Computer\Local Settings\Temp\UACdae0.tmp
[DETECTION] Is the TR/Patched.EQ Trojan
[NOTE] The file was moved to '4a0c4937.qua'!
C:\Documents and Settings\P-Computer\Local Settings\Temp\WPbEeAor.exe
[DETECTION] Is the TR/Drop.Agent.aink Trojan
[NOTE] The file was moved to '4a2b4946.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UAC652d.tmp
[NOTE] The file was moved to '49ca7db0.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UAC8bc0.tmp
[NOTE] The file was moved to '4a0c4938.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACb59f.tmp
[NOTE] The file was moved to '49c02a01.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACddompjgj.dll
[NOTE] The file was moved to '49c40d21.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACddompjgj_46c.VIR
[NOTE] The file was moved to '4a0c4939.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACixmtbnnf.dll
[NOTE] The file was moved to '49cd449a.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACixmtbnnf_46c.VIR
[NOTE] The file was moved to '428fd24a.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACqppkossw.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4a0c493a.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACqppkossw_46c.VIR
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '428bfbeb.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACtymxehrm.dll
[NOTE] The file was moved to '4a0c493b.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACuxboxvak.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '42858b5c.qua'!
C:\Program Files\Trend Micro\Internet Security\Quarantine\UACuxboxvak_46c.VIR
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a0c493c.qua'!
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000024.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.65 root kit
[NOTE] The file was moved to '49f9492b.qua'!
C:\WINDOWS\system32\auole4.dll
[DETECTION] Contains recognition pattern of the ADSPY/Agent.o.1 adware or spyware
[NOTE] The file was moved to '4a384970.qua'!
C:\WINDOWS\system32\UACddompjgj.dll
[DETECTION] Contains recognition pattern of the RKIT/TDss.eyj.66 root kit
[NOTE] The file was moved to '4282a075.qua'!
C:\WINDOWS\system32\UACuxboxvak.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a0c493d.qua'!
C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\1b0bc0121.dll
[DETECTION] Is the TR/Agent.btax Trojan
[NOTE] The file was moved to '49f9495e.qua'!


End of the scan: Tuesday, March 24, 2009 16:56
Used time: 34:21 Minute(s)

The scan has been done completely.

6644 Scanned directories
240573 Files were scanned
31 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
31 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
240540 Files not concerned
3616 Archives were scanned
2 Warnings
33 Notes
46732 Objects were scanned with rootkit scan
0 Hidden objects were found

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 9:47 pm

Hello.
I want to run two more general scans to make sure we got it all. First we'll use MBAM, so I have posted it here:
[You must be registered and logged in to see this link.]

Use my instructions for running it there.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 10:28 pm

Malwarebytes' Anti-Malware 1.34
Database version: 1893
Windows 5.1.2600 Service Pack 3

3/24/2009 6:26:40 PM
mbam-log-2009-03-24 (18-26-40).txt

Scan type: Quick Scan
Objects scanned: 77609
Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\2 find mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Data (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACbmqpqqpi.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtymxehrm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\P-Computer\Desktop\avenger.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Data\SearchKeys.txt (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\Acdc - Hells Bells.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\Debbie Gibson - Lost In Your Eyes.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\Greenday - Time Of Your Life.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\Ice-T - The House.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\knockin on heavens door.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\Korn - Falling Away From Me.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\november rain.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\Tim Mcgraw - Real Good Man.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Downloads\welcome to the jungle.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\Acdc - Hells Bells.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\Debbie Gibson - Lost In Your Eyes.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\Greenday - Time Of Your Life.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\Ice-T - The House.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\knockin on heavens door.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\Korn - Falling Away From Me.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\november rain.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\The Ataris - The Boys Of Summer.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\Tim Mcgraw - Real Good Man.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\2 find mp3\Incomplete\welcome to the jungle.mp3 (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\MalwareRemovalBot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\MalwareRemovalBot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\MalwareRemovalBot\Uninstall MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAChllaquvl.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvpavbrfl.dat (Trojan.Agent) -> Quarantined and deleted successfully.

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Tue Mar 24, 2009 11:16 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Tue Mar 24, 2009 11:33 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by P-Computer at 19:31:18.48 on Tue 03/24/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.76 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\P-Computer\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-24 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-24 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-24 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-24 55640]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-20 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-20 47640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-03-24 18:14 --d----- c:\docume~1\p-comp~1\applic~1\Malwarebytes
2009-03-24 18:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 18:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 18:14 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-24 18:14 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 16:13 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-24 16:13 --d----- c:\program files\Avira
2009-03-24 16:13 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-24 15:16 0 a------- C:\backup.reg
2009-03-24 14:45 135,168 a------- C:\zip.exe
2009-03-24 14:45 19,286 a------- C:\cleanup.exe
2009-03-24 14:45 574 a------- C:\cleanup.bat
2009-03-15 12:08 --d----- c:\windows\pss
2009-03-10 12:23 16,384 a------- c:\windows\DCEBoot.exe
2009-03-06 18:07 2 a------- c:\windows\msoffice.ini
2009-03-04 23:34 --d----- c:\windows\system32\scripting
2009-03-04 23:34 --d----- c:\windows\l2schemas
2009-03-04 23:34 --d----- c:\windows\system32\en
2009-03-04 23:34 --d----- c:\windows\system32\bits
2009-03-04 23:31 --d----- c:\windows\ServicePackFiles
2009-03-04 23:29 --d----- c:\windows\network diagnostic
2009-03-04 23:22 --d----- c:\windows\EHome
2009-03-04 23:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 22:50 --d----- c:\windows\system32\log
2009-03-03 21:04 --d----- c:\windows\system32\LogFiles
2009-03-03 16:07 --d----- c:\docume~1\alluse~1\applic~1\Trend Micro

==================== Find3M ====================

2009-03-04 23:38 77,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-03 00:27 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:32:10.85 ===============

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Wed Mar 25, 2009 12:10 am

This looks fine now.

AV: AntiVir Desktop *On-access scanning disabled* (Outdated)

Please update it now!!!


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Browser redirecting

Post by CADMAN303 on Wed Mar 25, 2009 1:56 am

Ok, Belahzur. I updated the AV. I want to thank you for all your help today. I also need to let you know I was having another problem that Dr. Inferno was trying to help me with. I was getting an error message on bootup and then it would lock up. After I did the things you advised me to do, that cleared up to. I will let him know that I solved that problem also.

Thanks,
CADMAN303

CADMAN303
Novice
Novice

Status :
Online
Offline

Posts : 41
Joined : 2009-03-04
OS : XP

View user profile

Back to top Go down

Re: Browser redirecting

Post by Belahzur on Wed Mar 25, 2009 2:04 am

Awesome.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum