Google Hijack in Firefox (In Progress)

0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
31-Oct-2009, 06:22 AM #1
Google Hijack in Firefox
My GOOGLE search links have been hijacked in Firefox only (not IE). The first link operates properly but after that, the links go to random search sites or random ad sites.

I have run Superantispyware, MB, Combofix and the Kaspersky on-line scanner and none finds a problem or fixes the one I have.

I am attaching various log files.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log.
muppy03
Senior Member with 1,310 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
31-Oct-2009, 09:36 AM #2
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Please reply with:-
  • Gooredfix.txt
  • New HJT log
__________________
Graduate of Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
31-Oct-2009, 09:54 AM #3
All Google search links now broken
All google search links now report being broken and do not connect.
muppy03
Senior Member with 1,310 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
31-Oct-2009, 10:23 AM #4
Quote:
All google search links now report being broken and do not connect
Explain what you mean exactly please? Also is this something that has just happened since running gooredfix? As that should not have caused any issue.

Also have you rebooted?

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.



Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

NEXT Download and Run: RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

You mentioned that you ran Kaspersky? Have you got the log from that run? Please also post that if you do.

Please reply with:-
  • Uninstall list
  • RSIT logs ( info.txt and log.txt)
  • Previously run Kaspersky log
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
01-Nov-2009, 05:58 AM #5
Google links still being hijacked in Firefox
Sorry about the delay but had other fish to fry.

See attached.

I did not save the Kaspersky logfile because it said nothing.

Suspect that trojan is embedded in innocuous file like service.dll or rptp*.dll that replicates under new names upon restart of Firefox.
muppy03
Senior Member with 1,310 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
01-Nov-2009, 06:17 AM #6
Quote:
Explain what you mean exactly please? Also is this something that has just happened since running gooredfix? As that should not have caused any issue.
Please answer this question, also you have not disabled Teatimer. Please do so and post back new HJT log.
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
01-Nov-2009, 08:22 AM #7
This and that ...
Gooredfix caused a temporary problem with google links in Firefox but after shutting FF down and restarting it, that problem went away but links still getting hijacked. I suspect the problem is a trojan that can replicate itself and rename upon reboot. May be this W32.MSNBancos trojan which uses service.dll and/or rtptblq.dll but may be renaming them as I can not find them anywhere.

I am a retired Unix technician. I hate windows and can see by reading the expert posts that no one really understands what is causing my problem. You can run every fix and logfile maker in your arsenal but it is obvious that no one knows what is causing this google hijack.

Anyway, I have attached the new HJ log with teatimer shut off. In my opinion, all these spyware programs are worthless including S & D.

Good luck - wish I could switch to Snow-Leopard and be done with this pathetic opsys but I can't.
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
01-Nov-2009, 06:24 PM #8
Hey Muppy03 don't give up yet?
Don't give up yet. We need to solve this problem for all the others that have it.
muppy03
Senior Member with 1,310 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
02-Nov-2009, 04:05 AM #9
Quote:
Don't give up yet. We need to solve this problem for all the others that have it.
I have not given up, just different time zones etc.

Quote:
I am a retired Unix technician. I hate windows and can see by reading the expert posts that no one really understands what is causing my problem. You can run every fix and logfile maker in your arsenal but it is obvious that no one knows what is causing this google hijack.
That is very true, the bad guys are ‘bery bery sneaky’. Unfortunately there is no one cure for a lot of these infections, and more often than not one infection has let in a different one and we have to revert to looking at every file.

Quote:
Anyway, I have attached the new HJ log with teatimer shut off. In my opinion, all these spyware programs are worthless including S & D.
I agree, browsing habits play the major part in staying clean. Personally I would uninstall S&D. The reason I want Teatimer off, is that we are going to run Combofix later on, and Teatimer can stop it working correctly.

Do you know what this is? C:\images40

Please go to Virus Total <http://www.virustotal.com/> or Jotti
and upload C:\WINDOWS\system32\drivers\FDCENT.SYS for scanning.

For Virus Total
1. Please copy and paste C:\WINDOWS\system32\drivers\FDCENT.SYS in the text box next to the Browse button.
2. Click on Send File.

For Jotti
1. Please copy and paste C:\WINDOWS\system32\drivers\FDCENT.SYS in the text box next to the Browse button.
2. Click on Submit.

Please post back the results of the scan in your next post.


Please delete the version of Combofix you have and download the latest version from the link below.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\system32\rtptblq.dll
    c:\windows\006247_.tmp
    C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys
    
    Folder::
    c:\documents and settings\NetworkService\Application Data\llgjinzb
    c:\documents and settings\Owner\Application Data\llgjinzb
    
    Driver::
    Yntzlbey
    LMIRfsClientNP
    
    NetSvc::
    Yntzlbey
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Jotti/virus total results
  • Combofix log
  • New HJT log
  • Answer to question and update on how things are running
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
02-Nov-2009, 07:25 AM #10
Problem still exists
Problem still there - links being hijacked.

There is NO FDCENT.SYS to scan

Images40 is a directory where I store all my picture files. It is an artifact of the first photo download program that I used in 1995 and I just kept it to simplify things.

Combo Fix did not work.
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
02-Nov-2009, 08:33 AM #11
Mozilla forums
Word on the Mozilla forums is it is a trojan file in the Mozilla extensions folder and no one knows how to get rid of it so they have been removing Firefox entirely, deleting all remaining folders and reinstalling a fresh copy to a new directory. Supposedly it has in an extension added by 3.07. One guy said to remove all overlay*.dll files and that would fix it but it doesn't.

That is also why combofix, and all the other fixit tools don't even touch it.

As we used to say in the Unix community about WINDOZ, "hurry up and reboot"!

Jay
muppy03
Senior Member with 1,310 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
02-Nov-2009, 03:57 PM #12
Quote:
Word on the Mozilla forums is it is a trojan file in the Mozilla extensions folder
That is true, but we already removed that file, that is what Goored fix did/does.

HostsXpert
Download HostsXpert from here & save it to your desktop
  • Right click on HostsXpert.zip and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard
  • Click on the Browse button. Click on Desktop. Then click OK
  • Once done, check (tick) the Show extracted files box and click Finish
  • Once extracted, HostsXpert folder will open
  • Double click on HostsXpert.exe to start it
  • On your left hand side, click on Restore MS Hosts File
  • Exit HostsXpert

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply


Please reply with:-
  • Kaspersky report
  • New HJT log
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
02-Nov-2009, 05:15 PM #13
You don't give up!
You're persistent!

The Google redirect fix did not get rid of the overlay program. I did it manually after the program had run.

Also, my hosts file has a server IP resolution line that I need so I will add it back. Don't freak when you see it.
0630jay
Junior Member with 24 posts.
 
Join Date: Oct 2009
Experience: Advanced
03-Nov-2009, 05:01 AM #14
Kaspersky log and HJT log
Here you go -

J
muppy03
Senior Member with 1,310 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
03-Nov-2009, 05:13 AM #15
First up are you still being re-directed? If so is this the only symptom?

Open HijackThis and select Do a System Scan Only. Place a check next to the lines below if still present:
  • O1 - Hosts: 74.200.65.138 www.amateurfetishvideos.com # added by JAY!
    O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Once selected, close all windows except HJT and click on Fix Checked

Download and Run OTM.exe

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the lines in the codebox below.
Code:
:Files
C:\Downloads\MGtools.exe

:Commands

[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.exe

Please reply with:-
  • OTM log
  • New HJT log
__________________
Graduate of Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
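
Added example, not part of the thread and not code from HijackThis: a small Python triage of log lines in the format quoted in post #15, flagging hosts-file entries that point a name at a non-local address and entries marked "(file missing)". The O1 entry in the sample is a constructed stand-in using a documentation address, the header line is constructed, and the section descriptions are the usual HijackThis meanings of O1, O3 and O4.

```python
import re

# Usual HijackThis meanings of the section codes seen in the post above.
SECTIONS = {
    "O1": "hosts file redirection",
    "O3": "Internet Explorer toolbar",
    "O4": "autostart program (Run key or Startup folder)",
}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(
    r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)(?:\s+#\s*(?P<comment>.*))?$"
)
# Addresses commonly used for loopback or blocklist entries.
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Sample modelled on the post; the header and the O1 entry are constructed
# (192.0.2.0/24 is reserved for documentation), the O3/O4 lines are as quoted.
SAMPLE_LOG = r"""
Scan log header (constructed line, ignored by the parser)
O1 - Hosts: 192.0.2.10 intranet.example # added by admin
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""


def triage(log_text):
    """Return one dict per recognised log line, with review notes."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # headers, blank lines, process list
        code, body = match["code"], match["body"]
        notes = []
        if code == "O1":
            hosts = HOSTS_RE.match(body)
            if hosts and hosts["ip"] not in LOCAL_ADDRS:
                note = f"{hosts['name']} resolves to {hosts['ip']} via hosts file"
                if hosts["comment"]:
                    note += f" (comment: {hosts['comment']})"
                notes.append(note)
        if body.endswith("(file missing)"):
            notes.append("references a file that no longer exists")
        findings.append({
            "code": code,
            "section": SECTIONS.get(code, "other"),
            "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["code"], item["section"], item["notes"] or "no notes")
```

A note on a line is a prompt to ask the machine's owner about it, as the helper does in the thread, not a verdict that the entry is malicious.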