15-Aug-2010, 01:57 PM
#1
Google search redirects

Hi, I've been experiencing Google search redirects for the past couple of days. I've tried various malware removal programs: MalwareBytes, Ad-Aware, Spybot, and they all scan clean now. I am running on Windows XP 32-bit Home Edition SP2 and up-to-date Avira AntiVir. Examples of websites I am being redirected to:

hxxp://star.feedsmixer.org/100/8033/search.php?k=parc%20safari&ts=1001_8033&num=7&subid=60675-20629&cid=1047037325-417f.69e0.4c6823aa.ccb
hxxp://www.kdirectory.co.uk/results.asp?qry=outdoor%20security%20cameras&rfid=lakc1_60679-20629&bp=outdoor%20security%20cameras&rfs=http%3A%2F%2Feectf.com%2F%3Fc%3DZjE3Y2EyYzgyOTY4MGFkYTJmZWM5ZmM4N2JjNWY2MDY
hxxp://pages.us.com/adsection.php?link=MD03ODU4MDEzMjM9MTA0MzMwMTQyNDE9MTUyMTM2JnNvdXJjZT1MJmJpZG1hdGNoPWImcHJvdmtleXdvcmQ9Y3VycmVuY3kgZXhjaGFuZ2UmYmlka2V5d29yZD1jdXJyZW5jeSBleGNoYW5nZQ%3D%3D&feed=3&partner=69536-3829873&ref=http%3A%2F%2Feectf.com%2F%3Fc%3DZjE3Y2EyYzgyOTY4MGFkYTJmZWM5ZmM4N2JjNWY2MDY&clickID=220608988-410f.50be.4c6823f8.4f55

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:55:29 PM, on 8/15/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmes\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmes\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Programmes\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmes\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Programmes\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Owner\Desktop\etmin.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Programmes\Mozilla Firefox\firefox.exe
C:\Programmes\Mozilla Firefox\plugin-container.exe
C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programmes\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] "C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmes\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmes\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmes\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6421 bytes

Thanks for the help

Last edited by Cookiegal; 15-Aug-2010 at 02:46 PM.
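An added example, not code from this thread or from HijackThis itself: a small parser for the O2, O4 and O23 line formats seen in the log above, plus the first-pass review rules an analyst applies to such a log (orphaned BHO with no DLL on disk, autorun entries without a full path or launched from a user profile directory, services with no vendor information). The sample lines are copied from the log above; the review rules and the USER_DIRS list are my own assumptions.

```python
import re

# Constructed sample: seven entries copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programmes\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmes\Avira\AntiVir Desktop\avguard.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# One regex per section type this helper understands; other sections are kept as raw text.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SECTION_RE = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}

# Profile locations from which a persistent autorun deserves a second look (assumed list).
USER_DIRS = ("\\desktop\\", "\\temp\\", "\\application data\\", "\\local settings\\")


def parse_hjt(text):
    """Turn HijackThis lines into (section, fields) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank or process-list line
        section, body = m.groups()
        parser = SECTION_RE.get(section)
        m2 = parser.match(body) if parser else None
        entries.append((section, m2.groupdict() if m2 else {"raw": body}))
    return entries


def exe_path(cmd):
    """Executable part of an O4 command line: the quoted path, or the first token, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()


def triage(entries):
    """Return (section, name, reason) notes for entries an analyst would check first.
    These are review prompts, not verdicts: RTHDCPL.EXE below is a normal Realtek audio entry."""
    notes = []
    for section, f in entries:
        if section == "O2" and f.get("path") == "(no file)":
            notes.append((section, f["clsid"], "BHO registered but its DLL is missing (orphaned entry)"))
        elif section == "O4" and "cmd" in f:
            exe = exe_path(f["cmd"])
            if "\\" not in exe:
                notes.append((section, f["name"], "autorun has no full path; resolved via the search path"))
            elif any(d in exe for d in USER_DIRS):
                notes.append((section, f["name"], "autorun launches from a user-writable profile directory"))
        elif section == "O23" and f.get("owner", "").lower() == "unknown owner":
            notes.append((section, f["name"], "service carries no vendor information"))
    return notes


if __name__ == "__main__":
    for note in triage(parse_hjt(SAMPLE_LOG)):
        print(" | ".join(note))
```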
15-Aug-2010, 02:47 PM
#2
Please do not post links to malicious sites. I've edited them so they are not clickable. Also, please complete the instructions at the following link and then post back with the requested logs.

http://forums.techguy.org/virus-othe...ting-help.html
16-Aug-2010, 10:41 PM
#3
As instructed, here are the logs:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 22:01:53.55 on Sun 08/15/2010
Internet Explorer: 6.0.2900.2180  BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3071.2272 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmes\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmes\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Programmes\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmes\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Programmes\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Owner\Desktop\etmin.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
C:\Programmes\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.com

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\programmes\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\programmes\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programmes\itunes\iTunesHelper.exe"
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ate4obf0.default\
FF - prefs.js: browser.startup.homepage - www.rds.ca
FF - plugin: c:\programmes\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\programmes\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\programmes\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: XULRunner: {2D7993FC-B147-43A8-B228-59E7AEC72330} - c:\documents and settings\owner\local settings\application data\{2D7993FC-B147-43A8-B228-59E7AEC72330}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programmes\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\programmes\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\programmes\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\programmes\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\programmes\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\programmes\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\programmes\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\programmes\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\programmes\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\programmes\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\programmes\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\programmes\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programmes\avira\antivir desktop\avgio.sys [2010-1-28 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmes\avira\antivir desktop\sched.exe [2010-1-28 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\programmes\avira\antivir desktop\avguard.exe [2010-1-28 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-28 60936]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-6-30 30576]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-28 1684736]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\programmes\pcpitstop\PCPitstopScheduleService.exe [2010-1-28 85504]

=============== Created Last 30 ================

2010-08-14 19:26  15,880  a-------  c:\windows\system32\lsdelete.exe
2010-08-14 10:13  90  a-------  c:\windows\wininit.ini
2010-08-14 09:43  95,024  a-------  c:\windows\system32\drivers\SBREDrv.sys
2010-08-14 09:41  <DIR>  -cd-h---  c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-14 09:40  <DIR>  --d-----  c:\program files\Lavasoft
2010-08-14 09:39  <DIR>  --d-----  c:\program files\Spybot - Search & Destroy
2010-08-14 09:39  <DIR>  --d-----  c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-08-14 03:14  <DIR>  --d-----  c:\docume~1\owner\applic~1\Malwarebytes
2010-08-14 03:14  38,224  a-------  c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 03:14  20,952  a-------  c:\windows\system32\drivers\mbam.sys
2010-08-14 03:14  <DIR>  --d-----  c:\program files\Malwarebytes' Anti-Malware
2010-08-14 03:14  <DIR>  --d-----  c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-14 03:08  <DIR>  --d-----  c:\program files\Trend Micro
2010-08-13 22:06  <DIR>  --d-----  c:\windows\system32\NtmsData
2010-08-13 19:22  120  a-------  c:\windows\Mzezebebeb.dat
2010-08-13 19:22  0  a-------  c:\windows\Aqiwij.bin
2010-08-13 19:20  <DIR>  --d-----  c:\docume~1\owner\applic~1\4C1A7778BA19089B57C02C07052071C4
2010-07-26 22:13  <DIR>  --d-----  c:\program files\VideoLAN
2010-07-22 22:04  <DIR>  --d-----  c:\program files\DVDVideoSoft
2010-07-22 22:04  <DIR>  --d-----  c:\program files\common files\DVDVideoSoft
2010-07-22 21:59  <DIR>  --d-----  c:\docume~1\owner\applic~1\Xilisoft Corporation

==================== Find3M ====================

2010-08-15 10:22  138,328  a-------  c:\windows\system32\drivers\PnkBstrK.sys
2010-08-15 10:22  214,816  a-------  c:\windows\system32\PnkBstrB.exe
2010-07-09 15:04  41,872  a-------  c:\windows\system32\xfcodec.dll
2010-05-20 15:27  677,232  a-------  c:\windows\system32\LCCoin32.dll
2010-05-20 15:27  39,280  a-------  c:\windows\system32\nx6000res.dll

============= FINISH: 22:02:07.45 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-16 22:37:39
Windows 5.1.2600 Service Pack 2
Running: v5cdc5nd.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdipoc.sys

---- System - GMER 1.0.15 ----

SSDT  9C742BCE  ZwCreateKey
SSDT  9C742BC4  ZwCreateThread
SSDT  9C742BD3  ZwDeleteKey
SSDT  9C742BDD  ZwDeleteValueKey
SSDT  9C742BE2  ZwLoadKey
SSDT  9C742BB0  ZwOpenProcess
SSDT  9C742BB5  ZwOpenThread
SSDT  9C742BEC  ZwReplaceKey
SSDT  9C742BE7  ZwRestoreKey
SSDT  9C742BD8  ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys  section is writeable [0xB90CD000, 0x223937, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateProcessInternalW  7C8191EB 5 Bytes  JMP 009C874A

---- EOF - GMER 1.0.15 ----

Thanks
17-Aug-2010, 03:49 PM
#5
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix. The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Read HERE for an article written by dvk01 on why we disable autoruns.

__________________
Microsoft MVP - Consumer Security