
Google search redirects

Discussion in 'Virus & Other Malware Removal' started by smash855, Aug 15, 2010.

Thread Status:
Not open for further replies.
  1. smash855

    smash855 Thread Starter

    Joined:
    Aug 15, 2010
    Messages:
    3
    Hi,

    I've been experiencing Google search redirects for the past couple of days. I've tried various Malware removal programs: MalwareBytes, Ad-Aware, Spybot and they all scan clean now. I am running on Windows XP 32-bit Home Edition SP2 and up-to-date Avira Antivir.

    Examples of websites I am being redirected to:

    hxxp://star.feedsmixer.org/100/8033/search.php?k=parc%20safari&ts=1001_8033&num=7&subid=60675-20629&cid=1047037325-417f.69e0.4c6823aa.ccb
    hxxp://www.kdirectory.co.uk/results.asp?qry=outdoor%20security%20cameras&rfid=lakc1_60679-20629&bp=outdoor%20security%20cameras&rfs=http%3A%2F%2Feectf.com%2F%3Fc%3DZjE3Y2EyYzgyOTY4MGFkYTJmZWM5ZmM4N2JjNWY2MDY
    hxxp://pages.us.com/adsection.php?link=MD03ODU4MDEzMjM9MTA0MzMwMTQyNDE9MTUyMTM2JnNvdXJjZT1MJmJpZG1hdGNoPWImcHJvdmtleXdvcmQ9Y3VycmVuY3kgZXhjaGFuZ2UmYmlka2V5d29yZD1jdXJyZW5jeSBleGNoYW5nZQ%3D%3D&feed=3&partner=69536-3829873&ref=http%3A%2F%2Feectf.com%2F%3Fc%3DZjE3Y2EyYzgyOTY4MGFkYTJmZWM5ZmM4N2JjNWY2MDY&clickID=220608988-410f.50be.4c6823f8.4f55


    Here is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:55:29 PM, on 8/15/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmes\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmes\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Programmes\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmes\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Programmes\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Documents and Settings\Owner\Desktop\etmin.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Programmes\Mozilla Firefox\firefox.exe
    C:\Programmes\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Programmes\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [StartCCC] "C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmes\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmes\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmes\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 6421 bytes


    Thanks for the help
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,654
  3. smash855

    smash855 Thread Starter

    Joined:
    Aug 15, 2010
    Messages:
    3
    As instructed, here are the logs:


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Owner at 22:01:53.55 on Sun 08/15/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3071.2272 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmes\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmes\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Programmes\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmes\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Programmes\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Programmes\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Documents and Settings\Owner\Desktop\etmin.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
    C:\Programmes\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.com

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avgnt] "c:\programmes\avira\antivir desktop\avgnt.exe" /min
    mRun: [StartCCC] "c:\programmes\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\programmes\itunes\iTunesHelper.exe"
    IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ate4obf0.default\
    FF - prefs.js: browser.startup.homepage - www.rds.ca
    FF - plugin: c:\programmes\itunes\mozilla plugins\npitunes.dll
    FF - plugin: c:\programmes\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\programmes\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - HiddenExtension: XULRunner: {2D7993FC-B147-43A8-B228-59E7AEC72330} - c:\documents and settings\owner\local settings\application data\{2D7993FC-B147-43A8-B228-59E7AEC72330}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\programmes\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\programmes\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\programmes\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\programmes\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\programmes\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\programmes\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\programmes\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\programmes\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\programmes\avira\antivir desktop\avgio.sys [2010-1-28 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmes\avira\antivir desktop\sched.exe [2010-1-28 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\programmes\avira\antivir desktop\avguard.exe [2010-1-28 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-28 60936]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-6-30 30576]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-1-28 1684736]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
    S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\programmes\pcpitstop\PCPitstopScheduleService.exe [2010-1-28 85504]

    =============== Created Last 30 ================

    2010-08-14 19:26 15,880 a------- c:\windows\system32\lsdelete.exe
    2010-08-14 10:13 90 a------- c:\windows\wininit.ini
    2010-08-14 09:43 95,024 a------- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-14 09:41 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-08-14 09:40 <DIR> --d----- c:\program files\Lavasoft
    2010-08-14 09:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2010-08-14 09:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-08-14 03:14 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
    2010-08-14 03:14 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-14 03:14 20,952 a------- c:\windows\system32\drivers\mbam.sys
    2010-08-14 03:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2010-08-14 03:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-08-14 03:08 <DIR> --d----- c:\program files\Trend Micro
    2010-08-13 22:06 <DIR> --d----- c:\windows\system32\NtmsData
    2010-08-13 19:22 120 a------- c:\windows\Mzezebebeb.dat
    2010-08-13 19:22 0 a------- c:\windows\Aqiwij.bin
    2010-08-13 19:20 <DIR> --d----- c:\docume~1\owner\applic~1\4C1A7778BA19089B57C02C07052071C4
    2010-07-26 22:13 <DIR> --d----- c:\program files\VideoLAN
    2010-07-22 22:04 <DIR> --d----- c:\program files\DVDVideoSoft
    2010-07-22 22:04 <DIR> --d----- c:\program files\common files\DVDVideoSoft
    2010-07-22 21:59 <DIR> --d----- c:\docume~1\owner\applic~1\Xilisoft Corporation

    ==================== Find3M ====================

    2010-08-15 10:22 138,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
    2010-08-15 10:22 214,816 a------- c:\windows\system32\PnkBstrB.exe
    2010-07-09 15:04 41,872 a------- c:\windows\system32\xfcodec.dll
    2010-05-20 15:27 677,232 a------- c:\windows\system32\LCCoin32.dll
    2010-05-20 15:27 39,280 a------- c:\windows\system32\nx6000res.dll

    ============= FINISH: 22:02:07.45 ===============


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-16 22:37:39
    Windows 5.1.2600 Service Pack 2
    Running: v5cdc5nd.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdipoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT 9C742BCE ZwCreateKey
    SSDT 9C742BC4 ZwCreateThread
    SSDT 9C742BD3 ZwDeleteKey
    SSDT 9C742BDD ZwDeleteValueKey
    SSDT 9C742BE2 ZwLoadKey
    SSDT 9C742BB0 ZwOpenProcess
    SSDT 9C742BB5 ZwOpenThread
    SSDT 9C742BEC ZwReplaceKey
    SSDT 9C742BE7 ZwRestoreKey
    SSDT 9C742BD8 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB90CD000, 0x223937, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 009C874A

    ---- EOF - GMER 1.0.15 ----


    Thanks
     

    Attached Files:
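The HijackThis log in the first post and the DDS/GMER output in the third post are the raw material a malware-removal helper reads by hand: orphaned BHO entries, autoruns and services that point into a user profile, services with no recorded publisher, and inline hooks on core process functions. The script below is an added example written for this page, not code from the thread, from Tech Support Guy or from any of the tools named here. It parses O2/O4/O23 lines and GMER user-code hook lines and applies a few triage heuristics; the heuristics themselves are the example's own assumptions, not rules stated in the thread. The sample input copies five lines from the logs above and adds one constructed HKCU autorun so that the user-profile check fires.

```python
"""Triage helper for HijackThis (O2/O4/O23) and GMER user-code hook lines.

Heuristics are this example's own assumptions, not rules stated in the thread:
  * O2 BHO entries whose DLL is "(no file)" are orphaned registrations.
  * O4 autoruns, O2 BHOs or O23 services whose binary lives under a user
    profile (Desktop, Temp, Application Data) are unusual for legitimate software.
  * O23 services with "Unknown owner" deserve a manual look.
  * GMER user-mode inline JMP hooks in core processes such as Explorer.EXE
    need review; security products hook too, so a hook alone proves nothing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the first five lines are copied from the HijackThis and GMER
# logs posted in this thread; the sixth (the HKCU "updater" entry) is
# constructed to exercise the user-profile check.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programmes\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
.text C:\WINDOWS\Explorer.EXE[1920] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 009C874A
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe"
"""

USER_PROFILE_MARKERS = (
    "\\documents and settings\\", "\\users\\", "\\temp\\",
    "\\application data\\", "\\desktop\\",
)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
HOOK_RE = re.compile(
    r"^\.text (?P<proc>[^\[]+)\[(?P<pid>\d+)\] (?P<func>\S+) (?P<addr>[0-9A-Fa-f]+) "
    r"(?P<nbytes>\d+) Bytes JMP (?P<dest>[0-9A-Fa-f]+)$"
)


@dataclass
class Finding:
    severity: str   # "review" or "suspicious"
    reason: str
    line: str


def exe_path(command: str) -> str:
    """Extract the executable from an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted: take the first token. A path with spaces would be cut here,
    # which is itself a reason to look at the entry by hand.
    return command.split(" ", 1)[0]


def in_user_profile(path: str) -> bool:
    """True when the path points into a user-writable profile location."""
    low = path.lower()
    return any(marker in low for marker in USER_PROFILE_MARKERS)


def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over every line and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O2_RE.match(line)):
            if m["target"].strip().lower() == "(no file)":
                findings.append(Finding("suspicious", "BHO registered but its DLL is missing (orphan entry)", line))
            elif in_user_profile(m["target"]):
                findings.append(Finding("suspicious", "BHO DLL loaded from a user profile directory", line))
        elif (m := O4_RE.match(line)):
            if in_user_profile(exe_path(m["cmd"])):
                findings.append(Finding("suspicious", f"{m['hive']} autorun [{m['name']}] runs from a user profile directory", line))
        elif (m := O23_RE.match(line)):
            if in_user_profile(m["path"]):
                findings.append(Finding("suspicious", f"service {m['name']} runs from a user profile directory", line))
            elif m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("review", f"service {m['name']} has no publisher recorded", line))
        elif (m := HOOK_RE.match(line)):
            findings.append(Finding("review", f"inline JMP hook on {m['func']} in {m['proc']} -> 0x{m['dest']}", line))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per severity so a long log can be summarised at a glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.reason}\n             {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Run against the sample it reports the orphaned BHO and the constructed Temp autorun as suspicious, and the unknown-owner service and the Explorer.EXE hook as items to review; the Adobe BHO and the Avira autorun produce nothing. The split between "suspicious" and "review" is deliberate: a missing-file BHO or a Temp-folder autorun is rarely legitimate, whereas an API hook or an unattributed service is routinely produced by security and anti-cheat software and must be checked against what is actually installed before anything is removed.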

  4. smash855

    smash855 Thread Starter

    Joined:
    Aug 15, 2010
    Messages:
    3
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,654
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     

Short URL to this thread: https://techguy.org/943283