Inactive Browser Hijacked?

Greetings,

I'm attempting to fix my girlfriend's computer. Internet Explorer seems to be hijacked. When clicking links, it constantly redirects her to different web pages.

I'm in the process of following this:
UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions


She uses Avira, Spybot and Windows Firewall. Compaq Presario, 2.6 GHz; I've upgraded the RAM from 512 MB to 1 GB, running Windows XP.

Step 2: done, everything ran smoothly.

Step 3: kept freezing when I tried to run it. Eventually booted in Safe Mode and it ran fine.
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5270

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/8/2010 2:26:53 AM
mbam-log-2010-12-08 (02-26-49).txt

Scan type: Quick scan
Objects scanned: 128571
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\intl (Hijacker.intl) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Step 4: computer locked up. Internet Explorer crashed and I lost the desktop. Had to reboot. Could someone explain what GMER is? Should I reboot in Safe Mode and try again?

Step 5: DDS:
DDS (Ver_10-12-05.01) - NTFSx86
Run by user at 13:50:18.04 on Wed 12/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.453 [GMT -5:00]

AV: CleanUp Antivirus *On-access scanning enabled* (Updated) {5507A8CF-C0C3-4F25-8A99-B02D19B4EC85}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: CleanUp Antivirus *enabled* {CD4D61FA-F9E2-4AE9-BFB7-246E4F804C1D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxbmcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\my.freeze.com netassistant\NetAssistant.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\my.freeze.com netassistant\NetAssistant.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\user\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki...
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253834427593
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - hxxp://www.mikethetiger.com/cam/wg_webeye.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-29 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-29 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-29 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-9-24 56816]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-8-22 10448]
R2 lxbm_device;lxbm_device;c:\windows\system32\lxbmcoms.exe -service --> c:\windows\system32\lxbmcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-8 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-8 20952]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-3 14336]

=============== Created Last 30 ================

2010-12-08 06:38:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-08 06:37:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-08 20:30:08 -------- d-----w- c:\windows\pss

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 13:51:24.84 ===============
Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/23/2009 11:59:53 PM
System Uptime: 12/8/2010 1:37:02 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | 'P4SD-LA'
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz | CPU 1 | 2600/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 95.08 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP347: 9/10/2010 1:35:52 AM - System Checkpoint
RP348: 9/11/2010 2:35:52 AM - System Checkpoint
RP349: 9/12/2010 3:35:55 AM - System Checkpoint
RP350: 9/13/2010 4:28:31 AM - System Checkpoint
RP351: 9/14/2010 5:28:31 AM - System Checkpoint
RP352: 9/15/2010 6:28:34 AM - System Checkpoint
RP353: 9/15/2010 3:37:25 PM - Software Distribution Service 3.0
RP354: 9/15/2010 3:57:38 PM - Unsigned driver install
RP355: 9/15/2010 4:06:55 PM - Configured Microsoft Office Professional 2007 Trial
RP356: 9/15/2010 4:07:56 PM - Installed Java(TM) 6 Update 21
RP357: 9/15/2010 4:09:10 PM - Installed Java Runtime Environment
RP358: 9/16/2010 5:05:42 PM - System Checkpoint
RP359: 9/17/2010 6:16:26 PM - System Checkpoint
RP360: 9/18/2010 6:26:51 PM - System Checkpoint
RP361: 9/19/2010 7:10:08 PM - System Checkpoint
RP362: 9/20/2010 8:26:50 PM - System Checkpoint
RP363: 9/21/2010 9:06:47 PM - System Checkpoint
RP364: 9/22/2010 10:05:42 PM - System Checkpoint
RP365: 9/23/2010 7:56:50 PM - Configured Microsoft Office Professional 2007 Trial
RP366: 9/24/2010 8:46:46 PM - System Checkpoint
RP367: 9/25/2010 9:45:33 PM - System Checkpoint
RP368: 9/27/2010 12:04:22 AM - System Checkpoint
RP369: 9/28/2010 12:40:56 AM - System Checkpoint
RP370: 9/29/2010 1:40:56 AM - System Checkpoint
RP371: 9/29/2010 3:00:15 AM - Software Distribution Service 3.0
RP372: 9/30/2010 3:40:56 AM - System Checkpoint
RP373: 10/1/2010 12:29:05 AM - Unsigned driver install
RP374: 10/2/2010 12:40:56 AM - System Checkpoint
RP375: 10/3/2010 1:41:50 AM - System Checkpoint
RP376: 10/4/2010 3:02:21 AM - System Checkpoint
RP377: 10/5/2010 3:40:56 AM - System Checkpoint
RP378: 10/6/2010 3:00:15 AM - Software Distribution Service 3.0
RP379: 10/7/2010 3:21:39 AM - System Checkpoint
RP380: 10/8/2010 3:40:56 AM - System Checkpoint
RP381: 10/9/2010 4:40:56 AM - System Checkpoint
RP382: 10/10/2010 5:40:56 AM - System Checkpoint
RP383: 10/11/2010 5:42:01 AM - System Checkpoint
RP384: 10/12/2010 6:40:56 AM - System Checkpoint
RP385: 10/13/2010 3:00:15 AM - Software Distribution Service 3.0
RP386: 10/14/2010 3:34:33 AM - System Checkpoint
RP387: 10/15/2010 4:25:07 AM - System Checkpoint
RP388: 10/16/2010 5:25:07 AM - System Checkpoint
RP389: 10/17/2010 6:25:06 AM - System Checkpoint
RP390: 10/18/2010 7:25:07 AM - System Checkpoint
RP391: 10/19/2010 8:22:28 AM - System Checkpoint
RP392: 10/20/2010 8:48:44 AM - System Checkpoint
RP393: 10/21/2010 9:48:43 AM - System Checkpoint
RP394: 10/22/2010 10:48:43 AM - System Checkpoint
RP395: 10/23/2010 11:48:43 AM - System Checkpoint
RP396: 10/24/2010 12:48:42 PM - System Checkpoint
RP397: 10/25/2010 12:50:11 PM - System Checkpoint
RP398: 10/26/2010 1:48:42 PM - System Checkpoint
RP399: 10/27/2010 3:05:46 PM - System Checkpoint
RP400: 10/28/2010 3:48:43 PM - System Checkpoint
RP401: 10/29/2010 4:48:43 PM - System Checkpoint
RP402: 10/30/2010 5:15:42 PM - System Checkpoint
RP403: 10/31/2010 6:34:51 PM - System Checkpoint
RP404: 11/1/2010 6:49:47 PM - System Checkpoint
RP405: 11/1/2010 8:22:51 PM - Configured Microsoft Office Professional 2007 Trial
RP406: 10/27/2010 8:29:34 PM - Removed Microsoft Office Professional 2007 Trial
RP407: 10/28/2010 8:59:35 PM - System Checkpoint
RP408: 11/2/2010 10:43:10 PM - System Checkpoint
RP409: 11/3/2010 11:50:17 PM - System Checkpoint
RP410: 11/5/2010 12:24:13 AM - System Checkpoint
RP411: 11/6/2010 12:26:18 AM - System Checkpoint
RP412: 11/7/2010 12:59:22 AM - System Checkpoint
RP413: 11/8/2010 1:24:54 AM - System Checkpoint
RP414: 11/9/2010 2:26:29 AM - System Checkpoint
RP415: 11/10/2010 3:00:15 AM - Software Distribution Service 3.0
RP416: 11/11/2010 3:24:13 AM - System Checkpoint
RP417: 11/12/2010 4:24:13 AM - System Checkpoint
RP418: 11/13/2010 4:25:19 AM - System Checkpoint
RP419: 11/14/2010 5:24:14 AM - System Checkpoint
RP420: 11/15/2010 6:24:13 AM - System Checkpoint
RP421: 11/16/2010 7:24:14 AM - System Checkpoint
RP422: 11/17/2010 7:42:37 AM - System Checkpoint
RP423: 11/18/2010 8:42:38 AM - System Checkpoint
RP424: 11/19/2010 9:42:38 AM - System Checkpoint
RP425: 11/20/2010 10:42:37 AM - System Checkpoint
RP426: 11/21/2010 11:42:37 AM - System Checkpoint
RP427: 11/22/2010 12:42:37 PM - System Checkpoint
RP428: 11/23/2010 1:42:37 PM - System Checkpoint
RP429: 11/24/2010 2:42:37 PM - System Checkpoint
RP430: 11/25/2010 3:43:41 PM - System Checkpoint
RP431: 11/26/2010 4:42:37 PM - System Checkpoint
RP432: 11/27/2010 5:42:37 PM - System Checkpoint
RP433: 11/28/2010 6:39:10 PM - System Checkpoint
RP434: 11/29/2010 7:54:00 PM - System Checkpoint
RP435: 11/30/2010 9:11:37 PM - System Checkpoint
RP436: 12/1/2010 9:17:57 PM - System Checkpoint
RP437: 12/2/2010 9:38:05 PM - System Checkpoint
RP438: 12/3/2010 10:38:05 PM - System Checkpoint
RP439: 12/5/2010 12:31:56 AM - System Checkpoint
RP440: 12/6/2010 1:21:45 AM - System Checkpoint
RP441: 12/7/2010 1:49:18 AM - System Checkpoint
RP442: 12/8/2010 2:51:47 AM - System Checkpoint

==== Hosts File Hijack ======================

Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 www.getavplusnow.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure.paysecuresystem.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 67.212.177.251 www.google.com
Hosts: 67.212.177.251 google.com
Hosts: 67.212.177.251 google.com.au
Hosts: 67.212.177.251 www.google.com.au
Hosts: 67.212.177.251 google.be
Hosts: 67.212.177.251 www.google.be
Hosts: 67.212.177.251 google.com.br
Hosts: 67.212.177.251 www.google.com.br
Hosts: 67.212.177.251 google.ca
Hosts: 67.212.177.251 www.google.ca
Hosts: 67.212.177.251 google.ch
Hosts: 67.212.177.251 www.google.ch
Hosts: 67.212.177.251 google.de
Hosts: 67.212.177.251 www.google.de
Hosts: 67.212.177.251 google.dk
Hosts: 67.212.177.251 www.google.dk
Hosts: 67.212.177.251 google.fr
Hosts: 67.212.177.251 www.google.fr
Hosts: 67.212.177.251 google.ie
Hosts: 67.212.177.251 www.google.ie
Hosts: 67.212.177.251 google.it
Hosts: 67.212.177.251 www.google.it
Hosts: 67.212.177.251 google.co.jp
Hosts: 67.212.177.251 www.google.co.jp
Hosts: 67.212.177.251 google.nl
Hosts: 67.212.177.251 www.google.nl
Hosts: 67.212.177.251 google.no
Hosts: 67.212.177.251 www.google.no
Hosts: 67.212.177.251 google.co.nz
Hosts: 67.212.177.251 www.google.co.nz
Hosts: 67.212.177.251 google.pl
Hosts: 67.212.177.251 www.google.pl
Hosts: 67.212.177.251 google.se
Hosts: 67.212.177.251 www.google.se
Hosts: 67.212.177.251 google.co.uk
Hosts: 67.212.177.251 www.google.co.uk
Hosts: 67.212.177.251 google.co.za
Hosts: 67.212.177.251 www.google.co.za
Hosts: 67.212.177.251 www.google-analytics.com
Hosts: 67.212.177.251 www.bing.com
Hosts: 67.212.177.251 search.yahoo.com
Hosts: 67.212.177.251 www.search.yahoo.com
Hosts: 67.212.177.251 uk.search.yahoo.com
Hosts: 67.212.177.251 ca.search.yahoo.com
Hosts: 67.212.177.251 de.search.yahoo.com
Hosts: 67.212.177.251 fr.search.yahoo.com
Hosts: 67.212.177.251 au.search.yahoo.com

==== Installed Programs ======================

Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
Carbonite Online Backup Setup
eReg
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Lexmark 4200 Series
LimeWire 5.3.6
Logitech SetPoint 6.15
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft XML Parser
MSN Toolbar
MSN Toolbar Platform
My.Freeze.com NetAssistant
QuickTime
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VideoLAN VLC media player 0.8.6f
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

12/8/2010 2:32:49 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
12/8/2010 2:32:00 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
12/8/2010 2:12:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
12/8/2010 2:12:24 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 2:12:24 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 2:12:24 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 2:12:24 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 2:12:24 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 2:12:24 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 2:11:28 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/8/2010 2:11:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/8/2010 1:30:28 AM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
12/8/2010 1:30:28 AM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
12/8/2010 1:30:28 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
12/8/2010 1:30:28 AM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
12/8/2010 1:30:27 AM, error: Service Control Manager [7034] - The lxbm_device service terminated unexpectedly. It has done this 1 time(s).
12/8/2010 1:30:27 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/8/2010 1:30:27 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
12/8/2010 1:30:27 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================




Thanks for any and all replies! I will be checking back momentarily, after I've run GMER in Safe Mode and done some research as to what it actually does (just curiosity).

~Tim
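The three "Registry Data Items" MBAM flagged in the log above are the web-lookup URLs Explorer uses when you open a file of an unknown type and choose to look the program up on the web. The hijacker pointed all three at helpmeopen.com and kept the originals under bak_* names. The following check is an added example, not code from the original post or from Malwarebytes: it compares a snapshot of those values against the Microsoft defaults that MBAM quoted as "Good:" and says what should be put back. SAMPLE_ASSOCIATIONS is constructed from the log so the script runs offline on any OS; on the XP machine itself you would read the values from the Associations key with reg query or Python's winreg module.

```python
"""Check Explorer's file-association web-lookup URLs against Microsoft's
defaults, as flagged in the MBAM log above.

Added example, not from the original post. Registry values are constructed
inline (mirroring the MBAM log) so this runs offline on any OS; on the
infected XP box you would read them from
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Associations.
"""
from urllib.parse import urlsplit

# Known-good values, exactly as MBAM reported them in the "Good:" field.
DEFAULTS = {
    "XMLLookup":   "http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s",
    "Application": "http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s",
    "intl":        "http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s",
}
TRUSTED_HOST = "shell.windows.com"

# Constructed snapshot of the Associations key on the infected machine.
SAMPLE_ASSOCIATIONS = {
    "XMLLookup":       "http://www.helpmeopen.com/?n=app&l=x&ext=%s",
    "Application":     "http://www.helpmeopen.com/?n=app&l=x&ext=%s",
    "intl":            "http://www.helpmeopen.com/?n=app&l=x&ext=%s",
    # bak_* copies hold the originals so the hijacker can put them back later
    "bak_XMLLookup":   "http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s",
    "bak_Application": "http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s",
    "bak_intl":        "http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s",
}


def check_associations(values):
    """Return {name: (status, current_url, restore_url)} for each lookup value.

    status is 'ok', 'hijacked' (host is not shell.windows.com) or 'modified'
    (still on shell.windows.com but not the documented default).
    restore_url is what to write back: the bak_ copy only if it matches the
    default (a planted bak_ value must not be trusted), otherwise the default.
    """
    report = {}
    for name, default in DEFAULTS.items():
        current = values.get(name, "")
        host = urlsplit(current).hostname or ""
        if current == default:
            status = "ok"
        elif host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST):
            status = "modified"
        else:
            status = "hijacked"
        backup = values.get("bak_" + name, "")
        restore = backup if backup == default else default
        report[name] = (status, current, restore)
    return report


def leftover_backups(values):
    """bak_* values to delete once the originals are restored."""
    return sorted(k for k in values if k.startswith("bak_") and k[4:] in DEFAULTS)


if __name__ == "__main__":
    for name, (status, cur, restore) in check_associations(SAMPLE_ASSOCIATIONS).items():
        print(f"{name:12} {status:9} {cur}")
        if status != "ok":
            print(f"{'':12} restore -> {restore}")
    print("stale backups:", leftover_backups(SAMPLE_ASSOCIATIONS))
```

Restoring from the bak_ copy is only safe when it matches the known default; the script falls back to the default otherwise, which is also what MBAM's "Good:" column does.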
Please read all before acting!:

Welcome to TechSpot! The system has been hit by the Windows Security Suite malware infection. This is a rogue security program from the same family as Antivirus System Pro and Spyware Protect 2009. When installed, the program will be configured to start automatically when Windows starts and when run, will perform a scan and then list a variety of infections that it states resides on your computer. It will not remove, though, any of these infections unless you purchase it. The catch is that the entries being given as infections are actually harmless files that the program itself created to trick you.

She likely will have seen the alert pictured here: http://www.bleepingcomputer.com/virus-removal/remove-windows-security-suite
The program creates a new search tool in Internet Explorer, which impersonates Windows Live, and Firefox, which impersonates Google. Both of these search providers will perform searches that look like they are from Windows Live or Google, but are in fact coming from Search-gala.com.

When MBAM was run, the following line wasn't checked, so all entries show No Action Taken.
Be sure that everything is checked, and click Remove Selected.

To get MBAM to run in Normal Mode: please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

Malwarebytes is a good tool in the removal of this malware, but we vary the scan some. After you have run randmbam and are ready to run the Mbam scan again:
  • Click Perform Full Scan instead of quick scan. This will take a longer time and when finished, you will get this:
    [image: scan-finished.jpg]
  • Click on Okay and, when the screen returns, click on Show Results
  • Now click on the Remove Selected button
  • MBAM will delete all the files and registry keys and add them to the program's quarantine.
  • If you get a message to reboot, please do so.
  • The log after the malware removal displays in Notepad and should be saved to paste into the next reply.
Thanks to bleeping computer.
===============================================================
The presence of the singlehop host hijack is also noted. This is Adiv Financial (Stolen Identity) Fraud by a Zombie botnet host: http://www.bobbear.co.uk/adiv-financial.html
==============================================================
Although we can remove the Windows Security Suite entries fairly easily, I think the system has been compromised by the fraudulent singlehop. And because of the potential for Identity Theft, I recommend that the system be fully reformatted and reinstalled.

All passwords should be changed and any internet financial transactions should be monitored. This should all be done now.

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
 
MBAM log after full scan:
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5270

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2010 10:47:29 PM
mbam-log-2010-12-08 (22-47-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 168943
Time elapsed: 32 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It still redirects every so often. I got her to change all her passwords on her dad's computer a couple hours ago and she hasn't used this computer since yesterday. I cannot find her XP boot CD that came with the computer.
 
Okay, next steps:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
=========================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console image:
    [image: RcAuto1.gif]
    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe
    [image: cf-icon.jpg]
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 