TechSpot

[Closed] Browser redirection trouble

By wooliewillie
Apr 23, 2011
  1. Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6403

    Windows 6.0.6000
    Internet Explorer 8.0.6001.18882

    4/23/2011 4:21:40 AM
    mbam-log-2011-04-23 (04-21-40).txt

    Scan type: Quick scan
    Objects scanned: 192063
    Time elapsed: 8 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-04-23 04:29:46
    Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.V54O
    Running: lh8bb9kt.exe; Driver: C:\Users\Admin\AppData\Local\Temp\kwlyqpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:412] 8A197140
    Thread System [4:420] 8A197140
    Thread System [4:424] 8A1CF520
    Thread System [4:428] 8A1CF520
    Thread System [4:436] 8A1D1580
    Thread System [4:440] 8A1D1580
    Thread System [4:444] 8A1D1580
    Thread System [4:452] 8A1CF520

    ---- EOF - GMER 1.0.15 ----

    attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/4/2007 12:45:35 AM
    System Uptime: 4/23/2011 4:23:20 AM (0 hours ago)
    .
    Motherboard: ASUSTek Computer INC. | | Leonite2
    Processor: Intel(R) Core(TM)2 CPU 4400 @ 2.00GHz | Socket 775 | 2000/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 289 GiB total, 159.393 GiB free.
    D: is FIXED (NTFS) - 9 GiB total, 1.005 GiB free.
    E: is CDROM ()
    G: is FIXED (NTFS) - 298 GiB total, 283.672 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 127.0.0.1 www.avast.com
    Hosts: 127.0.0.1 www.avg.com
    Hosts: 127.0.0.1 www.bitdefender.com
    Hosts: 127.0.0.1 www.eset.com
    Hosts: 127.0.0.1 www.f-secure.com
    Hosts: 127.0.0.1 www.grisoft.com
    Hosts: 127.0.0.1 www.kaspersky.com
    Hosts: 127.0.0.1 www.mcafee.com
    Hosts: 127.0.0.1 www.microsoft.com
    Hosts: 127.0.0.1 www.pandasecurity.com
    Hosts: 127.0.0.1 www.sophos.com
    Hosts: 127.0.0.1 www.symantec.com
    Hosts: 127.0.0.1 www.trendmicro.com
    Hosts: 127.0.0.1 www.viruslist.com
    Hosts: 127.0.0.1 www.virustotal.com
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Activation Assistant for the 2007 Microsoft Office suites
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.1
    Adobe Shockwave Player 11.5
    AnalogX AutoTune
    AnswerWorks 5.0 English Runtime
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Audacity 1.2.6
    Awave Studio v10.1
    Band-in-a-Box 2008.5 (Build 263)
    Becker CPA Review CD-ROM Course and PassMaster - 2008 Edition
    Bisk CPA Review Software 13.10
    Bonjour
    CloneCD
    Compatibility Pack for the 2007 Office system
    Creative MediaSource 5
    Digital Voice Editor 3
    DiskCheckup V2.1
    DivX Content Uploader
    DivX Web Player
    DzSoft Favorites Search 2.1
    EarMaster Pro 5
    Enhanced Multimedia Keyboard Solution
    ESET Online Scanner v3
    FreeMind
    FretPro V.2.00
    Garmin City Navigator North America NT 2010.20
    Garmin WebUpdater
    Google Desktop
    Google Toolbar for Internet Explorer
    Guitar Freak Workstation with SightReader
    H-Series_ASIO32
    Hardware Diagnostic Tools
    HD Tune Pro 4.01
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Customer Experience Enhancements
    HP Customer Feedback
    HP Easy Setup - Frontend
    HP On-Screen Cap/Num/Scroll Lock Indicator
    HP Photosmart Essential 2.0
    HP Photosmart Essential2.5
    HP Picasso Media Center Add-In
    HP Product Detection
    HP Total Care Advisor
    HP Update
    ieSpell
    ImgBurn
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel® Viiv™ Software
    iSkysoft DVD to iPod Converter(Build 1.5.23)
    iTunes
    J2SE Runtime Environment 5.0 Update 12
    Java Auto Updater
    Kaspersky Anti-Virus 7.0
    LAME v3.98.2 for Audacity
    LG USB Modem driver
    LightScribe 1.4.142.1
    LiveUpdate 3.2 (Symantec Corporation)
    Macrium Reflect - Free Edition
    Malwarebytes' Anti-Malware
    McAfee Security Scan Plus
    Mega Manager
    Megaupload Toolbar
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft IntelliPoint 6.1
    Microsoft Office Basic Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MobileMe Control Panel
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 4.0 SP3 Parser
    MSXML 4.0 SP3 Parser (KB973685)
    Musicnotes Software Suite 1.5.5
    muvee autoProducer 6.0
    My HP Games
    NETGEAR Live Parental Controls Management Utility 2.0b44
    NETGEAR Live Parental Controls User Utility 1.0b38
    NirSoft BlueScreenView
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PG Music DirectX Plugins 1.3.4.1
    Picasa 2
    Power Tab Editor 1.7
    PSSWCORE
    Python 2.4.3
    QMC
    QuickBooks Pro 2007
    QuickBooks Product Listing Service
    Quicken 2008
    QuickTime
    Realtek High Definition Audio Driver
    Rhapsody
    Rhapsody Player Engine
    River Past Audio Converter
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator EasyArchive
    Roxio Creator Tools
    Roxio Express Labeler 3
    Safari
    SampleTestInstall
    Shockwave
    Sibelius Scorch (ActiveX Only)
    Skype Toolbars
    Skype™ 5.0
    Snapfish Media Detector
    Snitch
    Soft Data Fax Modem with SmartCP
    Spybot - Search & Destroy
    Stock Investor Professional
    Streamripper (Remove only)
    SupportSoft Assisted Service
    TaxCut New Jersey 2007
    TaxCut New York 2007
    TaxCut Premium + State 2007
    TeamViewer 3
    Transcribe! 8.10
    Ulead VideoStudio SE DVD
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Video Piggy
    Viewpoint Media Player
    Virtual Sound Canvas DXi
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Winamp
    Winamp Remote
    Windows Installer Clean Up
    Windows Movie Maker 2.6
    WinPcap 4.1.1
    WinRAR archiver
    WinZip 11.2
    Yahoo! Toolbar
    Yahoo! Toolbar for Internet Explorer
    ZENcast Organizer
    ZillaTube 3.1
    Zune
    Zune Language Pack (ES)
    Zune Language Pack (FR)
    .
    ==== End Of File ===========================

    dds.txt

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Admin at 4:33:58.96 on Sat 04/23/2011
    Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.5.0_12
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.917 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Macrium\Reflect\ReflectService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer3\TeamViewer_Host.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\TeamViewer3\TeamViewer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Windows\vVX6000.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Snapfish Media Detector\SnapfishMediaDetector.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\hp\support\hpsysdrv.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Admin\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
    BHO: CocoonSoftware Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: CocoonSoftware Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [VX6000] c:\windows\vVX6000.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SnapfishMediaDetector] c:\program files\snapfish media detector\SnapfishMediaDetector.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
    mRun: [KBD] c:\hp\kbd\KbdStub.EXE
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
    mRun: [CCUTRAYICON] FactoryMode
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
    IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {FF925300-80E6-11D4-A15B-FFF9086C1A3C} - {4DC701A0-93AD-11D4-A15B-AF07886E4A07} - c:\progra~1\dzsoft\favori~1\FavSeek.dll
    LSP: c:\windows\system32\wpclsp.dll
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
    DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303530075634
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    Hosts: 127.0.0.1 www.avast.com
    Hosts: 127.0.0.1 www.avg.com
    Hosts: 127.0.0.1 www.bitdefender.com
    Hosts: 127.0.0.1 www.eset.com
    Hosts: 127.0.0.1 www.f-secure.com
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 64288]
    R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
    R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-4-4 20760]
    R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2007-9-28 600912]
    R2 TeamViewer;TeamViewer 3;c:\program files\teamviewer3\TeamViewer_Host.exe [2008-3-12 181544]
    R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
    S2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-6-28 218376]
    S2 gupdate;gupdate; [x]
    S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-1 30192]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2008-5-11 39048]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2007-4-10 2385896]
    S3 ZMHHPAudioSrv;ZOOM H Series High Performance Audio Driver Service;c:\windows\system32\drivers\zmhhpau.sys [2010-4-16 32000]
    .
    =============== Created Last 30 ================
    .
    2011-04-23 03:21:42 -------- d-----w- C:\_OTM
    2011-04-22 23:42:43 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f9c6cc1f-2a06-4892-a269-ee12ad9e30aa}\mpengine.dll
    2011-04-22 10:26:03 -------- d--h--w- C:\$AVG
    2011-04-22 03:04:45 -------- d-----w- c:\progra~2\AVG Security Toolbar
    2011-04-22 02:55:27 -------- d-----w- c:\progra~2\AVG10
    2011-04-22 02:50:11 -------- d-----w- c:\program files\AVG
    2011-04-22 02:37:05 -------- d-----w- c:\progra~2\MFAData
    2011-04-21 19:40:16 -------- d-s---w- C:\ComboFix
    2011-04-20 20:29:18 -------- d-----w- C:\_OTL
    2011-04-20 17:54:28 -------- d-----w- c:\users\admin\appdata\local\Musicnotes
    2011-04-20 00:05:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-20 00:05:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-13 18:26:48 -------- d-----w- c:\program files\Streamripper
    2011-04-11 01:12:49 -------- d-----w- c:\progra~2\Musicnotes
    2011-04-11 00:54:03 -------- d-----w- c:\users\admin\appdata\local\OpenCandy
    2011-04-11 00:53:59 -------- d-----w- c:\users\admin\appdata\roaming\OpenCandy
    2011-04-11 00:53:59 -------- d-----w- c:\program files\Musicnotes
    2011-04-02 20:18:43 -------- d-----w- c:\program files\common files\Sonic Shared
    2011-04-02 02:16:25 -------- d-----w- c:\progra~2\McAfee Security Scan
    2011-04-02 02:16:22 -------- d-----w- c:\program files\McAfee Security Scan
    .
    ==================== Find3M ====================
    .
    2011-02-14 03:53:25 320000 ----a-w- c:\windows\system32\CF6700.exe
    2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 4:35:37.98 ===============
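The two indicators in the logs above, security-vendor sites pinned to 127.0.0.1 in the HOSTS file and the StartMenuInternet launch commands wrapped by qud.exe, can both be checked mechanically. The script below is an added example for this thread; it is not part of the original post nor of DDS, GMER or Malwarebytes. The sample input is constructed from the log lines quoted above, and the vendor-domain list is an assumption for illustration.

```python
"""Audit two indicators from the logs in this thread (added example, not
part of the thread or of any tool named in it):
1. HOSTS entries that pin security-vendor domains to a loopback or
   unspecified address, which silently breaks AV updates and online scanners;
2. Malwarebytes 'Hijack.StartMenuInternet' lines, where the browser launch
   command has been wrapped by a foreign executable.
Sample input below is constructed from the log lines quoted in the thread."""
import re
from ipaddress import ip_address

# Assumed list for illustration: vendors whose sites hijackers commonly block.
SECURITY_VENDOR_DOMAINS = {
    "avast.com", "avg.com", "bitdefender.com", "eset.com", "f-secure.com",
    "grisoft.com", "kaspersky.com", "mcafee.com", "microsoft.com",
    "pandasecurity.com", "sophos.com", "symantec.com", "trendmicro.com",
    "viruslist.com", "virustotal.com", "malwarebytes.org",
}


def parse_hosts(text):
    """Return [(ip, [hostnames])] from HOSTS-file text. Also accepts the
    'Hosts: <ip> <name>' lines DDS prints; comments and blanks are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Hosts:"):
            line = line[len("Hosts:"):].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def blocked_vendor_domains(hosts_text):
    """Return [(ip, hostname)] for vendor domains mapped to loopback/0.0.0.0."""
    findings = []
    for ip, names in parse_hosts(hosts_text):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # malformed entry, not an address; skip it
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in names:
            bare = name.lower()
            if bare.startswith("www."):
                bare = bare[4:]
            if bare in SECURITY_VENDOR_DOMAINS:
                findings.append((ip, name))
    return findings


# Shape of a Malwarebytes 'Registry Data Items Infected' line.
MBAM_REG_DATA = re.compile(
    r"^(?P<key>HK\S+) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*)$"
)


def wrapped_launcher(bad, good):
    """If the 'bad' command runs some other executable before the browser
    named in 'good', return that executable's path; otherwise None."""
    expected = good.split()[0].lower()            # e.g. firefox.exe
    quoted = re.match(r'"([^"]+)"', bad)
    first = quoted.group(1) if quoted else bad.split()[0]
    if first.lower().endswith(expected):          # launches the real browser
        return None
    return first


def parse_mbam_hijacks(log_text):
    """Extract StartMenuInternet-style launch-command hijacks from MBAM text."""
    hijacks = []
    for raw in log_text.splitlines():
        m = MBAM_REG_DATA.match(raw.strip())
        if not m:
            continue
        launcher = wrapped_launcher(m["bad"], m["good"])
        if launcher:
            hijacks.append({"key": m["key"], "detection": m["detection"],
                            "launcher": launcher, "expected": m["good"],
                            "action": m["action"]})
    return hijacks


# Constructed sample input, taken from the entries quoted in the thread.
SAMPLE_HOSTS = """\
# constructed HOSTS excerpt
127.0.0.1       localhost
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.kaspersky.com
127.0.0.1 www.virustotal.com
0.0.0.0 www.malwarebytes.org
192.0.2.10 example.com
"""

SAMPLE_MBAM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for ip, name in blocked_vendor_domains(SAMPLE_HOSTS):
        print(f"HOSTS blocks vendor site: {name} -> {ip}")
    for h in parse_mbam_hijacks(SAMPLE_MBAM):
        print(f"{h['detection']}: {h['launcher']} wraps {h['expected']!r}")
```

Both checks are deliberately narrow: the HOSTS check only reports vendor domains that resolve to nowhere, so ordinary ad-blocking entries are not flagged, and the registry check only reports a launch command whose first executable is not the browser the "Good" value names. Every launcher path it reports (here qud.exe under the richb2 profile) is a file worth submitting to a scanner and, as the Malwarebytes log shows, the value is what the scanner restores.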
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good Morning and welcome to TechSpot! Looks like the hosts file has been hijacked. Just a note for you before I continue> even though you may think the subject of "Browser redirection trouble" says it all, that is not the case. I have found that sometimes members think they are being redirected when getting a message "can't find the server" or "server disconnected." So it helps us to help you if you give us some description.

    While I finish checking these logs, please do the following: Note: It's important that you follow the order I have set up:

    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5]. With the router unplugged, start your computer. Run MBAM again.
      [6]. Connect to the router again. Then turn the router back on.
      [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    ==================================
    Edit: You are running 2 antivirus programs> McAfee Security Scan Plus and Kaspersky Anti-Virus 7.0. Please uninstall one of them.
    McAfee Removal
    Kaspersky archive kavremover.zip.
    • Unpack the archive (for example, using WinZip)
    • Double click on kavremover.exe
    • Enter the code from the picture. If you cannot read the code from the picture, click on the button next to the picture to generate a new code
      [o] The screen will display the products detected.
      [o] You can also select Remove all known products.
    • Click on the button Remove
    • Wait until a dialog window appears to inform you that the product was successfully removed
    • Click OK
    Images courtesy Kaspersky
    Reboot the computer.
    =========================
    After completing the above, please Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ================================
    If you are using any file sharing programs, please uninstall or disable them while I am helping you.
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ==================================
    Please paste the new Malwarebytes log and Combofix log in your next reply
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It appears that some cleaning attempts have already been made on your system, due to the presence of these:
    2011-04-23 03:21:42 -------- d-----w- C:\_OTM
    2011-04-22 02:37:05 -------- d-----w- c:\progra~2\MFAData
    2011-04-21 19:40:16 -------- d-s---w- C:\ComboFix
    2011-04-20 20:29:18 -------- d-----w- C:\_OTL

    I also note the presence of several AVG entries:
    2011-04-22 10:26:03 -------- d--h--w- C:\$AVG
    2011-04-22 03:04:45 -------- d-----w- c:\progra~2\AVG Security Toolbar
    2011-04-22 02:55:27 -------- d-----w- c:\progra~2\AVG10
    2011-04-22 02:50:11 -------- d-----w- c:\program files\AVG

    Tell me please if you are being helped in another computer forum for this time for this problem.
     
  4. wooliewillie

    wooliewillie TS Rookie Topic Starter

    I was working with dslreports, but they gave up and told me to reformat. On some other issues:

    1) the browser seems to search OK, but when I click on one of the found sites, it takes me to a totally different site.

    2) The admin user is working much better than my user (richb2) account.

    3) I ran combofix and it said that my explorer was infected but then said that it fixed it. But after that, when I rebooted, explorer fails. I had to use Microsoft recovery to get my PC working again.

    4) In the richb2 user, I always get a popup that orbtray.exe needs me to allow it to run. I never allow it.

    5) I have invested about 20 hours in getting rid of Vista Home Firewall virus. Finally I used the code and it went away. The redirection error seems to be the last problem. I have a lot of programs on this PC. Is there any way to reinstall Vista (or XP) without wiping the applications?

    Here is the last MBAM that I ran after flushing the DNS and rebooting the router as per the instructs.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6403

    Windows 6.0.6000
    Internet Explorer 8.0.6001.18882

    4/23/2011 11:06:04 AM
    mbam-log-2011-04-23 (11-06-04).txt

    Scan type: Quick scan
    Objects scanned: 193714
    Time elapsed: 5 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\richb2\AppData\Local\qud.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    One more thing, I just took off McAfee. I didn't see that instruct before.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    >>
    http://www.broadbandreports.com/forum/r25761660-Here-are-my-required-steps~start=20

    They didn't give up! They told you that was what you needed to do for your badly infected system.

    As far as I'm concerned, you have already gotten help for this problem in another forum. Considering you were still getting active help there on 4/24, you should not have started a thread here on 4/23 expecting us to do magic and find a solution you liked better!

    This thread is closed.
     