Getting help elsewhere. Firefox and IE keep redirecting log attached

By bic23
Apr 13, 2010
  1. Hi. Both my Firefox and IE8 browsers keep redirecting me to random sites. My Avast antivirus has suddenly been disabled and I think the virus/malware probably had something to do with it. I fixed something called sharedtaskscheduler browseruri but that didn't seem to fix it. I ran another HijackThis log and here is the current one. Your help is greatly appreciated. Thanks.

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 11:24:53 PM, on 4/11/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ 2.4\program\soffice.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\ 2.4\program\soffice.BIN
    C:\Program Files\iPod\bin\iPodService.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Tlisosafuzawo] rundll32.exe "C:\WINDOWS\elujudoy.dll",Startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Startup: 2.4.lnk = C:\Program Files\ 2.4\program\quickstart.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    End of file - 6929 bytes
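The log above, as an added triage example that is not code from this thread, from HijackThis or from any tool the helpers mention: a small Python parser for the O2 (BHO), O3 (toolbar), O4 (Run key) and O23 (service) lines that flags two patterns a log reader looks for, a Run entry that loads a DLL through rundll32.exe directly from the Windows directory root (the `[Tlisosafuzawo]` line is that shape) and entries whose target is reported as "(file missing)" or "(no file)". The sample lines are copied from the posted log; the regexes, heuristics and names (`triage`, `Finding`, `rundll_target`) are this example's own assumptions, not anything the page defines.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not part of HijackThis, ComboFix or any
other tool mentioned by the helpers. It parses the O2, O3, O4 and O23
sections of an HJT log and flags:

  * an O4 Run entry that launches rundll32.exe against a DLL sitting
    directly in the Windows directory (not in system32 or Program Files);
  * O2/O3/O23 entries whose target is "(file missing)" or "(no file)",
    i.e. dead references left behind by a removed program.

The sample lines are copied from the log posted in the thread; the
regexes, thresholds and names below are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O3/O4/O23 lines from the posted log.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll",
    r"O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)",
    r"O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui",
    r'O4 - HKLM\..\Run: [Tlisosafuzawo] rundll32.exe "C:\WINDOWS\elujudoy.dll",Startup',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe",
])

# Line shapes as HJT 2.0.x prints them (assumed from the posted log).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")

# rundll32 invocation: optional quotes around the DLL, entry point after a comma.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
# A DLL directly in the Windows directory: exactly one path component after \WINDOWS\.
WINDIR_ROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reason: str


def rundll_target(cmd: str):
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(cmd.strip())
    return m.group("dll") if m else None


def triage(log_text: str):
    """Scan HJT log text and return the Findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            dll = rundll_target(m.group("cmd"))
            if dll and WINDIR_ROOT_DLL_RE.match(dll):
                findings.append(Finding("O4", m.group("name"), dll,
                                        "rundll32 loads a DLL from the Windows root"))
            continue
        for section, rx in (("O2", O2_RE), ("O3", O3_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                path = m.group("path").strip()
                if path.endswith(MISSING_MARKERS):
                    findings.append(Finding(section, m.group("name"), path,
                                            "target file is missing (dead entry)"))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  [{f.name}]  {f.target}  <- {f.reason}")
```

Run it as a script and it prints the three flagged lines. The "missing file" heuristic only points at clutter (the AVG and unnamed toolbar leftovers); the rundll32 heuristic is the one worth acting on, because a legitimate program rarely registers a randomly named Run value that loads a DLL from the Windows root rather than from system32 or its own Program Files folder. It is a starting point for reading a log, not a verdict: confirm any hit by checking the file's signature, creation time and the vendor of the DLL before removing anything.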
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, bic23. I'll help with the malware. But I would like you to follow the preliminary removal steps HERE.

    As you will see, there are 2 additional programs to run. Then rescan with HijackThis. Leave all 3 logs in your next reply. There is nothing evident in the HJT log.

    Please do not run any other cleaning programs while I am helping you. Do not run a Registry cleaner or make any Registry changes.

    See information HERE.

    I caution you about stopping or removing any process before identifying it.
  3. bic23

    bic23 TS Rookie Topic Starter

    Here are the SUPERAntiSpyware and Malwarebytes logs and the current HJT log. Malwarebytes didn't detect anything but SUPERAntiSpyware did, and I clicked Next and Finish after the scan. Whenever I start my computer I get a message that says "RunDLL error loading C:\WINDOWS\elujudoy.dll - specific module could not be found". The two items I told you that I fixed with my first HijackThis log were sharedtaskscheduler browseui and sharedtaskscheduler component categories cache daemon. When I clicked Info it said that it was an undocumented registry key and the recommended action taken was that the registry value is deleted for both items.

    View attachment SUPERAntiSpyware Scan Log - 04-13-2010 - 16-46-40.log

    View attachment mbam-log-2010-04-13 (15-56-51).txt

    View attachment HJT log.txt
  4. Bobbye

    The system is badly infected. And it appears that it may be a Virut infection. There is no fix for that and we recommend reformat and reinstall.

    But I'd like you to do this first- it will either confirm or rule out Virut:

    • Make sure to use Internet Explorer for this
    • Please go to FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,


    Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    The content of that scan will determine what to do next.
  5. bic23

    The scanner found no malware on all three of those files you told me to scan. I wasn't sure if you could copy and paste results if there was no malware found. I saw the copy to clipboard button but I didn't see a clipboard to copy and paste from. Overall no malware found.
  6. Bobbye

    Just so you know, that scan did not rule out all malware. It is mostly specific for Virut. This was found by Superantispyware:
    If it had been Virut, the removal of that one entry wouldn't have cleared the system. That's why I had you run the scan.

    About the clipboard and copy and paste. You don't 'see' a clipboard. But when you 'copy' anything, it goes to that clipboard. It stays on it until you 'paste' the contents somewhere.

    Please run these 2 programs while I'm offline for a while. I'm having a system problem I have to work on:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.

    • 1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings.
      3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave Combofix report and Eset log in next reply.
  7. bic23

  8. Bobbye

    No problem- it's confusing when you try to see something that isn't there!

    Okay, some conditions: You are running BitComet. You have given it access through the firewall. The Java is way out of date. There are entries from another AV program loading.

    Condition 1: Uninstall BitComet

    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitComet for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Condition 2: Get your Java up to date. You are using v6u4; the current version is v6u19. Every older version of Java on the machine is a vulnerability to your system. Run the following to remove all the outdated versions, then get the current:

    Please download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • Choose English from the drop-down menu and click on
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted.
    • When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.

    Then download and install Java Runtime Environment (JRE) 6 Update 19
    Java Updates

    You have Real Player set to auto-update, Google Toolbar set to auto-update and iTunes set to auto-update, but the only program that makes you vulnerable isn't updating!

    Condition 3: Remove the left-over AVG entries: Multiple AV entries make you more vulnerable as well as slow the system down. This tool will help:
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

    You have malware and need to go further to get rid of it. I will help you do that if you meet my 'conditions.' Why? Because there is so much junk getting on systems and it's getting very tough to get it off. If the system is full of holes like file sharing and out of date programs, the malware will be getting back in before we have time to get it all out.

    Your call.
  9. bic23

    I don't understand because I removed BitComet a while ago through the Control Panel. But what I did was go back into my Downloads folder and remove anything I might have downloaded through BitComet in the past. As far as AVG, I didn't see it in the Control Panel. I downloaded the link you told me to and it took me to a black screen that quickly appeared and then disappeared. I did the Java run where it removed old Java and installed the latest update. I believe it is now set up for automatic updates as well now. Here is the log.

    View attachment JavaRalogfile.txt
  10. Bobbye

    Most users don't understand that just because they don't see a program in Add/Remove, that it isn't there. Not so. Programs can be started from the Registry and/or a Service. So even though you may not see the entries, we can in subsequent logs.

    You had 4 old versions of Java. Not good. This is one that must be kept current as the updates are for security- once an update has been issued to patch a vulnerability, any remaining older versions have the unpatched vulnerability. I did find the auto-updater after all- but maybe you refused it.

    You also need to be aware of the fact that you got a Beta version of HijackThis- somewhere else because it's not what we have on the thread. I'll work with the logs you left now, but I would like you to remove that Beta HJT and install v2.0.2 from HERE. You don't need to rescan yet.

    Before you run this script, be sure the security programs have been disabled as in:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:

    c:\program files\BitComet\BitComet.exe
    c:\progra~1\Grisoft\AVG7\avgcc.exe [N/A]
    c:\documents and settings\All Users\Application Data\4mAX17Bj3.dat
    c:\documents and settings\Ronald\Application Data\Real\Update\setup3.10\setup.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

    I didn't include this in the script, but I wondered if you were still using it. It looks like you're using a laptop with the touchpad enabled:
    2006-06-09 19:47 >>Mouse Suite 98 Daemon.
  11. bic23

    You mentioned the touchpad, I recently downloaded a driver for my touchpad, but I still have trouble because it won't scroll. Furthermore, other than looking for the files that were downloaded by bitcomet I don't know how else to completely delete it from my computer. I did delete the beta version and installed the v2.0.2 as well.
    Here is the log.

    View attachment CFTlog1.txt
  12. Bobbye

    About the touchpad: Go to the Control Panel> Mouse> Gestures tab> check 'use scroll' and 'use forward/back buttons'> Set the dialog boxes for each of the 4 corners as you want> click on Apply> OK when through. You can also use the Touchpad tab to set sensitivity and tapping. It may take a few tries to get it as you want.

    About BitComet: It should be gone. There are entries that show up in Combofix that you don't see in your system. If you look at the log from the script- at the top- for files and deleted, you'll see several entries for BitComet. I also moved an AVG v7 entry.

    How is the redirect problem now? Are you having any other problems that might be related to the malware? (Not the mouse scroll.)

    Please scan with HijackThis and let me see if there are any entries to remove. Thank you for following my "Conditions." Your system will be the better for them.
  13. bic23

    As of now I'm not having any issues with redirecting or constant trojan attack warnings from my Avast antivirus. I tried the Control Panel mouse instructions but there is no Gestures tab, so I went to the touchpad icon at the lower right hand of my screen and tried to alter the scrolling settings, but nothing pops up when I click on the option Scrolling Settings like it does for all the other three options like Device Settings, Button Settings, etc. Here is the log.

    View attachment hijackthislogv2.txt
  14. Bobbye

    I don't think the mouse problem is related to malware. So I suggest you post in the Windows forum right above this one and request guidance.

    I'd like to see the Combofix report that was generated after you ran the script. If nothing else needs to be moved, I'll have you remove the cleaning tools.
  15. bic23

    I thought I already attached that log in my previous post. Every time I try to attach it it says that I've already attached it in this post.
  16. Bobbye

    Since you are leaving additional logs on another board and getting help elsewhere, I'll end my support now.
    While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

    In the future, for your sake as well as ours, please refrain from requesting help from multiple forums.