Google redirect piece of ...

Status
Not open for further replies.
Let's try and get some more information. I take it you're not getting the sites you click on? Please uninstall the Malwarebytes you have on the system now- the program and the log it created.

Then follow the steps HERE.

Scan with the updated Malware bytes, Superantispyware and follow with a new scan using HijckThis.
Please attach all 3 logs for review.

We'll be needing to get rid of the Crawler Toolbar and it's adware.

had already run combofix from another "tip" on another site.
Click to expand...
Taking 'tips' to clean malware almost never works and almost always makes the problem worse!

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
 
I took of Crawler (total junk) and took off Malwarebytes.

But, I have Vista and I have no idea where "Run" is now?? I click start and ???? I can't find it.

I'm going to download malwarebytes again and scan. How do I get combofix to uninstall?
 
Oh, and yes, I get false search results and then a redirect message and some junk sites come up. This should be a new hate crime... :)
 
Malwarebytes won't download. It keeps giving me the "can't open web page" explorer page. Sneaky spware!!!

I'll post the 2 new logs from Superanti, and hijack this...
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2010 at 03:13 PM

Application Version : 4.34.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 1978

Scan type : Quick Scan
Total Scan Time : 00:34:24

Memory items scanned : 695
Memory threats detected : 0
Registry items scanned : 525
Registry threats detected : 0
File items scanned : 36479
File threats detected : 14

Adware.Tracking Cookie
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@apmebf[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@media6degrees[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@clickthrough.kanoodle[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@revsci[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@at.atwola[2].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@tracking.realtor[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@dmtracker[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@bs.serving-sys[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@eyewonder[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@kontera[2].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@serving-sys[2].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@collective-media[2].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@tacoda[1].txt
C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@insightexpressai[1].txt



The other one is attached... Again, Malwarebytes wouldn't download???View attachment hijackthis 22224.txt
 
Malwarebytes won't update but it does scan and finds very little.
Click to expand...
Malwarebytes won't download. It keeps giving me the "can't open web page" explorer page.
Click to expand...

You are saying 2 different things above. If it scanned, you have a log. I need to see it. Let me be the judge of what it finds. I'd like to remove everything from Crawler if that's okay with you. It will include Spyware Terminator.

Your search is being redirected to a site in the Ukraine. Please reopen HijackThis to 'do system scan only.' Check each of the following entries if present: Optional removals are in green.

C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\TARISS\MainMenu\MainMenu.exe See Option 1
O4 - Startup: TexasMainMenu.lnk = C:\TARISS\MainMenu\MainMenu.exe See Option 1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60446
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=6044
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" See Option 2
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1C57204-5091-4C47-8EED-2FA742EAA100}: NameServer = 93.188.164.60,93.188.161.31
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

Option 1: I cannot identify this program. Note that there are 2 S. Do you know what it is? If not, please check for removal.

Option 2: CyberLink: none of these shortcuts need to load when you boot. Open the program when you want to use it. Don't waste the system resources.

Close all Windows except HijackThis and click on "Fix Checked."

Click on Start> Run> type in services.msc> double click on sp_rssrv> change the Startup Type to Disabled> Stop the Service.

See if you can access either of these download sites for Malwarebytes:

Link 1
Link 2

Run Malwarebytes, then rescan with HijackThis. Attach logs for each on next reply.
 
Malwarebytes downloaded from one of the two sites above, but is blocked when tyring to update. Also, I tried to go direct to their web site and explorer is blocked.

So, I'm scanning using a december version of the program and I'll post a log for you.

Main question, should I disconnect from the internet on this system? I don't want to be leaving myself open here.

I ran hijack and could not find these 2:
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\TARISS\MainMenu\MainMenu.exe See Option

Maybe I got them already?

Sorry, I'm kind of a rookie.... Logs in next reply. Waiting on Malware to run...
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:27 PM, on 2/24/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18385)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ReceiveUtility] C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/54.16/uploader2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9db1244a666a0) (gupdate1c9db1244a666a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7420 bytes


Malwarebytes Log here:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/24/2010 10:32:29 PM
mbam-log-2010-02-24 (22-32-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 289915
Time elapsed: 1 hour(s), 10 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Windows\System32\drivers\roqjjd.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.



Was in a hurry so I copied and pasted.
 
I'm still having the issue. Let me know if I need to do anything else.

Also, let me know if I should disconnect the net for security.
 
tractorback21, if you need to add, change or correct something in a post and there is no reply yet, please use the Edit feature instead of making a new reply.

It's doesn't make any sense to me that Mbam is the only program you're having a problem with. It does show a Rootkit was found and quarantined by Combofix. If you uninstalled Combofix as I instructed, the Qoobox entry shouldn't be in Mbam.

If you did not uninstall Combofix, please do so. Then do the following:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Rescan with HJT when finishes and leave both logs in next reply.

I don't see any reason at this point to disconnect from the internet. But I would like to know if Norton is updating.

I would like to point out that you are behind on updates: you have Vista SP1> you should have SP2 at this point:
Visit the Microsoft Download Site. You should get All updates marked Critical and the current SP updates: Vista> SP2
 
I don't use Norton, I actually would like to remove it completely (unless you think it's worthy of keeping).

Mbam will scan but will not update. I don't know why. It gives me an error message usually.

I tried to get rid of combofix how you said to. I think it worked, I don't see it on my side.

Will post the logs. ESET is a looong scan process....
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:03 AM, on 2/26/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\System32\calc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ReceiveUtility] C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/54.16/uploader2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9db1244a666a0) (gupdate1c9db1244a666a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7704 bytes


Can't get a log from the scanner you told me to use.
 
Do this online scan instead:
Open
Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

The one Mbam log you left shows a file in Qoobox. This is the quarantine folder from Combofix. Did you uninstall Combofix as I requested?

Platform: Windows Vista SP1: you are not current in updates: Vista has SP2 out now:
Visit the Microsoft Download Site. You should get All updates marked Critical and the current SP updates:Vista> SP2

Did you have the calculator open when you ran the HJT? Or have you set it to launch on boot:
C:\Windows\System32\calc.exe

This can be launched by the W32/Bagle@MM. We really need to get a current AV scan on the system.
 
Kapersky is getting nothing, and I can't get a log. What is the deal?

I also did have that calculator open. I can scan again if I need to without it open.

Combofix seems to be gone.

The re-direct is still on the computer.
 
When you're scanning for malware, it is best if you are not running other programs or apps.

I don't have enough information from you. I understand that you are displeased the redirect is happening- so it everyone else it happens to. But I have to have some information about what is on your system to try and fix it!

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
Notes:

  • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
.
When you have finished, rescan with HijackThis
Attach both Combofix report and new HJT log to next reply.
Please be sure there are no programs or apps running when you do the scans.
Please don't run any other cleaning programs unless I ask you to.
 
The windows update went as planned, basically made me hit a restore point in safe mode just to turn the computer back on.

Will attach logs after running the requested reports.
 
basically made me hit a restore point in safe mode just to turn the computer back on.
Click to expand...

Depending on the restore point used, it is possible that the system could have been reinfected.
 
Status
Not open for further replies.

Similar threads

Cal Jeffrey
Is Hello Games finally calling No Man's Sky "complete" with the Omega update?
Replies
12
Views
662
erickmendes
erickmendes
Shawn Knight
Reddit signs lucrative AI content licensing deal with Google in anticipation of IPO
Replies
10
Views
286
Gezzer
G
Cal Jeffrey
Out of Japan: This ultra-low-end 1-bit DIY "computer" sold out immediately after launch
Replies
10
Views
386
Cal Jeffrey
Cal Jeffrey

Latest posts

Back