TechSpot

Google redirect piece of ...

By tractorback21
Feb 24, 2010
  1. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's try and get some more information. I take it you're not getting the sites you click on? Please uninstall the Malwarebytes you have on the system now- the program and the log it created.

    Then follow the steps HERE.

    Scan with the updated Malware bytes, Superantispyware and follow with a new scan using HijckThis.
    Please attach all 3 logs for review.

    We'll be needing to get rid of the Crawler Toolbar and it's adware.

    Taking 'tips' to clean malware almost never works and almost always makes the problem worse!

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
     
  2. tractorback21

    tractorback21 TS Rookie Topic Starter

    I took of Crawler (total junk) and took off Malwarebytes.

    But, I have Vista and I have no idea where "Run" is now?? I click start and ???? I can't find it.

    I'm going to download malwarebytes again and scan. How do I get combofix to uninstall?
     
  3. tractorback21

    tractorback21 TS Rookie Topic Starter

    Oh, and yes, I get false search results and then a redirect message and some junk sites come up. This should be a new hate crime... :)
     
  4. tractorback21

    tractorback21 TS Rookie Topic Starter

    Ah, found out how to do "run" now.... Can't they leave well enough alone?
     
  5. tractorback21

    tractorback21 TS Rookie Topic Starter

    Malwarebytes won't download. It keeps giving me the "can't open web page" explorer page. Sneaky spware!!!

    I'll post the 2 new logs from Superanti, and hijack this...
     
  6. tractorback21

    tractorback21 TS Rookie Topic Starter

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/24/2010 at 03:13 PM

    Application Version : 4.34.1000

    Core Rules Database Version : 4596
    Trace Rules Database Version: 1978

    Scan type : Quick Scan
    Total Scan Time : 00:34:24

    Memory items scanned : 695
    Memory threats detected : 0
    Registry items scanned : 525
    Registry threats detected : 0
    File items scanned : 36479
    File threats detected : 14

    Adware.Tracking Cookie
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@apmebf[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@media6degrees[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@clickthrough.kanoodle[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@revsci[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@at.atwola[2].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@tracking.realtor[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@dmtracker[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@bs.serving-sys[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@eyewonder[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@kontera[2].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@serving-sys[2].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@collective-media[2].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@tacoda[1].txt
    C:\Users\KLH Insurance\AppData\Roaming\Microsoft\Windows\Cookies\klh_insurance@insightexpressai[1].txt



    The other one is attached... Again, Malwarebytes wouldn't download??? View attachment hijackthis 22224.txt
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are saying 2 different things above. If it scanned, you have a log. I need to see it. Let me be the judge of what it finds. I'd like to remove everything from Crawler if that's okay with you. It will include Spyware Terminator.

    Your search is being redirected to a site in the Ukraine. Please reopen HijackThis to 'do system scan only.' Check each of the following entries if present: Optional removals are in green.

    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\TARISS\MainMenu\MainMenu.exe See Option 1
    O4 - Startup: TexasMainMenu.lnk = C:\TARISS\MainMenu\MainMenu.exe
    See Option 1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60446
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=6044
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
    O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" See Option 2
    O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"

    O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
    O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B1C57204-5091-4C47-8EED-2FA742EAA100}: NameServer = 93.188.164.60,93.188.161.31
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


    Option 1: I cannot identify this program. Note that there are 2 S. Do you know what it is? If not, please check for removal.

    Option 2: CyberLink: none of these shortcuts need to load when you boot. Open the program when you want to use it. Don't waste the system resources.

    Close all Windows except HijackThis and click on "Fix Checked."

    Click on Start> Run> type in services.msc> double click on sp_rssrv> change the Startup Type to Disabled> Stop the Service.

    See if you can access either of these download sites for Malwarebytes:

    Link 1
    Link 2

    Run Malwarebytes, then rescan with HijackThis. Attach logs for each on next reply.
     
  8. tractorback21

    tractorback21 TS Rookie Topic Starter

    Malwarebytes downloaded from one of the two sites above, but is blocked when tyring to update. Also, I tried to go direct to their web site and explorer is blocked.

    So, I'm scanning using a december version of the program and I'll post a log for you.

    Main question, should I disconnect from the internet on this system? I don't want to be leaving myself open here.

    I ran hijack and could not find these 2:
    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\TARISS\MainMenu\MainMenu.exe See Option

    Maybe I got them already?

    Sorry, I'm kind of a rookie.... Logs in next reply. Waiting on Malware to run...
     
  9. tractorback21

    tractorback21 TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:37:27 PM, on 2/24/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18385)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\hp\support\hpsysdrv.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\PictureMover\Bin\PictureMover.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ReceiveUtility] C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/54.16/uploader2.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate1c9db1244a666a0) (gupdate1c9db1244a666a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7420 bytes


    Malwarebytes Log here:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    2/24/2010 10:32:29 PM
    mbam-log-2010-02-24 (22-32-29).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 289915
    Time elapsed: 1 hour(s), 10 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Qoobox\Quarantine\C\Windows\System32\drivers\roqjjd.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.



    Was in a hurry so I copied and pasted.
     
  10. tractorback21

    tractorback21 TS Rookie Topic Starter

    I'm still having the issue. Let me know if I need to do anything else.

    Also, let me know if I should disconnect the net for security.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    tractorback21, if you need to add, change or correct something in a post and there is no reply yet, please use the Edit feature instead of making a new reply.

    It's doesn't make any sense to me that Mbam is the only program you're having a problem with. It does show a Rootkit was found and quarantined by Combofix. If you uninstalled Combofix as I instructed, the Qoobox entry shouldn't be in Mbam.

    If you did not uninstall Combofix, please do so. Then do the following:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Rescan with HJT when finishes and leave both logs in next reply.

    I don't see any reason at this point to disconnect from the internet. But I would like to know if Norton is updating.

    I would like to point out that you are behind on updates: you have Vista SP1> you should have SP2 at this point:
    Visit the Microsoft Download Site. You should get All updates marked Critical and the current SP updates: Vista> SP2
     
  12. tractorback21

    tractorback21 TS Rookie Topic Starter

    I don't use Norton, I actually would like to remove it completely (unless you think it's worthy of keeping).

    Mbam will scan but will not update. I don't know why. It gives me an error message usually.

    I tried to get rid of combofix how you said to. I think it worked, I don't see it on my side.

    Will post the logs. ESET is a looong scan process....
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try running Mbam in Safe Mode.
     
  14. tractorback21

    tractorback21 TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:52:03 AM, on 2/26/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\hp\support\hpsysdrv.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\PictureMover\Bin\PictureMover.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
    C:\Windows\System32\calc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ReceiveUtility] C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/54.16/uploader2.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://quicksilver.mercuryinsurance.com/engine/isetup.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\coIEPlg.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate1c9db1244a666a0) (gupdate1c9db1244a666a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7704 bytes


    Can't get a log from the scanner you told me to use.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do this online scan instead:
    Open
    Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    The one Mbam log you left shows a file in Qoobox. This is the quarantine folder from Combofix. Did you uninstall Combofix as I requested?

    Platform: Windows Vista SP1: you are not current in updates: Vista has SP2 out now:
    Visit the Microsoft Download Site. You should get All updates marked Critical and the current SP updates:Vista> SP2

    Did you have the calculator open when you ran the HJT? Or have you set it to launch on boot:
    C:\Windows\System32\calc.exe

    This can be launched by the W32/Bagle@MM. We really need to get a current AV scan on the system.
     
  16. tractorback21

    tractorback21 TS Rookie Topic Starter

    Kapersky is getting nothing, and I can't get a log. What is the deal?

    I also did have that calculator open. I can scan again if I need to without it open.

    Combofix seems to be gone.

    The re-direct is still on the computer.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you're scanning for malware, it is best if you are not running other programs or apps.

    I don't have enough information from you. I understand that you are displeased the redirect is happening- so it everyone else it happens to. But I have to have some information about what is on your system to try and fix it!

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
    .
    When you have finished, rescan with HijackThis
    Attach both Combofix report and new HJT log to next reply.
    Please be sure there are no programs or apps running when you do the scans.
    Please don't run any other cleaning programs unless I ask you to.
     
  18. tractorback21

    tractorback21 TS Rookie Topic Starter

    The windows update went as planned, basically made me hit a restore point in safe mode just to turn the computer back on.

    Will attach logs after running the requested reports.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Depending on the restore point used, it is possible that the system could have been reinfected.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...