TechSpot

Internet browser redirects me to ad sites

By tutti
Jun 9, 2010
  1. Hey everyone,

    For a couple of weeks now, both my internet browsers (Firefox more so than Internet Explorer) have been redirecting me to two main ad sites when I use Google or Bing (I can tell right away because of the symbol to the left of the web address, a creepy 2 or a green globe). At one point both internet browsers could not connect to the internet, even when I was connected and Skype could connect. But then I ran this through the command thingy and it worked: netsh winsock reset catalog (press enter), netsh int ip reset reset.log.
    When following the 8 step virus/spyware/malware removal thing on this site, I installed NoScript (because I didn't know how to disable script blocking protection) and now it redirects me to a broken link (blocked by NoScript) but still not the original site I clicked on. If I need to re-do the DDS scan, can someone please tell me how to disable script blocking protection? I have Java, AVG, Hitman Pro, and Malwarebytes. But I was disconnected from the internet and none of those programs were running when I did the DDS scan. Here are my logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4182

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    6/9/2010 1:17:33 AM
    mbam-log-2010-06-09 (01-17-33).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 213138
    Time elapsed: 52 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f963f86d-8241-cb9d-eb1a-80d636ec419c} (Adware.Adrotator) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f963f86d-8241-cb9d-eb1a-80d636ec419c} (Adware.Adrotator) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15252 - http://www.gmer.net
    Rootkit scan 2010-06-09 05:19:25
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxrcypoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9203380, 0x346307, 0xE8000020]
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB90C5F80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\wuauclt.exe[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
    .text C:\WINDOWS\system32\wuauclt.exe[184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\system32\wuauclt.exe[184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
    .text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
    .text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
    .text C:\WINDOWS\System32\svchost.exe[752] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00B6000A
    .text C:\WINDOWS\Explorer.EXE[2536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0027000A
    .text C:\WINDOWS\Explorer.EXE[2536] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0028000A
    .text C:\WINDOWS\Explorer.EXE[2536] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0026000C
    .text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
    .text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009E2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009E2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009E2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009E2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     

    Attached Files:

  2. tutti

    tutti TS Rookie Topic Starter

    Here's the DDS log.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 7:55:03.06 on Wed 06/09/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1956 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208725892498
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208725939638
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tokj8z2i.default\
    FF - prefs.js: browser.startup.homepage - blackle.com
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-6-5 52872]
    R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-7-14 19240]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-5 216200]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-5 29584]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-5 242896]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-5 308064]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
    S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
    S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-5 430152]

    =============== Created Last 30 ================

    2010-06-09 07:12:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-06-09 07:12:47 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-09 06:03:46 0 d-----w- c:\windows\system32\scripting
    2010-06-09 06:03:46 0 d-----w- c:\windows\l2schemas
    2010-06-09 06:03:45 0 d-----w- c:\windows\system32\en
    2010-06-09 06:03:45 0 d-----w- c:\windows\system32\bits
    2010-06-08 04:09:00 0 d-----w- c:\docume~1\admini~1\applic~1\AVG9
    2010-06-06 05:31:17 131 ----a-w- c:\windows\CRC.INI
    2010-06-06 05:06:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-06-06 04:29:52 0 d--h--w- C:\$AVG
    2010-06-06 04:29:41 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-06-06 04:29:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-06-06 04:29:06 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-06-06 04:12:26 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-06-06 04:12:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-06 04:12:22 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-06-06 04:12:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-06 04:11:58 0 d-----w- c:\windows\system32\drivers\Avg
    2010-06-06 04:11:48 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
    2010-06-06 04:07:44 0 d-----w- c:\program files\AVG
    2010-06-06 04:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2010-06-06 03:45:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-06 03:45:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-06 03:45:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-05 01:43:12 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-06-05 01:42:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-05-31 02:04:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-05-30 23:33:39 0 d-----w- C:\spoolerlogs
    2010-05-30 23:32:55 0 d-----w- c:\docume~1\admini~1\applic~1\Street-Ads
    2010-05-30 23:32:39 0 d-----w- c:\docume~1\admini~1\applic~1\Sky-Banners
    2010-05-30 23:32:08 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-30 23:32:07 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
    2010-05-30 23:32:04 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-30 23:31:29 0 d-----w- c:\docume~1\admini~1\applic~1\87B31580A174C77DEA74DB85A7F7E313
    2010-05-30 21:51:00 3276 ----a-w- c:\windows\system32\wbem\Outlook_01cb004230f9754c.mof

    ==================== Find3M ====================


    ============= FINISH: 7:56:43.09 ===============
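Two parts of this DDS log carry the information a helper actually works from: the Pseudo HJT report, where two registrations (one BHO, one toolbar) point at "No File", and the "Created Last 30" timeline, where a cluster of folders (Street-Ads, Sky-Banners, a 32-hex-character name, spoolerlogs) and three drivers all appear within about two minutes on 2010-05-30. The Python below is an added example written for this thread, not a tool from TechSpot, DDS or the poster; the regular expressions are my reading of the line formats shown above, the pivot-window idea is ordinary timeline triage, and the sample input is a subset of lines copied from the posted log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log posted above (Pseudo HJT report
# and "Created Last 30" sections), trimmed so the block runs offline.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

=============== Created Last 30 ================

2010-06-05 01:43:12 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-05-30 23:33:39 0 d-----w- C:\spoolerlogs
2010-05-30 23:32:55 0 d-----w- c:\docume~1\admini~1\applic~1\Street-Ads
2010-05-30 23:32:39 0 d-----w- c:\docume~1\admini~1\applic~1\Sky-Banners
2010-05-30 23:32:08 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-30 23:31:29 0 d-----w- c:\docume~1\admini~1\applic~1\87B31580A174C77DEA74DB85A7F7E313
2010-05-30 21:51:00 3276 ----a-w- c:\windows\system32\wbem\Outlook_01cb004230f9754c.mof
"""

# "BHO: <name>: {clsid} - <path>" or "TB: {clsid} - No File" (name is optional)
ADDON_RE = re.compile(
    r"^(?P<kind>BHO|TB):\s+(?:(?P<name>.+?):\s+)?(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.+)$")

# "<date> <time> <size> <attrs> <path>" as printed in the Created Last 30 section
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$")


def parse_dds(text):
    """Return (browser add-on registrations, created-file timeline) from a DDS log."""
    addons, created = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ADDON_RE.match(line)
        if m:
            addons.append(m.groupdict())
            continue
        m = CREATED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.strptime(rec["when"], "%Y-%m-%d %H:%M:%S")
            rec["size"] = int(rec["size"])
            rec["is_dir"] = rec["attrs"].startswith("d")
            created.append(rec)
    return addons, created


def orphaned_addons(addons):
    """BHO/toolbar registrations whose DLL is gone ("No File"). Usually leftovers of
    an uninstall, but either way the registration is dead weight and gets removed."""
    return [a for a in addons if a["path"].strip().lower() == "no file"]


def created_near(created, pivot_path, minutes=5):
    """Timeline pivot: everything created within +/- `minutes` of the entry whose
    path ends with `pivot_path`, oldest first. Files dropped by one installer or
    one infection cluster tightly in time, so the neighbours of one suspicious
    folder usually reveal the rest of the drop."""
    pivot = next(e for e in created if e["path"].lower().endswith(pivot_path.lower()))
    window = timedelta(minutes=minutes)
    return sorted((e for e in created if abs(e["when"] - pivot["when"]) <= window),
                  key=lambda e: e["when"])


if __name__ == "__main__":
    addons, created = parse_dds(SAMPLE_DDS)
    for a in orphaned_addons(addons):
        print(f"orphan {a['kind']} {a['clsid']}")
    for e in created_near(created, r"applic~1\Street-Ads"):
        print(e["when"], e["size"], e["path"])
```

Pivoting on the Street-Ads folder with a five-minute window returns the hex-named folder, the lbrtfdc.sys driver, Sky-Banners and spoolerlogs together, and leaves the unrelated Outlook .mof from two hours earlier out; that is the grouping a helper is looking at when they ask what a particular folder is.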
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is an additional log for DDS named Attach.txt.
    Additionally, please follow the step to run Malwarebytes.

    Leave both logs in your next reply.
     
  4. tutti

    tutti TS Rookie Topic Starter

    Hey,
    my attach log is attached to my first post. I tried to attach it again in case you couldn't see it or something, but it wouldn't let me as it is already attached in this thread. Here's my Malwarebytes log... thanks!

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4182

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    6/10/2010 8:15:29 PM
    mbam-log-2010-06-10 (20-15-29).txt

    Scan type: Quick scan
    Objects scanned: 160509
    Time elapsed: 9 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I missed the log. There isn't much in these logs. I want you to run the following:

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ================================
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Leave both of those logs in your next reply.
    I recommend that you uninstall BitTorrent. If you choose not to, do not use it while I am helping you.

    Please do not use any other cleaning programs or scans while I'm working with you unless I direct you to. Do not use a Registry Cleaner or make any Registry changes.

    Disable Hitman Pro. I will have you uninstall it, giving you reasons why you should not use it.

    I note that the homepage in Firefox is set to blackle.com. Have you set this page?
     
  6. tutti

    tutti TS Rookie Topic Starter

    Hello Bobbye,

    I have uninstalled Hitman Pro and BitTorrent. Can you tell me why you don't recommend Hitman Pro?

    Yes, I have set my homepage to blackle.com (the energy saving search engine!).

    The two logs are attached. Also, for ESET Online Scanner, there were two options for scanning applications (like 1. scan potentially unwanted applications and 2. scan potentially unsafe applications) or something like that, so I just checked them both.

    thankssssssss!
     

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay- illness in family.

    1. Part of the Combofix header is missing. It tells me which AV programs and firewall are running or disabled.
    2. You have multiple antivirus programs running: AVG, Avast and data from Symantec.
    Please decide which antivirus program you want and remove the other. Multiple antivirus programs make the system more vulnerable. Use these Tools to remove AV programs you don't want:
    Avast Removal
    Norton Removal Tool
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.
    Please reboot after removals.

    3. Do you know what this folder is?
    :\documents and settings\Administrator\Local Settings\Application Data\diworcgvl

    4.
    Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
    Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30 trial.

    The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

    Hitman Pro is using other people’s knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

    The new version of Hitman Pro, version 3, uses:
    None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.
    ---------------------------------------
    5. After the antivirus removals have been done, please run the following:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\windows\system32\bootdelete.exe
    
    Folder::
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\program files\Hitman Pro 3.5
    C:\spoolerlogs
    Registry::
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
    =============================
    If there are still any entries left for the antivirus programs you remove, I'll see them in the report that this script generates and can set up removal.
     
Topic Status:
Not open for further replies.
