Internet browser redirects me to ad sites

Status
Not open for further replies.
Hey everyone,

For a couple of weeks now, both my internet browsers (Firefox more so than Internet Explorer) have been redirecting me to two main ad sites when I use Google or Bing (I can tell right away because of the symbol to the left of the web address, a creepy 2 or a green globe). At one point both internet browsers could not connect to the internet, even when I was connected and Skype could connect. but then I ran this through the command thingy and it worked: netsh winsock reset catalog, (press enter) netsh int ip reset reset.log
When following the 8 step virus/spyware/malware removal thing on this site, I installed noscript (because I didn't know how to disable script blocking protection) and now it redirects me to a broken link (blocked by noscript) but still not the original site I clicked on. If I need to re-do the DDS scan, can someone please tell me how to disable script blocking protection? I have Java, AVG, Hitman Pro, and Malwarebytes.But I was disconnected from the internet and none of those programs were running when I did the DDS scan. Here are my logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4182

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/9/2010 1:17:33 AM
mbam-log-2010-06-09 (01-17-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 213138
Time elapsed: 52 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f963f86d-8241-cb9d-eb1a-80d636ec419c} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f963f86d-8241-cb9d-eb1a-80d636ec419c} (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2010-06-09 05:19:25
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxrcypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9203380, 0x346307, 0xE8000020]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB90C5F80]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[752] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[752] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0027000A
.text C:\WINDOWS\Explorer.EXE[2536] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0028000A
.text C:\WINDOWS\Explorer.EXE[2536] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0026000C
.text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
.text C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009E2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009E2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009E2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[2960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009E2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C32EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C32C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C32C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3056] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C32C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A12EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A12C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A12C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A12C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe[3712] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 

Attachments

  • Attach.txt
    13.5 KB · Views: 2
here's the dds log..

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 7:55:03.06 on Wed 06/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1956 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208725892498
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208725939638
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\tokj8z2i.default\
FF - prefs.js: browser.startup.homepage - blackle.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-6-5 52872]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-7-14 19240]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-5 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-5 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-5 242896]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-5 308064]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2005-3-30 173824]
S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2005-3-30 29184]
S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2005-3-30 9088]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-5 430152]

=============== Created Last 30 ================

2010-06-09 07:12:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-09 07:12:47 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-09 06:03:46 0 d-----w- c:\windows\system32\scripting
2010-06-09 06:03:46 0 d-----w- c:\windows\l2schemas
2010-06-09 06:03:45 0 d-----w- c:\windows\system32\en
2010-06-09 06:03:45 0 d-----w- c:\windows\system32\bits
2010-06-08 04:09:00 0 d-----w- c:\docume~1\admini~1\applic~1\AVG9
2010-06-06 05:31:17 131 ----a-w- c:\windows\CRC.INI
2010-06-06 05:06:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-06 04:29:52 0 d--h--w- C:\$AVG
2010-06-06 04:29:41 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-06 04:29:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-06 04:29:06 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-06 04:12:26 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-06-06 04:12:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-06 04:12:22 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-06 04:12:14 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-06 04:11:58 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-06 04:11:48 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-06-06 04:07:44 0 d-----w- c:\program files\AVG
2010-06-06 04:07:08 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-06-06 03:45:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 03:45:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-06 03:45:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-05 01:43:12 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-06-05 01:42:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-31 02:04:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-30 23:33:39 0 d-----w- C:\spoolerlogs
2010-05-30 23:32:55 0 d-----w- c:\docume~1\admini~1\applic~1\Street-Ads
2010-05-30 23:32:39 0 d-----w- c:\docume~1\admini~1\applic~1\Sky-Banners
2010-05-30 23:32:08 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-30 23:32:07 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-30 23:32:04 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-30 23:31:29 0 d-----w- c:\docume~1\admini~1\applic~1\87B31580A174C77DEA74DB85A7F7E313
2010-05-30 21:51:00 3276 ----a-w- c:\windows\system32\wbem\Outlook_01cb004230f9754c.mof

==================== Find3M ====================


============= FINISH: 7:56:43.09 ===============
 
There is an additional log for DDS named Attach.txt.
Additionally, please follow the step to run Malwarebytes.

Leave both logs in your next reply.
 
hey,
my attach log is attached to my first post. i tried to attach it again in case you couldn't see it or something, but it wouldn't let me as it is already attached in this thread. here's my malwarebytes log... thanks!

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4182

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/10/2010 8:15:29 PM
mbam-log-2010-06-10 (20-15-29).txt

Scan type: Quick scan
Objects scanned: 160509
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Sorry- I missed the log. There isn't much in these logs. I want you to run the following:

Please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3].Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
================================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave both of those logs in your next reply..
I recommend that you uninstall BitTorrent. If you choose note to, do not use it while I am helping you.

Please do not use any other cleaning programs or scans while I'm working with you unless I direct you to. Do not use a Registry Cleaner or make any Registry changes.

Disable Hitman Pro. I will have you uninstall it, giving you reasons why you should not use it.

I note that the homepage in Firefox is set to blackle.com. Have you set this page?
 
Hello bobbye,

I have uninstalled hitman pro and bit torrent. can you tell me why you don't recommend hitman pro?

yes, I have set my homepage to blackle.com (the energy saving search engine!).

the two logs are attached. also, for eset online scanner, there were two options for scanning applications (like 1. scan potentially unwanted applications and 2. scan potentially unsafe applications) or somethign like that so I just checked them both.

thankssssssss!
 

Attachments

  • ComboFix.txt
    15.1 KB · Views: 2
  • log.txt
    860 bytes · Views: 1
Sorry for delay- illness in family.

1. Part of the Combofix header is missing. It tells me which AV programs and firewall are running or disabled.
2. You have multiple antivirus programs running: AVG, Avast and data from Symantec.
Please decide which antivirus program you want and remove the other. Multiple antivirus programs make the system more vulnerable. Use these Tools to remove AV programs you don't want:
Avast Removal
Norton Removal Tool
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.
Please reboot after removals.

3. Do you know what this folder is?
:\documents and settings\Administrator\Local Settings\Application Data\diworcgvl

4.
Is there a particular reason you don't recommend the Hitman program?
Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
Anti-spyware program combines up to six popular engines to maximize removal effectiveness.
Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30 trial.

The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

Hitman Pro is using other people’s knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

The new version of Hitman Pro, version 3, uses:
  • NOD32 Antivirus
  • Avira AntiVir
  • Prevx
  • G DATA Anti-Virus
  • a-squared Anti-Malware
Virus scanners are not installed on the local computer, but in the scan cloud on Internet
Unlimited free scanning and free 30-day version to remove detected malware

None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.
---------------------------------------
5. After the antivirus removals have been done, please run the following:

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
c:\windows\system32\drivers\hitmanpro35.sys
c:\windows\system32\bootdelete.exe

Folder::
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\program files\Hitman Pro 3.5
C:\spoolerlogs
Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=============================
If there are still any entries left for the antivirus programs you remove, I'll see them in the report that this script generates and can set up removal.
 
Status
Not open for further replies.
Back