By blacklotas
May 12, 2010
  1. Well, I'm helping my friend with his computer. Currently the links are being redirected when he clicks on them. This happens in Firefox and IE.

    Malwarebytes' Anti-Malware 1.46

    Database version: 4094

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    5/12/2010 3:45:50 PM
    mbam-log-2010-05-12 (15-45-50).txt

    Scan type: Quick scan
    Objects scanned: 122542
    Time elapsed: 3 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\WINDOWS\PRAGMAbiqjpwtpev (Trojan.DNSChanger) -> No action taken.
    C:\WINDOWS\PRAGMAorpvnsspib (Trojan.DNSChanger) -> No action taken.
    C:\WINDOWS\PRAGMArtccpxepmt (Trojan.DNSChanger) -> No action taken.

    Files Infected:
    C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> No action taken.

    I did click to remove these, but I clicked to save the log before I did.

    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by Stevo at 16:12:33.51 on Wed 05/12/2010
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1716 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Documents and Settings\Stevo\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [Fraps] c:\fraps\FRAPS.EXE
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Zboard] f:\program files\fang\Zboard.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~2.lnk - c:\windows\installer\{bdc88e5a-f47b-4314-ab38-994592e32c95}\NewShortcut1.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-142\wirelesscm.exe
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {AB4ADC0F-2B4B-4B08-8B5C-CA4D6188A180} - hxxp://
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\stevo\applic~1\mozilla\firefox\profiles\myprdm2u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\stevo\application data\mozilla\firefox\profiles\myprdm2u.default\extensions\\components\coolirisstub.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\stevo\application data\move networks\plugins\npqmp071505000010.dll
    FF - plugin: c:\documents and settings\stevo\application data\mozilla\firefox\profiles\myprdm2u.default\extensions\\plugins\npLogitechDeviceDetection.dll
    FF - plugin: c:\documents and settings\stevo\application data\mozilla\firefox\profiles\myprdm2u.default\extensions\\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\stevo\application data\mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\stevo\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-2-16 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-2-16 5248]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-10 64288]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-25 242896]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-25 216200]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-16 29512]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-13 916760]
    S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
    S2 gupdate1c9b79c4eb6d65a;Google Update Service (gupdate1c9b79c4eb6d65a);c:\program files\google\update\GoogleUpdate.exe [2009-4-7 133104]
    S3 MAUSBJL;Service for M-Audio JamLab Driver (WDM);c:\windows\system32\drivers\mausbjl.sys --> c:\windows\system32\drivers\mausbjl.sys [?]
    S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2009-3-12 215552]

    =============== Created Last 30 ================

    2010-05-12 19:33:26 0 d-----w- c:\docume~1\stevo\applic~1\Malwarebytes
    2010-05-12 19:33:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-12 19:33:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-05-12 19:33:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-12 19:33:18 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-12 19:31:05 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-05-12 16:44:48 0 d-----w- c:\docume~1\stevo\applic~1\Logishrd
    2010-05-12 01:49:05 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-05-11 13:59:57 0 d-----w- c:\docume~1\alluse~1\applic~1\
    2010-05-11 13:59:47 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-05-11 13:59:47 0 d-----w- c:\docume~1\stevo\applic~1\
    2010-05-11 04:37:17 0 d-----w- c:\program files\ESET
    2010-05-10 04:41:28 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-05-10 04:41:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-05-10 04:37:31 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-05-10 04:37:15 0 d-----w- c:\program files\Lavasoft
    2010-05-04 22:16:21 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    2010-04-17 05:54:22 821 ----a-w- c:\documents and settings\stevo\.recently-used.xbel
    2010-04-16 03:37:57 151 ----a-w- c:\windows\PhotoSnapViewer.INI
    2010-04-15 03:26:30 0 d-----w- c:\program files\common files\xing shared

    ==================== Find3M ====================

    2010-04-20 15:08:13 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-31 01:58:04 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-03-31 01:58:04 133616 -c----w- c:\windows\system32\pxafs.dll
    2010-03-31 01:58:04 125424 -c----w- c:\windows\system32\pxinsi64.exe
    2010-03-31 01:58:04 123888 -c----w- c:\windows\system32\pxcpyi64.exe
    2010-03-13 15:01:17 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
    2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll

    ============= FINISH: 16:13:20.17 ===============

    I could not get GMER to work. As soon as I started it, the GUI would lock up so I could not uncheck the devices, and about 2 seconds later it would crash. After the crash I was unable to shut down Windows.

    Please help, as this is a very frustrating one. If you want a HijackThis log, I have one attached.

  2. Bobbye


    There are some problems with what I'm seeing in the logs:

    1. Malwarebytes will have to be updated and run again. Malware was found but you did not check the line for removal, so it's still on the system. Each entry shows "No Action Taken."
    2. Your friend is running file sharing programs, Azureus and Vuze:
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    If you decide not to uninstall these programs, do not use them while I am helping clean the system.

    3. There is at least one program on the system indicating that keys may be sought to pirate programs. That must be uninstalled: Keyfinder Advanced 2007 (Trial Version)
    4. There are 5 outdated versions of Java on the system which need to be removed. They are vulnerabilities for the system:
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

    5. There are 2 installations of Spybot Search & Destroy. Neither is current. One should be updated, the other removed.

    6. He has porn on the system: VirtuaGirl HD

    Because of #3 and #6, I am declining help.
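The two checks Bobbye makes by eye above (detections left at "No action taken" in the MBAM log, and outdated Java versions visible as DPF/extension CLSIDs in the DDS log) can be scripted. This is an added example, not part of the thread, run over constructed excerpts in the two log formats; the Java decoding relies on Sun's CLSID convention CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA, which the log's 0016-0000-0020 entry (BrowserJavaVersion 1.6.0_20) bears out.

```python
import re

# Constructed excerpt in the Malwarebytes' Anti-Malware log format from the thread.
MBAM_LOG = """\
Folders Infected:
C:\\WINDOWS\\PRAGMAbiqjpwtpev (Trojan.DNSChanger) -> No action taken.
C:\\WINDOWS\\PRAGMAorpvnsspib (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\\Documents and Settings\\All Users\\Favorites\\_favdata.dat (Malware.Trace) -> No action taken.
"""

# Constructed excerpt of DDS "DPF:" lines; the Flash CLSID is included as a non-Java control.
DDS_LOG = """\
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
"""

# "<path> (<threat name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Sun Java CLSIDs: CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA encodes version 1.M.m_uu.
JAVA_CLSID_RE = re.compile(r"\{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA\}", re.I)


def unresolved_detections(log):
    """Return (path, threat) for every MBAM item whose action is 'No action taken'."""
    found = []
    for line in log.splitlines():
        m = ITEM_RE.match(line.strip())
        if m and m.group("action").lower().startswith("no action taken"):
            found.append((m.group("path"), m.group("name")))
    return found


def java_versions(log):
    """Return the sorted, de-duplicated Java versions implied by CAFEEFAC CLSIDs in a DDS log."""
    versions = set()
    for family, minor, update in JAVA_CLSID_RE.findall(log):
        # "0016" -> major "1", minor-family "6"; "0000" -> ".0"; "0003" -> "_03".
        versions.add(f"{family[2]}.{family[3]}.{int(minor)}_{int(update):02d}")
    return sorted(versions)


if __name__ == "__main__":
    for path, threat in unresolved_detections(MBAM_LOG):
        print(f"UNRESOLVED {threat}: {path}")
    print("Java versions present:", ", ".join(java_versions(DDS_LOG)))
```

Anything the first function reports is still on the disk and needs a re-run with the removal boxes ticked; anything the second function lists below the current update is an old JRE to uninstall.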
  3. Bobbye


    Closed due to inactivity.
