Resolved Getting help elsewhere. Firefox and IE keep redirecting log attached

Status
Not open for further replies.

bic23

Hi. Both my Firefox and IE8 browsers keep redirecting me to random sites. My avast antivirus has suddenly been disabled and I think the virus/malware probably had something to do with it. I fixed something called sharedtaskscheduler browseruri but that didn't seem to fix it. I ran another HijackThis log and here is the current one. Your help is greatly appreciated. Thanks.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:24:53 PM, on 4/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Tlisosafuzawo] rundll32.exe "C:\WINDOWS\elujudoy.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6929 bytes
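A small triage pass over HijackThis lines like the ones in the log above, as an added example that is not part of the original post and is not a HijackThis feature: it flags the ProxyServer entry pointing at a loopback listener, the O4 Run entry that loads a DLL from the Windows root via rundll32, and orphaned entries whose file is gone. The sample lines are copied from the log above; the severity labels are this example's own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus the avast Run entry as a clean control line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Tlisosafuzawo] rundll32.exe "C:\WINDOWS\elujudoy.dll",Startup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
"""

@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "R1", "O4"
    severity: str  # "high" or "low" (heuristic labels chosen for this example)
    reason: str
    line: str

# Browser proxy pointing at a loopback listener: every HTTP request is routed
# through a local process, which is one way browser redirects are implemented.
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*\S*?(127\.0\.0\.1|localhost):(\d+)", re.I)
# Run entry that loads a DLL sitting directly in the Windows root via rundll32.
# The character class excludes backslashes, so DLLs in subfolders such as
# system32 do not match.
RUNDLL_WINROOT = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\windows\\[^\\"]+\.dll)', re.I)
# HJT marks entries whose target file no longer exists; harmless, but clutter.
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)

def triage_line(line: str):
    """Return a Finding for one HJT log line, or None if nothing stands out."""
    section = line.split(" - ", 1)[0]
    if section in ("R0", "R1"):
        m = LOCAL_PROXY.search(line)
        if m:
            return Finding(section, "high",
                           f"browser proxy set to loopback port {m.group(2)}", line)
    if section == "O4":
        m = RUNDLL_WINROOT.search(line)
        if m:
            return Finding(section, "high",
                           f"rundll32 loads {m.group(1)} from the Windows root", line)
    if ORPHAN.search(line):
        return Finding(section, "low", "entry points at a file that no longer exists", line)
    return None

def triage(log_text: str):
    """Run triage_line over a whole log; high-severity findings are listed first."""
    findings = [f for f in (triage_line(l) for l in log_text.strip().splitlines()) if f]
    return sorted(findings, key=lambda f: f.severity != "high")

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.section}: {f.reason}")
```

A loopback proxy finding is only a lead: the next step on the machine is to identify which process is listening on that port and whether it is a known local filter (some security suites use one) or an unknown binary.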
 
Welcome to TechSpot, bic23. I'll help with the malware. But I would like you to follow the preliminary removal steps HERE.

As you will see, there are 2 additional programs to run. Then rescan with HijackThis. Leave all 3 logs in your next reply. There is nothing evident in the HJT log.

Please do not run any other cleaning programs while I am helping you. Do not run a Registry cleaner or make any Registry changes.

FYI:
SharedTaskScheduler - This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines. The entries in this registry key run automatically when you start Windows.
Avant Browser URI about: Dialog XSS.
Vendor URL: http://www.avantbrowser.com/
See information HERE.

I caution you about stopping or removing any process before identifying it.
 
Here is the SUPERAntiSpyware and Malwarebytes log and current HJT log. Malwarebytes didn't detect anything but SUPERAntiSpyware did and I clicked next and finish after the scan. Whenever I start my computer I get a message that says "RunDLL error loading C:\WINDOWS\elujudoy.dll- specific module could not be found". The two items I told you that I fixed with my first HijackThis log were sharedtaskscheduler browseui and sharedtaskscheduler component categories cache daemon. When I clicked info it said that it was an undocumented registry key and the recommended action taken was that the registry value is deleted for both items.

View attachment SUPERAntiSpyware Scan Log - 04-13-2010 - 16-46-40.log

View attachment mbam-log-2010-04-13 (15-56-51).txt

View attachment HJT log.txt
 
The system is badly infected. And it appears that it may be a Virut infection. There is no fix for that and we recommend reformat and reinstall.

But I'd like you to do this first- it will either confirm or rule out Virut:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Virut is a polymorphic file infector that infects .exe, .scr, .rar, .zip, .htm, .html files. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine. It opens a backdoor by connecting to a predefined IRC server and waits for commands from the remote attacker.

The content of that scan will determine what to do next.
 
The scanner found no malware on all three of those files you told me to scan. I wasn't sure if you could copy and paste results if there was no malware found. I saw the copy to clipboard button but I didn't see a clipboard to copy and paste from. Overall no malware found.
 
Just so you know, that scan did not rule out all malware. It is mostly specific for Virut. This was found by Superantispyware:
Trojan.Agent/Gen-Virut
If it had been Virut, the removal of that one entry wouldn't have cleared the system. That's why I had you run the scan.

About the clipboard and copy and paste. You don't 'see' a clipboard. But when you 'copy' anything, it goes to that clipboard. It stays on it until you 'paste' the contents somewhere.

Please run these 2 programs while I'm offline for a while. I'm having a system problem I have to work on:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave Combofix report and Eset log in next reply.
 
No problem- it's confusing when you try to see something that isn't there!

Okay, some conditions: You are running BitComet. You have given it access through the firewall. The Java is way out of date. There are entries from another AV program loading.

Condition 1: Uninstall BitComet

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitComet for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

Condition 2: Get your Java up to date. You are using v6u4. The current version is v6u19. Every older version of Java on the machine is a vulnerability to your system. Run the following to remove all the outdated versions, then get the current:

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • Choose English from the drop-down menu and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted.
  • When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 19
Java Updates

You have Real Player set to auto-update, Google Toolbar set to auto-update and iTunes set to auto-update, but the only program that makes you vulnerable isn't updating!

Condition 3: Remove the left-over AVG entries: Multiple AV entries make you more vulnerable as well as slow the system down. This tool will help:
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

You have malware and need to go further to get rid of it. I will help you do that if you meet my 'conditions.' Why? Because there is so much junk getting on systems and it's getting very tough to get it off. If the system is full of holes like file sharing and out of date programs, the malware will be getting back in before we have time to get it all out.

Your call.
 
I don't understand because I removed BitComet a while ago through the control panel. But what I did was go back into my downloads folder and remove anything I might have downloaded through BitComet in the past. As far as AVG, I didn't see it in the control panel. I downloaded the link you told me to and it took me to a black screen that quickly appeared and then disappeared. I did the Java run where it removed old Java and installed the latest update. I believe it is now set up to automatic updates as well now. Here is the log.

View attachment JavaRalogfile.txt
 
Most users don't understand that just because they don't see a program in Add/Remove, that it isn't there. Not so. Programs can be started from the Registry and/or a Service. So even though you may not see the entries, we can in subsequent logs.

You had 4 old versions of Java. Not good. This is one that must be kept current as the updates are for security- once an update has been issued to patch a vulnerability, any remaining older versions have the unpatched vulnerability. I did find the auto-updater after all- but maybe you refused it.

You also need to be aware of the fact that you got a Beta version of HijackThis- somewhere else because it's not what we have on the thread. I'll work with the logs you left now, but I would like you to remove that Beta HJT and install v2.0.2 from HERE. You don't need to rescan yet.

Before you run this script, be sure the security programs have been disabled as in:
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
---------------------------

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\program files\BitComet\BitComet.exe
c:\docume~1\Ronald\LOCALS~1\Temp\RGIE.tmp
C:\WINDOWS\elujudoy.dll
c:\progra~1\Grisoft\AVG7\avgcc.exe [N/A]
c:\documents and settings\All Users\Application Data\4mAX17Bj3.dat
c:\windows\Yrojunitoba.bin
c:\windows\Lpuka.dat
c:\documents and settings\Ronald\Application Data\Real\Update\setup3.10\setup.exe
c:\progra~1\Grisoft\AVG7\avgcc.exe 

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]

Folder::

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

I didn't include this in the script, but I wondered if you were still using it. It looks like you're using a laptop with the touchpad enabled:
2006-06-09 19:47 >>Mouse Suite 98 Daemon.
 
You mentioned the touchpad, I recently downloaded a driver for my touchpad, but I still have trouble because it won't scroll. Furthermore, other than looking for the files that were downloaded by bitcomet I don't know how else to completely delete it from my computer. I did delete the beta version and installed the v2.0.2 as well.
Here is the log.

View attachment CFTlog1.txt
 
About the touchpad: Go to the Control Panel> Mouse> Gestures tab> check 'use scroll' and 'use forward/back buttons'> Set the dialog boxes for each of the 4 corners as you want> click on Apply> OK when through. You can also use the Touchpad tab to set sensitivity and tapping. It may take a few tries to get it as you want.

About BitComet: It should be gone. There are entries that show up in Combofix that you don't see in your system. If you look at the log from the script- at the top- for files and deleted, you'll see several entries for BitComet. I also moved an AVG v7 entry.

How is the redirect problem now? Are you having any other problems that might be related to the malware? (Not the mouse scroll.)

Please scan with HijackThis and let me see if there are any entries to remove. Thank you for following my "Conditions." Your system will be the better for them.
 
As of now I'm not having any issues with re-directing or constant trojan attack warnings from my avast antivirus. I tried the control panel mouse instructions but there is no Gestures tab so I went to the touchpad icon at the lower right hand of my screen and tried to alter the scrolling settings but nothing pops up when I click on the option scrolling settings like it does for all the other three options like device settings, button settings, etc. Here is the log.

View attachment hijackthislogv2.txt
 
I don't think the mouse problem is related to malware. So I suggest you post in the Windows forum right above this one and request guidance.

I'd like to see the Combofix report that was generated after you ran the script. If nothing else needs to be moved, I'll have you remove the cleaning tools.
 
I thought I already attached that log in my previous post. Every time I try to attach it it says that I've already attached it in this post.
 
Since you are leaving additional logs on another board and getting help elsewhere, I'll end my support now.

http://www.spywareinfoforum.com/ind...ywareinfoforum.com/index.php?showtopic=128277
Someone else also looked at my computer and they said they think it may be a Virut virus. Here are the logs.

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums.
 