
Help!! Redirect Google Websites

Dell / Latitude/d600
February 20, 2009 at 07:11:43
Specs: Windows XP

When I select a link in Google as a result of a search I'm redirected to a different website. On the tab at the top while processing I see http://mypinkelephantz.com. I haven't been able to copy the rest of it. Here is what I have been able to copy:

http://push-analytics.com/ap-IwEAAF...

http://216.133.243.28/2.php?sid=777...

Also, I have AVG Virus Protection. When I try to run it the message says that I'm not connecting to the server.

I appreciate any help you can give. Note: I'm not technical.

Thanks,
LB





#1
February 20, 2009 at 19:33:29

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
February 22, 2009 at 15:10:54

Thank you for responding. However, before I could start the process you offered, my internet stopped connecting. I'm getting these pop-ups from Spyware Protect 2009 saying I have a virus, do I want to "block the attack". I can't get rid of the pop-ups from this site. I have Cyberdefender, installed within the last day or so, after all this mess started, but it didn't fix the problem. Spyware Project 2009 shows an icon in the left lower side of my screen, but the program isn't showing up when I list programs hoping to delete it.

Spyware Project automatically runs a program and shows 34 viruses. I was able to type up a list of those but I don't know where to go from here. When I try to connect to the internet I get HTTP 404 Not Found. HELP!!! please...



#3
February 22, 2009 at 16:01:05

Sounds like a domain problem, this .reg file may fix it.

Open notepad (Start Menu > Run > type notepad and press "ok").

Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

Restart the computer and try to download Malwarebytes ASAP.




#4
February 22, 2009 at 16:35:07

You are my new best friend. I actually continued to look at similar problems while I waited for a response. I found a request from Nox54 in which you responded and suggested the software be downloaded on the USB. So, I did that, followed your instructions to the letter, got the notepad log, rebooted and HURRAH... was able to log into Yahoo, everything looks good. The icon from the Spyware Project is no longer in the left corner. Thank you, thank you, thank you.

I do have another quick question. I purchased CyberDefender, which was no help; what exactly should I have on my PC to avoid this problem in the future? Because I downloaded the Malwarebytes to my USB I don't have the latest version. I can now update that. Do I need anything other than Malwarebytes Anti-Malware? Again, I can't thank you enough. I've had a terrible time! I'm not technical. Your directions were terrific.



#5
February 22, 2009 at 16:41:21

Update: When I opened Malwarebytes' to update to the latest version, Spyware Project is back. I got an alert from CyberDefense that three new files had been added; sorry, I didn't take notes on those. I blocked all three, or so I thought, and am now re-running Malwarebytes. So far the scan has found 4 objects. Any suggestions?


#6
February 22, 2009 at 16:43:20

Although your computer is operating, I doubt that it is clean. It would be best to follow through with the clean-up procedure, which includes a scan from two more tools. To continue we need to see your Hijack This log.


#7
February 22, 2009 at 17:09:50

I need to continue your instructions. I stopped after running the first software. I assumed the latter part of your instructions were specific to if you weren't successful. I misunderstood, sorry. I'll wrap up the rest now and send the Hijack log.


#8
February 22, 2009 at 17:35:44

OK,

Here are the logs from (2) scans from Malwarebytes' and (1) from Hijack.

The first Malwarebytes Log:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/22/2009 7:14:59 PM
mbam-log-2009-02-22 (19-14-59).txt

Scan type: Quick Scan
Objects scanned: 75140
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 5
Files Infected: 13

Memory Processes Infected:
C:\windows\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\LB\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\windows\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot\Log\2009 Feb 20 - 10_57_21 AM_385.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot\Log\2009 Feb 20 - 12_43_40 PM_858.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-3-4-11-100012841-100014798-100000247-6331.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\windows\system32\drivers\nfr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\C41\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Local Settings\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\windows\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\windows\system32\drivers\etc\SERVICES.001 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


The second Malwarebytes' scan after reboot:

Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 5.1.2600 Service Pack 3

2/22/2009 8:06:57 PM
mbam-log-2009-02-22 (20-06-57).txt

Scan type: Quick Scan
Objects scanned: 76237
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\windows\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\windows\system32\drivers\nfr.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nfr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nfr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NFR (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NFR (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\nfr (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\windows\system32\iehelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\windows\system32\nfr.dll (Trojan.Proxy) -> Delete on reboot.
C:\Documents and Settings\LB\Local Settings\Temp\ie27.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Local Settings\Temporary Internet Files\Content.IE5\X2Z0AX3X\FlashPlayer[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\LB\Local Settings\Temporary Internet Files\Content.IE5\X2Z0AX3X\6007[1].exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\windows\system32\drivers\nfr.dll (Trojan.Agent) -> Delete on reboot.
C:\windows\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\windows\system32\drivers\nfr.dll.assembly (Trojan.Agent) -> Quarantined and deleted successfully.

The HiJack log after both scans above:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:38 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\LB\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas64.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\LB\Application Data\U3\0000169BA7758091\LaunchPad.exe
H:\Documents\Downloads\tools.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cintas Corporation
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe"
O4 - HKCU\..\Run: [SmileboxTray] "C:\Documents and Settings\LB\Application Data\Smilebox\SmileboxTray.exe"
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas64.exe" /minimize
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avginet.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloa...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O17 - HKLM\System\CCS\Services\Tcpip\..\{4823B10C-B83B-440B-9BFA-E7CBA9F4556E}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{B697C4A2-1B85-4E0C-A0CF-9F2219C742D5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 7807 bytes

Per your instructions I have not "fixed" anything in HiJack.


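The HijackThis log in the post above carries four kinds of entry that, taken together, account for the search redirect: the O17 lines set a static NameServer of 85.255.112.39,85.255.112.40 on every adapter (which matches the Trojan.DNSChanger detections in the second Malwarebytes log), the R1 ProxyServer line routes all of Internet Explorer's HTTP through localhost:7070 (matching the Trojan.Proxy detection of nfr.dll), the O1 lines map browser-security.microsoft.com to 195.245.119.131 in the hosts file, and the O15 line adds a Trusted Zone entry. The Python script below is an added example, not part of this thread or of HijackThis: it parses HijackThis entry lines and flags exactly those four classes. The sample log is constructed from a subset of the lines posted above, and the empty set of expected resolvers is an assumption (a DHCP client normally has no static NameServer at all).

```python
"""Triage a HijackThis v2 log for the network-hijack indicators seen in this thread.

Added example, not part of the thread: parses HijackThis entry lines and flags
O17 NameServer rewrites, an R1 ProxyServer pointing at a local port, O1 hosts-file
overrides and O15 Trusted Zone additions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: resolvers an operator expects to see as a static NameServer.
# A DHCP client normally has none, so an empty set is a reasonable default.
EXPECTED_RESOLVERS = frozenset()

# Constructed sample: a subset of the HijackThis log posted above (raw string,
# so the backslashes in registry paths are kept verbatim).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O15 - Trusted Zone: *.avginet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4823B10C-B83B-440B-9BFA-E7CBA9F4556E}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis prefixes each entry with a section code: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^([RFN]\d|O\d+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_hijackthis(text):
    """Return (section, body) pairs in log order, dropping exact duplicates
    (HijackThis repeats identical hosts-file lines, as in the log above)."""
    seen, entries = set(), []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(0) not in seen:
            seen.add(m.group(0))
            entries.append((m.group(1), m.group(2)))
    return entries


def _unexpected_resolvers(body):
    """IPs in a NameServer value that are neither private nor on the expected list."""
    value = body.partition("NameServer = ")[2]
    bad = []
    for ip in (p.strip() for p in re.split(r"[ ,]+", value) if p.strip()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            bad.append(ip)  # not even an IP address: treat as suspicious
            continue
        if not addr.is_private and ip not in EXPECTED_RESOLVERS:
            bad.append(ip)
    return bad


def triage(entries):
    """Flag the entry types that redirect traffic without touching the browser UI."""
    findings = []
    for section, body in entries:
        if section == "O17" and "NameServer = " in body:
            bad = _unexpected_resolvers(body)
            if bad:
                findings.append(Finding(section, "DNS resolver rewritten to " + ", ".join(bad), body))
        elif section == "R1" and ",ProxyServer = " in body:
            proxy = body.split(",ProxyServer = ", 1)[1].strip()
            if proxy:
                reason = "IE proxy set to " + proxy
                if "localhost" in proxy or "127.0.0.1" in proxy:
                    reason += " (a local process is intercepting HTTP)"
                findings.append(Finding(section, reason, body))
        elif section == "O1" and body.startswith("Hosts:"):
            ip, _, host = body[len("Hosts:"):].strip().partition(" ")
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                loopback = False
            if not loopback:  # 127.0.0.1 blocks are common ad-blocking; anything else redirects
                findings.append(Finding(section, f"hosts file sends {host} to {ip}", body))
        elif section == "O15":
            zone = body.partition(":")[2].strip()
            findings.append(Finding(section, "Trusted Zone entry added: " + zone, body))
    return findings


def triage_log(text):
    return triage(parse_hijackthis(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.entry}")
```

Run it against a saved hijackthis.log by reading the file into `triage_log`. Exact duplicate lines are collapsed before triage, so the repeated O1 entry in the posted log is reported once; a hosts entry that points at 127.0.0.1 is deliberately not flagged, because that is how ad and tracker blocklists are normally installed.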

#9
February 22, 2009 at 17:52:17

I don't see an antivirus program running, to continue you need to install one.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans. To do this click the AVG icon in the systray (bottom right of your screen)> then click exit.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, then turn off your AVG antivirus, Cyber Defender and any other antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#10
February 22, 2009 at 18:17:57

Actually CyberDefender Early Detection Center has an "earlyVirus". I started a scan and it returned with the Summary of Memory scanned - 1702; Files scanned 2584; and 0 emails scanned, perhaps because I use YAHOO.

Does any of this information change your instructions above?



#11
February 22, 2009 at 18:45:02

None whatsoever.


#12
February 23, 2009 at 08:11:23

Here is the log from ComboFix. How do I turn AVG back on? Because I couldn't get on the internet, it appeared that there were some modules of AVG that were not active and some that were; specifically, the scanning appeared to be on. I had to disable it before running ComboFix. I couldn't get on to the internet and still can't. Should I call my ISP?

ComboFix 09-02-21.01 - LB 2009-02-23 10:39:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.489 [GMT -5:00]
Running from: h:\documents\Downloads\toolb.exe.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk
c:\recycler\S-3-0-19-100017246-100030419-100010143-5424.com
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\gaopdxqjdqwbrp.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxutfmytqr.dll
H:\autorun.inf
h:\recycler\S-3-0-19-100017246-100030419-100010143-5424.com

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-23 09:57 . 2009-02-23 09:57 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-23 09:57 . 2009-02-23 09:57 <DIR> d-------- c:\program files\AVG
2009-02-23 09:57 . 2009-02-23 10:00 <DIR> d-------- c:\documents and settings\LB\Application Data\AVGTOOLBAR
2009-02-23 09:57 . 2009-02-23 09:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-23 09:57 . 2009-02-23 09:57 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-23 09:57 . 2009-02-23 09:57 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-23 09:57 . 2009-02-23 09:57 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-22 19:03 . 2009-02-22 19:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 19:03 . 2009-02-22 19:03 <DIR> d-------- c:\documents and settings\LB\Application Data\Malwarebytes
2009-02-22 19:03 . 2009-02-22 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 19:03 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 19:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-20 22:39 . 2009-02-20 22:39 0 --a------ c:\windows\system32\nfr.assembly
2009-02-20 12:53 . 2009-02-20 12:53 63 --a------ c:\windows\st_affiliate.ini
2009-02-20 12:36 . 2009-02-20 12:36 <DIR> d-------- c:\documents and settings\LB\Application Data\CyberDefender
2009-02-19 17:26 . 2009-02-19 17:26 0 --a------ c:\windows\system32\drivers\nfr.dll.mpref
2009-02-19 16:32 . 2009-02-19 16:32 0 --a------ c:\windows\system32\drivers\nfr.dll.gpref
2009-02-19 14:02 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-02-09 11:11 . 2009-02-09 11:11 <DIR> d-------- c:\program files\iTunes
2009-02-09 11:11 . 2009-02-09 11:11 <DIR> d-------- c:\program files\iPod
2009-02-09 11:11 . 2009-02-09 11:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-09 11:04 . 2009-02-09 11:04 <DIR> d-------- c:\program files\Bonjour
2009-01-28 18:02 . 2009-02-07 20:16 <DIR> d-------- c:\program files\Yahoo!
2009-01-28 18:02 . 2009-02-07 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 15:13 --------- d-----w c:\documents and settings\LB\Application Data\U3
2009-02-19 16:27 --------- d-----w c:\documents and settings\LB\Application Data\Apple Computer
2009-02-12 13:44 --------- d-----w c:\documents and settings\LB\Application Data\Smilebox
2009-02-09 16:10 --------- d-----w c:\program files\Common Files\Apple
2009-02-09 16:04 --------- d-----w c:\program files\QuickTime
2009-02-08 01:12 --------- d-----w c:\program files\Opera
2008-12-27 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-12-27 22:47 --------- d-----w c:\program files\Yahoo! Games
2008-12-27 20:35 --------- d-----w c:\documents and settings\LB\Application Data\Unity
2008-12-27 20:32 --------- d-----w c:\program files\Unity
2008-12-26 00:54 --------- d-----w c:\program files\Java
2008-09-05 15:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmileboxTray"="c:\documents and settings\LB\Application Data\Smilebox\SmileboxTray.exe" [2009-01-29 254600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"ZCfgSvc.exe"="c:\windows\System32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-07-25 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-23 1601304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-11-19 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-23 09:57 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\windows\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-23 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-23 107272]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-23 298264]
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-22 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-02-22 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7070
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: plaxo.com\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 10:44:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
c:\windows\System32\gpkcsp.dll
c:\windows\System32\gpkrsrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\RegSrvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-23 10:47:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 15:47:25

Pre-Run: 26,406,572,032 bytes free
Post-Run: 26,723,520,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

180 --- E O F --- 2009-02-12 01:52:50



#13
February 23, 2009 at 09:29:49

I have now been able to update the AVG software and it is running fine. I still cannot get on the internet; the message I get from the diagnostics I can run is that it isn't recognizing HTTP, HTTPS, and FTP. I've called my ISP and they are still troubleshooting. Any thoughts?


#14
February 23, 2009 at 14:26:46

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\nfr.assembly
c:\windows\system32\drivers\nfr.dll.mpref
c:\windows\system32\drivers\nfr.dll.gpref

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Go to Start > Control Panel > Internet Options > Connections > Settings. Make sure the box beside "Use a proxy server for this connection" is unchecked (unless you use a proxy server, of course). If you found it unchecked, restart the computer and see if you can get on the internet.

If not, it is probably because Winsock is damaged and TCP/IP needs to be reset. This is Microsoft's method for repairing them.

Step 1: Reset Winsock

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. In Registry Editor, locate the following keys, right-click each key, and then click Delete:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

4. When you are prompted to confirm the deletion, click Yes.

Note: Restart the computer after you delete the Winsock keys. Doing so causes the Windows XP operating system to create new shell entries for those two keys. If you do not restart the computer after you delete the Winsock keys, the next step does not work correctly.


Step 2: Install TCP/IP

1. Right-click the network connection, and then click Properties.
2. Click Install.
3. Click Protocol, and then click Add.
4. Click Have Disk.
5. Type C:\Windows\inf and then click OK.
6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.

Normally you do not need to go any further than this. Restart the computer and try to get online.

If Internet Protocol (TCP/IP) does not appear, follow these steps:

1. Click Start, and then click Search.
2. In the Search Companion pane, click More advanced options.
3. Click to select the following three check boxes:
a. Search system folders
b. Search hidden files and folders
c. Search subfolders
4. In the All or part of the file name box, type nettcpip.inf, and then click Search.
5. In the results pane, right-click Nettcpip.inf, and then click Install.
6. Restart the computer.



#15
February 23, 2009 at 17:22:36

Here is the log:

Also, my ISP is Roadrunner. Do I have a proxy server? Nothing was marked or checked when I followed your directions above. When I rebooted, my internet still didn't work. I also looked in the registry as you directed above. I could not find the keys. I found the folders, i.e. H-key, system, control set, services but no mention of winsock.

ComboFix 09-02-21.01 - LB 2009-02-23 19:53:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.415 [GMT -5:00]
Running from: h:\documents\Downloads\toolb.exe.exe
Command switches used :: h:\documents\Downloads\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\nfr.dll.gpref
c:\windows\system32\drivers\nfr.dll.mpref
c:\windows\system32\nfr.assembly
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\nfr.dll.gpref
c:\windows\system32\drivers\nfr.dll.mpref
c:\windows\system32\nfr.assembly

.
((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 11:14 . 2009-02-23 11:14 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-23 09:57 . 2009-02-23 12:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-23 09:57 . 2009-02-23 09:57 <DIR> d-------- c:\program files\AVG
2009-02-23 09:57 . 2009-02-23 10:00 <DIR> d-------- c:\documents and settings\LB\Application Data\AVGTOOLBAR
2009-02-23 09:57 . 2009-02-23 11:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-23 09:57 . 2009-02-23 09:57 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-23 09:57 . 2009-02-23 09:57 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-23 09:57 . 2009-02-23 09:57 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-22 19:03 . 2009-02-22 19:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 19:03 . 2009-02-22 19:03 <DIR> d-------- c:\documents and settings\LB\Application Data\Malwarebytes
2009-02-22 19:03 . 2009-02-22 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 19:03 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 19:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-20 12:53 . 2009-02-20 12:53 63 --a------ c:\windows\st_affiliate.ini
2009-02-20 12:36 . 2009-02-20 12:36 <DIR> d-------- c:\documents and settings\LB\Application Data\CyberDefender
2009-02-19 14:02 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-02-09 11:11 . 2009-02-09 11:11 <DIR> d-------- c:\program files\iTunes
2009-02-09 11:11 . 2009-02-09 11:11 <DIR> d-------- c:\program files\iPod
2009-02-09 11:11 . 2009-02-09 11:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-09 11:04 . 2009-02-09 11:04 <DIR> d-------- c:\program files\Bonjour
2009-01-28 18:02 . 2009-02-07 20:16 <DIR> d-------- c:\program files\Yahoo!
2009-01-28 18:02 . 2009-02-07 20:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 00:39 --------- d-----w c:\documents and settings\LB\Application Data\U3
2009-02-19 16:27 --------- d-----w c:\documents and settings\LB\Application Data\Apple Computer
2009-02-12 13:44 --------- d-----w c:\documents and settings\LB\Application Data\Smilebox
2009-02-09 16:10 --------- d-----w c:\program files\Common Files\Apple
2009-02-09 16:04 --------- d-----w c:\program files\QuickTime
2009-02-08 01:12 --------- d-----w c:\program files\Opera
2008-12-27 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2008-12-27 22:47 --------- d-----w c:\program files\Yahoo! Games
2008-12-27 20:35 --------- d-----w c:\documents and settings\LB\Application Data\Unity
2008-12-27 20:32 --------- d-----w c:\program files\Unity
2008-12-26 00:54 --------- d-----w c:\program files\Java
2008-09-05 15:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_10.46.35.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-24 00:56:57 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmileboxTray"="c:\documents and settings\LB\Application Data\Smilebox\SmileboxTray.exe" [2009-01-29 254600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-05-16 528384]
"ZCfgSvc.exe"="c:\windows\System32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"Lexmark X6100 Series"="c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-07-25 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-25 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-23 1601304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-11-19 24576]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-23 09:57 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\windows\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-23 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-23 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-23 298264]
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-22 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-02-22 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:7070
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: plaxo.com\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 19:57:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\LgNotify.dll
c:\windows\System32\gpkcsp.dll
c:\windows\System32\gpkrsrc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BAsfIpM.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\RegSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\1XConfig.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Lexmark X6100 Series\lxbfbmon.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-23 20:00:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 01:00:03
ComboFix2.txt 2009-02-23 15:47:48

Pre-Run: 26,583,080,960 bytes free
Post-Run: 26,568,359,936 bytes free

172 --- E O F --- 2009-02-23 17:29:25



#16
February 23, 2009 at 19:29:04

Go to Start > Control Panel > Add/Remove Programs and uninstall this program if found:

MalwareRemovalBot

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

Driver::
NFRAgent

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Do the second part of the winsock repair even if you don't see the keys:

Step 2: Install TCP/IP

1. Right-click the network connection, and then click Properties.
2. Click Install.
3. Click Protocol, and then click Add.
4. Click Have Disk.
5. Type C:\Windows\inf and then click OK.
6. On the list of available protocols, click Internet Protocol (TCP/IP), and then click OK.

Normally you do not need to go any further than this. Restart the computer and try to get online.

If Internet Protocol (TCP/IP) does not appear, follow these steps:

1. Click Start, and then click Search.
2. In the Search Companion pane, click More advanced options.
3. Click to select the following three check boxes:
a. Search system folders
b. Search hidden files and folders
c. Search subfolders
4. In the All or part of the file name box, type nettcpip.inf, and then click Search.
5. In the results pane, right-click Nettcpip.inf, and then click Install.
6. Restart the computer.



#17
February 24, 2009 at 20:41:57

Thank you for your assistance. I ran the last set of instructions. However, it didn't fix my connection to the internet. I appreciate all your help. Great strides were made in getting rid of the virus. I think you have done what you can via the web. I believe my next step will be to take my laptop to a local resource and let them repair it.

Again, I really appreciate all of your assistance.



#18
February 24, 2009 at 21:11:57

See the parallel thread. I was able to fix my infection with NFRA by removing the executable and registry items defined here:

http://www.threatexpert.com/report....



#19
February 25, 2009 at 15:02:27

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
DDS::
uInternet Settings,ProxyServer = http=localhost:7070

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"=-
"7070:TCP"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Restart the computer and try to get online.



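The CFScript in reply #19 removes the two things that kept the machine off the internet after the malware files were gone: the IE proxy pointing at localhost:7070 and the firewall exceptions opened for "nfr" on ports 80 and 7070. As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage helper that reads a ComboFix log excerpt and flags exactly those indicators, and correlates them when a firewall hole sits on the same port the proxy points at; the sample log is constructed from the entries quoted in the thread.

```python
"""Triage a ComboFix log excerpt for the local-proxy redirect indicators seen in this thread."""
import re
from dataclasses import dataclass

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Matches GloballyOpenPorts entries such as:  "7070:TCP"= 7070:TCP:nfr
PORT_RULE = re.compile(r'^"(\d+):(TCP|UDP)"\s*=\s*(\d+):(TCP|UDP):(.*)$')

# Constructed sample, condensed from the registry and Supplementary Scan
# sections of the log posted above (not a real capture).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:nfr
"7070:TCP"= 7070:TCP:nfr
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=localhost:7070
uInternet Settings,ProxyOverride = *.local;<local>
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # local-proxy | firewall-disabled | open-port | proxy-port-hole
    detail: str


def parse_proxy_value(value):
    """Parse an IE ProxyServer value ('host:port' or 'http=host:port;https=host:port')
    into {scheme: (host, port)}; the single form is stored under scheme '*'."""
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                     # no port given at all
            host, port = hostport, ""
        entries[scheme or "*"] = (host.lower(), int(port) if port.isdigit() else None)
    return entries


def scan_combofix_log(text):
    """Return Findings for loopback proxies, firewall holes and a disabled firewall."""
    findings, open_ports, proxy_ports = [], [], set()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()      # current registry key
            continue
        if line.startswith("uInternet Settings,ProxyServer"):
            value = line.split("=", 1)[1].strip()
            for scheme, (host, port) in parse_proxy_value(value).items():
                if host in LOOPBACK:          # browser traffic routed through a local program
                    proxy_ports.add(port)
                    findings.append(Finding("local-proxy", f"{scheme} proxied via {host}:{port}"))
            continue
        if section.endswith("firewallpolicy\\standardprofile") and line.startswith('"EnableFirewall"'):
            if line.endswith("0 (0x0)"):
                findings.append(Finding("firewall-disabled", line))
            continue
        m = PORT_RULE.match(line)
        if m and "globallyopenports" in section:
            port, proto, name = int(m.group(1)), m.group(2), m.group(5).strip()
            open_ports.append((port, proto, name))
            findings.append(Finding("open-port", f"{port}/{proto} opened for '{name}'"))
    # A firewall exception on the same port the proxy points at is the strongest signal.
    for port, proto, name in open_ports:
        if port in proxy_ports:
            findings.append(Finding("proxy-port-hole", f"'{name}' holds {port}/{proto}, the local proxy port"))
    return findings
```

Running `scan_combofix_log(SAMPLE_LOG)` reports the disabled firewall, both "nfr" port exceptions, the localhost:7070 proxy, and the correlation on port 7070; a ProxyServer entry pointing at a real corporate proxy host produces no finding.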
#20
February 26, 2009 at 20:05:14

YOU DID IT!!!!! Thank you so much. I'm back on the internet virus free! Yeah... You have hung in there with me and I really appreciate it!

L



#21
February 28, 2009 at 06:34:47

Glad we could help.
