Google Toolbar-search.good-search.net

Dell / Mxc061
June 18, 2010 at 21:22:39
Specs: Microsoft Windows XP Home Edition, 1.596 GHz / 502 MB
Hi! Any help or suggestions would be appreciated.

When I use Firefox (ver 3.6.3), the Google toolbar does not produce "google" results. My search results end up as a fake Google web address, "search.good-search.net." This is only a problem when I use the toolbar; regular google.com is fine when typed into the browser.

So far, I have tried:
-AdAware
-Malwarebytes
-Avira
-Spybot Search and Destroy
-Windows Defender

Additionally, I have tried to reconfigure/reset firefox with "about:config," type in "keyword" and then "reset."

Any more ideas? Thank you in advance for your response!



#1
June 18, 2010 at 21:52:04
I would remove the Google Toolbar (if possible), and then do a fresh-reinstall if you must.

You could also try Hitman Pro 3.5: http://download.cnet.com/Hitman-Pro...

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#2
June 18, 2010 at 22:12:10
Hi xryanx,

Thank you for your suggestion, but I couldn't remove the Google Toolbar. (I was looking under "Tools" then "Add-ons." Is that where it's supposed to be?)

I did download and use Hitman Pro 3.5, but the result came up clean.

Any other suggestions are welcomed!



#3
June 18, 2010 at 22:34:46
Try using Gmer : http://gmer.net/download.php

Before scanning with Gmer, please do the following in this order...

1) Disconnect from the internet and close ALL running programs.

2) Disable any Anti-Virus/Anti-Spyware software currently running to avoid conflicts.

3) Double click on "Gmer.exe", and allow its .sys driver to load.

4) Gmer will then open and run a quick scan. Please DO NOT USE THE COMPUTER WHILE THE SCAN IS IN PROGRESS.

5) If you receive a warning about Rootkit Activity on your system and are asked to do a full scan click No.

6) Click the Scan button, and if you see a Rootkit Warning window click Ok (it should be the only option in the dialog box).

7) When the scan is finished, please click Save, and save the log to your desktop as Gmer.log

8) Click the Copy button and paste the log into your next reply.

9) Re-enable any Anti-Virus/Anti-Spyware software and any other security software you've disabled (Firewall).

Notes: If Gmer results in a BSOD or crashes please uncheck "Devices" on the right side of the program before scanning. Also, if you encounter problems while scanning in normal mode, please try scanning in Safe Mode.


#4
June 19, 2010 at 08:46:55
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-19 08:12:55
Windows 5.1.2600 Service Pack 3
Running: v0oo569o.exe; Driver: C:\DOCUME~1\MISSLA~1\LOCALS~1\Temp\uxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT F8BDE2E6 ZwCreateKey
SSDT F8BDE2DC ZwCreateThread
SSDT F8BDE2EB ZwDeleteKey
SSDT F8BDE2F5 ZwDeleteValueKey
SSDT F8BDE2FA ZwLoadKey
SSDT F8BDE2C8 ZwOpenProcess
SSDT F8BDE2CD ZwOpenThread
SSDT F8BDE304 ZwReplaceKey
SSDT F8BDE2FF ZwRestoreKey
SSDT F8BDE2F0 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA99FBDF0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \FileSystem\Fastfat \Fat A7F61D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----



#5
June 19, 2010 at 18:28:45
From what I've researched, that Uxtdapog.sys at the top of the scan, as you can see, is considered a threat. Is that toolbar still there? If so, please try running a scan with Spyware Blaster and then RemoveIT Pro, and if that doesn't help we can try something else.

http://download.cnet.com/RemoveIT-P...

http://download.cnet.com/SpywareBla...


#6
June 19, 2010 at 19:56:22
Yes, the toolbar is still there.

First I downloaded the Spyware Blaster, but I couldn't find a "Scan" option. Instead I just hit "enabled all protection."

Next, I downloaded RemoveItPro. It found 39 dangerous files, but I couldn't remove them without buying the program. Here is the log of the scan:


RemoveIT Pro v7 Ultra (Build date: 11.11.2008) log.
Generated at: 6/19/2010 on 7:35:26 PM
Microsoft Windows XP Home Edition Service Pack 3 (Build 2600)

7:35:26 PM: Scanning, please wait...
7:35:38 PM: Infected file (Win32.Unknown.Random.X) c:\program files\common files\microsoft shared\source engine\ose.exe -> No action taken.
7:37:19 PM: Infected file (Sys32.launchpad removal) C:\Documents and Settings\Miss Lauren\application data\u3\temp\launchpad removal.exe -> No action taken.
7:37:33 PM: Infected file (Sys32.npqmp071503000010) C:\Documents and Settings\Miss Lauren\application data\move networks\plugins\npqmp071503000010.dll -> No action taken.
7:37:42 PM: Infected file (Sys32.proquota) C:\i386\proquota.exe -> No action taken.
7:37:55 PM: Infected file (Sys32.ssupdate) C:\Documents and Settings\Miss Lauren\local settings\temp\ssupdate.exe -> No action taken.
7:37:55 PM: Infected file (Sys32.ssupdate) C:\DOCUME~1\MISSLA~1\LOCALS~1\Temp\ssupdate.exe -> No action taken.
7:38:54 PM: Infected file (Sys32.bmapi) C:\WINDOWS\system32\bmapi.dll -> No action taken.
7:39:02 PM: Infected file (Sys32.dlashx_w) C:\WINDOWS\system32\dla\dlashx_w.dll -> No action taken.
7:39:14 PM: Infected file (Sys32.gpcienum) C:\WINDOWS\system32\gpcienum.sys -> No action taken.
7:39:14 PM: Infected file (Sys32.gtkcmos) C:\WINDOWS\system32\gtkcmos.sys -> No action taken.
7:39:19 PM: Infected file (Sys32.init32) C:\WINDOWS\system32\init32.exe -> No action taken.
7:39:19 PM: Infected file (Sys32.instlsp) C:\WINDOWS\system32\instlsp.exe -> No action taken.
7:39:27 PM: Infected file (Sys32.kpower) C:\WINDOWS\system32\kpower.dll -> No action taken.
7:39:36 PM: Infected file (Sys32.msscript) C:\WINDOWS\system32\msscript.ocx -> No action taken.
7:40:00 PM: Infected file (Sys32.uci32103) C:\WINDOWS\system32\uci32103.dll -> No action taken.
7:40:06 PM: Infected file (Sys32.vxdmdcdlg) C:\WINDOWS\system32\vxdmdcdlg.dll -> No action taken.
7:40:35 PM: Infected file (Sys32.erdnt) C:\WINDOWS\erdnt\hiv-backup\erdnt.exe -> No action taken.
7:40:35 PM: Infected file (Sys32.erdnt) C:\WINDOWS\erdnt\subs\erdnt.exe -> No action taken.
7:41:12 PM: Infected file (Sys32.bae) C:\Program Files\bae\bae.dll -> No action taken.
7:41:15 PM: 19 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
7:41:48 PM: Scanning, please wait...
7:45:34 PM: Infected file (Sys32.uci32103) C:\drivers\modem\onboard\UCI32103.dll -> No action taken.
7:45:38 PM: Infected file (Sys32.bmapi) C:\i386\BMAPI.dll -> No action taken.
7:45:44 PM: Infected file (Sys32.dlashx_w) C:\i386\DLASHX_W.DLL -> No action taken.
7:45:47 PM: Infected file (Sys32.gpcienum) C:\i386\GPCIEnum.sys -> No action taken.
7:45:47 PM: Infected file (Sys32.gtkcmos) C:\i386\GTKCMOS.sys -> No action taken.
7:45:50 PM: Infected file (Sys32.kpower) C:\i386\KPower.dll -> No action taken.
7:46:07 PM: Infected file (Sys32.uci32103) C:\i386\Uci32103.dll -> No action taken.
7:46:08 PM: Infected file (Sys32.vxdmdcdlg) C:\i386\vxdmdcdlg.dll -> No action taken.
7:46:13 PM: Infected file (Win32.Unknown.Random.X) C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE -> No action taken.
7:46:13 PM: Infected file (Win32.Unknown.Random.X) C:\MSOCache\All Users\90AB0409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE -> No action taken.
7:46:13 PM: Infected file (Win32.Unknown.Random.X) C:\MSOCache\All Users\90AC0409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE -> No action taken.
7:46:13 PM: Infected file (Win32.Unknown.Random.X) C:\MSOCache\All Users\90AD0409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE -> No action taken.
7:50:28 PM: Infected file (Sys32.dlashx_w) C:\Program Files\Roxio\DLA\install\dlashx_w.dll -> No action taken.
7:50:29 PM: Infected file (Sys32.ssupdate) C:\Program Files\SUPERAntiSpyware\SSUpdate.exe -> No action taken.
7:51:33 PM: Infected file (Sys32.proquota) C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -> No action taken.
7:51:56 PM: Infected file (Sys32.init32) C:\WINDOWS\ERDNT\cache\userinit.exe -> No action taken.
7:52:46 PM: Infected file (Sys32.msscript) C:\WINDOWS\ServicePackFiles\i386\msscript.ocx -> No action taken.
7:52:52 PM: Infected file (Sys32.init32) C:\WINDOWS\ServicePackFiles\i386\userinit.exe -> No action taken.
7:53:05 PM: Infected file (Sys32.init32) C:\WINDOWS\system32\dllcache\userinit.exe -> No action taken.
7:53:20 PM: Infected file (Sys32.init32) C:\WINDOWS\system32\userinit.exe -> No action taken.
7:53:26 PM: 39 Dangerous files has been found on your computer.
Click on "Fix" button to fix selected tasks.
Finished...



#7
June 19, 2010 at 21:33:00
Have you tried restarting Firefox in Safe Mode: http://support.mozilla.com/en-US/kb... and checking disable add-ons, reset toolbars and controls, reset all preferences to user defaults, and restore default search engines? Another option is maybe trying Combo Fix: http://www.bleepingcomputer.com/com... , follow the instructions very carefully.


#8
June 20, 2010 at 21:12:41
Restarting Firefox in Safe Mode didn't work. Thus, I tried Combo Fix. It sorta fixed the problem, but I'm concerned there's some kind of virus still there.

See screen cap: http://rapidshare.com/files/4011959...

Right now I'm missing the Google toolbar, but it has defaulted to a Yahoo toolbar search instead. The Yahoo toolbar works fine, but as seen in the screen capture there's still something not right.

Below is the log from Combo Fix:

ComboFix 10-06-19.03 - Miss Lauren 06/19/2010 21:47:24.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.203 [GMT -7:00]
Running from: c:\documents and settings\Miss Lauren\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\google_search.xml

.
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-20 02:19 . 2010-06-20 02:26 -------- d-----w- c:\program files\SpywareBlaster
2010-06-20 01:53 . 2010-06-20 01:53 -------- d-----w- c:\program files\InCode Solutions
2010-06-19 05:01 . 2010-06-19 05:01 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-19 05:01 . 2010-06-19 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-19 05:01 . 2010-06-19 05:01 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-19 03:32 . 2010-06-18 05:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-18 05:22 . 2010-06-18 05:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-18 05:22 . 2010-06-18 05:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-18 04:49 . 2010-06-18 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-18 04:49 . 2010-06-18 04:50 -------- d-----w- c:\program files\Lavasoft
2010-06-18 04:05 . 2010-05-21 21:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-18 04:02 . 2010-06-18 04:02 -------- d-----w- c:\program files\Windows Defender
2010-06-18 03:32 . 2010-06-18 04:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-18 00:45 . 2010-06-18 02:14 -------- d-----w- c:\windows\system32\NtmsData
2010-06-18 00:27 . 2010-06-18 00:27 -------- d-----w- c:\documents and settings\Miss Lauren\Application Data\Avira
2010-06-18 00:19 . 2010-03-01 17:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-06-18 00:19 . 2009-05-11 19:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-06-18 00:19 . 2009-05-11 19:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-06-18 00:19 . 2010-06-18 00:19 -------- d-----w- c:\program files\Avira
2010-06-18 00:19 . 2010-06-18 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-06-16 05:32 . 2010-06-16 05:32 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-16 01:48 . 2010-06-17 03:14 120 ----a-w- c:\windows\Svepezuqujaro.dat
2010-06-16 01:48 . 2010-06-17 00:04 0 ----a-w- c:\windows\Jguyume.bin
2010-06-16 01:47 . 2010-06-16 13:48 -------- d-----w- c:\documents and settings\Miss Lauren\Local Settings\Application Data\wilsrtp
2010-06-16 01:47 . 2010-06-16 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 02:26 . 2008-11-09 07:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-19 15:27 . 2010-06-16 04:17 52224 ----a-w- c:\documents and settings\Miss Lauren\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-19 15:27 . 2009-06-30 08:08 117760 ----a-w- c:\documents and settings\Miss Lauren\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-19 15:21 . 2009-10-28 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-19 04:44 . 2010-06-19 04:44 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-06-18 04:34 . 2007-11-28 16:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-06-17 03:27 . 2006-07-18 20:09 100576 ----a-w- c:\documents and settings\Miss Lauren\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 02:02 . 2009-06-30 08:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-16 05:33 . 2010-06-16 05:33 503808 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-238a5f14-n\msvcp71.dll
2010-06-16 05:33 . 2010-06-16 05:33 499712 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-238a5f14-n\jmc.dll
2010-06-16 05:33 . 2010-06-16 05:33 348160 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-238a5f14-n\msvcr71.dll
2010-06-16 05:33 . 2010-06-16 05:33 61440 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66688d34-n\decora-sse.dll
2010-06-16 05:33 . 2010-06-16 05:33 12800 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-66688d34-n\decora-d3d.dll
2010-06-16 05:33 . 2006-07-13 08:52 -------- d-----w- c:\program files\Common Files\Java
2010-06-16 02:06 . 2009-06-03 06:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-16 00:23 . 2010-06-16 00:23 503808 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6405a8ea-n\msvcp71.dll
2010-06-16 00:23 . 2010-06-16 00:23 499712 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6405a8ea-n\jmc.dll
2010-06-16 00:23 . 2010-06-16 00:23 348160 ----a-w- c:\documents and settings\Miss Lauren\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6405a8ea-n\msvcr71.dll
2010-05-04 17:20 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-06-03 06:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-06-03 06:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-01 20:42 . 2006-07-18 20:10 88 --sh--r- c:\windows\system32\04BCCF4B19.sys
2007-12-01 20:42 . 2006-07-18 20:10 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
"RemoveIT Pro v7Ultra"="c:\program files\InCode Solutions\RemoveIT Pro v7 Ultra\removeit.exe" [2010-05-17 2326016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-15 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-19 5937984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-13 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/17/2010 10:22 PM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 uziwotiw;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uziwotiw.sys [6/29/2009 5:29 PM 11264]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/17/2010 5:19 PM 135336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/29/2007 10:14 AM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [8/10/2004 4:20 PM 106496]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:18]

2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-06-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-06-19 c:\windows\Tasks\WebReg Photosmart C4100 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-02-19 13:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:1947
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Miss Lauren\Application Data\Mozilla\Firefox\Profiles\p47x9d5l.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.good-search.net/?sid=10101030100&s=
FF - plugin: c:\documents and settings\Miss Lauren\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Miss Lauren\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.good-search.net/?sid=10101030100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-19 22:07:06
ComboFix-quarantined-files.txt 2010-06-20 05:07
ComboFix2.txt 2010-06-17 04:18

Pre-Run: 9,333,702,656 bytes free
Post-Run: 9,601,961,984 bytes free

- - End Of File - - 3033E7F08578C4F1F54DB89B5A86CA07




#9
June 20, 2010 at 21:41:39
Yeah, that keyword URL thing. Have you tried editing that string? Maybe this will help you: http://kb.mozillazine.org/Keyword.URL I would try editing that in Safe Mode (rebooting and pressing F8), and then maybe even doing a full scan with Malwarebytes while still in safe mode.


#10
June 21, 2010 at 18:01:13
After restarting in Safe Mode and restarting Firefox in safe mode, I RESET the keyword.URL to http://www.google.com/search?ie=UTF... (the default.)

Then I ran a full scan of MalwareBytes (of course I updated to the latest version.) Below is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4219

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

6/20/2010 10:56:05 PM
mbam-log-2010-06-20 (22-56-05).txt

Scan type: Full scan (C:\|)
Objects scanned: 231455
Time elapsed: 53 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#11
June 23, 2010 at 19:30:53
Is the toolbar still there? Sorry I forgot to respond!


#12
June 23, 2010 at 19:42:03
Yes, the toolbar is still there. Although I'm missing the "google" toolbar option. Instead there is a Yahoo toolbar search. Yahoo search is not infected, it searches properly.

Although, when I look under "about:config" and search "keyword," search.good-search.net is still there.

Am I still infected?



#13
June 23, 2010 at 20:56:32
If you're not being redirected, I would say the problem is fixed, but I'm not too sure about that entry since it still seems to be there. Try running a scan with CCleaner: http://download.cnet.com/ccleaner/?...


#14
June 28, 2010 at 21:15:28
Is there any way to post a log file from that program? There are two options with the program: "Cleaner" and "Registry." I don't want to "fix" all the programs - most of them are missing shortcuts.

#15
June 29, 2010 at 08:06:01
Hi lst417,
CCleaner is real easy and safe to use.
When you run the registry cleaner, remove all it finds.

If you are still unable to remove the Google toolbar, you can use Revo Uninstaller (the freeware version) to remove it:

http://www.revouninstaller.com/revo...

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#16
July 4, 2010 at 21:22:53
After using CCleaner and removing all it finds, the search.good-search.net still appears when I type in "about:config" to Firefox.

Good thing is, the Google tool bar has altogether been removed and defaulted to Yahoo. I installed another Google Toolbar and it works just fine.

Thank you very much to xryanx and XpUser4Real for your time and patience! =)


Report •
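
The ComboFix log in post #8 lists keyword.URL under both prefs.js and user.js; Firefox re-applies user.js over prefs.js at every start, so a reset made in about:config does not hold while user.js still carries the entry. The Python script below is an added example, not part of the thread or of any tool named in it, that checks both files of a profile. The allowlist, the function names and the sample file contents are assumptions constructed for illustration, and the URL is kept in the defanged hxxp form the log uses.

```python
"""Audit a Firefox profile for a hijacked keyword.URL (added example)."""
import json
import re
from pathlib import Path
from urllib.parse import urlsplit

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*)\)\s*;\s*$')

# URL-valued preferences to check; keyword.URL is the one named in the thread.
URL_PREFS = ("keyword.URL",)

# Hosts the owner expects searches to go to (assumption: adjust per machine).
ALLOWED_HOSTS = ("google.com", "yahoo.com")


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js/user.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not user_pref()
        name, raw = m.group(1), m.group(2).strip()
        try:
            prefs[name] = json.loads(raw)  # strings, true/false, integers
        except ValueError:
            prefs[name] = raw  # keep unparsed text rather than drop it
    return prefs


def load_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory, if present."""
    files = {}
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            files[fname] = path.read_text(encoding="utf-8", errors="replace")
    return files


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True for an allowed host or a subdomain of one (not a look-alike suffix)."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit(files, allowed=ALLOWED_HOSTS):
    """Report URL preferences that point at a host outside the allowlist."""
    findings = []
    for fname in ("prefs.js", "user.js"):
        prefs = parse_prefs(files.get(fname, ""))
        for name in URL_PREFS:
            value = prefs.get(name)
            if not isinstance(value, str):
                continue
            host = (urlsplit(value).hostname or "").lower()
            if host and not host_allowed(host, allowed):
                findings.append({
                    "file": fname,
                    "pref": name,
                    "host": host,
                    # user.js entries come back at every start until the file is cleaned
                    "reapplied_at_startup": fname == "user.js",
                })
    return findings


def effective(files, name):
    """Value Firefox ends up with after a restart: user.js overrides prefs.js."""
    merged = parse_prefs(files.get("prefs.js", ""))
    merged.update(parse_prefs(files.get("user.js", "")))
    return merged.get(name)


# Constructed sample: prefs.js after a reset in about:config, user.js untouched.
SAMPLE = {
    "prefs.js": '# Mozilla User Preferences\n'
                'user_pref("browser.search.selectedEngine", "Google");\n',
    "user.js": 'user_pref("browser.search.selectedEngine", "Google");\n'
               'user_pref("browser.search.order.1", "Google");\n'
               'user_pref("keyword.URL", '
               '"hxxp://search.good-search.net/?sid=10101030100&s=");\n',
}

if __name__ == "__main__":
    # For a real profile: audit(load_profile(r"<path to the Firefox profile>"))
    for finding in audit(SAMPLE):
        print(finding)
    print("effective keyword.URL:", effective(SAMPLE, "keyword.URL"))
```
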
