web redirect in firefox and ie

Dell Dimension e520 desktop - customizab...
July 15, 2010 at 14:18:45
Specs: Windows XP
I have Firefox and I keep getting redirected. I use Malwarebytes, but I guess it didn't catch the redirect before it took over. It also got hold of IE; I couldn't use it for a while. I found a quick fix that enabled me to use IE and allowed me to enable real-time protection, which stops the redirection, but it lingers and slows me down. I am afraid one day it will escape. I'm looking for a permanent solution. I have:

Malwarebytes
Ad-Aware
SUPERAntiSpyware
Sophos - lives on my computer but does not do anything

The steps I took are listed below.

1. Navigate to: C:\Program Files\Mozilla Firefox\extensions, look for a folder that is a string of letters, created around the time you began having the problem. Something like "{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}"
2. Open the folder, and then open the folder called "chrome", then "content", and look for a file inside called overlay.xul (variants may have different names). I used search for overlay.xul and found 4 in the IE folder and the Firefox folder.
3. Verify that it is the virus: does it have code similar to this: click to see code
4. If you have found the culprit, delete the file (or encrypt with Axcrypt which is reversible).
5. Replace it with a blank text file with the same name and extension.
6. Repeat the process – you may have multiple copies in multiple folders.
7. Test: Go back to Google, try your search results again.
8. If no redirects: Sing Hallelujah.

Part 2

1. Do the “short fix” listed above.
2. Remove old versions of Java by downloading JavaRa and unzipping it to your desktop.
3. Double-click on JavaRa.exe to start the program and Click on Remove Older Versions.
4. Download and install the latest version of Java (Most likely the first download you see here).
5. Install Malwarebytes and SuperAntiSpyware
6. Update them, run them, and delete all bad stuff.
7. Shutdown, restart, run them again.
8. If you are clean then test for redirects in Google.
9. If no redirects: Sing Hallelujah.


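As an added example (not code from the post above), the folder check from steps 1-3 and the keep-a-copy-then-blank step from 4-5, applied to a constructed sample extensions directory; the three-day window around the time the problem started is an assumed value, and any .xul under chrome/content is reported because the post says variants use other names.

```python
"""Added example, not code from the thread: applies the Firefox extension check
from the post above (GUID-named folder created around the time the redirects
started, holding a chrome/content/*.xul overlay) and the keep-a-copy-then-blank
step, against a constructed sample extensions directory."""
import os
import re
import tempfile
import time
from datetime import datetime, timedelta

# Extension folders named by GUID, e.g. {BCB94CDD-5542-403F-9FB3-07D3DB1E9951}
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def suspicious_extensions(extensions_dir, problem_started, window_days=3):
    """Return [(folder_name, xul_path)] for GUID-named extension folders whose
    modification time falls within window_days of problem_started and that
    carry a .xul file under chrome/content. window_days is an assumed value."""
    lo = problem_started - timedelta(days=window_days)
    hi = problem_started + timedelta(days=window_days)
    hits = []
    for name in sorted(os.listdir(extensions_dir)):
        folder = os.path.join(extensions_dir, name)
        if not (os.path.isdir(folder) and GUID_DIR.match(name)):
            continue
        if not lo <= datetime.fromtimestamp(os.path.getmtime(folder)) <= hi:
            continue
        content = os.path.join(folder, "chrome", "content")
        if not os.path.isdir(content):
            continue
        for fname in sorted(os.listdir(content)):
            if fname.lower().endswith(".xul"):
                hits.append((name, os.path.join(content, fname)))
    return hits


def neutralize(xul_path):
    """Steps 4-5 of the post: keep the original for analysis and leave an empty
    file with the same name so the extension loads nothing.
    Returns (backup_path, size_of_replacement)."""
    backup = xul_path + ".quarantined"
    os.replace(xul_path, backup)
    open(xul_path, "w").close()
    return backup, os.path.getsize(xul_path)


def build_sample_tree():
    """Constructed sample: one old GUID folder (the default theme id that also
    appears in the ComboFix log later in the thread) and one folder modified a
    day ago holding an overlay.xul placeholder.
    Returns (extensions_dir, problem_started)."""
    root = tempfile.mkdtemp(prefix="ffext_")
    now = time.time()
    samples = (
        ("{972ce4c6-7e08-4474-a285-3208198ce6fd}", 400, False),
        ("{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}", 1, True),
    )
    for guid, age_days, with_overlay in samples:
        content = os.path.join(root, guid, "chrome", "content")
        os.makedirs(content)
        if with_overlay:
            with open(os.path.join(content, "overlay.xul"), "w") as f:
                f.write("<!-- constructed placeholder, not real extension code -->\n")
        stamp = now - age_days * 86400
        os.utime(os.path.join(root, guid), (stamp, stamp))
    return root, datetime.fromtimestamp(now)


if __name__ == "__main__":
    ext_dir, started = build_sample_tree()
    for folder, xul in suspicious_extensions(ext_dir, started):
        print("suspect:", folder, xul)
        print("backup kept at:", neutralize(xul)[0])
```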

#1
July 16, 2010 at 12:31:41
The type of problem you have is known as "browser hijacking". None of the malware scanners you are using can guard against this unless they include a "real-time" monitoring component.

SuperAntiSpyware is very good but only the "Pro" version gives real-time protection, you have to pay for that. Same with MalwareBytes - you have to pay for real-time protection.

Sophos AV won't stop browser hijacks anyway.

With Firefox, you could probably fix by thoroughly removing it and deleting "Mozilla Firefox" keys in the software sections of the Registry. Internet Explorer, however, is more problematic since it can't be completely removed.

My son had a similar problem but only IE was hijacked (probably because the hijack required ActiveX). So he simply stopped using IE altogether (which is no bad thing anyway).



#2
July 16, 2010 at 14:43:13
I can try to remove keys and reinstall Firefox, but everything I have read has stated that that will not fix the problem. I also deleted all of my plug-ins and add-ons through Firefox with no change.


#3
July 16, 2010 at 15:14:24


#4
July 16, 2010 at 23:38:20
Looks like ComboFix worked, but I have to get my log looked at.


#5
July 17, 2010 at 11:19:43
ComboFix 10-07-15.05 -computer 07/16/2010 20:59:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1584 [GMT -7:00]
Running from: c:\documents and settings\computer\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\Toolbar4
c:\program files\Search Toolbar
c:\program files\Search Toolbar\basis.xml
c:\program files\Search Toolbar\bg.bmp
c:\program files\Search Toolbar\bing_logo.png
c:\program files\Search Toolbar\celebrity.png
c:\program files\Search Toolbar\drop_images.png
c:\program files\Search Toolbar\drop_maps.png
c:\program files\Search Toolbar\drop_news.png
c:\program files\Search Toolbar\drop_videos.png
c:\program files\Search Toolbar\drop_web.png
c:\program files\Search Toolbar\facebook.png
c:\program files\Search Toolbar\favicon.png
c:\program files\Search Toolbar\games.png
c:\program files\Search Toolbar\hotmail.png
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\images.png
c:\program files\Search Toolbar\include.xml
c:\program files\Search Toolbar\info.txt
c:\program files\Search Toolbar\lifestyle.png
c:\program files\Search Toolbar\maps.png
c:\program files\Search Toolbar\messenger.png
c:\program files\Search Toolbar\msn.png
c:\program files\Search Toolbar\news.png
c:\program files\Search Toolbar\twitter.png
c:\program files\Search Toolbar\version.txt
c:\program files\Search Toolbar\video.png
c:\program files\Search Toolbar\videos.png
c:\program files\Search Toolbar\weather.png
c:\program files\Search Toolbar\web.png
c:\windows\xpsp1hfm.log

----- BITS: Possible infected sites -----

hxxp://virtual1
Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCHOST32
-------\Service_svchost32


((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))
.

2010-07-17 04:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-17 04:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-07-15 22:05 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-15 18:17 . 2010-07-15 18:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-15 17:16 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-15 17:16 . 2010-07-15 17:16 -------- d-----w- c:\documents and settings\computer\Local Settings\Application Data\Sunbelt Software
2010-07-15 17:09 . 2010-07-15 17:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-15 06:18 . 2010-07-15 06:18 -------- d-----w- c:\program files\Common Files\Java
2010-07-14 22:04 . 2010-07-14 22:04 -------- d-----w- c:\documents and settings\computer\Application Data\SUPERAntiSpyware.com
2010-07-14 22:04 . 2010-07-14 22:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-14 22:04 . 2010-07-16 03:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-12 00:11 . 2010-07-12 06:00 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\wtgwnoudn
2010-07-11 19:38 . 2010-07-11 19:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-10 17:47 . 2010-07-10 17:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-10 01:05 . 2010-07-16 16:22 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 01:01 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-17 00:45 . 2007-07-25 20:19 -------- d-----w- c:\documents and settings\computer\Application Data\LimeWire
2010-07-15 17:08 . 2008-04-11 20:31 -------- d-----w- c:\program files\Lavasoft
2010-07-15 17:08 . 2008-04-11 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-15 06:17 . 2007-06-15 18:30 -------- d-----w- c:\program files\Java
2010-07-12 23:19 . 2009-08-05 19:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-30 01:01 . 2007-08-15 22:58 -------- d-----w- c:\documents and settings\computer\Application Data\dvdcss
2010-06-28 18:59 . 2007-09-28 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-06-03 00:00 . 2007-06-20 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-02 20:53 . 2007-06-15 18:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-01 21:11 . 2007-06-15 18:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-29 20:49 . 2009-11-25 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 19:08 . 2007-07-19 18:21 -------- d-----w- c:\program files\MSECache
2010-05-18 20:47 . 2009-04-03 20:57 -------- d-----w- c:\program files\AVS4YOU
2010-05-18 20:47 . 2009-04-03 20:57 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-05-02 05:22 . 2004-08-11 22:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-11-25 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-11-25 00:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-20 20:13 . 2007-06-25 17:28 88 --sh--r- c:\windows\system32\2B5CB73C74.sys
2008-03-28 20:09 . 2007-09-24 19:13 88 --sh--r- c:\windows\system32\60BCEA2C95.sys
2010-01-20 20:13 . 2007-06-25 17:28 7358 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfre1.dll" [2010-05-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2010-05-12 20:30 2515552 ----a-w- c:\program files\free-downloads.net\tbfre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfre1.dll" [2010-05-12 2515552]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]
"NBJ"="c:\program files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 2048000]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UniPrint"="c:\program files\UniPrint\Client\SetDfltSettings.exe" [2006-08-24 155857]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-07 185896]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-01-06 40960]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-02-01 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]

c:\documents and settings\computer\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-7-2 113664]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2008-12-23 245760]
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2009-8-14 81997]
Device Monitor.lnk - c:\program files\ArcSoft\MediaConverter 3\Monitor.exe [2009-9-17 139264]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/15/2010 10:16 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/21/2009 5:54 PM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [12/30/2008 3:08 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [12/30/2008 3:08 PM 38528]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 1352832]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/24/2009 5:09 PM 304464]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [9/22/2008 6:18 AM 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [8/21/2008 6:04 AM 98304]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/24/2009 5:09 PM 20952]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S3 {B1C63025-057D-4C50-A92BDD8338F06138};{B1C63025-057D-4C50-A92BDD8338F06138};c:\windows\System32\svchost.exe -k netsvcs [8/11/2004 3:00 PM 14336]
S3 {B6F9599D-57B4-4C8E-A2128CD4A9418C9D};{B6F9599D-57B4-4C8E-A2128CD4A9418C9D};\??\c:\windows\TEMP\3E2.tmp --> c:\windows\TEMP\3E2.tmp [?]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);c:\windows\system32\drivers\LV551AV.sys [4/9/2008 1:40 PM 220055]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
S3 RkPavproc3;RkPavproc3;\??\c:\windows\system32\drivers\RkPavproc3.sys --> c:\windows\system32\drivers\RkPavproc3.sys [?]
S3 RkPavproc4;RkPavproc4;\??\c:\windows\system32\drivers\RkPavproc4.sys --> c:\windows\system32\drivers\RkPavproc4.sys [?]
S3 RkPavproc5;RkPavproc5;\??\c:\windows\system32\drivers\RkPavproc5.sys --> c:\windows\system32\drivers\RkPavproc5.sys [?]
S3 RkPavproc6;RkPavproc6;\??\c:\windows\system32\drivers\RkPavproc6.sys --> c:\windows\system32\drivers\RkPavproc6.sys [?]
S3 RkPavproc7;RkPavproc7;\??\c:\windows\system32\drivers\RkPavproc7.sys --> c:\windows\system32\drivers\RkPavproc7.sys [?]
S3 RkPavproc8;RkPavproc8;\??\c:\windows\system32\drivers\RkPavproc8.sys --> c:\windows\system32\drivers\RkPavproc8.sys [?]
S3 RkPavproc9;RkPavproc9;\??\c:\windows\system32\drivers\RkPavproc9.sys --> c:\windows\system32\drivers\RkPavproc9.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [12/30/2008 3:13 PM 14976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/8/2010 2:19 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.abilityfirs.org
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\computer\Application Data\Mozilla\Firefox\Profiles\j0b0kdvd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.abilityfirst.org
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: c:\program files\ArcSoft\Video Downloader\Plugin_FireFox\components\nsURLRecordEx.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll
HKCU-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
Notify-NavLogon - (no file)
SafeBoot-yncfynj

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B1C63025-057D-4C50-A92BDD8338F06138}]
"ServiceDll"="c:\docume~1\R4896~1.BRI\LOCALS~1\Temp\3E0.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B6F9599D-57B4-4C8E-A2128CD4A9418C9D}]
"ImagePath"="\??\c:\windows\TEMP\3E2.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3394294521-2677142240-3474555951-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93A6CEF4-EE14-1CD9-DA9F-C9DA4F29E2ED}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namfomlppephkkacmahbhpgaddea"=hex:63,61,6e,64,69,69,00,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\stsystra.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-07-16 21:35:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-17 04:34

Pre-Run: 122,778,411,008 bytes free
Post-Run: 123,220,103,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7173376DEA70570BE115D45A0FE73A4C


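The service lines and the two ControlSet003 keys in this log are where a triage would look first: bare-GUID service names, images in a temp directory or ending in .tmp, and files ComboFix marks missing with "[?]". As an added example (not ComboFix's code or anything from the thread), this Python script parses lines in the formats shown above and reports those markers; the sample text is constructed from lines copied out of the log, and the heuristics are the example's own.

```python
"""Added example: triage of ComboFix 'Drivers/Services' lines and the
Services\\<name> registry keys it prints. Sample lines are copied from the
posted log; the scoring rules are this example's, not ComboFix's."""
import re

# R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/15/2010 10:16 AM 64288]
SERVICE_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B1C63025-...}]
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
REG_VALUE = re.compile(r'^"(?P<value>ServiceDll|ImagePath)"="(?P<path>.*)"$', re.I)
BARE_GUID = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)


def clean_path(raw):
    """Normalise what ComboFix prints: drop the 'x --> y' doubling, the trailing
    '[date size]' or '[?]' tag and the NT '\\??\\' prefix."""
    raw = raw.strip()
    if "-->" in raw:
        raw = raw.split("-->")[-1].strip()
    raw = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw)
    if raw.startswith("\\??\\"):
        raw = raw[4:]
    return raw


def reasons_for(name, path, missing):
    """Markers worth a closer look; any one of them makes an entry a finding."""
    reasons = []
    if BARE_GUID.match(name):
        reasons.append("service name is a bare GUID")
    if TEMP_DIR.search(path):
        reasons.append("image lives in a temp directory")
    if path.lower().endswith(".tmp"):
        reasons.append("image has a .tmp extension")
    if missing:
        reasons.append("file not found on disk")
    return reasons


def triage_combofix(text):
    """Return a list of {source, name, path, reasons} for suspicious entries."""
    findings = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_LINE.match(line)
        if m:
            rest = m.group("rest")
            path = clean_path(rest)
            reasons = reasons_for(m.group("name"), path, rest.rstrip().endswith("[?]"))
            if reasons:
                findings.append({"source": "services", "name": m.group("name"),
                                 "path": path, "reasons": reasons})
            continue
        k = SERVICE_KEY.match(line)
        if k:
            current_key = k.group("name")
            continue
        v = REG_VALUE.match(line)
        if v and current_key:
            path = clean_path(v.group("path"))
            reasons = reasons_for(current_key, path, False)
            if reasons:
                findings.append({"source": v.group("value"), "name": current_key,
                                 "path": path, "reasons": reasons})
    return findings


# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/15/2010 10:16 AM 64288]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/24/2009 5:09 PM 304464]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S3 {B1C63025-057D-4C50-A92BDD8338F06138};{B1C63025-057D-4C50-A92BDD8338F06138};c:\windows\System32\svchost.exe -k netsvcs [8/11/2004 3:00 PM 14336]
S3 {B6F9599D-57B4-4C8E-A2128CD4A9418C9D};{B6F9599D-57B4-4C8E-A2128CD4A9418C9D};\??\c:\windows\TEMP\3E2.tmp --> c:\windows\TEMP\3E2.tmp [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/8/2010 2:19 PM 691696]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B1C63025-057D-4C50-A92BDD8338F06138}]
"ServiceDll"="c:\docume~1\R4896~1.BRI\LOCALS~1\Temp\3E0.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B6F9599D-57B4-4C8E-A2128CD4A9418C9D}]
"ImagePath"="\??\c:\windows\TEMP\3E2.tmp"
"""

if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f["source"], f["name"], f["path"], "; ".join(f["reasons"]))
```

The svchost-hosted GUID service shows why the registry keys matter: its service line points at svchost.exe, and only the ServiceDll value reveals the .tmp file in a Temp folder.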

#6
July 18, 2010 at 12:14:37
It has returned!!!!!! I had like one day of peace; now it is back. Anyone else have any other ideas?


#7
July 18, 2010 at 12:24:05
Try Trojan Remover
http://www.simplysup.com/tremover/d...
Hitman Pro
http://www.surfright.nl/en/downloads
Run both till they are clean and then uninstall them as they are just 30 day fully functional trials. You can do that in all programs, no need to use add/remove

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#8
July 19, 2010 at 14:58:33
Ran Hitman and Trojan Remover; no luck finding anything but some cookies and a file that wasn't running. I had it for some time just sitting there: ucf2000.exe. And there was a repair on my proxy server; I'll look into that. But the problem is there. The only reason I know it's there is because Malwarebytes catches web redirection when my browser is off. I no longer have the redirection when clicking on links after doing the short fix and ComboFix listed above.

Thoughts??



#9
July 19, 2010 at 15:08:52
By the way, thanks for trying to help.


#10
July 19, 2010 at 20:45:39
Give Spybot S&D a shot:
http://www.filehippo.com/download_s...
Update it and check for problems.

Some people use the tea-timer setting, not me though so I have that unchecked.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#11
July 24, 2010 at 12:31:12
No luck with Spybot; it didn't find anything, but I still get pop-ups when my browser is completely closed. I'm lucky that Malwarebytes is on and blocking everything, but I still can't find the source.


#12
July 24, 2010 at 15:07:44
UnHackMe works pretty well; just follow the instructions on the website (UnHackMe for beginners):
http://www.greatis.com/unhackme/

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#13
July 30, 2010 at 18:58:01
Did not work.
