Firefox search posioning help

cls123 · January 31, 2009

I am currently having problems using google on mozilla firefox. If I search a topic on google, I get strange website in green below the website description. (e.g. Searching google on Google.com gives me hxxp://whattoexpect.com/) It's only on the first page of the search results. Firefox is version 2.0.0.20.

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 2

1/31/2009 12:30:38 PM

mbam-log-2009-01-31 (12-30-38).txt

Scan type: Quick Scan

Objects scanned: 66756

Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:00:24 PM, on 1/31/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Works\WksSb.exe

C:\Program Files\Common Files\AOL\1127779177\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\AOL\1127779177\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\AOL\1127779177\ee\aolsoftware.exe

C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe

C:\Program Files\Common Files\AOL\1127779177\ee\AOLOpenRide.exe

C:\Program Files\mcafee.com\personal firewall\MPFService.exe

C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\mcafee.com\personal firewall\MpfTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\AOL\1127779177\ee\aolsoftware.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\AOL 9.1\waol.exe

C:\Program Files\AOL 9.1\shellmon.exe

C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\USER\Application Data\Mozilla\Profiles\default\e87wmdun.slt\prefs.js)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127779177\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1127779177\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe

O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1127779177\ee\SSCRun.exe

O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [PCLEUSBTip] C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: AOL OpenRide.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Norton Internet Security.lnk = C:\Documents and Settings\User\My Documents\iTunesSetup.exe

O4 - Global Startup: Run Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/Data...6-6D5536C585C9}

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099927148234

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136256744125

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1127779177\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 11970 bytes

Please help.

cls123 · January 31, 2009

Bump

Still not solved.

Getting redirected to un-related sites.

Help

cls123 · January 31, 2009

Here is an image of what is happening.

cls123 · January 31, 2009

Downloaded avira and it solved the problem.

Here's the scan logfile for avira

Avira AntiVir Personal

Report file date: Saturday, January 31, 2009 17:38

Scanning for 1302306 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: USER-JYHXSUGSQJ

Version information:

BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36

ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 1/14/2009 22:34:50

ANTIVIR2.VDF : 7.1.1.207 1359360 Bytes 1/30/2009 22:34:59

ANTIVIR3.VDF : 7.1.1.208 2048 Bytes 1/30/2009 22:34:59

Engineversion : 8.2.0.70

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/31/2009 22:35:18

AESCRIPT.DLL : 8.1.1.39 344443 Bytes 1/31/2009 22:35:16

AESCN.DLL : 8.1.1.6 127348 Bytes 1/31/2009 22:35:15

AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38

AEPACK.DLL : 8.1.3.5 393588 Bytes 1/31/2009 22:35:14

AEOFFICE.DLL : 8.1.0.33 196987 Bytes 1/31/2009 22:35:12

AEHEUR.DLL : 8.1.0.89 1569143 Bytes 1/31/2009 22:35:11

AEHELP.DLL : 8.1.2.0 119159 Bytes 1/31/2009 22:35:06

AEGEN.DLL : 8.1.1.12 328053 Bytes 1/31/2009 22:35:03

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56

AECORE.DLL : 8.1.6.3 176501 Bytes 1/31/2009 22:35:01

AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01

AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Saturday, January 31, 2009 17:38

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned

Scan process 'aoltpsd3.exe' - '1' Module(s) have been scanned

Scan process 'AOLSP Scheduler.exe' - '1' Module(s) have been scanned

Scan process 'MpfTray.exe' - '1' Module(s) have been scanned

Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned

Scan process 'shellmon.exe' - '1' Module(s) have been scanned

Scan process 'wuauclt.exe' - '1' Module(s) have been scanned

Scan process 'waol.exe' - '1' Module(s) have been scanned

Scan process 'cidaemon.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned

Scan process 'wanmpsvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'snmp.exe' - '1' Module(s) have been scanned

Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned

Scan process 'MpfService.exe' - '1' Module(s) have been scanned

Scan process 'McShield.exe' - '1' Module(s) have been scanned

Scan process 'ITMRTSVC.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'cisvc.exe' - '1' Module(s) have been scanned

Scan process 'aoltpspd.exe' - '1' Module(s) have been scanned

Scan process 'aolavupd.exe' - '1' Module(s) have been scanned

Scan process 'aoltsmon.exe' - '1' Module(s) have been scanned

Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

45 processes with 45 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '75' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\Documents and Settings\All Users\Application Data\AOL Downloads\AOL_OpenRide_1.23.16.1\comps\acscore.exe

[DETECTION] Is the TR/Agent.1436664 Trojan

[NOTE] The file was moved to '49f7d3ee.qua'!

End of the scan: Saturday, January 31, 2009 18:41

Used time: 1:02:23 Hour(s)

The scan has been done completely.

9853 Scanning directories

280863 Files were scanned

1 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

0 files were deleted

0 files were repaired

1 files were moved to quarantine

0 files were renamed

1 Files cannot be scanned

280861 Files not concerned

1490 Archives were scanned

1 Warnings

1 Notes

Please notify me if I seem to be still infected.

AdvancedSetup · February 1, 2009

Your Adobe Acrobat Reader and Java need to be removed and updated to the latest versions.

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Then run this tool.

Please visit this webpage for instructions for downloading ComboFix to your

DESKTOP

:

how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run

ComboFix.exe

on your DESKTOP and not from any other folder.

Also,

DO NOT

click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

ComboFix.exe

Note:

The

Windows Recovery Console

will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click
Yes
to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please post the
C:\ComboFix.txt
along with a
new HijackThis log
so we may continue cleaning the system.

cls123 · February 1, 2009

Ok, here are the results

ComboFix 09-02-01.01 - User 2009-02-01 18:02:34.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1263.798 [GMT -5:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))

.

2009-01-31 17:30 . 2009-01-31 17:30 <DIR> d-------- c:\program files\Avira

2009-01-31 17:30 . 2009-01-31 17:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2009-01-31 11:59 . 2009-01-31 11:59 <DIR> d-------- c:\program files\Trend Micro

2009-01-18 07:37 . 2009-01-18 07:37 <DIR> d-------- c:\program files\Common Files\Software Update Utility

2009-01-17 10:44 . 2009-01-17 11:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-17 10:44 . 2009-01-17 10:44 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes

2009-01-17 10:44 . 2009-01-17 10:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-17 10:44 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-17 10:44 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-15 16:42 . 2009-01-15 16:42 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-01-15 16:42 . 2009-01-15 16:42 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-15 15:13 . 2009-01-15 15:13 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-01-15 15:13 . 2009-01-15 15:13 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-01 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-02-01 22:49 --------- d-----w c:\program files\Common Files\AOL

2009-02-01 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-02-01 16:57 --------- d-----w c:\program files\Common Files\Adobe

2009-01-31 15:37 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-31 15:37 --------- d-----w c:\program files\Pure Networks

2009-01-31 15:31 --------- d-----w c:\program files\Common Files\Real

2009-01-31 15:29 --------- d-----w c:\program files\NewTech Infosystems

2009-01-31 15:26 --------- d-----w c:\program files\Microsoft Picture It! PhotoPub

2009-01-31 15:22 --------- d-----w c:\program files\Kodak

2009-01-31 15:21 --------- d-----w c:\program files\Hewlett-Packard

2009-01-18 12:37 --------- d-----w c:\program files\AOL Toolbar

2009-01-15 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-21 19:23 --------- d-----w c:\program files\Google

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

2009-01-14 01:38 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2009-01-14 01:38 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2009-01-14 01:38 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2009-01-14 01:38 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2009-01-14 01:38 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]

"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2007-10-27 50528]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]

"HostManager"="c:\program files\Common Files\AOL\1127779177\ee\AOLSoftware.exe" [2008-06-24 41824]

"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"FastTVSync"="c:\program files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2003-06-04 241664]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-10 406016]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\User\Start Menu\Programs\Startup\

AOL OpenRide.lnk - c:\program files\Common Files\AOL\Launch\aollaunch.exe [2008-06-24 41824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]

InterVideo Scheduler server.lnk - c:\program files\InterVideo\WinDVD4PR\SchSvr.exe [2004-11-13 135168]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-08-08 65588]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-08-08 24633]

Norton Internet Security.lnk - c:\documents and settings\User\My Documents\iTunesSetup.exe [2007-08-19 19979192]

Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2007-11-20 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.3IV2"= 3ivxVfWCodec_dec.dll

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.PIM1"= pclepim1.dll

"aux2"= wdmaud.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1127779177\\ee\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\1127779177\\ee\\aolsoftware.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\3ivx\\3ivx D4 4.5.1 Decoder\\3ivxConfig.exe"=

"c:\\Documents and Settings\\User\\My Documents\\iTunesSetup.exe"=

"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=

"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

"c:\\Program Files\\AOL 9.0\\waol.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

S3 AKDWC20ET;Creation Station;c:\windows\system32\Drivers\csvid.sys --> c:\windows\system32\Drivers\csvid.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2005-02-13 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1100110607.job

- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

HKLM-Run-SoundMAXPnP - c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe

HKLM-Run-IMONTRAY - c:\program files\Intel\Intel® Active Monitor\imontray.exe

HKLM-Run-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

HKLM-Run-PCLEUSBTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

HKLM-Run-NWEReboot - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/?src=toolbar

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyOverride = 127.0.0.1

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm

IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm

Trusted Zone: aol.com\free

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\vqos985a.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.search.selectedEngine - AOL Search

FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com?src=toolbar

FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ab&query=

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-01 18:07:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"