MBAM and HJT log for browser redirect

[fuddrha]

All,

I have run a number of programs to solve this issue - Malwarebytes, Spybot, Adaware, NOD32 - but none have removed it. I use Firefox 3.0.7, and every so often, I'll get redirected when clicking on Google search results. It doesn't happen all the time, and there's no prevailing pattern to when it does happen. It tends to redirect to the same sites - www.shopica.com was my last one, and www.findstuff.com seems to crop up a lot. When I hit the back button to go back to Google, the link is still listed as "unclicked" - blue instead of purple. I can then click it again and get it to work properly.

So, to sum up - intermittent redirects with no discernible pattern and that are not "persistent." It's really just an annoyance more so than anything else.

Reading through other people's posts, it looks like they have resolved this by running ComboFix and/or GooRedFix. Both have warnings not to use them without being told to do so, so I was hoping to make sure that's the right path to take. Any input would be very appreciated.

Thanks in advance,

Robert

Malwarebytes' Anti-Malware 1.34

Database version: 1882

Windows 5.1.2600 Service Pack 3

3/21/2009 11:13:57 AM

mbam-log-2009-03-21 (11-13-57).txt

Scan type: Full Scan (C:\|)

Objects scanned: 134075

Time elapsed: 19 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

===

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:14:45 AM, on 3/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Launchy\Launchy.exe

C:\Program Files\Dropbox\Dropbox.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\LordJeb Software\Trinket.exe

C:\Program Files\Sandboxie\SbieSvc.exe

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Robert\Desktop\utorrent.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - (no file)

O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"

O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\Dropbox.exe

O4 - Startup: Shortcut to Trinket.exe.lnk = C:\Program Files\LordJeb Software\Trinket.exe

O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211351221557

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OLAKCK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Robert\LOCALS~1\Temp\OLAKCK.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--

End of file - 6588 bytes

[miekiemoes]

Hi,

Please download DDS and save it to your desktop.

• Disable any script blocking protection
  
• Double click dds.scr to run the tool.
  
• When done, DDS.txt will open.
  
• Click Yes at the next prompt for Optional Scan.
  
• Save both reports to your desktop.
  

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

[fuddrha]

Hi,

Please download DDS and save it to your desktop.

• Disable any script blocking protection

• Double click dds.scr to run the tool.

• When done, DDS.txt will open.

• Click Yes at the next prompt for Optional Scan.

• Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

Thanks,

Robert

DDS (Ver_09-03-16.01) - NTFSx86

Run by Robert at 10:24:05.98 on Sun 03/22/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1434 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Launchy\Launchy.exe

C:\Program Files\Dropbox\Dropbox.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\LordJeb Software\Trinket.exe

c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Robert\Desktop\utorrent.exe

C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [sandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\robert\startm~1\programs\startup\dropbox.lnk - c:\program files\dropbox\Dropbox.exe

StartupFolder: c:\docume~1\robert\startm~1\programs\startup\shortc~1.lnk - c:\program files\lordjeb software\Trinket.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211351221557

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\n9np3fkb.default\

FF - plugin: c:\documents and settings\robert\application data\mozilla\firefox\profiles\n9np3fkb.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll

FF - HiddenExtension: XUL Cache: {97DF4EC2-7980-4318-B4D1-80714F8CAB82} - c:\documents and settings\robert\local settings\application data\{97DF4EC2-7980-4318-B4D1-80714F8CAB82}

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]

R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2009-1-8 3968]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-3-13 33800]

R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2007-8-10 191360]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-12-20 100368]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-12-20 41680]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-3-13 472320]

R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2008-12-20 81360]

S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\mediacoder\sysinfo.sys --> c:\program files\mediacoder\SysInfo.sys [?]

S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-12-20 33752]

S3 hitmanpro3;Hitman Pro 3 Support Driver;c:\windows\system32\drivers\hitmanpro3.sys [2008-10-8 3328]

S3 OLAKCK;OLAKCK;c:\docume~1\robert\locals~1\temp\OLAKCK.exe [2009-1-3 527232]

S3 PORTMON;PORTMON;\??\c:\documents and settings\robert\desktop\sysinternalssuite\portmsys.sys --> c:\documents and settings\robert\desktop\sysinternalssuite\PORTMSYS.SYS [?]

S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [2008-11-14 30272]

S3 PsSdkLBF;PsSdkLBF;c:\windows\system32\drivers\pssdklbf.drv [2008-11-14 37440]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]

S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2008-12-20 31824]

=============== Created Last 30 ================

2009-03-21 10:23 <DIR> --d----- c:\docume~1\robert\applic~1\wsInspector

2009-03-21 10:21 <DIR> --d----- c:\program files\Startup Inspector for Windows

2009-02-28 13:44 <DIR> --d----- c:\program files\HandBrake

2009-02-28 12:43 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

==================== Find3M ====================

2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 10:24:50.17 ===============

Attach.zip

Attach.zip

[miekiemoes]

Hi,

Can you zip the following folder first:

c:\documents and settings\robert\local settings\application data\{97DF4EC2-7980-4318-B4D1-80714F8CAB82}

Then upload it here:

http://www.malwarebytes.org/forums/index.php?showforum=55

create a thread first and upload it.

Let me know in this thread once you've done that. Don't take any other actions yet.

[fuddrha]

Hi,

Can you zip the following folder first:

c:\documents and settings\robert\local settings\application data\{97DF4EC2-7980-4318-B4D1-80714F8CAB82}

Then upload it here:

http://www.malwarebytes.org/forums/index.php?showforum=55

create a thread first and upload it.

Let me know in this thread once you've done that. Don't take any other actions yet.

Mieke,

I've done that. The new thread is located here - http://www.malwarebytes.org/forums/index.php?showtopic=12984 .

Thanks,

Robert

[miekiemoes]

Hi,

Thank you for the file.

1. Please download GooredFix and save it to your Desktop.

• Select "2. Fix Goored" by typing 2 and pressing Enter.
  
• Make sure all instances of Firefox are closed at this point.
  
• Type y at the prompt and press Enter again.
  
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
  

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

[fuddrha]

Hi,

Thank you for the file.

1. Please download GooredFix and save it to your Desktop.

• Select "2. Fix Goored" by typing 2 and pressing Enter.

• Make sure all instances of Firefox are closed at this point.

• Type y at the prompt and press Enter again.

• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Mieke,

I think that fixed it. I've just run a few Google searches, and clicked a number of links for each search, and haven't been redirected once. Thanks so much!

GooredFix v1.92 by jpshortstuff

Log created at 11:52 on 22/03/2009 running Option #2 (Robert)

Firefox version 3.0.7 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]

"{97DF4EC2-7980-4318-B4D1-80714F8CAB82}"="C:\Documents and Settings\Robert\Local Settings\Application Data\{97DF4EC2-7980-4318-B4D1-80714F8CAB82}"

->Backing up value... Done.

->Deleting value... Done.

C:\Documents and Settings\Robert\Local Settings\Application Data\{97DF4EC2-7980-4318-B4D1-80714F8CAB82}

->Backing up folder... Done.

->Emptying folder... Done.

->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]

"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]

"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[miekiemoes]

Hi,

Yes, that indeed fixed it.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.