Jump to content

HELP =( Redirect malware of some sorts


Recommended Posts

So, I picked up something somewhere, no idea what it is, apparently redirecting all my searches in any search engine, in any browser. (Somehow got past my AVG anti-virus, which I know its all resiliant). Anyways, I quickly ran malware, and my avg and malware caught the problem, and fixed it, and all was good. Then after a while it came back, ran it again, and it fixed it again, and then came back AGAIN, and now i'm totally hooped, can't even run Malwarebytes, ran Ad-Aware, and it did nothing. I am at the end of my leash here, as starting up in safe mode, or anything like that does not allow me to run the program. -=( Here is my HijackThis Log.

Appreciate any help that I can get, thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:18:13 PM, on 10/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Safe mode

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=4070102

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row-rel/e...html?channel=ca

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=4070102

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=4070102

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www1.ca.dell.com/content/default.as...;l=en&s=gen

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?

O17 - HKLM\System\CCS\Services\Tcpip\..\{3869FD2C-AFDF-497A-8180-02625A4B6D01}: NameServer = 192.168.1.1

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--

End of file - 8933 bytes

Link to post
Share on other sites

I am unable to run Malewarebytes anymore, it will not load in safe or normal mode.

=(

Here is my hijack log in normal mode.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:37:15 PM, on 11/11/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\PROGRA~1\DELLSU~1\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\java.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=4070102

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=4070102

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WebCapture.dll2.htm

O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WebCapture.dll1.htm

O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WebCapture.dll.htm

O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra button: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra button: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra button: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O9 - Extra 'Tools' menuitem: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://costco.pnimedia.com/upload/activex/...upv2.0.0.10.cab?

O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--

End of file - 10713 bytes

Link to post
Share on other sites

Open HijackThis. Click-->Open the Misc Tools section-->Open Uninstall Manager-->Save list...and save the list to your Desktop, then close HijackThis.

A notepad file will open. Copy and paste the content of that text file back here on your next reply. Thanks!

Link to post
Share on other sites

Open HijackThis. Click-->Open the Misc Tools section-->Open Uninstall Manager-->Save list...and save the list to your Desktop, then close HijackThis.

A notepad file will open. Copy and paste the content of that text file back here on your next reply. Thanks!

Here we go:

Ad-Aware

Adobe Flash Player ActiveX

Adobe Reader 7.1.0

Apple Mobile Device Support

Apple Software Update

AVG Free 8.0

Bonjour

Bullzip PDF Printer 5.0.0.609

CCleaner (remove only)

Cisco Systems VPN Client 5.0.03.0560

Command & Conquer 3

Compatibility Pack for the 2007 Office system

ConvertXtoDVD 3.0.0.1

Dell CinePlayer

Dell Driver Reset Tool

Dell Support 3.2.1

Dell Support Center (Support Software)

DellConnect

DivX Codec

DivX Content Uploader

DivX Converter

DivX Player

DivX Web Player

DVD Identifier

FinalBurner Free v1.30.0.127

Google Toolbar for Internet Explorer

Google Toolbar for Internet Explorer

GPL Ghostscript Lite 8.61

GPL MPEG-1/2 DirectShow Decoder Filter

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Intel® Matrix Storage Manager

iTunes

J2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

Java DB 10.3.1.4

Java 6 Update 2

Java 6 Update 3

Java 6 Update 5

Java 6 Update 6

Java 6 Update 7

Java SE Development Kit 6 Update 6

Java SE Runtime Environment 6 Update 1

K-Lite Codec Pack 3.3.0 Basic

Linksys Updater

Magic ISO Maker v5.4 (build 0239)

MagicDisc 2.7.97

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Professional

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Works

mIRC

MobileMe Control Panel

Mozilla Firefox (3.0.3)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 6.0 Parser (KB933579)

neroxml

NICI (Shared) U.S./Worldwide (128 bit) (2.7.3-1)

NVIDIA Drivers

OpenAL

Otto

Panda ActiveScan 2.0

PeerGuardian 2.0

Picasa 2

QuickTax 2007

QuickTime

Readiris Pro 10

RealPlayer

Rhapsody Player Engine

Samsung SCX-4300 Series

SearchAssist

Security Update for CAPICOM (KB931906)

Security Update for CAPICOM (KB931906)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Sid Meier's Civilization 4

Sid Meier's Civilization 4 - Beyond the Sword

Sid Meier's Civilization 4 - Warlords

Skype

Link to post
Share on other sites

Thanks again for the help

I was able to uninstall all of those, and restarted when prompted to, I was unable to go to that website as it seems 'blocked' and anything else is redirected to well these malware sites.

This is the error I get, (this is the same when trying to update any antivirus program), I am currently on my labtop right now, hence why I am on the net, because I can't even access this site via my computer, and everything runs 'super slow'.

Hope we can find a workaround to this, because as I said I can not go to that site.

9e75001ferror.jpg

This is an screenshot of the error I get from firefox, but as I said some sites I can access, anything to do with malware removal apparently I can not.

Uninstall these:

Adobe Flash Player ActiveX

Adobe Reader 7.1.0

2SE Runtime Environment 5.0 Update 10

J2SE Runtime Environment 5.0 Update 11

J2SE Runtime Environment 5.0 Update 6

Java

Link to post
Share on other sites

Download HostsXpert

  • Extract the zip file to your desktop or a permanent folder on your hard drive.
  • Open the folder and double-click on the HostsXpert.exe
  • Press "Restore Original Hosts"
  • Press "OK" and exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Now return to the previous instruction again and perform the kaspersky scan. Thanks!

Link to post
Share on other sites

I ran that program and clicked on the "Restore MS Hosts File" and then tried again to go to the Kaspersky.com website, and was unable to, again here is a screen shot of it.

78e8784cerror2.jpg

As I said I'm at my wits end here, =S I'm not that computer savy and its getting to me.....

Really appreciate the help 1972vet.

If I should stop posting screen shots or anything please let me know, as I don't want to put anything compromising online either.

Download HostsXpert
  • Extract the zip file to your desktop or a permanent folder on your hard drive.
  • Open the folder and double-click on the HostsXpert.exe
  • Press "Restore Original Hosts"
  • Press "OK" and exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Now return to the previous instruction again and perform the kaspersky scan. Thanks!

Link to post
Share on other sites

Well I have nothing but time...and plenty of tricks. Let's just try a bigger gun:

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.

Link to post
Share on other sites

Well I am unable to access those sites on a computer so I had to access them via my labtop and put all the required files on a thumb drive (and then transferred them to the 'infected computer'), I did so, and followed the instructions as per the website on the combofix. When trying to combine the 'windowsXP' (the one downloaded from the website, [as I do not have a Windows disk, just what came with the computer which I purchased through Dell.ca] URL for the link to the windowsXP that I downloaded is http://www.microsoft.com/downloads/details...displaylang=en) I do not get a 'progress' bar, (what I am assuming is 'proof' that these two are being combined).

I do get the sand timer though, so I thought that this might be the same. Although, reading the instructions leads me to believe that something should happen.

(So under the impression that the sand timer was the same as the progress bar) I double clicked on the Combofix icon, and nothing happens, a lill sand timer goes on, and then goes off. Tried again unsuccessfully to combine the two and nothing. Redownloaded the files from different sites (the combofix that is) and the Windows thing again, and transferred them again to the 'infected' computer, again tried to combine them, and nothing happened.

Hopefully you have some more tricks up your sleeve, cause I dont know what to do, again I hope that you have something else left.....

On a different but perhaps relevant note, I have been prompted to download updates via microsoft for my computer (I have not done so becuase well I don't want to change anything that may affect my computer being 'fixed'.

FYI these are the updates that are from Microsoft in my 'automatic updates'

Security update for Microsoft Office (KB951550)

Security update for Mirosoft XML Core Services 4.0 Service Pack (KB954430)

Security update for Windows XP (KB954459)

Secuirty update for Windows XP (KB955069)

Security update for Windows XP (KB957097)

Windows Malicious Software Removal Tool - November 2008 (KB890830)

This will probably be the last post of the day as I have to go to bed, hopefully in the AM you may have something else to suggest? or if you need more information let me know.

Thanks again.

Well I have nothing but time...and plenty of tricks. Let's just try a bigger gun:

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.

Link to post
Share on other sites

Just an update here in the morning....... Apparently somehow the auto-updates from windows installed with or without my knowledge, as I woke up and get the little green shield saying that my computer was updated (wow, isn't that something) so, I thought maybe everything would be great.

So I go to google search, and type in "stuff" I scroll over the first result that is shown, and it says "stuffmagazine.com" OMG ITS FIXED, no, unfortunatly not, I try to go to Kaspersky online webscan, and nothing happens again, plus once i click on one search and then 'go back' to google, once I scroll over search links it shows that it will be redirected by "go.google.com" to whatever malicious sites it goes to.

I also tried recombining the combofix and the downloaded file from windows and again nothing happened..... (thought maybe the computer might want a rest from last nite.... =S)

I hope once you read this all you might have a new idea..... =S

Link to post
Share on other sites

Click Start/Run/Type the following command:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\inf\ie.inf

Next, Click Start-->Control Panel-->Internet Options

In the General tab under the "Search" section, click the Settings button. Remove everything listed there except for your Google (Default) entry. If Google is not designated as default, then click on it and then click the Set Default button. Click "Apply" and "OK". Reboot. When the system comes back up, visit the Kaspersky web site again and post back that log. Thanks!

Link to post
Share on other sites

Thanks again for your quick reply 1972vet.

So again did as instructed.

And it didn't work. Sounds like an ongoing joke with me and this computer =(

When running that command in "run" it prompted me for a iexplore.exe' on windows xpprofessional service pack 3 cd is needed.

Seen here.

4580a176error3.jpg

Because I don't have the windows disk, I thought it might be prompting me from the dell disk (entitled Operating System Already Installed on your computer....... Reinstallation DVD Microsoft Windows XP Media Ceter Version 2005 with Update Rollout 2) So I inserted that disk, found the iexplore.exe, and then followed your other instructions. After it was done, I was shown this error.

30e90a7cerror4.jpg

Tried typing in the Kaspersky website as shown in the link, and it did not work, with both Firefox and Iexplorer.

Any further ideas.... =(

Click Start/Run/Type the following command:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\inf\ie.inf

Next, Click Start-->Control Panel-->Internet Options

In the General tab under the "Search" section, click the Settings button. Remove everything listed there except for your Google (Default) entry. If Google is not designated as default, then click on it and then click the Set Default button. Click "Apply" and "OK". Reboot. When the system comes back up, visit the Kaspersky web site again and post back that log. Thanks!

Link to post
Share on other sites

Download Hitman Pro and run the tool. Post back your results. Thanks!

I've run the tool - it's found three things that are a problem and it wants me to remove them - however I haven't done so yet because it prompts me and says - do I want to do so even though it can't set a system restore point. Should i go ahead and remove them anyway?

Link to post
Share on other sites

This may not be clear - sorry. What I was trying to say is - I ran the Hitman Pro, and it says it's found three malware files. They have them classified - I can't read entirely what they classify them as, but here is what I see:

Classification Filename

TR/PSW.IEPass.... 1.exe (c:\documents and settings\home\local settings\temp)

NSIS/TrojanDow... 4.exe (c:\documents and settings\home\local settings\temp)

Convert.Sys.Exec tdssmriv.dll (c:\windows\system32)

Then I proceed to "next" and it prompts me and says:

Unable to create a restore point. System Restore could be disabled. Would you like to continue removing malicious software anyway?

My question is - should I go ahead anyway?

Link to post
Share on other sites

Click start-->control panel-->system-->system restore...if a check mark appears in the box "turn off system restore on all drives" then remove that check. Regardless, click the Settings button and move the slider to the right until it shows 500 MB's or as close to it as you can get.

If the above is disabled or grayed out, it undoubtedly has been done by the rootkit infection you have...proceed with the removal.

Link to post
Share on other sites

Uh something in German came up.....????????

De schadelijke software is gedeelteljik van de cmputer verwijderd. Start de computer opnieuw op omhet verwijderen te voltooien Wanneer u de computer opnieuw heeft opgestart zal dit hulpprogramma automatisch uw computer opnieuw doorzoeken.

Wilt u de computer nu opinieuw opstarten (Aanbevolen)

Yes or No?

Ha ha had to type that all out from my other computer.... so.. ummmm yes or no..? lol...

Link to post
Share on other sites

It's telling you that malicious software has been removed and is asking you to restart the computer to complete the removal. Upon restarting, the program wants to scan again...but it wants you to answer "Yes" to restart now so it can continue on it's agenda. So...lol answer yes.

Link to post
Share on other sites

Ok, so clicked on yes, computer restarted, then another screen came up, which looked like an old school 'safe mode' in 16 bit colour, where it was showing it deleiting things etc....

But upon restart the entire computer screen is just well black.... I am going to try a manual restart as all there is, is a mouse icon and thats it.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.