Spyware Warrior Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
FAQ :: Search :: Memberlist :: Usergroups :: Register
Profile :: Log in to check your private messages :: Log in

Another Redirect with firefox

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics
View previous topic :: View next topic  
Author Message
ganther
Newbie


Joined: 08 Oct 2011
Last Visit: 11 Oct 2011
Posts: 7

PostPosted: Sat Oct 08, 2011 7:57 am    Post subject: Another Redirect with firefox Reply with quote

First Thanks in advance

Problem is when I used the navigation tool bar to search on Google any link would redirect to some ad site but if I did a search using Google's home page it would not redirect. Yesterday the Google home page started to redirect as well as Firefox's navigation bar.

Also on log in I am getting this message poping up in a notepad type window [.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

I have noticed in the start --> all programs alot of my folders are empty.

And last thing I can see is I am missing computer management under administrator tools.

I have been fighting with this for 3 weeks and need help.

Here is the DDS log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Run by Ganther at 10:26:01 on 2011-10-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1161 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: avast! antivirus 4.7.1098 [VPS 111008-0] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title =
mDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {D593DE91-7B41-45C2-830E-E9A99AB142AA} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1282711757643
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282711745283
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9F00E4F3-412C-46F1-A20B-E6D95AC97B0E} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ganther\application data\mozilla\firefox\profiles\b6hj97cb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=119&systemid=406&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\ganther\application data\mozilla\firefox\profiles\b6hj97cb.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-7 64512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-3-9 140664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-30 54752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-3-9 247160]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-3-9 345464]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S0 hcelqvs;hcelqvs;c:\windows\system32\drivers\yhclm.sys --> c:\windows\system32\drivers\yhclm.sys [?]
S3 dcdbas;System Management Driver;c:\windows\system32\drivers\dcdbas32.sys --> c:\windows\system32\drivers\dcdbas32.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [2005-11-3 176640]
S3 SiwvidStart;SiwvidStart;\??\c:\docume~1\ganther\locals~1\temp\_istmp1.dir\_istmp0.dir\siwvid.sys --> c:\docume~1\ganther\locals~1\temp\_istmp1.dir\_istmp0.dir\siwvid.sys [?]
S4 Licmgm;Licmgm;c:\windows\system32\drivers\crusoe.sys [2004-8-3 36736]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S4 Winsermtaasu;Winsermtaasu; [x]
.
=============== Created Last 30 ================
.
2011-10-08 12:38:20 642 ---ha-w- C:\aaw7boot.cmd
2011-10-07 23:25:35 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-10-07 19:58:45 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-10-07 19:55:34 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-07 19:55:01 -------- d-----w- c:\program files\Lavasoft
2011-10-07 19:49:22 -------- d-----w- c:\documents and settings\ganther\application data\SUPERAntiSpyware.com
2011-10-07 19:48:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-10-07 19:48:49 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-10-03 03:47:25 -------- d-----w- c:\program files\Hidden Object Crosswords
2011-09-27 23:26:48 -------- d-----w- c:\documents and settings\ganther\application data\thTXwjUCeItPyAi
2011-09-27 23:26:48 -------- d-----w- c:\documents and settings\ganther\application data\kS2ibD3pn5Q6W8R
2011-09-27 04:58:11 -------- d-----w- c:\documents and settings\ganther\application data\uCCCellIBrzN
2011-09-27 04:58:11 -------- d-----w- c:\documents and settings\ganther\application data\H1uuvDD2onFpm5s
2011-09-24 19:48:02 -------- d-----w- c:\windows\system32\rH6sWK7fE9TqYeI
2011-09-16 05:01:08 -------- d-----w- c:\windows\system32\CatRoot2
2011-09-12 23:10:56 709968 ----a-w- c:\windows\isRS-000.tmp
.
==================== Find3M ====================
.
2011-09-04 21:09:41 0 ----a-w- c:\documents and settings\all users\application data\xwqp.exe
2011-09-04 21:09:41 0 ----a-w- c:\documents and settings\all users\application data\tnyt.exe
2011-09-04 21:09:41 0 ----a-w- c:\documents and settings\all users\application data\htgh.exe
2011-09-04 21:09:41 0 ----a-w- c:\documents and settings\all users\application data\erux.exe
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 07:13:32 445 ----a-w- c:\program files\081020112133190.bat
2011-08-10 06:39:06 709968 ----a-w- c:\windows\is-8COC9.exe
2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2010-11-04 12:58:48 440 ----a-w- c:\program files\110420107584871.bat
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200822AS rev.3.01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A65B4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a6617d0]; MOV EAX, [0x8a66184c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A6F6AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A6F6448]
\Driver\atapi[0x8A6E3F38] -> IRP_MJ_CREATE -> 0x8A65B4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A65B31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:28:53.87 ===============
Back to top
View user's profile Send private message
Gary R
Moderator


Joined: 03 May 2005
Last Visit: 30 Oct 2014
Posts: 9982
Location: Yorkshire

PostPosted: Sat Oct 08, 2011 4:56 pm    Post subject: Reply with quote

http://spywarewarrior.com/viewtopic.php?t=34064&highlight=

Quote:
This is a Duplicate Post, and has therefore been closed.

_________________
Gary R Administrator at Malware Removal University



If you've been helped, please donate to help with the costs of this volunteer site .... Spyware Warrior Donations
Back to top
View user's profile Send private message
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics All times are GMT - 8 Hours
Page 1 of 1

 
Jump to:  
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group