
Thread: virtumonde.sdn, dynamically altered links, lots of bad stuff

  1. #11
    Junior Member
    Join Date
    May 2009
    Posts
    10


    Sorry for the delay, this scan took a long time.


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Monday, May 25, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Sunday, May 24, 2009 14:09:37
    Records in database: 2233588
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    S:\
    T:\

    Scan statistics:
    Files scanned: 346008
    Threat name: 14
    Infected objects: 39
    Suspicious objects: 0
    Duration of the scan: 07:03:53


    File name / Threat name / Threats count
    C:\Documents and Settings\tyler\.housecall6.6\Quarantine\lmn_setup.exe.bac_a02192 Infected: Trojan-Dropper.Win32.Agent.apgo 1
    C:\Documents and Settings\tyler\Application Data\Thunderbird\Profiles\961z1n4u.default\Mail\localhost\Inbox Infected: Trojan.JS.Redirector.b 4
    C:\Documents and Settings\tyler\Desktop\regtools.vbs Infected: not-a-virus:RiskTool.VBS.DisReg.a 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
    C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1055860099.exe.vir Infected: Trojan.Win32.Agent.cirp 1
    C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\916653139.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.g 1
    C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\Qoobox\Quarantine\C\Documents and Settings\tyler\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\Qoobox\Quarantine\C\Documents and Settings\tyler\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthvymesoyvdpmpiksmxxflewndjouobobu.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lmn_setup.exe.vir Infected: Trojan-Dropper.Win32.Agent.apgo 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthbxakoykveeojioyvfcjyhqpsbhojfsjj.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthmbsjujgwtdfpxmbrfqqmoelydvugaitd.dll.vir Infected: Trojan.Win32.Tdss.aald 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthtueppkcrqsitkjhvtsgeqdxhfipurfke.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthtueppkcrqsitkjhvtsgeqdxhfipurfke.dll_old.vir Infected: Trojan.Win32.Tdss.aalc 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-PSW.Win32.LdPinch.agbf 1
    C:\Qoobox\Quarantine\[4]-Submit_2009-05-24_04.20.20.zip Infected: Trojan.Win32.Agent.cimn 2
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130639.sys Infected: Trojan.Win32.Tdss.aalf 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130640.dll Infected: Trojan.Win32.Tdss.aalc 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130641.dll Infected: Trojan.Win32.Tdss.aalg 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130642.dll Infected: Trojan.Win32.Tdss.aald 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130663.dll Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130664.dll Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130666.exe Infected: Trojan-Dropper.Win32.Agent.apgo 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130669.exe Infected: Trojan.Win32.Agent.cirp 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130670.exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.g 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130671.dll Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130672.dll Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130673.dll Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130680.exe Infected: Trojan-PSW.Win32.LdPinch.agbf 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130682.exe Infected: Trojan-PSW.Win32.LdPinch.agbf 1
    C:\WINDOWS\pss\ChkDisk.dllStartup Infected: Trojan-Spy.Win32.Agent.argt 1
    S:\s\complete\unsorted\Scene\ZhayTee\Star Systems - The Ideal City (Fourth Movement).mp3 Infected: Virus.DOS.VCC.Pocks.424 1

    The selected area was scanned.





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:23:24 PM, on 5/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\tracking\protools\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Flock\flock.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {c871956a-1bff-4b64-9254-6551494a43aa} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\tracking\protools\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\office03\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\office03\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\tyler\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/game...Plugin7USA.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\MsgPlusLoader.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: hggfdec - C:\WINDOWS\
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\tracking\protools\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe

    --
    End of file - 11231 bytes

  2. #12
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Yes, it will.

    Empty these folders:

    C:\Documents and Settings\tyler\.housecall6.6\Quarantine
    C:\Qoobox\Quarantine\

    Delete these:

    C:\WINDOWS\pss\ChkDisk.dllStartup
    S:\s\complete\unsorted\Scene\ZhayTee\Star Systems - The Ideal City (Fourth Movement).mp3

    Empty Recycle Bin.

    Still problems?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
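    The triage in the reply above splits the Kaspersky hits into two groups: files already sitting in a quarantine folder (contained, so the folder is simply emptied) and files in live locations (still need deleting). The following Python parser is an added example, not code from this thread, from Kaspersky or from the helper; it applies the same split to the report's detection lines. The sample input is a handful of lines copied from the report earlier in the thread; the category names, the separate bucket for System Restore copies, and the riskware bucket for "not-a-virus:" hits are my own assumptions.

    ```python
    import re
    from collections import Counter

    # Sample input: six detection lines plus the footer, copied from the
    # Kaspersky Online Scanner report posted earlier in this thread.
    SAMPLE_REPORT = r"""
    C:\Documents and Settings\tyler\.housecall6.6\Quarantine\lmn_setup.exe.bac_a02192 Infected: Trojan-Dropper.Win32.Agent.apgo 1
    C:\Documents and Settings\tyler\Application Data\Thunderbird\Profiles\961z1n4u.default\Mail\localhost\Inbox Infected: Trojan.JS.Redirector.b 4
    C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-PSW.Win32.LdPinch.agbf 1
    C:\System Volume Information\_restore{F8AA3596-A17B-46B6-A847-BA39BEB8D45C}\RP1430\A0130639.sys Infected: Trojan.Win32.Tdss.aalf 1
    C:\WINDOWS\pss\ChkDisk.dllStartup Infected: Trojan-Spy.Win32.Agent.argt 1
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 1
    The selected area was scanned.
    """

    # One report line: "<path> Infected: <threat name> <count>".
    # Paths may contain spaces, threat names never do, so the path is matched lazily.
    LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


    def classify(path, threat):
        """Assign a triage bucket to one detection (bucket names are this example's own).

        quarantine    - already contained by another tool; empty the quarantine folder
        restore_point - a System Restore copy, not a running file; handled separately
        riskware      - Kaspersky's "not-a-virus:" prefix marks a legitimate tool, review it
        live          - a real file in a live location; this is what needs removal
        """
        low = path.lower()
        if "\\quarantine\\" in low:
            return "quarantine"
        if "\\system volume information\\_restore" in low:
            return "restore_point"
        if threat.lower().startswith("not-a-virus:"):
            return "riskware"
        return "live"


    def parse_report(text):
        """Return one dict per detection line; headers and the footer are skipped."""
        detections = []
        for raw in text.splitlines():
            m = LINE_RE.match(raw.strip())
            if not m:
                continue
            path, threat = m.group("path"), m.group("threat")
            detections.append({
                "path": path,
                "threat": threat,
                "count": int(m.group("count")),
                "category": classify(path, threat),
            })
        return detections


    def summarize(detections):
        """Number of detection lines per triage bucket."""
        return dict(Counter(d["category"] for d in detections))


    def live_paths(detections):
        """Paths that still need action, in report order (the 'Delete these' list)."""
        return [d["path"] for d in detections if d["category"] == "live"]


    if __name__ == "__main__":
        dets = parse_report(SAMPLE_REPORT)
        print(summarize(dets))
        for p in live_paths(dets):
            print("delete:", p)
    ```

    Run on the full report, the same split shows why a scan with 39 infected objects can boil down to two deletions: nearly everything else is a quarantine copy or a System Restore snapshot of a file that was already removed. A hit inside a mail store such as the Thunderbird Inbox is a stored message rather than a running program, so it lands in the live bucket but calls for deleting the message, not the mailbox.
    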

  3. #13
    Junior Member
    Join Date
    May 2009
    Posts
    10


    Thank you so far. Unfortunately, yes, I still have problems. I've been using a browser called "Flock" as my emergency backup. When I start Firefox, it loads very slowly and suspiciously. Then, when I do a Google search for "stuff" and click on the result "Stuff White People Like" (a trustworthy, basic, humour sort of blog), I get redirected to a site other than the expected one.

    I've attached a few screenshots. Sear.jpg is an example of expected search results. The others show what happens when I click on the bottom result.

    Additionally, when I check my hotmail account, I can't click on any email messages. When I click, nothing happens.

    I suspect shenanigans, and it has something to do with opening Firefox. Any ideas? Add-ons or plugins within Firefox? I also suspect Firefox may be what triggers the reinstall of whatever has been spreading back on my system in the past. I hope I haven't undone any of your work.

  4. #14
    Junior Member
    Join Date
    May 2009
    Posts
    10


    Also, please note that I didn't click "OK" when that box came up.

  5. #15
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Yes, you might have a certain Firefox-specific infection.

    Please download GooredFix by jpshortstuff ... save it to your desktop.
    1. Double-click Goored.exe to run it.
    2. Select "1. Find Goored (no fix)"... by typing 1 and pressing Enter.
    3. A log will open... it can also be found on your desktop... "Goored.txt".
    4. Please post the contents of the log Goored.txt in your next reply.

    Note: Do not run Option #2 unless instructed to do so!
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #16
    Junior Member
    Join Date
    May 2009
    Posts
    10


    GooredFix v1.92 by jpshortstuff
    Log created at 01:10 on 26/05/2009 running Option #1 (tyler)
    Firefox version 3.0.10 (en-US)

    =====Suspect Goored Entries=====

    C:\Program Files\Mozilla Firefox\extensions\{C232E52F-23C9-4688-999E-6C512033249B}

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

  7. #17
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Important! Make sure all instances of Firefox are closed!
    1. Please double-click the GooredFix.exe icon... on your desktop to run it.
    2. Select "2. Fix Goored"... by typing 2 and pressing Enter.
    3. Type y... at the prompt ... press Enter again.
    4. A log will open... it can also be found on your desktop... "GooredLog.txt".
    5. Please post the contents of the log GooredLog.txt in your next reply.

    Note: Please also allow any registry changes that may be challenged by any of your security programs.
    If you receive a message indicating a system restart is needed, please save any work, close all applications and reboot your system.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #18
    Junior Member
    Join Date
    May 2009
    Posts
    10


    No message asking for a restart. I ran it. I just tried Firefox and can't replicate my previous link alteration problem, but I noticed in the past that it would go away sometimes after I ran Spybot, Malwarebytes, or AVG... then eventually return. I'll keep you updated if I see anything suspicious over the next week or so; I'd really prefer not to consider this case "closed" yet. I am very grateful for the help you've provided. You're a really nice person for volunteering your time like this. My results:


    GooredFix v1.92 by jpshortstuff
    Log created at 13:05 on 26/05/2009 running Option #2 (tyler)
    Firefox version 3.0.10 (en-US)
    (Subsequent Run)

    =====Goored Deletions=====
    C:\Program Files\Mozilla Firefox\extensions\{C232E52F-23C9-4688-999E-6C512033249B}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Yes, Goored is gone now.

    Test a bit and let me know.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Due to the lack of feedback this Topic is closed.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

    Everyone else please begin a New Topic.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
