Author Topic: [Resolved] "XP Security" infection removed Firefox and IE being redirected.  (Read 6874 times)


Offline ShaneJack

  • Bronze Member
  • Posts: 31
Here are the SUPERAntiSpyware and HijackThis logs, and the Bitdefender log is attached since it was HTML.  I've done some more playing around with Firefox in safe mode and Google is in fact being redirected as well.  Every few links on a search I get redirected, and it seems that even if I go back and try that link again, I get redirected somewhere else.  So all three of the search engines are affected.  Also, that computer is still not letting me post on the forum (as if the designer doesn't want me to be able to get help).

Should I not do that Windows Update that I recently received?

Thanks.

--------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/18/2010 at 07:16 AM

Application Version : 4.35.1000

Core Rules Database Version : 4818
Trace Rules Database Version: 2630

Scan type       : Complete Scan
Total Scan Time : 04:04:43

Memory items scanned      : 596
Memory threats detected   : 0
Registry items scanned    : 7083
Registry threats detected : 0
File items scanned        : 340652
File threats detected     : 139

Adware.Tracking Cookie
   C:\Documents and Settings\Shane\Cookies\shane@adknowledge[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@insightexpressai[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@www.stopzilla[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@gostats[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@app.insightgrit[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@overture[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@media6degrees[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@stopzilla[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@revsci[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@ad.yieldmanager[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@serving-sys[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@xml.trafficengine[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@ads.undertone[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@network.realmedia[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@bridge1.admarketplace[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@specificmedia[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@counter.surfcounters[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@bizzclick[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@ads.pointroll[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@specificclick[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@www.findstuff[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@admarketplace[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@247realmedia[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@collective-media[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@trafficmp[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@questionmarket[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@adbrite[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@cdn4.specificclick[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@msnbc.112.2o7[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@pointroll[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@microsoftwindows.112.2o7[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@realmedia[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@interclick[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@kanoodle[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@cgm.adbureau[1].txt
   C:\Documents and Settings\Shane\Cookies\shane@bs.serving-sys[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@invitemedia[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@ad.wsod[2].txt
   C:\Documents and Settings\Shane\Cookies\shane@oasn04.247realmedia[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@a1.interclick[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@ad.yieldmanager[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@adinsert.buddymedia[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@adlegend[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@ads.lucidmedia[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@ads.pointroll[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@at.atwola[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@cdn4.specificclick[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@citi.bridgetrack[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@interclick[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@invitemedia[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@kontera[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@lfstmedia[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@media.photobucket[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@media6degrees[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@microsoftwindows.112.2o7[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@socialmedia[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@specificclick[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@specificmedia[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@stat.onestat[2].txt
   C:\Documents and Settings\Alex\Cookies\alex@tripod[1].txt
   C:\Documents and Settings\Alex\Cookies\alex@viacom.adbureau[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@ad.yieldmanager[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@ads.ad4game[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@ads.pointroll[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@ads.undertone[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@adserver.adtechus[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@adxpose[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@at.atwola[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@atwola[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@beacon.dmsinsights[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@bs.serving-sys[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@content.yieldmanager[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@kontera[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@microsoftsto.112.2o7[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@pointroll[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@revsci[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@serving-sys[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@sojern.122.2o7[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@specificclick[2].txt
   C:\Documents and Settings\Ami\Cookies\ami@tacoda[1].txt
   C:\Documents and Settings\Ami\Cookies\ami@tribalfusion[1].txt
   C:\Documents and Settings\LocalService\Cookies\system@advertise[1].txt
   C:\Documents and Settings\LocalService\Cookies\system@advertise[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@a1.interclick[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.jmg[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.spreety[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.wsod[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[5].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[6].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[7].txt
   C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@adbrite[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@adbrite[4].txt
   C:\Documents and Settings\NetworkService\Cookies\system@admarketplace[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@ads.undertone[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@advertise[4].txt
   C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@bridge1.admarketplace[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91456.asklots[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91462.blueseek[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@clickpayz10.91469.blueseek[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[4].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[5].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[6].txt
   C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[7].txt
   C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@google.lucidmedia[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@lucidmedia[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[4].txt
   C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
   C:\Documents and Settings\NetworkService\Cookies\system@revsci[3].txt
   C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
   C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[3].txt

Adware.CouponBar
   C:\WINDOWS\SYSTEM32\CPNPRT2.CID



Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:18:24 PM, on 4/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://spywarehammer.com/simplemachinesforum/index.php?topic=7454.15#bot
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231993424531
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MediaMall Server - MediaMall Technologies, Inc. - C:\Program Files\MediaMall\MediaMallServer.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - D:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 9387 bytes
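
A HijackThis log like the one above is read by hand, entry type by entry type. As an added example, not part of the thread and not HijackThis's own code, here is a small Python triage pass over that log format that pulls out the entry types a reviewer checks first: anything marked "(file missing)", the O10 "Unknown file in Winsock LSP" line, and O23 services whose binary has no recognised owner. The embedded log is a constructed excerpt modelled on the entries posted here, not the full log, and the hits are leads for manual verification, not verdicts: each can have a benign explanation, such as a stale registration left behind by an uninstalled or upgraded product.

```python
import re

# Constructed sample in HijackThis v2 log format. The entry types and paths
# are modelled on the log posted in the thread, but this excerpt is
# hand-assembled for the example and is not the poster's full log.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: TVersityMediaServer - Unknown owner - D:\\Program Files\\TVersity\\Media Server\\MediaServer.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (code, body) pairs, skipping header/footer lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage_hjt(text):
    """Return (code, reason, body) for entries that warrant a manual look.

    These are review heuristics, not malware verdicts: a "(file missing)"
    entry can be a leftover registration, an O10 line only means HijackThis
    does not recognise that LSP, and "Unknown owner" means the service binary
    carries no publisher string HijackThis could read.
    """
    findings = []
    for code, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append((code, "references a file that no longer exists", body))
        elif code == "O10":
            findings.append((code, "Winsock LSP not on HijackThis's known list; an LSP sees all socket traffic", body))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service binary has no recognised publisher", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{code}: {reason}\n    {body}")
```

Run it against a real log by replacing the constructed sample with the file contents; the output is a short list to check by hand, which is the same job the helper does when reading the full log.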

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22719
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Don't do updates until we can clear up the problem. I am going to have to go back over everything. So it may take me a while to get something else for you to do.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline Hoov

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Test the browsers again and let me know if you are still being redirected.

Offline ShaneJack

Browsers still redirecting.  Checked IE and Firefox in safe mode.  Bing and Yahoo redirect a lot.  Couldn't get Google to do it, but I'm not convinced that it won't since that was the way it behaved before.


GooredFix by jpshortstuff (08.01.10.1)
Log created at 03:54 on 20/04/2010 (Shane)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:05 15/01/2009]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [08:12 11/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [06:28 16/05/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [16:27 10/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [11:02 10/11/2009]

C:\Documents and Settings\Shane\Application Data\Mozilla\Firefox\Profiles\bhn8a1vm.default\extensions\
GameTap@gametap.com [08:00 06/09/2009]
moveplayer@movenetworks.com [08:40 29/01/2009]
{20a82645-c095-46ed-80e3-08825760534b} [21:36 05/09/2009]
{a7c6cf7f-112c-4500-a7ea-39801a327e5f} [09:16 08/01/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [06:36 17/09/2009]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [17:12 02/11/2009]
"avg@igeared"="C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared" [16:30 27/12/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [08:11 11/03/2009]

-=E.O.F=-

Offline Hoov

I need you to look in the control panel and then in the add remove programs and see if you have any entries for Java other than Java Runtime Environment update 20. If there are please uninstall all the others except update 20. If you don't have update 20 then uninstall all copies of java and then install java using the instructions below.

  • Scroll down to "JDK 6 Update 20 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.
After only update 20 is installed, then clear your java cache using the instructions below.

To clear the Java Runtime Environment (JRE) cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel. The Java Control Panel appears.
  • Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
  • Click Delete Files. The Delete Temporary Files dialog box appears. There are three options on this window to clear the cache:
    • Delete Files
    • View Applications
    • View Applets
  • Click OK on the Delete Temporary Files window. Note: this deletes all the downloaded applications and applets from the cache.
  • Click OK on the Temporary Files Settings window.
  • Close the Java Control Panel.
You can view those instructions along with graphics Here.


Let me know when you get this far.

Offline Hoov

Sorry, somehow I left out the link to download Java. The procedure should be

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to "JDK 6 Update 20 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Offline ShaneJack

I uninstalled the version of Java I had (16) and installed this one.  I never saw an option to replace the control panel applet, and when I open up the Java control panel, the options are different than the illustrations on the website you linked to.  There are no buttons on the top, but there is a 'Delete Files' at the bottom which pops up a 'Delete Temporary Files' box with check boxes for 'Applications and Applets' and 'Trace and Log files', so I deleted those.

I went ahead and checked the browser and I'm still getting redirected. 

What's next?

Offline Hoov

Start your browser and do a search, and then click on the results while the process below is running.


Click start-->run
Type cmd in the Run box.
In the command prompt that opens, type or copy and paste the following:
netstat -b 5 > activity.txt

Press Enter. Wait 2 minutes (Or as long as it takes you to get redirected) then press Ctrl+C.
Type activity.txt on the command line to open the log file in notepad.


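Run with an interval, `netstat -b 5` prints a fresh "Active Connections" snapshot every five seconds, with each connection line followed by the DLLs involved (when netstat knows them) and the owning process in square brackets, so a two-minute capture is long and mostly repetitive. As an added example, not part of the thread and not a tool from the helper or the poster, here is a Python parser for that format that de-duplicates connections across snapshots, groups foreign endpoints by process, and flags two things worth a closer look in a redirect investigation: a browser talking to an address that resolved to no reverse DNS name, and an svchost.exe instance making connections through WININET.dll. The snapshot embedded below is constructed for the example (modelled on the log posted later in the thread), the browser list is an assumption, and the hits are leads to verify, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format Windows XP writes for "netstat -b 5 > activity.txt".
# Two snapshots, hostnames and addresses modelled on the thread's posted log;
# the capture itself is hand-assembled for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1955          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2311          65.199.63.73:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316
  C:\\WINDOWS\\System32\\WS2_32.dll
  C:\\WINDOWS\\system32\\WININET.dll
  [svchost.exe]

  TCP    daleksec:1712          yi-in-f17.1e100.net:https  TIME_WAIT       0

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:2311          65.199.63.73:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2395          62.212.69.84:http      CLOSE_WAIT      1332
  [firefox.exe]
"""


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    foreign: str
    state: str        # empty for UDP lines, which carry no state column
    pid: int
    process: str      # name from the "[name]" line; "" when netstat prints none (e.g. PID 0)
    modules: tuple    # DLL paths netstat listed between the connection line and the process


BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:")   # foreign address with no DNS name
PROC_RE = re.compile(r"^\[(.+)\]$")
BROWSERS = {"firefox.exe", "iexplore.exe"}               # assumption: browsers of interest here


def _connection_fields(line):
    """Return [proto, local, foreign, state, pid] for a connection line, else None."""
    parts = line.split()
    if len(parts) == 5 and parts[0] in ("TCP", "UDP") and parts[4].isdigit():
        return parts
    if len(parts) == 4 and parts[0] == "UDP" and parts[3].isdigit():
        return parts[:3] + ["", parts[3]]
    return None


def parse_netstat(text):
    """Parse one or more netstat -b snapshots into unique Connection records."""
    unique = {}          # dict used as an insertion-ordered set
    pending = None       # (fields, modules) for the connection line being read

    def flush(process):
        nonlocal pending
        if pending is not None:
            fields, modules = pending
            conn = Connection(fields[0], fields[1], fields[2], fields[3],
                              int(fields[4]), process, tuple(modules))
            unique[conn] = None
            pending = None

    for raw in text.splitlines():
        line = raw.strip()
        fields = _connection_fields(line)
        if fields is not None:
            flush("")                  # previous line had no "[process]" (PID 0 entries)
            pending = (fields, [])
            continue
        if pending is None:
            continue                   # headers, blank lines between snapshots
        m = PROC_RE.match(line)
        if m:
            flush(m.group(1))
        elif line:
            pending[1].append(line)    # a DLL path printed above the process name
        else:
            flush("")                  # blank line closes an ownerless entry
    flush("")
    return list(unique)


def foreign_by_process(conns):
    """Map process name (or 'pid N' when unnamed) to the set of foreign endpoints."""
    out = {}
    for c in conns:
        out.setdefault(c.process or f"pid {c.pid}", set()).add(c.foreign)
    return out


def triage(conns):
    """Heuristic leads for a redirect investigation; each still needs manual checking."""
    hits = []
    for c in conns:
        if c.foreign.startswith(("localhost:", "127.")):
            continue
        if c.process.lower() in BROWSERS and BARE_IP_RE.match(c.foreign):
            hits.append(f"{c.process} -> {c.foreign} ({c.state}): browser endpoint with no reverse DNS name; identify the owner")
        if c.process.lower() == "svchost.exe" and any("wininet" in m.lower() for m in c.modules):
            hits.append(f"{c.process} (pid {c.pid}) -> {c.foreign}: WinINet HTTP client inside a service host; map the PID with tasklist /svc")
    return hits


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for name, endpoints in sorted(foreign_by_process(conns).items()):
        print(name, sorted(endpoints))
    for hit in triage(conns):
        print("CHECK:", hit)
```

Point it at the real activity.txt by reading the file into `parse_netstat`; the per-process summary shows which endpoints the browser actually reached during the redirects, and the triage list is where to start looking.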
Offline ShaneJack

So I did a search for "tequila lime chicken" on Bing and clicked on the first four links and was redirected all four times, which is way more aggressive than it's normally been.  It had been about two minutes and the fourth redirect was to porn, so I decided that was enough and wrapped the activity log up for you:


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3562          localhost:3561         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3586          localhost:3587         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3587          localhost:3586         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1034          210-202.amazon.com:http  ESTABLISHED     1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1955          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2254          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2311          65.199.63.73:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1026          210-202.amazon.com:https  CLOSE_WAIT      1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1038          host.playon.tv:http    CLOSE_WAIT      988
  [MediaMallServer.exe]

  TCP    daleksec:1440          a72-246-30-18.deploy.akamaitechnologies.com:http  CLOSE_WAIT      3620
  [jusched.exe]

  TCP    daleksec:1641          static.78-47-248-116.clients.your-server.de:http  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:3687          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:3688          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    daleksec:1712          yi-in-f17.1e100.net:https  TIME_WAIT       0

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3562          localhost:3561         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3586          localhost:3587         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3587          localhost:3586         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1034          210-202.amazon.com:http  ESTABLISHED     1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1955          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2254          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2311          65.199.63.73:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2356          a72-246-30-41.deploy.akamaitechnologies.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1026          210-202.amazon.com:https  CLOSE_WAIT      1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1038          host.playon.tv:http    CLOSE_WAIT      988
  [MediaMallServer.exe]

  TCP    daleksec:1440          a72-246-30-18.deploy.akamaitechnologies.com:http  CLOSE_WAIT      3620
  [jusched.exe]

  TCP    daleksec:2395          62.212.69.84:http      CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2397          62.212.69.84:http      CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2400          hosted-by.leaseweb.com:http  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:3687          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:3688          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    daleksec:2362          65.199.63.18:http      TIME_WAIT       0
  TCP    daleksec:2394          hosted-by.leaseweb.com:http  TIME_WAIT       0
  TCP    daleksec:2398          hosted-by.leaseweb.com:http  TIME_WAIT       0
  TCP    daleksec:2399          62.212.69.84:http      TIME_WAIT       0

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3562          localhost:3561         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3586          localhost:3587         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3587          localhost:3586         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1034          210-202.amazon.com:http  ESTABLISHED     1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1955          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2311          65.199.63.73:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2356          a72-246-30-41.deploy.akamaitechnologies.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2408          ec2-184-72-58-10.us-west-1.compute.amazonaws.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2417          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2418          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2419          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2420          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2421          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2422          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2423          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2424          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2434          208.71.125.129:http    ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2435          yi-in-f154.1e100.net:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2438          168.75.207.20:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2442          72.21.202.194:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2443          72.21.202.194:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2444          72.21.202.194:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2447          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2448          63.116.243.147:http    ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2478          209.160.58.88:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2479          uk.othellotech.net:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2480          209.160.58.88:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2481          209.160.58.87:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2482          209.160.58.87:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2483          209.160.58.87:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2484          google.navigation.opendns.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2488          iad-agg-n2.panthercdn.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2491          static.90.177.46.78.clients.your-server.de:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1026          210-202.amazon.com:https  CLOSE_WAIT      1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1038          host.playon.tv:http    CLOSE_WAIT      988
  [MediaMallServer.exe]

  TCP    daleksec:1440          a72-246-30-18.deploy.akamaitechnologies.com:http  CLOSE_WAIT      3620
  [jusched.exe]

  TCP    daleksec:2254          yi-in-f17.1e100.net:https  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2395          62.212.69.84:http      CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2410          poolsystems.us:http    CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:3687          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:3688          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    daleksec:2362          65.199.63.18:http      TIME_WAIT       0
  TCP    daleksec:2394          hosted-by.leaseweb.com:http  TIME_WAIT       0
  TCP    daleksec:2398          hosted-by.leaseweb.com:http  TIME_WAIT       0
  TCP    daleksec:2399          62.212.69.84:http      TIME_WAIT       0
  TCP    daleksec:2402          65.199.63.18:http      TIME_WAIT       0
  TCP    daleksec:2411          ld-interstitial.phl.marchex.com:http  TIME_WAIT       0
  TCP    daleksec:2412          ld-interstitial.phl.marchex.com:http  TIME_WAIT       0
  TCP    daleksec:2414          bwcontent.phl.marchex.com:http  TIME_WAIT       0
  TCP    daleksec:2415          bwcontent.phl.marchex.com:http  TIME_WAIT       0
  TCP    daleksec:2416          bwclick.phl.marchex.com:http  TIME_WAIT       0
  TCP    daleksec:2425          208.71.123.86:http     TIME_WAIT       0
  TCP    daleksec:2426          yx-in-f166.1e100.net:http  TIME_WAIT       0
  TCP    daleksec:2427          yx-in-f149.1e100.net:http  TIME_WAIT       0
  TCP    daleksec:2428          yx-in-f149.1e100.net:http  TIME_WAIT       0
  TCP    daleksec:2429          hit-nxdomain.opendns.com:http  TIME_WAIT       0
  TCP    daleksec:2430          hit-nxdomain.opendns.com:http  TIME_WAIT       0
  TCP    daleksec:2431          ads-pd04.revsci.net:http  TIME_WAIT       0
  TCP    daleksec:2432          yx-in-f149.1e100.net:http  TIME_WAIT       0
  TCP    daleksec:2433          yx-in-f149.1e100.net:http  TIME_WAIT       0
  TCP    daleksec:2436          a204-245-162-51.deploy.akamaitechnologies.com:http  TIME_WAIT       0
  TCP    daleksec:2437          mpr1.2ngd.vip.ac4.yahoo.com:http  TIME_WAIT       0
  TCP    daleksec:2439          site1imss01.jeeves.ask.info:http  TIME_WAIT       0
  TCP    daleksec:2441          promos.onlinepersonals.com:http  TIME_WAIT       0
  TCP    daleksec:2472          65.199.63.18:http      TIME_WAIT       0
  TCP    daleksec:2476          static.90.177.46.78.clients.your-server.de:http  TIME_WAIT       0

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3562          localhost:3561         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3586          localhost:3587         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3587          localhost:3586         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1034          210-202.amazon.com:http  ESTABLISHED     1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1955          yi-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2311          65.199.63.73:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2356          a72-246-30-41.deploy.akamaitechnologies.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2408          ec2-184-72-58-10.us-west-1.compute.amazonaws.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2417          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2418          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2419          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2420          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2421          yellowpages.superpages.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2422          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2423          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2424          204.2.241.144:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2434          208.71.125.129:http    ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2438          168.75.207.20:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2442          72.21.202.194:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2443          72.21.202.194:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2444          72.21.202.194:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2448          63.116.243.147:http    ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2478          209.160.58.88:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2479          uk.othellotech.net:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2481          209.160.58.87:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2482          209.160.58.87:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2483          209.160.58.87:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2484          google.navigation.opendns.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:2547          65.199.63.18:http      ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1026          210-202.amazon.com:https  CLOSE_WAIT      1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1038          host.playon.tv:http    CLOSE_WAIT      988
  [MediaMallServer.exe]

  TCP    daleksec:1440          a72-246-30-18.deploy.akamaitechnologies.com:http  CLOSE_WAIT      3620
  [jusched.exe]

  TCP    daleksec:2254          yi-in-f17.1e100.net:https  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2395          62.212.69.84:http      CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2493          fxfeeds.acelb.sj.mozilla.com:http  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:3687          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:3688          82.99.19.52:http       CLOSE_WAIT      252
  [AAWService.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22719
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
How many downloader services do you have running?


Offline ShaneJack
What's a downloader service?  I may have had something downloading on my other computer.  Is that what you mean?  Should I check when the other computer isn't doing anything?

Offline ShaneJack
I went ahead and did another log when my clean computer wasn't doing anything on the internet.  I did notice that there is reference to Amazon's downloader which I've used to download some games from Amazon.com.  Maybe music as well, but I don't know of any other downloader service on the infected computer.  Anyway, here's another log:


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3562          localhost:3561         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3586          localhost:3587         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3587          localhost:3586         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1034          210-202.amazon.com:http  ESTABLISHED     1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1736          yw-in-f18.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1737          yw-in-f17.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1026          210-202.amazon.com:https  CLOSE_WAIT      1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1440          a72-246-30-18.deploy.akamaitechnologies.com:http  CLOSE_WAIT      3620
  [jusched.exe]

  TCP    daleksec:2195          a204-245-162-42.deploy.akamaitechnologies.com:http  CLOSE_WAIT      1316
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    daleksec:3102          a72-246-30-174.deploy.akamaitechnologies.com:https  CLOSE_WAIT      1316
  C:\WINDOWS\System32\mswsock.dll
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx
  -- unknown component(s) --
  [svchost.exe]

  TCP    daleksec:3906          82.99.19.52:http       CLOSE_WAIT      3028
  [AAWService.exe]

  TCP    daleksec:3907          82.99.19.52:http       CLOSE_WAIT      3028
  [AAWService.exe]

  TCP    daleksec:3943          static.78-47-248-116.clients.your-server.de:http  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  -- unknown component(s) --
  [svchost.exe]

  TCP    daleksec:4723          host.playon.tv:http    CLOSE_WAIT      2672
  [MediaMallServer.exe]

  TCP    daleksec:4749          host.playon.tv:http    CLOSE_WAIT      2672
  [MediaMallServer.exe]

  TCP    daleksec:1250          yw-in-f19.1e100.net:https  TIME_WAIT       0
  TCP    daleksec:1546          yw-in-f18.1e100.net:https  TIME_WAIT       0

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    daleksec:1986          static.252.85.40.188.clients.your-server.de:http  SYN_SENT        1332
  [firefox.exe]

  TCP    daleksec:1987          wc40-alt.medialogik.com:http  SYN_SENT        1332
  [firefox.exe]

  TCP    daleksec:3561          localhost:3562         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3562          localhost:3561         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3586          localhost:3587         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:3587          localhost:3586         ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1034          210-202.amazon.com:http  ESTABLISHED     1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1736          yw-in-f18.1e100.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1833          65.216.161.56:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1834          65.216.161.72:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1838          65.216.161.48:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1839          65.216.161.48:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1841          65.216.161.11:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1846          64.106.198.74:http     ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1858          gy-in-f100.1e100.net:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1859          74.125.0.91:http       ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1931          host-113.pl1071332-1.fiber.net:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1932          gx-in-f100.1e100.net:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1938          gx-in-f100.1e100.net:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1942          210-107.amazon.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1943          210-107.amazon.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1952          a72-246-112-80.deploy.akamaitechnologies.com:https  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1975          origin.bay.ux.search.live.com:http  ESTABLISHED     1332
  [firefox.exe]

  TCP    daleksec:1026          210-202.amazon.com:https  CLOSE_WAIT      1568
  [AmazonGSDownloaderService.exe]

  TCP    daleksec:1440          a72-246-30-18.deploy.akamaitechnologies.com:http  CLOSE_WAIT      3620
  [jusched.exe]

  TCP    daleksec:1946          64-120-148-168.hostnoc.net:https  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:1949          64-120-148-168.hostnoc.net:https  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:1950          64-120-148-168.hostnoc.net:https  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:1951          64-120-148-168.hostnoc.net:https  CLOSE_WAIT      1332
  [firefox.exe]

  TCP    daleksec:2195          a204-245-162-42.deploy.akamaitechnologies.com:http  CLOSE_WAIT      1316
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    daleksec:3102          a72-246-30-174.deploy.akamaitechnologies.com:https  CLOSE_WAIT      1316
  C:\WINDOWS\System32\mswsock.dll
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\system32\Macromed\Flash\Flash10e.ocx
  -- unknown component(s) --
  C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
  C:\WINDOWS\system32\WININET.dll
  [svchost.exe]

  TCP    daleksec:3906          82.99.19.52:http       CLOSE_WAIT      3028
  [AAWService.exe]

  TCP    daleksec:3907          82.99.19.52:http       CLOSE_WAIT      3028
  [AAWService.exe]

  TCP    daleksec:4579          ec2-174-129-1-166.compute-1.amazonaws.com:http  CLOSE_WAIT      1316

Offline Hoov
What is this? MediaMallServer.exe


Offline ShaneJack
That's a program called PlayOn that lets me stream YouTube and Hulu and Netflix, etc. to my Wii.

Offline Hoov
Please update Malwarebytes' Anti-Malware and then run a full scan instead of a quick scan. This will take hours.

Also I would like you to run runscanner. It may see something.

Please download RunScanner
  • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
  • Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
  • Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
  • Check Beginner Mode
  • Click Scan computer
  • You will see a "Runscanner scan in progress" window displayed while Runscanner scans your system
  • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
  • A runscanner.log file will automatically open in Notepad. Just close the Notepad window, because it is ONLY the runscanner.run file that we are interested in.
  • Next, zip up the runscanner.run file that you just saved.
  • I want you to upload the zipped runscanner.run file as an attachment in your next reply
  • To do that choose "Additional Options" under "Post Reply"
  • Browse to the zipped RUN file location and then click the "Post" button to attach the file.
  • I will review the run file, and then upload it back to you with items marked for deletion.
  • Please await my directions and the returned RUN file, and do not delete anything in the interim
