paulmcd123
2 Iron

Both Firefox and IE8 open tabs to random websites

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:38 AM, on 11/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\AnVir Task Manager\AnVir.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AnVir Task Manager] "C:\Program Files\AnVir Task Manager\AnVir.exe" Minimized
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201636395109
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5829 bytes


About two weeks ago, after updating Firefox to version 3.5.5 (or 3.5.4), I noticed that when doing a search in Google and clicking on a link, FF would open up several tabs to seemingly random websites (one common one was lightseek.biz, although that doesn't occur anymore).

I was running AVG antivirus with ZoneAlarm firewall (free versions). I ran a full AVG antivirus scan and found nothing. Then I ran a full Malwarebytes' Anti-Malware scan. Nothing. I then ran Ad-Aware. Nothing. Then I ran Spybot Search and Destroy. Nothing. Then I ran SUPERAntiSpyware with no results. I went to Windows Live OneCare Safety Scanner, and that found nothing.

So I uninstalled AVG Antivirus and installed Avira AntiVir Personal Antivirus. I ran a full system scan. Nothing. I downloaded Spyware Blaster. I don't remember what happened (nothing useful).

Finally, at the end of my rope, I uninstalled (using Revo Uninstaller) Skype, which had given me problems with my Adblock Plus add-on for Firefox (Skype allowed ads to run in my FF browser even though Adblock Plus had previously suppressed them before Skype). I rebooted. My home page on Firefox had changed. So I've done everything that I know how to do. Now I've come here hoping for a fairytale ending.

Thanks in advance,

Paul

0 Kudos
33 Replies
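As an added example that is not part of the thread and not code from HijackThis itself, the script below parses the R0/R1, O2, O4 and O23 line shapes that appear in the log above and applies three triage heuristics a log helper typically checks first: a Run entry whose command is a bare file name rather than a full path, a service with no publisher string ("Unknown owner"), and a start/search page whose host is not one of the expected ones. The sample lines are copied from the posted log, except the `SearchAssistant` line, which is constructed to exercise the host check; the `EXPECTED_HOSTS` allow-list and the flag names are assumptions of the example, not anything HJT reports.

```python
"""Parse HijackThis (HJT) log lines and apply a few triage heuristics.

Added example: not code from the forum thread or from the HijackThis tool.
The triage rules are the example author's own assumptions about what a
helper verifies first; a flag means "check this by hand", not "malicious".
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# One regex per HJT line shape handled here.
R_RE = re.compile(r'^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# The "(ServiceName)" part is optional: some O23 lines carry only the display name.
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$')

# Hosts expected in R0/R1 entries on an unmodified IE install, plus the
# user's stated home page. Constructed allow-list (assumption).
EXPECTED_HOSTS = {"go.microsoft.com", "windowsupdate.microsoft.com", "www.yahoo.com"}


@dataclass
class Entry:
    kind: str            # "R0", "R1", "O2", "O4" or "O23"
    fields: dict
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for a recognised HJT line, or None for anything else."""
    line = line.strip()
    m = R_RE.match(line)
    if m:
        return Entry(m.group("kind"), m.groupdict())
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O23", O23_RE)):
        m = rx.match(line)
        if m:
            return Entry(kind, m.groupdict())
    return None


def triage(entry: Entry) -> Entry:
    """Attach heuristic flags (assumptions of this example) to a parsed entry."""
    f = entry.fields
    if entry.kind in ("R0", "R1"):
        host = urlparse(f["url"]).hostname or ""
        if host not in EXPECTED_HOSTS:
            entry.flags.append("unexpected-host:" + host)
    elif entry.kind == "O4":
        # A bare file name (no backslash, no %var%) is located by a PATH
        # search at logon, so the log line alone does not say which file
        # actually runs; the helper has to locate and verify it by hand.
        exe = f["cmd"].strip().strip('"').split(" ")[0]
        if "\\" not in exe and not exe.startswith("%"):
            entry.flags.append("unqualified-path")
    elif entry.kind == "O23":
        if f["owner"] == "Unknown owner":
            entry.flags.append("unknown-owner")
    return entry


def triage_log(text: str):
    """Parse every line of an HJT log; unrecognised lines are skipped."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(text: str):
    """(kind, name, flags) for every entry that picked up at least one flag."""
    return [(e.kind,
             e.fields.get("name") or e.fields.get("display") or e.fields.get("value"),
             e.flags)
            for e in triage_log(text) if e.flags]


# Lines copied from the posted log, plus one constructed SearchAssistant line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.example.invalid/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

if __name__ == "__main__":
    for kind, name, flags in flagged(SAMPLE_LOG):
        print(f"{kind:4} {name!r}: {', '.join(flags)}")
```

Run as-is the script lists three entries: the `PMX Daemon` Run entry (bare `ICO.EXE`), the `wltrysvc` service (no publisher) and the constructed `SearchAssistant` page. Neither of the two real hits is evidence of malware on its own; they are simply the lines a reviewer has to resolve against the file on disk before moving on, which is why the flags say only what to verify.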
7 Gold

Re: Both Firefox and IE8 open tabs to random websites

Hi Paul,

I don't know about a "fairytale ending" but I'll try my best to figure out what's going on.

I am reviewing your log. In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

I look forward to your reply so we can begin cleaning.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.

Windows Insider MVP 2016 - Present

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

0 Kudos
paulmcd123
2 Iron

Re: Both Firefox and IE8 open tabs to random websites

Hi Bugbatter,

In your order:

1) I have not posted this issue on another forum. I did as instructed with the HijackThis and the BitDefender website.  I don't know if that's a post or not.  I didn't see anything.

2) I did not disable System Restore.  I also did an external back-up using Acronis True Image, but I don't remember if that was before or after this problem started. Even if it was before this problem started, I don't know how to prevent it from happening again because I don't know how I got it in the first place. I don't use bit-torrent or limewire or any stolen software.  I find free versions (like OpenOffice and Octave) of what I want, and buy the rest (Acronis True Image, Ricochet Lost Worlds Recharged). I do play a flash based game in my browser called Boxhead where I shoot zombies (to let off steam).

3) I don't have or use any cracked software. I have downloaded songs of albums that are long out of print (never made it to CD). These are usually MP3s or are in RAR archives. Not sure if this changes anything.

4) I don't have or use any P2P software. (Against my sense of fairness.)

5) This is my computer. I am the only user.

6) I will copy instructions to Notepad and I will follow your instructions on software use/installation/re-installation etc.

7) I won't use the computer for anything except for your instructions (no surfing, etc) until officially clean.

8) Okay on the fact that my anti-virus (or whatever program) may think something is bad when I am following your instructions in a good manner.

Let's begin cleaning. 🙂

0 Kudos
7 Gold

Re: Both Firefox and IE8 open tabs to random websites

Let's see what we can find.

First, please disable Teatimer so it does not block our tools or interfere with cleaning.

To disable TeaTimer:
Go to Start>Run. Type Msconfig > OK. On the next window that opens > Startup tab UNcheck the entry for TeaTimer until this is over...
1. Open Spybot
2. Click Mode > Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) > Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Then close Spybot.
Reboot.
Verify that TeaTimer is not running.
After ALL cleaning of your system has been completed and we have confirmed that your computer is clean, reverse these steps and re-enable the protection applets for TeaTimer.


We need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.

0 Kudos
paulmcd123
2 Iron

Re: Both Firefox and IE8 open tabs to random websites

Hi Bugbatter,

First, DDS.txt

    DDS (Ver_09-10-26.01) - NTFSx86  
    Run by Paul at 23:56:12.96 on Thu 11/19/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1918.1480 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated)   {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: ZoneAlarm Firewall *enabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AnVir Task Manager\AnVir.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Documents and Settings\Paul\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AnVir Task Manager] "c:\program files\anvir task manager\AnVir.exe" Minimized
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [PMX Daemon] ICO.EXE
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201636395109
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 relog_ap

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\gyydsbit.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - component: c:\documents and settings\paul\application data\mozilla\firefox\profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
    FF - plugin: c:\documents and settings\paul\application data\mozilla\firefox\profiles\gyydsbit.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\documents and settings\paul\application data\mozilla\firefox\profiles\gyydsbit.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-13 64288]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-11 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-17 108289]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
    S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2004-8-4 14336]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 7408]
    S4 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-5-9 319488]

    =============== Created Last 30 ================

    2009-11-19 05:02:10    0    d-----w-    c:\docume~1\paul\applic~1\QuickScan
    2009-11-18 01:59:01    55656    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
    2009-11-18 01:58:58    0    d-----w-    c:\program files\Avira
    2009-11-18 01:58:58    0    d-----w-    c:\docume~1\alluse~1\applic~1\Avira
    2009-11-17 02:21:30    0    d-----w-    c:\program files\common files\Logitech
    2009-11-14 07:11:49    118784    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
    2009-11-14 07:11:49    0    d-----w-    c:\program files\SpywareBlaster
    2009-11-13 23:12:11    0    d-----w-    c:\program files\Trend Micro
    2009-11-13 23:00:46    15880    ----a-w-    c:\windows\system32\lsdelete.exe
    2009-11-13 22:49:30    64288    ----a-w-    c:\windows\system32\drivers\Lbd.sys
    2009-11-13 22:49:17    93360    ----a-w-    c:\windows\system32\drivers\SBREDrv.sys
    2009-11-13 22:45:28    0    dc-h--w-    c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
    2009-11-13 22:45:14    0    d-----w-    c:\program files\Lavasoft
    2009-11-13 19:48:33    15064    ----a-w-    c:\windows\system32\wuapi.dll.mui
    2009-11-13 00:21:18    0    d-----w-    c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-11-13 00:21:02    0    d-----w-    c:\program files\SUPERAntiSpyware
    2009-11-13 00:21:02    0    d-----w-    c:\docume~1\paul\applic~1\SUPERAntiSpyware.com
    2009-11-13 00:20:04    0    d-----w-    c:\program files\common files\Wise Installation Wizard
    2009-11-11 04:45:02    1885464    ----a-w-    c:\windows\system32\AutoPartNt.exe
    2009-11-11 04:45:02    1024    ----a-w-    c:\windows\system32\AutoPartNt.let
    2009-11-11 04:20:10    0    d-----w-    c:\windows\system32\NtmsData
    2009-11-08 18:06:03    0    d-----w-    c:\docume~1\paul\applic~1\Malwarebytes
    2009-11-08 18:05:55    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
    2009-11-08 18:05:54    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
    2009-11-08 18:05:54    0    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-11-08 18:05:53    0    d-----w-    c:\program files\Malwarebytes' Anti-Malware
    2009-11-08 05:31:37    0    d--h--w-    C:\$AVG
    2009-11-08 05:28:06    0    d-----w-    c:\docume~1\alluse~1\applic~1\avg9
    2009-11-02 21:59:45    66    ----a-w-    C:\browserclean.bat
    2009-11-02 21:48:06    0    d-----w-    c:\program files\CCleaner
    2009-11-02 14:55:28    0    d-----w-    c:\program files\WinDirStat

    ==================== Find3M  ====================

    2009-11-17 15:36:30    0    ----a-w-    c:\windows\system32\drivers\lvuvc.hs
    2009-11-17 15:36:27    0    ----a-w-    c:\windows\system32\drivers\logiflt.iad
    2009-09-11 14:18:39    136192    ----a-w-    c:\windows\system32\msv1_0.dll
    2009-09-04 21:03:36    58880    ----a-w-    c:\windows\system32\msasn1.dll
    2009-08-29 08:08:21    916480    ----a-w-    c:\windows\system32\wininet.dll
    2009-08-26 08:00:21    247326    ----a-w-    c:\windows\system32\strmdll.dll
    2008-08-18 23:22:40    32768    --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

    ============= FINISH: 23:58:02.96 ===============

And Attach.txt


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/29/2008 12:15:51 PM
    System Uptime: 11/19/2009 11:44:45 PM (0 hours ago)

    Motherboard: Dell Inc. |  | 0WY383
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 1795/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 102 GiB total, 83.931 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.897 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP56: 12/9/2008 10:29:33 PM - System Checkpoint
    RP57: 12/22/2008 1:26:39 PM - Avg8 Update
    RP58: 12/22/2008 1:29:10 PM - Software Distribution Service 3.0
    RP59: 1/1/2009 6:41:33 PM - System Checkpoint
    RP60: 1/27/2009 9:40:49 AM - Software Distribution Service 3.0
    RP61: 3/3/2009 11:26:01 AM - Avg8 Update
    RP62: 3/3/2009 11:27:15 AM - Avg8 Update
    RP63: 3/3/2009 11:38:18 AM - Software Distribution Service 3.0
    RP64: 3/3/2009 5:04:47 PM - Software Distribution Service 3.0
    RP65: 3/4/2009 9:59:37 AM - Avg8 Update
    RP66: 3/7/2009 1:41:00 PM - System Checkpoint
    RP67: 3/8/2009 1:56:05 PM - System Checkpoint
    RP68: 3/12/2009 7:47:38 AM - Software Distribution Service 3.0
    RP69: 3/12/2009 10:31:14 PM - Removed Java(TM) 6 Update 10
    RP70: 3/12/2009 10:31:48 PM - Installed Java(TM) 6 Update 12
    RP71: 3/13/2009 12:07:14 AM - Installed Java Runtime Environment
    RP72: 3/27/2009 9:21:58 AM - Avg8 Update
    RP73: 3/27/2009 9:22:45 AM - Avg8 Update
    RP74: 4/7/2009 2:20:37 PM - Installed Java(TM) 6 Update 13
    RP75: 4/24/2009 5:08:10 PM - Avg8 Update
    RP76: 4/24/2009 5:31:30 PM - Software Distribution Service 3.0
    RP77: 5/5/2009 1:44:00 AM - Software Distribution Service 3.0
    RP78: 5/5/2009 9:20:27 AM - Installed Acronis True Image Home
    RP79: 5/5/2009 9:27:23 AM - Avg8 Update
    RP80: 5/5/2009 9:28:55 AM - Avg8 Update
    RP81: 5/5/2009 11:19:55 AM - Logitech QuickCam v11.50.1145
    RP82: 5/16/2009 12:16:21 PM - Avg8 Update
    RP83: 5/22/2009 11:34:05 AM - Avg8 Update
    RP84: 5/22/2009 11:34:48 AM - Avg8 Update
    RP85: 5/22/2009 1:59:32 PM - Software Distribution Service 3.0
    RP86: 6/22/2009 9:00:16 AM - Software Distribution Service 3.0
    RP87: 6/22/2009 9:15:22 AM - Installed Java(TM) 6 Update 14
    RP88: 6/27/2009 10:28:15 AM - Avg8 Update
    RP89: 6/27/2009 10:29:31 AM - Avg8 Update
    RP90: 7/1/2009 8:04:32 AM - Software Distribution Service 3.0
    RP91: 7/16/2009 1:53:56 PM - Software Distribution Service 3.0
    RP92: 7/24/2009 10:13:00 AM - Avg8 Update
    RP93: 7/24/2009 10:14:30 AM - Avg8 Update
    RP94: 7/24/2009 10:22:07 AM - Revo Uninstaller's restore point - GNU Octave 3.0.3
    RP95: 7/24/2009 10:35:18 AM - Installed WinZip 12.1
    RP96: 7/31/2009 11:48:27 AM - Software Distribution Service 3.0
    RP97: 8/5/2009 12:54:37 PM - Installed Java(TM) 6 Update 15
    RP98: 9/24/2009 11:54:22 AM - Avg8 Update
    RP99: 9/24/2009 11:55:34 AM - Avg8 Update
    RP100: 9/24/2009 1:14:17 PM - Software Distribution Service 3.0
    RP101: 10/6/2009 4:11:32 PM - Avg8 Update
    RP102: 10/6/2009 4:12:40 PM - Avg8 Update
    RP103: 10/7/2009 8:31:32 AM - Avg8 Update
    RP104: 10/7/2009 9:12:45 AM - Before installing WinRAR cracker.
    RP105: 10/7/2009 10:23:44 AM - Removed WinZip 12.1
    RP106: 10/14/2009 8:16:14 AM - Software Distribution Service 3.0
    RP107: 10/27/2009 10:24:01 PM - Avg8 Update
    RP108: 11/4/2009 9:31:37 PM - Avg8 Update
    RP109: 11/5/2009 9:05:03 PM - Avg8 Update
    RP110: 11/8/2009 12:27:53 AM - Installed AVG Free 9.0
    RP111: 11/9/2009 10:00:30 AM - Software Distribution Service 3.0
    RP112: 11/10/2009 9:07:39 AM - Avg8 Update
    RP113: 11/10/2009 9:08:34 AM - Avg8 Update
    RP114: 11/12/2009 9:33:05 AM - Avg8 Update
    RP115: 11/12/2009 7:21:01 PM - Installed SUPERAntiSpyware Free Edition
    RP116: 11/13/2009 2:49:49 PM - Software Distribution Service 3.0
    RP117: 11/13/2009 5:34:25 PM - Cleaned registry with Windows Live OneCare safety scanner
    RP118: 11/13/2009 6:00:43 PM - Ad-Aware Checkpoint
    RP119: 11/17/2009 8:45:46 PM - Revo Uninstaller's restore point - AVG Free 9.0
    RP120: 11/17/2009 8:47:48 PM - Removed AVG Free 9.0
    RP121: 11/17/2009 8:50:05 PM - Installed AVG Free 9.0
    RP122: 11/17/2009 8:56:13 PM - Avira AntiVir Personal - 11/17/2009 20:56
    RP123: 11/19/2009 11:04:12 AM - Revo Uninstaller's restore point - Skype™ 4.0
    RP124: 11/19/2009 11:05:16 AM - Removed Skype™ 4.0

    ==== Installed Programs ======================

    Acronis True Image Home
    Ad-Aware
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Download Manager
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11
    Amazon Games & Software Downloader
    Amazon MP3 Downloader 1.0.5
    AMD Processor Driver
    AnVir Task Manager
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Avira AntiVir Personal - Free Antivirus
    Broadcom 440x 10/100 Integrated Controller
    Broadcom Management Programs
    CCleaner
    Conexant HDA D330 MDC V.92 Modem
    CPUID HWMonitor 1.14
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Resource CD
    Dell Touchpad
    Dell Wireless WLAN Card
    Digital Line Detect
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Java(TM) 6 Update 15
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Logitech QuickCam
    Logitech QuickCam Driver Package
    Logitech Updater
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Modem Diagnostic Tool
    Mouse Suite for Laptop Computers
    Mozilla Firefox (3.5.5)
    MSN
    OpenOffice.org 2.3
    PrimoPDF
    Revo Uninstaller 1.83
    Ricochet Lost Worlds Recharged
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SigmaTel Audio
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    SUPERAntiSpyware Free Edition
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    VC 9.0 Runtime
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    WinDirStat 1.1.2
    Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    ZoneAlarm
    ZoneAlarm Spy Blocker

    ==== Event Viewer Messages From Past Week ========

    11/18/2009 10:16:43 PM, error: AmdK8 [2]  - The Acpi 2.0 _PCT object returned an invalid value of 3
    11/14/2009 12:59:30 AM, error: Service Control Manager [7034]  - The Acronis Try And Decide Service service terminated unexpectedly.  It has done this 1 time(s).
    11/14/2009 12:58:59 AM, error: Service Control Manager [7031]  - The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
    11/14/2009 12:57:51 AM, error: Service Control Manager [7031]  - The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
    11/14/2009 12:33:20 AM, error: Ftdisk [49]  - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    11/14/2009 12:33:20 AM, error: Ftdisk [45]  - The system could not sucessfully load the crash dump driver.
    11/14/2009 1:03:11 AM, error: Service Control Manager [7034]  - The Lavasoft Ad-Aware Service service terminated unexpectedly.  It has done this 3 time(s).

    ==== End Of File ===========================

------------------------------------------------------------------------------------------------------------------

I didn't see the note about disabling antivirus protection until after I ran DDS. But I did not get any errors or encounter any problems running DDS.

    Should I re-run DDS with Avira disabled?

    -Paul

    0 Kudos
    7 Gold

    Re: Both Firefox and IE8 open tabs to random websites

As long as DDS ran, we don't need to do it again right now. However, please disable all security/AV if the instructions ask for that from now on. We will be using some more powerful tools that can have problems if AVs interfere.

    Download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

    Disable the active protection component of your antivirus and antispyware programs by following the directions that apply here:

    http://www.bleepingcomputer.com/forums/topic114351.html

    Next, please perform a "quick" rootkit scan:

• Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to launch it

    • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.

    • When the "quick" scan is finished (a few seconds), save the scan log to the Windows clipboard

    • Open Notepad or a similar text editor

• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V

    • Exit the Program

    • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it, please.

    • Now, re-enable the active protection component of any antivirus/antimalware programs you disabled before performing the scan.


    Windows Insider MVP 2016 - Present

    Microsoft MVP - Consumer Security 2006-2016

    Social Media and Community Professional

    0 Kudos
    paulmcd123
    2 Iron

    Re: Both Firefox and IE8 open tabs to random websites

    Hi Bugbatter,

I'm not sure if this info is important or not. I left the computer on all night (I set power options so it does not go to sleep). When I saw the computer this morning, I saw the following warning message: "AntiVir Guard: Attention. Detected", "A virus or unwanted program was found", "What should happen with this file?", "C:/Documents and Settings/Paul/Local Settings/.../_CACHE_002_", "Contains recognition pattern of the HTML/Infected WebPage.Gen HTML script virus". It (AntiVir Guard) defaulted to "Deny Access" (options were: Move to quarantine, Delete, Rename, Deny Access, Ignore).

    I couldn't get Firefox to run this morning because I got an error that it was still running. I opened Task Manager and tried to kill firefox.exe without success.  Then I opened Anvir Task Manager to try and kill firefox.exe without success.  So I tried running IE8 which immediately took me to the Yellowcom.addresses.com website, even though my startup page is yahoo.com. Clearly bad things are still happening.

    So I am typing this to you on my much older Toshiba laptop. I will type "OK" to Antivir Guard to "Deny Access" to the script access.  Then reboot the Dell machine, and follow your latest instructions.

    -Paul

    0 Kudos
    paulmcd123
    2 Iron

    Re: Both Firefox and IE8 open tabs to random websites

    Hi Bugbatter,

I downloaded the GMER rootkit detector to c:/ARK, then proceeded to read about turning off the antivirus. Some window came up very quickly and beeped at me, then was gone. I'm assuming Avira AntiVir thought it was a virus. So I disabled the Avira AntiVir and downloaded the GMER rootkit detector to C:/ARK2. I ran GMER and got the results in a small window. I didn't know how to send it to the clipboard, so I did a PRNTSCRN of it and went to PAINT and saved it as a JPG image file. Hope this is okay. If not, please tell me how to do it again. I've attached ARK.jpg to this message.

    0 Kudos
    paulmcd123
    2 Iron

    Re: Both Firefox and IE8 open tabs to random websites

    Hi Bugbatter,

    I figured out how to send the GMER output to the clipboard, then paste the clipboard to Notepad, and paste it here. Sorry about that.

    GMER 1.0.15.15227 - http://www.gmer.net
    Rootkit quick scan 2009-11-20 10:25:00
    Windows 5.1.2600 Service Pack 3
    Running: iv9ouwin.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\kgpcraog.sys


    ---- Devices - GMER 1.0.15 ----

    Device          \Driver\Tcpip \Device\Ip                                 vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device          \Driver\Tcpip \Device\Tcp                                vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device          \Driver\Tcpip \Device\Udp                                vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device          \Driver\Tcpip \Device\RawIp                              vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device          \Driver\00001432 -> \Driver\atapi \Device\Harddisk0\DR0  8A53550C

    ---- EOF - GMER 1.0.15 ----

    0 Kudos
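A small triage helper for the GMER quick-scan log posted above. This is an added example, not code from the thread, from GMER, or from the helper answering it. It parses the "---- Devices ----" section the way GMER prints it (kind, driver object, optional "-> redirect", device path, module, optional "(description/vendor)") and flags entries that carry no vendor description, show only a bare kernel address instead of a module file, or redirect a well-known driver to an anonymous, numerically named driver object. That flagging rule is an assumption of this example, a triage heuristic and not proof of infection; the sample text is the Devices section copied from the log above, embedded here so the script runs offline.

```python
"""Triage helper for a GMER "Rootkit quick scan" log (added example).

Flags device/driver entries with no vendor description, a bare kernel
address in place of a module file, or a redirect from a named driver to
an anonymous numeric driver object.  The rule is a heuristic assumed by
this example, not a GMER feature and not proof of infection.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the Devices section of the quick-scan log from the post
# above, embedded so the script runs with no files or network access.
SAMPLE_LOG = r"""GMER 1.0.15.15227 - http://www.gmer.net
Rootkit quick scan 2009-11-20 10:25:00
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.15 ----

Device          \Driver\Tcpip \Device\Ip                                 vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device          \Driver\Tcpip \Device\Tcp                                vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device          \Driver\00001432 -> \Driver\atapi \Device\Harddisk0\DR0  8A53550C

---- EOF - GMER 1.0.15 ----
"""


@dataclass
class DeviceEntry:
    kind: str                      # "Device" or "AttachedDevice"
    driver: str                    # driver object, e.g. \Driver\Tcpip
    redirected_to: Optional[str]   # for "A -> B" lines, B; otherwise None
    device: str                    # \Device\... path
    module: str                    # module file name, or a bare address
    description: Optional[str]     # text inside "(...)", or None


# GMER line layout: <kind> <driver>[ -> <driver>] <device> <module> [(<description>)]
_LINE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+"
    r"(?P<driver>\\Driver\\\S+)"
    r"(?:\s+->\s+(?P<redir>\\Driver\\\S+))?\s+"
    r"(?P<device>\\Device\\\S+)\s+"
    r"(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


def parse_devices(log: str) -> List[DeviceEntry]:
    """Return the entries between '---- Devices' and the next '----' line."""
    entries: List[DeviceEntry] = []
    in_devices = False
    for line in log.splitlines():
        if line.startswith("---- Devices"):
            in_devices = True
            continue
        if in_devices and line.startswith("----"):
            break                      # end of the Devices section
        if not in_devices:
            continue
        m = _LINE.match(line)
        if m:
            entries.append(DeviceEntry(
                kind=m["kind"], driver=m["driver"], redirected_to=m["redir"],
                device=m["device"], module=m["module"], description=m["desc"],
            ))
    return entries


def is_kernel_address(module: str) -> bool:
    """True when the 'module' column is just an 8-hex-digit address."""
    return re.fullmatch(r"[0-9A-Fa-f]{8}", module) is not None


def is_anonymous_driver(driver: str) -> bool:
    """True for numerically named driver objects such as \\Driver\\00001432."""
    return re.fullmatch(r"\\Driver\\\d+", driver) is not None


def suspicious(entries: List[DeviceEntry]) -> List[DeviceEntry]:
    """Heuristic (assumed by this example): flag entries that lack a vendor
    description, resolve only to an address, or come from an anonymous driver."""
    return [
        e for e in entries
        if e.description is None
        or is_kernel_address(e.module)
        or is_anonymous_driver(e.driver)
    ]


def triage_report(log: str) -> Dict[str, int]:
    """Counts a helper could glance at before reading the full log."""
    entries = parse_devices(log)
    return {"entries": len(entries), "flagged": len(suspicious(entries))}


if __name__ == "__main__":
    for entry in suspicious(parse_devices(SAMPLE_LOG)):
        print("follow up:", entry.kind, entry.driver, "->", entry.redirected_to,
              entry.device, entry.module)
```

Run it against a saved ARK.txt by replacing SAMPLE_LOG with the file's contents; the attributed ZoneAlarm (vsdatant.sys) and Synaptics (SynTP.sys) entries pass, and only the unattributed \Driver\00001432 redirect of \Driver\atapi on \Device\Harddisk0\DR0 is returned for a human to look at.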