Old 11-13-2008, 05:43 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Firefox redirects and pop-ups

When I do searches on YAHOO and click a link, it often redirects to INFO.COM. I get random pop-ups now even though the Firefox blocker is on. Randomly, when I click my AIM messenger out of the system tray, it will open IE and I get 100 pop-ups a minute; the only way to stop it is to open the Task Manager and shut AIM down.




-----------------------------------------------------------------------
HJT LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:06 PM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194377256140
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 2865 bytes
---------------------------------------------------------------------

DDS LOG 1

DDS (Version 1.0) - NTFSx86
Run by Drake1 at 18:41:24.01 on Thu 11/13/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.268 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Drake1\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
BHO: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - c:\progra~1\comcas~2\COMCAS~1.DLL
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - c:\progra~1\comcas~2\COMCAS~1.DLL
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
mRun: [nForce Tray Options] sstray.exe /r
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

============= SERVICES / DRIVERS ===============

S3 slicedisk.sys;slicedisk.sys;\??\c:\windows\system32\slicedisk.sys
S4 hpt3xx;hpt3xx;

=============== Created Last 30 ================

2008-11-13 18:27 <DIR> --d----- c:\program files\Trend Micro
2008-11-12 11:09 250 a------- c:\windows\gmer.ini

==================== Find3M ====================

2008-11-12 23:54 <DIR> --d----- c:\docume~1\drake1\applic~1\ComcastToolbar
2008-05-21 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SupportSoft
2007-11-18 16:14 <DIR> --d----- c:\docume~1\drake1\applic~1\Viewpoint
2007-11-06 13:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint

============= FINISH: 18:41:28.95 ===============


DDS LOG 2


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/6/2007 3:04:10 AM
System Uptime: 11/13/2008 6:31:14 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | A7N8X-E
Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2091/200mhz
BIOS: Phoenix - AwardBIOS v6.00PG | Nvidia - 42302e31 | ASUS A7N8X-E Deluxe ACPI BIOS Rev 1009 | 2/3/2004 6:00:00 PM

==== Disk Partitions =========================

C: is FIXED (NTFS) - 128 GiB total, 6.277 GiB free.
D: is FIXED (NTFS) - 79 GiB total, 25.476 GiB free.
E: is FIXED (NTFS) - 80 GiB total, 6.958 GiB free.
F: is CDROM (CDFS)
G: is CDROM (CDFS)
H: is FIXED (NTFS) - 56 GiB total, 26.497 GiB free.
I: is FIXED (NTFS) - 134 GiB total, 116.629 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Universal Serial Bus (USB) Controller
Device ID: PCI\VEN_10DE&DEV_0068&SUBSYS_0C111043&REV_A4\3&13C0B0C5&0&12
Manufacturer:
Name: Universal Serial Bus (USB) Controller
PNP Device ID: PCI\VEN_10DE&DEV_0068&SUBSYS_0C111043&REV_A4\3&13C0B0C5&0&12
Service:

==== System Restore Points ===================


==== Installed Programs ======================

Active@ Partition Recovery Enterprise
Adobe Shockwave Player
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.2.0.0
ATI HydraVision
ATI Multimedia Center 8.1.0.0
Comcast Toolbar
Comcast Universal Installer v1.2
DAO
Desktop Doctor
DVDDec
Find and Mount 2.3
HijackThis 2.0.2
J2SE Runtime Environment 5.0 Update 3
LimeWire PRO 4.9.32
Marvell Miniport Driver
MMC81
Mozilla Firefox (2.0.0.18)
NVIDIA nForce Drivers
PartitionMagic
PowerQuest PartitionMagic 8.0
Recover My Files
Viewpoint Media Player
WebFldrs XP
Windows Live Messenger
Windows Media Encoder 9 Series
Windows XP Service Pack 2
WinMX
Winmx 3.53 3.0 Patch

==== Event Viewer Messages ===================

11/8/2008 2:23:37 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.100 with the system having network hardware address 00:90:F5:57:7E:98. Network operations on this system may be disrupted as a result.
11/12/2008 1:12:15 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================













I have attached the HJT log and both of the DDS logs.

thanks!
YSRRider is offline  
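
Added example, not part of the original thread and not a HijackThis or forum tool: a small Python parser for the HijackThis entry lines in the log above that surfaces entries worth a second look, such as a BHO whose file is missing or a Run value with no absolute path. The flag names and the `parse_log` / `flagged` helpers are made up for this illustration, and a flag is a triage hint, not a malware verdict.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the HijackThis log in the post above (a subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~2\COMCAS~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Registry autorun form of an O4 entry: hive\..\key: [value name] command line
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"
)
# Drive-letter path, UNC path or %VAR% prefix, optionally quoted
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')


class Entry(NamedTuple):
    code: str                 # HijackThis section code (R1, O2, O4, O23, ...)
    name: str                 # value name, BHO/service name or registry key
    target: str               # file, command line or URL the entry points at
    clsid: Optional[str]      # CLSID if the entry carries one
    flags: Tuple[str, ...]    # triage hints (hypothetical names)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for anything that is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, header lines, blanks
    code, body = m.group("code"), m.group("body")
    flags: List[str] = []

    run = RUN_RE.match(body) if code == "O4" else None
    if run:
        name, target = run.group("name"), run.group("cmd").strip()
        if not target:
            flags.append("empty-command")
        elif not ABS_PATH_RE.match(target):
            # Resolved through the search path at logon: confirm which
            # file on disk actually runs before judging the entry.
            flags.append("relative-path")
    elif code.startswith("R") and " = " in body:
        name, target = body.split(" = ", 1)
    else:
        # "Kind: name - ... - target" (O2, O3, O9, O16, O23)
        label = body.split(": ", 1)[-1]
        name = label.split(" - ", 1)[0]
        target = body.rsplit(" - ", 1)[-1]

    if name == "(no name)":
        flags.append("no-name")
    if target == "(no file)":
        # Registry entry left behind after its file was removed
        flags.append("missing-file")

    clsid = CLSID_RE.search(body)
    return Entry(code, name, target, clsid.group(0) if clsid else None, tuple(flags))


def parse_log(text: str) -> List[Entry]:
    """Return every HijackThis entry found in a pasted log."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries that carry at least one triage hint."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.code:<4} {e.name!r} -> {e.target!r}  [{', '.join(e.flags)}]")
```
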

Old 11-13-2008, 10:11 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

Hello YSRRider,

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-14-2008, 12:36 AM   #3 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

I'm not running any antivirus at this time :) The hard drive that I am on is temporary right now till I get my other one cleaned and reloaded with an OS... Most everything I have is backed up, so in the event I have a major problem I can just format and start from scratch. Since switching to Firefox, I have had zero problems with any kind of malware in 3 years with no antivirus programs running. Windows Security Center is running in my sys tray; is there a way to shut that off? Do I need to? This virus is also on 2 other computers in the house on this network; does that matter? All 3 have the same problem and we're trying to figure out how all 3 got infected with the same problem at the same time.
YSRRider is offline  
Old 11-14-2008, 06:57 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

I am not quite understanding what you're saying.

Temporary or not, you're using this hdd to access the internet so you must install an Anti Virus or you'll infect this one as well.

Which hdd or machine does the log you posted belong to?

Do you not intend to carry out the instructions I just gave you?

Last edited by Ried; 11-14-2008 at 07:00 AM.
Ried is offline  
Old 11-14-2008, 08:47 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

Yes, I'm going to go through with the process... Do I need to disable the Windows Security Center? I will install a fresh antivirus program when I get this cleaned up.
YSRRider is offline  
Old 11-14-2008, 08:50 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

No. Just onboard protective programs. Please just run the tool so we can get started. The longer you delay, the worse this is going to get.
Ried is offline  
Old 11-14-2008, 09:20 AM   #7 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

OK, I will run it now.

Another note for you..... The 2 other PCs on this network in other rooms have a DNS changer, found using some other program, and ZLOB. After some reading, I was informed that my router can somehow be infected? After running this, will THIS computer get reinfected? Should I change out the router?


thanks!
YSRRider is offline  
Old 11-14-2008, 09:27 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

No, what you need to do is perform a hard reset on the router, and change your username and password for the router. Make it a good long strong password. See this page for info if needed.

Understand that this all needs to be done in a methodical manner or we'll be going in circles.

Reset router

Run ComboFix and be sure to install the RC if prompted

Disconnect--unplug--from the internet.


Reconnect and send me reports. This won't be the end of it.
Ried is offline  
Old 11-14-2008, 09:33 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

I'm logged onto one of the other PCs in the house now while the other PC is running ComboFix....... I clicked YES to install the console, and the blue box appears to have stalled..........

I will reset the router and restart as you instruct. Thank you.
YSRRider is offline  
Old 11-14-2008, 10:24 AM   #10 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

Couldn't find the password for the router, so it was swapped for a newer one, new ID and pass. ComboFix was restarted on the other PC and is now in the process of searching for malware.......................

Would you like me to post HJT and DDS logs for the other 2 PCs or should I just run ComboFix on them as well?


thank you
YSRRider is offline  
Old 11-14-2008, 10:28 AM   #11 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

ComboFix 08-11-12.02 - Drake1 2008-11-14 11:22:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.347 [GMT -6:00]
Running from: c:\documents and settings\Drake1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-13 18:27 . 2008-11-13 18:27 <DIR> d-------- c:\program files\Trend Micro
2008-11-12 11:09 . 2008-11-13 18:34 250 --a------ c:\windows\gmer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 05:54 --------- d-----w c:\documents and settings\Drake1\Application Data\ComcastToolbar
.
----a-w         3,687,956 2005-10-06 22:17:30  c:\documents and settings\Drake1\Desktop\LimeWire Pro v4.9.32\LimeWire Pro v4.9.32 .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-04-28 323584]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2007-04-19 198184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"nForce Tray Options"="sstray.exe" [2003-08-12 c:\windows\system32\sstray.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

S3 slicedisk.sys;slicedisk.sys;c:\windows\system32\slicedisk.sys [2007-05-31 8832]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Drake1\Application Data\Mozilla\Firefox\Profiles\byowlath.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.netscape.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 11:23:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-14 11:23:24
ComboFix-quarantined-files.txt 2008-11-14 17:23:18

Pre-Run: 8,320,802,816 bytes free
Post-Run: 8,783,405,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

68
YSRRider is offline  
Old 11-15-2008, 12:53 PM   #12 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

waiting for further instructions to proceed....................
YSRRider is offline  
Old 11-15-2008, 08:29 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

Is Limewire still installed? If so, uninstall it as the program is infected.

Are you still getting redirects? What issues remain with this machine?

Quote:
Would you like me to post HJT and DDS logs for the other 2 PCs or should I just run ComboFix on them as well?
What I'd like you to do is begin new threads for each of those other machines to make it easier to keep track of what to do on each machine.

Do NOT run Combofix on any of those machines until I see preliminary scans. Just run DDS.scr and gmer.exe and post those reports.

Entitle the new threads Ried #2 and Ried #3. Please PM me to let me know when you've posted those new threads.
Ried is offline  
Old 11-16-2008, 11:57 AM   #14 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

LimeWire is installed. When I first installed it, it wouldn't connect so I never used it... That was months ago. I finally got it to connect but didn't download anything and it is never left running. Can I uninstall it and then reinstall it?

Not really getting any pop-ups anymore and no more redirects, but some links that I click on from a website won't load at all. No other issues.
YSRRider is offline  
Old 11-16-2008, 11:58 AM   #15 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

Limewire uninstall has been done.
YSRRider is offline  
Old 11-16-2008, 01:56 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

Thank you.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------

Quote:
Originally Posted by Ried
What I'd like you to do is begin new threads for each of those other machines to make it easier to keep track of what to do on each machine.

Do NOT run Combofix on any of those machines until I see preliminary scans. Just run DDS.scr and gmer.exe and post those reports.

Entitle the new threads Ried #2 and Ried #3. Please PM me to let me know when you've posted those new threads.
What is the status of the above? Do you intend to post threads for those machines as well?
Ried is offline  
Old 11-16-2008, 02:50 PM   #17 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

I will post #2 and #3.........
YSRRider is offline  
Old 11-16-2008, 03:39 PM   #18 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

Firefox keeps crashing during the scan, and when I use IE the ACCEPT button won't light up for me to click it.
YSRRider is offline  
Old 11-16-2008, 03:46 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,615
OS: WinXP and Vista


Re: Firefox redirects and pop-ups

See if this online scanner works better for you:

Perform an online scan with Panda ActiveScan

* Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.
Ried is offline  
Old 11-16-2008, 05:11 PM   #20 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 70
OS: XP


Re: Firefox redirects and pop-ups

log attached........


working on PC #2 and #3
Attached Files
File Type: txt Panda1.txt (73.0 KB, 6 views)
YSRRider is offline  