niarb_innel
asked on
Firefox will not always go to deired website
After successfully googling a term I do not always get to the website available on Google's return page.
MS_help_guy
Try to run updates first on FF
You have what is called a browser hijack. When you go to google and search for something and the sites come up and when you click on say www.ebay.com it goes some where else.
Go to www.safer-networking.com and download spybot defender and update it and run it. when it is done select all items and select "fix selected items"
Go to www.safer-networking.com and download spybot defender and update it and run it. when it is done select all items and select "fix selected items"
Hello niarb_innel,
You may have a Wareout infection. Run FixWareout
http://files.filefront.com/Fixwareoutexe/;9892936;/fileinfo.html
If no joy, run Mailwarebytes
http://www.malwarebytes.org/
Hope this helps!
war1
You may have a Wareout infection. Run FixWareout
http://files.filefront.com/Fixwareoutexe/;9892936;/fileinfo.html
If no joy, run Mailwarebytes
http://www.malwarebytes.org/
Hope this helps!
war1
ASKER
I have already ran spybot and it didn't come up with anything. It may be a virus named packed.generic.45. I say that because it was identified by Norton and Malwarebytes. In addition to Spybot I have aso ran scans with Norton 2009 and Spyware Doctor and re-ran Malwarebytes with no hists
ASKER
When running fixaware I get a message "Unsupported Windows Version"
I am running Vista Ultimate 6.0 SP1.
I am running Vista Ultimate 6.0 SP1.
Please run Hijackthis from http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html and upload report file.
ASKER
Hijack this is running ... what do I need to do to get the report?
select main menu
select do a system scan and save a log file
then go to C:\Program Files\Trend Micro\HijackThis
There will be a text file upload that.
select do a system scan and save a log file
then go to C:\Program Files\Trend Micro\HijackThis
There will be a text file upload that.
ASKER
The only file in this folder is the .exe.
ASKER
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:26 PM, on 4/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.e
C:\Windows\system32\csrss.
C:\Windows\system32\winini
C:\Windows\system32\csrss.
C:\Windows\system32\servic
C:\Windows\system32\lsass.
C:\Windows\system32\lsm.ex
C:\Windows\system32\winlog
C:\Windows\system32\svchos
C:\Windows\system32\nvvsvc
C:\Windows\system32\svchos
C:\Windows\System32\svchos
C:\Windows\System32\svchos
C:\Windows\system32\svchos
C:\Windows\system32\SLsvc.
C:\Windows\system32\svchos
C:\Windows\system32\rundll
C:\Windows\system32\svchos
C:\Windows\system32\Dwm.ex
C:\Windows\Explorer.EXE
C:\Windows\System32\spools
C:\Windows\system32\svchos
C:\Windows\system32\tasken
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\AWS\WeatherBug\Weath
C:\Program Files\Google\GoogleToolbar
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.e
C:\Windows\system32\tasken
C:\Windows\system32\agrsms
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\Program Files\Bonjour\mDNSResponde
C:\Windows\system32\svchos
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Acer\Empowering Technology\eDataSecurity\e
C:\Acer\Empowering Technology\eLock\Service\e
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccess
C:\Program Files\Norton AntiVirus\Engine\16.5.0.13
C:\Windows\system32\svchos
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchos
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\svchos
C:\Windows\system32\Search
C:\Acer\Empowering Technology\eRecovery\eReco
C:\Acer\Empowering Technology\eSettings\Servi
C:\Acer\Empowering Technology\ePower\ePowerSv
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\w
C:\Windows\system32\wbem\w
C:\Windows\system32\wbem\u
C:\Program Files\Norton AntiVirus\Engine\16.5.0.13
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EX
C:\Program Files\Skype\Phone\Skype.ex
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\MediaMonkey\MediaMon
C:\Program Files\Rhapsody\rhaphlpr.ex
C:\Windows\system32\svchos
C:\Program Files\uTorrent\uTorrent.ex
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPA
C:\Windows\system32\vssvc.
C:\Windows\System32\svchos
C:\Program Files\Common Files\Intel\WirelessCommon
C:\Program Files\Intel\WiFi\bin\EvtEn
C:\Windows\system32\WLANEx
C:\Windows\system32\tasken
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\Windows\system32\NOTEPA
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-0
F2 - REG:system.ini: UserInit=C:\Windows\system
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-F
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-0
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-4
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-0
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-7
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-C
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-3
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-3
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-0
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-3
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6655] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKLM\..\RunOnce: [SpybotDeletingC7737] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKLM\..\RunOnce: [SpybotDeletingA2521] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKLM\..\RunOnce: [SpybotDeletingC6238] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [CleanSetup] cmd /C rmdir /S /Q "C:\Users\Bri\AppData\Loca
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weath
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.e
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.ex
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKCU\..\RunOnce: [SpybotDeletingB9711] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKCU\..\RunOnce: [SpybotDeletingD6006] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKCU\..\RunOnce: [SpybotDeletingB650] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKCU\..\RunOnce: [SpybotDeletingD6412] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\
O4 - HKUS\.DEFAULT\..\Run: [nDler2] \\?\globalroot\systemroot\
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustom
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillFo
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditId
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPa
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowTo
O8 - Extra context menu item: Safenotes Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNo
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePa
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra button: Safenotes - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra 'Tools' menuitem: Safenotes Editor - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-0
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsms
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\e
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\e
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eReco
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Servi
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEn
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\Srv
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.13
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSv
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSv
--
End of file - 15547 bytes
hijackthis.log
Scan saved at 7:53:26 PM, on 4/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.e
C:\Windows\system32\csrss.
C:\Windows\system32\winini
C:\Windows\system32\csrss.
C:\Windows\system32\servic
C:\Windows\system32\lsass.
C:\Windows\system32\lsm.ex
C:\Windows\system32\winlog
C:\Windows\system32\svchos
C:\Windows\system32\nvvsvc
C:\Windows\system32\svchos
C:\Windows\System32\svchos
C:\Windows\System32\svchos
C:\Windows\system32\svchos
C:\Windows\system32\SLsvc.
C:\Windows\system32\svchos
C:\Windows\system32\rundll
C:\Windows\system32\svchos
C:\Windows\system32\Dwm.ex
C:\Windows\Explorer.EXE
C:\Windows\System32\spools
C:\Windows\system32\svchos
C:\Windows\system32\tasken
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\AWS\WeatherBug\Weath
C:\Program Files\Google\GoogleToolbar
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.e
C:\Windows\system32\tasken
C:\Windows\system32\agrsms
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\Program Files\Bonjour\mDNSResponde
C:\Windows\system32\svchos
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Acer\Empowering Technology\eDataSecurity\e
C:\Acer\Empowering Technology\eLock\Service\e
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccess
C:\Program Files\Norton AntiVirus\Engine\16.5.0.13
C:\Windows\system32\svchos
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchos
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\System32\svchos
C:\Windows\system32\Search
C:\Acer\Empowering Technology\eRecovery\eReco
C:\Acer\Empowering Technology\eSettings\Servi
C:\Acer\Empowering Technology\ePower\ePowerSv
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\w
C:\Windows\system32\wbem\w
C:\Windows\system32\wbem\u
C:\Program Files\Norton AntiVirus\Engine\16.5.0.13
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EX
C:\Program Files\Skype\Phone\Skype.ex
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\MediaMonkey\MediaMon
C:\Program Files\Rhapsody\rhaphlpr.ex
C:\Windows\system32\svchos
C:\Program Files\uTorrent\uTorrent.ex
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPA
C:\Windows\system32\vssvc.
C:\Windows\System32\svchos
C:\Program Files\Common Files\Intel\WirelessCommon
C:\Program Files\Intel\WiFi\bin\EvtEn
C:\Windows\system32\WLANEx
C:\Windows\system32\tasken
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\Windows\system32\NOTEPA
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R0 - HKCU\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-0
F2 - REG:system.ini: UserInit=C:\Windows\system
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-F
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-0
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-4
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-0
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-7
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-C
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-3
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-3
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-0
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-3
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6655] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKLM\..\RunOnce: [SpybotDeletingC7737] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKLM\..\RunOnce: [SpybotDeletingA2521] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKLM\..\RunOnce: [SpybotDeletingC6238] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [CleanSetup] cmd /C rmdir /S /Q "C:\Users\Bri\AppData\Loca
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weath
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.e
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.ex
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKCU\..\RunOnce: [SpybotDeletingB9711] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKCU\..\RunOnce: [SpybotDeletingD6006] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\A5
O4 - HKCU\..\RunOnce: [SpybotDeletingB650] command.com /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKCU\..\RunOnce: [SpybotDeletingD6412] cmd.exe /c del "C:\Program Files\AskTBar\bar\1.bin\AS
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\
O4 - HKUS\.DEFAULT\..\Run: [nDler2] \\?\globalroot\systemroot\
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustom
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillFo
O8 - Extra context menu item: Identities Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditId
O8 - Extra context menu item: Passcards Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditPa
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowTo
O8 - Extra context menu item: Safenotes Editor - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComEditNo
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePa
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C
O9 - Extra button: Identities - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra 'Tools' menuitem: Identities Editor - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra button: Safenotes - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra 'Tools' menuitem: Safenotes Editor - {45DB34C3-955C-11D3-ABEF-4
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-0
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsms
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\e
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\e
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eReco
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Servi
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEn
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\Srv
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccess
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.13
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSv
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSv
--
End of file - 15547 bytes
hijackthis.log
Download Autoruns from the sysinternals website. This works alot like hijackthis, and will show you everything that starts to run during startup. Make sure you change the settings to Verify Sigs and Hide microsoft entries, then click refresh. It will list everything that is running, including what shouldn't be. Get it from
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
If you can't get a log then nobody here can help because we can't see whats causing it. Esp if spybot and malwarebytes found nothing. The only thing I can think of is remove firefox and delete any folders that say firefox and mozilla. Note this will remove all firefox settings and thunderbird if installed. Then clean the registry using a free registry cleaner from www.download.com. Then reinstall firefox. Good luck though.
On a back note I wonder if you can copy the output and paste it into notepad.
On a back note I wonder if you can copy the output and paste it into notepad.
Spybot found it but you haven't restarted your computer (reboot now) I will repost more.
not all of these entries are negative but it will speed up your pc the last two entries and what spybot removed are main source of infection.
Run hijackthis and select the entries posted for "fix" then select fix. Restart PC and google away.
Run hijackthis and select the entries posted for "fix" then select fix. Restart PC and google away.
sorry here is the file
hijackthis.log.txt
hijackthis.log.txt
ASKER
I did restart my PC and Spybot started which it told me it would but I forgot. I will resatrt again and wait for Spybot to complete.
Also: On startup Norton still flashes a window in the lower right corner stating that it has recognized packed.generic.45 as virus / trojan.
Since the spybot scan will run for about 2 hours, I may not get back to you all until tomorrow.
Thanks!!!
Also: On startup Norton still flashes a window in the lower right corner stating that it has recognized packed.generic.45 as virus / trojan.
Since the spybot scan will run for about 2 hours, I may not get back to you all until tomorrow.
Thanks!!!
ASKER
OK, I'm back. I ran Spybot. But unfortunately. Firefox will not consistently go to the website chosen. This is particularly true when perform a Google search and opening one of the results.
additionally Norton continues to give a related warning after restart ...
See attached.doc
packd.generic.45.doc
additionally Norton continues to give a related warning after restart ...
See attached.doc
packd.generic.45.doc
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hey guys this lady is kicking your buts!!! :-0
>>>"Hey guys this lady is kicking your buts!!! :-0 "<<<
Amusing feedback... they can't see your comment so I pasted it here.
Thanks for the points! :)
Amusing feedback... they can't see your comment so I pasted it here.
Thanks for the points! :)
WOW didn't know that a plug-in could cause Firefox to that especially when there was an existing infection that can do the same thing.
@dmathwizard,
Welcome to 'rpg' world - if there is something she doesn't know about malware, it ain't worth knowing.
Welcome to 'rpg' world - if there is something she doesn't know about malware, it ain't worth knowing.
younghv,
Thanks for the compliments... so nice of you, :)
@ niarb_innel:
To uninstall GooredFix.exe:
Click Start > Run and then copy/paste the following into the box and hit Enter: (the procedure will delete backups, log and itself).
"%userprofile%\Desktop\Goo
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.
>>>"... could cause Firefox to that especially when there was an existing infection that can do the same thing."<<<
That was the infection(Goored infection)... called Goored, zfsearch or google.goougly(based from older variants), as these domains will appear before search results are displayed and goougly domain appears after a link is clicked.
Older variants creates a random CLSID in App Data and a loading point. Deleting just the CLSID folder stops the redirects(if you know which one)
Latest variant redirects to new domains and random CLSID is in different location, so it's easier to use GooredFix tool to take care of everything.
Thanks for the compliments... so nice of you, :)
@ niarb_innel:
To uninstall GooredFix.exe:
Click Start > Run and then copy/paste the following into the box and hit Enter: (the procedure will delete backups, log and itself).
"%userprofile%\Desktop\Goo
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.
>>>"... could cause Firefox to that especially when there was an existing infection that can do the same thing."<<<
That was the infection(Goored infection)... called Goored, zfsearch or google.goougly(based from older variants), as these domains will appear before search results are displayed and goougly domain appears after a link is clicked.
Older variants creates a random CLSID in App Data and a loading point. Deleting just the CLSID folder stops the redirects(if you know which one)
Latest variant redirects to new domains and random CLSID is in different location, so it's easier to use GooredFix tool to take care of everything.