Lunarsoft Forums: Roland redirected


Roland redirected

#1 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 28 January 2010 - 08:30 PM

Have done pretty much everything up to posting an HJT report so here it is. I am not sure what the no name toolbar thing is but I do not believe it has anything to do with my problem. I would like to know what it is and get rid of it though. When I do a search on google, I am redirected to ezanga, smartbidsearch and such ilk. Thanks in advance for any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:03 PM, on 1/28/10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Roland\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Update Service (gupdate1c9c093d6268446) (gupdate1c9c093d6268446) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Program Files\SPAMfighter\sfus.exe

#2 Tarun

  • Area 5 Investigator
  • Group: Administrators
  • Posts: 4,539
  • Joined: 05-September 05
  • Gender: Male
  • Location: Bon Temps
  • OS: Windows 7 Ultimate x86
  • Country: United States

Posted 29 January 2010 - 01:05 AM

Hi Roland, have you downloaded the tools for your OS from the Anti-Malware Toolkit?

You'll also want to get Avast, because v5 is now out.

Have we helped you out? Please help support Lunarsoft.net!

#3 James_A

  • Lunar Regular
  • Group: Contributors
  • Posts: 189
  • Joined: 16-October 08
  • Gender: Male
  • OS: Multiple OS
  • Country: England

Posted 29 January 2010 - 10:40 AM

roland67, on 28 January 2010 - 08:30 PM, said:

I am not sure what the no name toolbar thing is but I do not believe it has anything to do with my problem.


If you mean this:

roland67, on 28 January 2010 - 08:30 PM, said:

O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
...
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)


then it's (or rather, it was, since the file is missing) the AVG 8 toolbar (AVGTOOLBAR.DLL). Looks to me like AVG has been removed, but left the registry entries behind.

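A small triage script, added here as an example (it is not part of the thread and not HijackThis code), that makes James_A's observation mechanical: parse HJT entry lines, flag entries whose target file is gone, and group those orphans by CLSID so a leftover that appears under both O2 and O3 stands out. The sample lines are a subset copied from the log posted above; the function and field names are my own.

```python
import re
from collections import defaultdict

# Sample HijackThis entries, copied from the log in this thread (constructed subset).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
""".strip()

# An HJT entry line starts with a section tag such as R0, O2, O23, followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A COM CLSID in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HJT prints when the registered file no longer exists on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return one dict per HJT entry line; process lists and headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid_m = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid_m.group(0).upper() if clsid_m else None,
            "orphan": any(mark in body for mark in ORPHAN_MARKERS),
        })
    return entries


def group_by_clsid(entries):
    """Map each CLSID to the list of sections (O2, O3, ...) it was registered under."""
    groups = defaultdict(list)
    for e in entries:
        if e["clsid"]:
            groups[e["clsid"]].append(e["section"])
    return dict(groups)


def triage(log_text):
    """Summarise orphaned entries: registry leftovers whose backing file is gone."""
    entries = parse_entries(log_text)
    orphans = [e for e in entries if e["orphan"]]
    shared = {c: secs for c, secs in group_by_clsid(orphans).items() if len(secs) > 1}
    return {"total": len(entries), "orphans": orphans, "shared_orphan_clsids": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["orphans"]:
        print(f"orphan {e['section']}: {e['body']}")
    print("same CLSID in several sections:", result["shared_orphan_clsids"])
```

Orphaned entries are leftovers, not evidence of the redirect by themselves; the point is to separate what the log can explain (an uninstalled toolbar) from what it cannot.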

#4 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 29 January 2010 - 03:54 PM

Have run all recommended utilities prior to posting HJT. Also did Trend Micro Housecall.

#5 Tarun

  • Area 5 Investigator
  • Group: Administrators
  • Posts: 4,539
  • Joined: 05-September 05
  • Gender: Male
  • Location: Bon Temps
  • OS: Windows 7 Ultimate x86
  • Country: United States

Posted 29 January 2010 - 06:35 PM

The reason I asked is because I do not see the Malwarebytes Service listed. Your log appears clean, though.

#6 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 30 January 2010 - 12:44 AM

I did run Malwarebytes antimalware but this has not fixed my problem. My browser has definitely been hijacked. Any ideas?

#7 Tarun

  • Area 5 Investigator
  • Group: Administrators
  • Posts: 4,539
  • Joined: 05-September 05
  • Gender: Male
  • Location: Bon Temps
  • OS: Windows 7 Ultimate x86
  • Country: United States

Posted 30 January 2010 - 01:33 AM

Please post your scan log from Malwarebytes.

#8 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 30 January 2010 - 01:11 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3660
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/29/10 9:34:01 PM
mbam-log-2010-01-29 (21-34-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 235613
Time elapsed: 1 hour(s), 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\IE.ico (Malware.Trace) -> Quarantined and deleted successfully.

#9 Tarun

  • Area 5 Investigator
  • Group: Administrators
  • Posts: 4,539
  • Joined: 05-September 05
  • Gender: Male
  • Location: Bon Temps
  • OS: Windows 7 Ultimate x86
  • Country: United States

Posted 01 February 2010 - 12:06 AM

Not seeing any issues. Are you still experiencing issues?

#10 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 01 February 2010 - 07:28 PM

Finally gave up and switched to google chrome from Firefox. Problem appears to be gone unless I use Firefox.

#11 greenknight

  • Lunar Senior
  • Group: Editors
  • Posts: 820
  • Joined: 07-September 05
  • Location: In the shadow of Mt. St. Helens
  • Interests: Too many to list - I'm a Renaissance man
  • OS: XP Home
  • Country: United States

Posted 02 February 2010 - 10:17 AM

A Firefox problem? Ah, that's my specialty!

A quick search of the Mozillazine forums turned up this thread about exactly this problem:

Seems that a virus is installing itself as a Firefox extension, removal instructions here.

Probably easier to just delete the entire Extensions folder in your Firefox profile, then reinstall your extensions. See this page for help.

To simplify fixing problems like this, I recommend backing up your Firefox profile. With backups, you could fix this in about a minute.
Your proposition may be good
But let’s have one thing understood --
Whatever it is, I’m against it!
And even when you’ve changed it or condensed it,
I’m against it.
- Sung by Groucho Marx in Horse Feathers (1932). Currently a popular political philosophy.

#12 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 07 February 2010 - 12:02 PM

Thanks guys. I have tried all these things and still have redirects. Maybe if I delete all references to firefox from my registry? Not sure how to do that safely.

#13 Tarun

  • Area 5 Investigator
  • Group: Administrators
  • Posts: 4,539
  • Joined: 05-September 05
  • Gender: Male
  • Location: Bon Temps
  • OS: Windows 7 Ultimate x86
  • Country: United States

Posted 07 February 2010 - 01:45 PM

You could just create a new Firefox profile and that should fix it.

#14 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 07 February 2010 - 02:06 PM

Ok. I have tried that now and am redirected to info.com. If I hit the back button I go to the intended site.

#15 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 07 February 2010 - 02:07 PM

Google chrome seems to be clean. I like firefox better and this redirect thing is driving me crazy.

#16 Eldmannen

  • Ninja
  • Group: Members
  • Posts: 1,481
  • Joined: 19-December 06
  • Gender: Male
  • Interests: Computers.
  • OS: Multiple OS
  • Country: Jamaica

Posted 07 February 2010 - 05:24 PM

Uninstall Firefox, then delete your Firefox profile, and all the extensions.

Like, you can remove C:\Documents and Settings\Roland\Application Data\Mozilla

Then you install Firefox again.

#17 Tarun

  • Area 5 Investigator
  • Group: Administrators
  • Posts: 4,539
  • Joined: 05-September 05
  • Gender: Male
  • Location: Bon Temps
  • OS: Windows 7 Ultimate x86
  • Country: United States

Posted 07 February 2010 - 06:02 PM

What you should be able to do is fully uninstall Firefox too, and remove prefs, etc.

Starting a new profile would be easier I think. Start Firefox in Safe Mode to access a way to create a new profile, if I recall correctly.

#18 greenknight

  • Lunar Senior
  • Group: Editors
  • Posts: 820
  • Joined: 07-September 05
  • Location: In the shadow of Mt. St. Helens
  • Interests: Too many to list - I'm a Renaissance man
  • OS: XP Home
  • Country: United States

Posted 08 February 2010 - 07:49 AM

Tarun, on 07 February 2010 - 06:02 PM, said:

<snip>
Starting a new profile would be easier I think. Start Firefox in Safe Mode to access a way to create a new profile, if I recall correctly.


Sorry, Tarun, you don't recall correctly. Those brilliant Firefox devs decided to make opening the Profile Manager command line. It differs in different Windows versions, for XP:

Quote

* Windows 2000 and XP

1. Exit Firefox. To close Firefox, at the top of the Firefox window, select the File menu, and then select Exit.
2. Open the Windows Start menu and click Run....
3. In the Run dialog, enter the following:

firefox.exe -ProfileManager

4. Click OK.

Note: If the Profile Manager window does not appear, you may need to specify the full path of the Firefox program, enclosed in quotes; for example:

"C:\Program Files\Mozilla Firefox\firefox.exe" -ProfileManager


On my XP machine I can use firefox.exe -p and it works. The main thing is, don't leave out the space after firefox.exe (a very common error). Full instructions here.

I was afraid this might be tough to get rid of; it's said to be a variant of the Vundo trojan, which has been evolving for a long time and getting increasingly hard to completely remove. It may be hiding in the Registry and reinstalling itself after you remove it.

Anyway, try a new profile; if that works, great. If not, try completely uninstalling Firefox and doing a clean install.

If still no joy, it means there's more work to do. You definitely need to get this malware off your machine, not just work around it by using Chrome.

#19 roland67

  • Lunar Novice
  • Group: Members
  • Posts: 39
  • Joined: 05-May 09
  • Gender: Male
  • Location: The Rock
  • OS: XP Pro x64
  • Country: Canada

Posted 08 February 2010 - 09:59 PM

Have followed your instructions. Unfortunately no joy. What next?

#20 greenknight

  • Lunar Senior
  • Group: Editors
  • Posts: 820
  • Joined: 07-September 05
  • Location: In the shadow of Mt. St. Helens
  • Interests: Too many to list - I'm a Renaissance man
  • OS: XP Home
  • Country: United States

Posted 09 February 2010 - 10:19 AM

Give VundoFix a try. Instructions on how to use it are on the download page. It removes many of the variants of Vundo; let's hope it works on this one.