When I click a Google link I sometimes get taken to random sites

Barnetbear
Barnetbear Posts: 374 Forumite
edited 15 July 2010 at 6:59PM in Techie Stuff
SOLUTION FOUND?
Update after posting the first post - solution possibly found, see my 6.17pm post update. Seems it was a trojan or virus which only Microsoft's own free Malware Remover found, called WIN32/ALUREON.

What follows now is my original post (for the record)...

Started 2 days ago. My XP is apparently up to date, I have PC Tools SD installed and updated and on and also Malware Bytes ditto and others.

Scanned and rebooted several times today, still got the problem. I thought it might be Suggested Sites in IE8 but I have now turned that off, still got the problem.

PCT firewall did alert me that a couple of executables in a temp folder, something like 0.1...exe and Redoa.exe were trying to access the internet, I blocked then deleted them, then scanned with SD it removed some "High" risk trojans (ADH and Mystic), rebooted, but no difference. The problem is if I do a search in Google, sometimes all is ok but other times the result or entry in the list that I click from Google doesn't take me where it should, but instead to some sort of random ad site such as 'sour' or 'info' or a whole load of others.

I also have that occasional problem with clicking a link and getting the "VScan7" pseudo-scan and virus has been found on your computer nonsense, can't get rid of that either. Here's a Hijackthis log, I don't remember putting Superadblocker and some of the progs there on the laptop but this laptop gets used by other people too so can't say for sure what they tried or did. Mostly just I use it, however, and am pretty careful, the Hijackthis log to my amateur eyes looks like it has too much loaded into memory but I can't spot the rogue program/malware.

Any ideas? Thank you.

[from Hijackthis scan a few moments ago]

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:38:00, on 15/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wgp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\MYFILES\myfold\variousprograms\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.uk.gateway.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 8594 bytes

Start-up log
StartupList report, 15/07/2010, 15:04:20
StartupList version: 1.52.2
Started from : C:\MYFILES\myfold\variousprograms\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wgp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\vsnpstd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\MYFILES\myfold\variousprograms\HijackThis.exe
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\LeonF\Start Menu\Programs\Startup]
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\userinit.exe,
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
VTTimer = VTTimer.exe
VTTrayp = VTtrayp.exe
AGRSMMSG = AGRSMMSG.exe
WinGuard Pro = C:\WINDOWS\system32\wgp.exe
PinnacleDriverCheck = C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
USB2Check = RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
ISTray = "C:\Program Files\Spyware Doctor\pctsTray.exe"
SNPSTD2 = C:\WINDOWS\vsnpstd2.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
avast5 = C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Adobe ARM = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
00PCTFW = "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
SunJavaUpdateSched = "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
IE Privacy Keeper = "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
=
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Browser Defender BHO - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7}
(no name) - (no file) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
Enumerating Task Scheduler jobs:
AppleSoftwareUpdate.job
User_Feed_Synchronization-{EFA32B49-962F-4963-B9BB-A683A8028BBA}.job
Enumerating Download Program Files:
[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
[SABScanProcesses Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sabspx.dll
CODEBASE = http://www.superadblocker.com/activex/sabspx.cab
[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
End of report, 7,308 bytes
Report generated in 0.359 seconds
Escaped from Barnet to freedom in the South-East!

Comments

  • you've done a full scan with MalwareBytes then? it seems like you've adware on your PC, MalwareBytes should find this, remove all it finds.
    [You also have PC Spyware Doctor, I would've thought that would help resolve this too.]

    HTH
    Friendly greeting!
  • pob1976
    pob1976 Posts: 165 Forumite
    Hi there, I've had this problem before, it sounds like your anti-spyware has missed some spyware. I use 3 different programs to find what the others don't find.

    Spyware S&D
    Noadware
    Malwarebytes

    I find if all 3 miss the spyware. then give it a few days, update all 3 programs and scan again. 9 times out of 10 it will work.


    Barnetbear wrote: »
    Started 2 days ago. My XP is apparently up to date, I have PC Tools SD installed and updated and on and also Malware Bytes ditto and others.

    Scanned and rebooted several times today, still got the problem. I thought it might be Suggested Sites in IE8 but I have now turned that off, still got the problem.

    PCT firewall did alert me that a couple of executables in a temp folder, something like 0.1...exe and Redoa.exe were trying to access the internet, I blocked then deleted them, then scanned with SD it removed some "High" risk trojans (ADH and Mystic), rebooted, but no difference. The problem is if I do a search in Google, sometimes all is ok but other times the result or entry in the list that I click from Google doesn't take me where it should, but instead to some sort of random ad site such as 'sour' or 'info' or a whole load of others.

    I also have that occasional problem with clicking a link and getting the "VScan7" pseudo-scan and virus has been found on your computer nonsense, can't get rid of that either. Here's a Hijackthis log, I don't remember putting Superadblocker and some of the progs there on the laptop but this laptop gets used by other people too so can't say for sure what they tried or did. Mostly just I use it, however, and am pretty careful, the Hijackthis log to my amateur eyes looks like it has too much loaded into memory but I can't spot the rogue program/malware.

    Any ideas? Thank you.

    [from Hijackthis scan a few moments ago]

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 14:38:00, on 15/07/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\wgp.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\vsnpstd2.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\MYFILES\myfold\variousprograms\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.uk.gateway.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
    O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    --
    End of file - 8594 bytes

    Start-up log
    StartupList report, 15/07/2010, 15:04:20
    StartupList version: 1.52.2
    Started from : C:\MYFILES\myfold\variousprograms\HijackThis.EXE
    Detected: Windows XP SP3 (WinNT 5.01.2600)
    Detected: Internet Explorer v8.00 (8.00.6001.18702)
    * Using default options
    ==================================================
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\wgp.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\vsnpstd2.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\MYFILES\myfold\variousprograms\HijackThis.exe
    Listing of startup folders:
    Shell folders Startup:
    [C:\Documents and Settings\LeonF\Start Menu\Programs\Startup]
    Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    Checking Windows NT UserInit:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\SYSTEM32\userinit.exe,
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    RemoteControl = "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    VTTimer = VTTimer.exe
    VTTrayp = VTtrayp.exe
    AGRSMMSG = AGRSMMSG.exe
    WinGuard Pro = C:\WINDOWS\system32\wgp.exe
    PinnacleDriverCheck = C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    USB2Check = RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    ISTray = "C:\Program Files\Spyware Doctor\pctsTray.exe"
    SNPSTD2 = C:\WINDOWS\vsnpstd2.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    avast5 = C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    Adobe ARM = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    00PCTFW = "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
    SunJavaUpdateSched = "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    IE Privacy Keeper = "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -startup
    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    [OptionalComponents]
    =
    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*
    Shell & screensaver key from Registry:
    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
    drivers=*Registry value not found*
    Policies Shell key:
    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*
    Enumerating Browser Helper Objects:
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    Browser Defender BHO - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7}
    (no name) - (no file) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000}
    (no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
    JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
    Enumerating Task Scheduler jobs:
    AppleSoftwareUpdate.job
    User_Feed_Synchronization-{EFA32B49-962F-4963-B9BB-A683A8028BBA}.job
    Enumerating Download Program Files:
    [{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    [SABScanProcesses Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\sabspx.dll
    CODEBASE = http://www.superadblocker.com/activex/sabspx.cab
    [{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
    CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Enumerating ShellServiceObjectDelayLoad items:
    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
    End of report, 7,308 bytes
    Report generated in 0.359 seconds
  • Barnetbear
    Barnetbear Posts: 374 Forumite
    edited 15 July 2010 at 6:55PM
    Thank you above people for trying to help.
    I have bang up to date PC Tools SD, Malware Bytes' anti Malware, and Microsoft Malware Remover (July 2010 latest). Microsoft's said it partially removed some malware when I did a quick scan nearly 3 hrs ago, it recommended the full scan which am now doing. 630,000 files scanned later it says 0 files infected, but am hoping it will specify what it "partially removed" during the quick scan.

    Noadware I've never heard of, might give it a go. SD is usually good and it (or the PCT firewall) did at least last year intercept a keylogger about to nick my bank password and also alert me today to a program called 0 (o or zero) and one called Redoa.exe which were up to no good, where they came from I've no clue. I found them in the Documents & Settings folder later and deleted them, but they're nothing to do with the hijacking of my browser when I click a Google entry. I even clicked the blood bank service link and was taken to some nonsense page trying to sell me plasma TVs! Then if you press Back it takes you to somewhere else and you can't get back to Google. Sometimes the browser (IE8) crashes. This is like a new and more commercial version of that problem with the fake virus scan page, which I also can't get rid of, sometimes it's called "VScan7". Will post an update later if I have any positive news.

    ___________________________________________________
    ___________________________________________________

    Solution I think...
    18:50 update, hope this helps others
    All MS Malware Remover found was Win32/Alureon.H
    Apparently I have to restart the computer and then run an anti virus too. Why an a/v, I have no idea, it's either deleted or it isn't, surely?
    Anyway, if the problem remains I will post again, otherwise shall assume this sorted it. http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus:Win32/Alureon.H
    "
    Summary
    Virus:Win32/Alureon.H is a detection for system drivers infected by members of the Win32/Alureon family.




    Win32/Alureon is a multi-component family of trojans involved in a broad range of subversive activities online in order to generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating affected user's activities online to the attacker's benefit. As such, the various components of this family have been used for:
    • modifying affected user's search results (search hijacking) I CAN VOUCH FOR THAT ONE, YUP!
    • redirecting affected user's browsing to sites of the attacker's choice (browser hijacking)
    • changing Domain Name System (DNS) settings in order to redirect users to sites of the attacker's choice without the affected user's knowledge
    • downloading and executing arbitrary files, including additional components and other malware
    • serving illegitimate advertising
    • installing Rogue security software
    • banner clicking "
    Escaped from Barnet to freedom in the South-East!
  • GunJack
    GunJack Posts: 11,808 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    As a belt'n'braces, you may be advised to run combofix and/or Dr Web, just to be sure. Last deep-rooted browser hijacker I removed, combofix didn't get it but the good Dr did...
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • Barnetbear
    Barnetbear Posts: 374 Forumite
    GunJack wrote: »
    As a belt'n'braces, you may be advised to run combofix and/or Dr Web, just to be sure. Last deep-rooted browser hijacker I removed, combofix didn't get it but the good Dr did...

    I've heard Combofix is for men not boys, so I steer clear of it, some say use Combofix wrong and XP won't load again. I've never heard of Dr Web, will look into it, thanks for the tip.

    PS So far so good, not being hijacked any more, I would praise Microsoft as their Malware Remover seems to have worked, but on the other hand they are the ones who leave IE open to hijacking in the first place, so :mad: 'em!
    Escaped from Barnet to freedom in the South-East!
  • You can run combofix (or possibly dr. web but most likely combofix) but wait for alienRIK to say ok before starting.
    He will tell you how to run it etcetera.

    Also can you post the last malwarebytes log please? Or any logs which indicate there was an infection?
  • Barnetbear
    Barnetbear Posts: 374 Forumite
    edited 16 July 2010 at 11:51AM
    You can run combofix (or possibly dr. web but most likely combofix) but wait for alienRIK to say ok before starting.
    He will tell you how to run it etcetera.

    Also can you post the last malwarebytes log please? Or any logs which indicate there was an infection?

    PCT SFD found Trojan.ADH and Heuristic.Mystic which was not the problem, although PCT firewall did stop 2 rogue progs from downloading more trojans and did stop a keylogger last year.
    Malware Bytes found nothing.
    The only prog that found something was MS Malware Remover, it listed the trojan or virus as in my earlier post, and that was it. I don't know how to interrogate MS MR to find out where that virus was hiding etc and I don't know where MS MR keeps its log. If you let me know, I will fish it out and copy/paste for you to see.

    update 16/07
    I ran a full Malware Bytes anti malware scan in Normal mode (previously ran in Safe Mode, nothing found).
    I updated MB yet again, they seem to update the database even twice a day or more!
    Anyway, MB log below, found 2 registry trojan entries. Ran MS MW again today (quick scan) - nothing found, but MW found the trojan entries as below and says it deleted them. Note that MS MR scanned far more than MB and so takes 3 times longer.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4318
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    16/07/2010 11:45:29
    mbam-log-2010-07-16 (11-45-29).txt
    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 293865
    Time elapsed: 1 hour(s), 22 minute(s), 22 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
    Escaped from Barnet to freedom in the South-East!
  • GunJack
    GunJack Posts: 11,808 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    I'd still be inclined to run Dr Web, just to be safe.

    http://www.freedrweb.com/download+cureit/

    download, run.If it starts a quick scan, stop it and set it off on a full scan. It may take a few hours, but it'll pick up on any deep-rooted lurking nasties. Leave it run overnight is usually a good option :)
    Delete anything it finds and you should be clear ;)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 350.3K Banking & Borrowing
  • 252.9K Reduce Debt & Boost Income
  • 453.2K Spending & Discounts
  • 243.3K Work, Benefits & Business
  • 597.8K Mortgages, Homes & Bills
  • 176.6K Life & Family
  • 256.4K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 37.6K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.