
Solved IE & Firefox Browsers Hijacked

Discussion in 'Malware and Virus Removal Archive' started by Torture, 2010/06/08.

  1. 2010/06/11
    Torture

    Torture Inactive Thread Starter

    Joined:
    2010/06/08
    Messages:
    23
    Likes Received:
    0
    Ok. Everything in both browsers seems to be working great now! Fantastic! So I was being redirected to some Proxy server right? Argh!

    Only thing I see that seems strange is my IE Favorites links only refer to where they were saved on my drive and not to an actual link, but this might be an error I made since they were once transferred from another pc to the current desktop I am using and I never use IE, mainly Firefox, so they might have been that way all along. Firefox Favorites working perfectly.

    Tried loading links in tabs and current windows and all was working without a hitch... must have loaded about 20 sites on each browser with expected results.

    I am inserting a current log from HJT I JUST made:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:58:17 AM, on 6/11/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Razer\DeathAdder\razertra.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92B1E076-4208-43B0-8999-C40A64DAD4DF}: NameServer = 66.174.95.44 69.78.96.14
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

    --
    End of file - 4853 bytes


    Is there more I need to do? If so, I will resume tomorrow afternoon. Past 1AM here and work again in the morning, lol! Can't thank you enough for all your help. Just reply with anything additional I need to do. THANKS!
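A defender-side check over the log format above, added here as an example and not a tool used in the thread: it parses HijackThis entry lines and flags the items worth confirming after a browser-hijack cleanup (O17 DNS servers not on an allowlist, orphaned "(file missing)" entries, non-default IE pages, and autostarts outside the usual program directories). The sample excerpt is copied from the log in this post, except for the `[updater]` O4 line, which is constructed to exercise the autostart check.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in HijackThis 2.0.4 format: all lines are from the log in the
# post above except the O4 "updater" line, which is made up for the autostart check.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{92B1E076-4208-43B0-8999-C40A64DAD4DF}: NameServer = 66.174.95.44 69.78.96.14
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Where a legitimately installed XP autostart normally lives (heuristic, not a rule).
EXPECTED_ROOTS = (r"c:\program files", r"c:\windows")

def parse_hjt(text):
    """Turn HijackThis entry lines into (code, body) pairs; header/process lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            records.append((m.group("code"), m.group("body")))
    return records

def autostart_target(body):
    """Extract the executable from an O4 body such as '[name] "C:\\dir\\x.exe" -arg'."""
    rest = body.split("]", 1)[1].strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest

def review(records, trusted_dns=()):
    """Return (code, item, reason) notes for entries to re-check after a hijack cleanup."""
    notes = []
    for code, body in records:
        if "(file missing)" in body:
            notes.append((code, body, "orphaned entry, leftover of removed software"))
        elif code == "O17" and "NameServer = " in body:
            # O17 is the per-interface DNS list; redirecting hijackers plant resolvers here.
            for server in body.split("NameServer = ", 1)[1].split():
                if server not in trusted_dns and not ip_address(server).is_private:
                    notes.append((code, server, "public DNS server not on allowlist, confirm with ISP"))
        elif code in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if not url.startswith("http://go.microsoft.com/"):
                notes.append((code, url, "IE start/search page is not the default"))
        elif code == "O4":
            target = autostart_target(body)
            if not target.lower().startswith(EXPECTED_ROOTS):
                notes.append((code, target, "autostart outside Program Files/WINDOWS"))
    return notes
```

Pass the ISP's known resolvers in `trusted_dns` to silence the O17 notes once they have been confirmed; with an empty allowlist every public server is listed.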
     
  2. 2010/06/11
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Will just get you to try an on-line scan and see what may be found.

    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report.
    • Now, click on the Save Report as button.
    • In the drop down box labeled Files of type change the type to Text file.
    • Save the file to your Desktop.
    • Copy and paste that information in your next post.
     


  4. 2010/06/11
    Torture

    Getting ready to scan with the online Kaspersky scanner. If it takes as long as the first time to update the definition file, and then an hour to scan, I'll leave it while we have to go do some errands. Thanks and I'll post the scan results a bit later this evening.
     
  5. 2010/06/11
    crunchie

    No worries :)
     
  6. 2010/06/11
    Torture

    Here is the last Kaspersky scan log. It appears it detected a quarantined rootkit threat that must have been removed already? Or not? :

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Friday, June 11, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, June 11, 2010 17:15:26
    Records in database: 4259186
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan statistics:
    Objects scanned: 51846
    Threats found: 1
    Infected objects found: 1
    Suspicious objects found: 0
    Scan duration: 01:00:29


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

    Selected area has been scanned.


    Let me know next step. THANKS A TON!
     
  7. 2010/06/12
    crunchie

    Launch OTL and click on the Cleanup button. Follow the prompts.

    That should sort out everything needed.

    No worries :).
     
  8. 2010/06/12
    Torture

    Ran the CLEANUP option in OTL. It deleted the directory with that infected file that was quarantined.

    Everything appears to be working well with the browsers functioning just like they should.

    Can I go ahead and delete all the different tools we used like JavaRa, HiJackThis, GooredFix (Goored has a directory of backups also) and their associated TXT logs I have on the desktop?

    I imagine when I need this forum's help again there will be newer versions to download.

    I want to thank you very much for your time, patience, and expertise! I will definitely be coming back for any problems I pray I DON'T end up having in the future! THANK YOU! And if I need to do anything further, just let me know!

    EDIT:

    Also wondering about your opinion of the latest Avast Free AV software. I have used AVG for years (Free Version) but the AVG Free 9 I have just been trying to use is acting up. Its tray icon is intermittent and the link scanner appears to be crashing Firefox. I also don't like its preference of Yahoo! as a search engine (although you can disable it or pick another engine, Google is not an option apparently). Most times I try to open links in tabs it keeps crashing with a "Firefox has encountered a problem and needs to close" error message. I uninstalled AVG Free 9 and Firefox is back to its old reliable self.

    Heard a lot of good things about Avast and am currently downloading the installation package for the free version.
     
    Last edited: 2010/06/12
  9. 2010/06/12
    crunchie

    I much prefer Avast over AVG. Personal preference :). Comodo is also a good choice.

    You can uninstall/remove those other tools as you see fit.

    Happy surfing.
     
  10. 2010/06/12
    Torture

    Fabulous! Just installed the Free version of Avast. Looks nice to me. Doing a full scan right now. Thanks for everything!
     
  11. 2010/06/12
    crunchie

    No worries :)
     
  12. 2010/06/12
    Torture

    Avast just found a virus in a restore point file, I believe. It is called Win32:Alureon-FZ (rootkit virus?). It was set by default to put it in the "CHEST" but I picked to delete it and it said "Action Successful". Rescanning to make sure it's not re-detected.
     
  13. 2010/06/12
    crunchie

    You can reset your restore points if you wish by disabling it first, then re-enabling it.
    Note that ALL your previous restore points will be lost.
     
  14. 2010/06/13
    Torture

    After that one restore point was deleted I did a full scan with Avast again and it came up absolutely clean.

    I still have one weird problem. Remember I said my favorites in IE would not work? Instead of showing little icons referring to the sites they were linked to, they now only show a generic icon that looks like a little piece of paper with the upper right-hand corner folded down and a window on it. They don't open anything when clicked on, the hourglass icon just pops up extremely quickly and then disappears with nothing happening.

    The same problem exists with all my internet shortcuts I had made on the desktop to quickly take me to my favorite sites, and one I had on my Quick-launch toolbar. They all show as being "Internet Shortcuts", but when you look at the Properties for each one, they appear like this:

    [screenshot of the shortcut Properties window, not preserved]

    Hope I did this right. I can't find anything actually referring to the page links in the actual shortcuts anymore. AND when I try to paste a NEW shortcut to the desktop, it ends up the same way and won't work.

    If I need to start a new thread on this just tell me. It seems to have happened after we started using the tools to solve my hijacked browsers problem. Thanks!
     
  15. 2010/06/13
    crunchie

  16. 2010/06/13
    Torture

    Tried this fix already. Came across it while doing research on the problem, but it didn't change the problem any. Hmmm. Perplexing.

    Firefox Favorites still work fine. IE Favorites and Desktop URLs still do nothing. (Even adding new ones does nothing.)

    Thanks for any additional help you can give me.
     
  17. 2010/06/13
    Torture

    OK! I think I have solved this through some online articles and some trial and error.

    One online article talked about going into the file associations and turning off DDE.

    I was able to resolve the problems by doing exactly the following:

    1. I made sure both browsers were closed. (Not sure this is required, but followed directions from an article.)

    2. Opened Windows Explorer and clicked "Tools" Menu then picked "Folder Options" then the "File Types" tab.

    3. I scrolled down to "Internet Shortcut". (I chose this since some people having this problem in the article were trying different URL choices to no avail, although some worked, and the Properties of my shortcuts were all described as Internet Shortcuts.) I highlighted this and clicked "Advanced".

    4. I highlighted "Open" under Actions and then clicked "Edit".

    5. I unticked DDE (removed the check from its box) and clicked OK. And then OK again.

    6. I clicked "Apply" when back to the Folder Options window and then "OK" to close the window.

    At this time all my desktop shortcuts were now working again and so were my IE favorites, but a funny thing was happening. Not only were my desktop shortcuts and quick-launch shortcuts opening in Firefox (my chosen default browser), but any click of a Favorite inside of IE would open the link in a Firefox window or tab, lol. So I did a couple of final things to fix this and seemingly end this drama.

    7. In IE I picked the "Tools" Menu and selected "Internet Options" then the "Programs" tab.

    8. I picked "Reset Web Settings" and clicked "Yes" when asked to restore defaults and homepage. (This sets IE as default browser again, also.)

    9. At this point everything was working just fine except I wanted Firefox as my default browser. So I went into the "Tools" menu, picked "Options" and the "Advanced" tab in Firefox. I clicked the "Check Now" button beside "Always check to see if Firefox is your default browser". It wasn't, so I made it so. I then backed out of these windows picking "OK" to close them out.

    10. Finally, I did a last check to make sure IE favorites were loading in IE and not Firefox, and that all my desktop and quick-launch shortcuts were loading in Firefox, my default browser. They were, so I hope this is now fixed!

    Thanks again for the assistance. Here are pics of the properties window from one of my desktop shortcuts showing the additional "Web Document" tab where you can see and change the URL if you want, which was missing when the original problem existed:

    [screenshots of the shortcut Properties window with the "Web Document" tab, not preserved]
     
  18. 2010/06/13
    crunchie

    That's what I like to see. Glad you have it all sorted :)
     
  19. 2010/06/13
    Torture

    BTW: The DDE re-enables itself later, but it still fixes the problem.

    And many many thanks to you for all your expert help! This is a GREAT place to come for assistance!

    Now I can get back to finishing my planning for next weekend's LAN party I am supposed to host, lol!
     
    Last edited: 2010/06/13
  20. 2010/06/13
    crunchie

