Firefox redirect

Status
Not open for further replies.
Remove

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

Are you on a domain?

Are these legit? If not, then remove them as well.

O17 - HKLM\System\CCS\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23

O17 - HKLM\System\CS1\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23

O17 - HKLM\System\CS2\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23
 
Not on a domain.

Removed all 4 items and still displaying the same symptom.

Strange though....the last 3 items are legit, but I removed them anyway, knowing I could go back in and add them back. These systems were originally set up with the actual ISP DNS servers in the TCP/IP settings instead of just pointing to the default gateway. Either way works, so I've left them as is (they were originally set before my time).
Anyway, after removing those 3 DNS entries via HJT, of course I had no internet connectivity, but if I tried Google or Yahoo, it would try to load the page (and fail, of course, since no DNS servers were set), but it would still attempt to forward, and the suspect webpage would load successfully.

BTW, below is the full URL that loads -

"http://fileinxt.com/?flrdr=yes&nxte=js&dn=photo7li.com&fp=f7HbxcqrGoLCBzDHKFzOGsTfYD5el0FMJIYbECeXiXOXORTCui0nxuyRGiG2jdlM5nyvP9ULaD82At1sWYpvsw%3D%3D&prvtof=lBTEetUWtScqQqf6KZ17b9NA%2BiwbOP3pn9gcp9liQzkKgEv%2BOIbQ8crZNNNRPVM2&poru=GSajqKbwzN8mIMSiXb1xlGGUD6z3USmRun90fdI5nWpfyezGZGImsy95mSI%2FBcbrOYMtGpU2YCeDIphhUlYmj6PJu6qh9hykos%2BdrLEgwSw%3D&cifr=1"

=============================

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:03 PM, on 4/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-362427707-3480632566-3415422401-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Sheila Boggs')
O4 - HKUS\S-1-5-21-362427707-3480632566-3415422401-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Sheila Boggs')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 192.168.1.254
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe (file missing)

--
End of file - 4786 bytes

================================
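The O17 lines above are the question "are these resolvers legit?" in log form. As an added example (not code from the thread or from HijackThis), the script below parses O17 entries out of an HJT log and flags any DNS server that is neither an RFC 1918/loopback address (the usual home-router gateway) nor on an allowlist the administrator fills in. The allowlist here is the two ISP resolvers the poster vouched for; the sample log is constructed from the lines in this thread plus one fabricated CS2 line pointing at 203.0.113.5 (a documentation-range placeholder, not a real rogue resolver) so that the flagging path is exercised. Every control set is checked separately, since CCS is only a link to one ControlSet00N key and a value left in CS1/CS2 can return if that set is booted later.

```python
"""Parse HijackThis O17 (DNS NameServer) entries and flag resolvers that are
neither local (RFC 1918 / loopback) nor on the administrator's allowlist.
Added example for this thread; it is not HijackThis code."""
import ipaddress
import re

# An O17 line as HijackThis 2.x prints it. The control set is CCS
# (CurrentControlSet) or CS<n>; the GUID is the Tcpip\Interfaces subkey
# that holds the NameServer value.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[0-9.,\s]+)$"
)

# RFC 1918 plus loopback: a resolver here is the LAN gateway or the box itself.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Allowlist assumed from the thread: the ISP resolvers the poster said are legit.
ISP_RESOLVERS = frozenset({"205.152.37.23", "205.152.144.23"})

# Constructed sample: the thread's own O17 lines, one non-O17 line that must be
# ignored, and a fabricated CS2 line with a TEST-NET-3 placeholder resolver.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 205.152.37.23,205.152.144.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 192.168.1.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{BBF9CB3F-ADA7-4A88-A162-97BF3AFD59BB}: NameServer = 203.0.113.5,192.168.1.254
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID, resolver list."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 line (or not in the expected shape)
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        entries.append({"cset": m.group("cset"),
                        "iface": m.group("iface"),
                        "servers": servers})
    return entries


def classify(server, allowlist):
    """'local' for RFC 1918/loopback, 'allowlisted' if the admin vouched for it,
    'invalid' if it does not parse as an IP, otherwise 'unexpected'."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if server in allowlist:
        return "allowlisted"
    return "unexpected"


def audit(log_text, allowlist):
    """Return (control_set, interface_guid, server) for every resolver that is
    neither local nor allowlisted. Control sets are reported individually so a
    stale value in CS1/CS2 is not hidden by a clean CCS."""
    findings = []
    for entry in parse_o17(log_text):
        for server in entry["servers"]:
            if classify(server, allowlist) in ("unexpected", "invalid"):
                findings.append((entry["cset"], entry["iface"], server))
    return findings


if __name__ == "__main__":
    for cset, iface, server in audit(SAMPLE_LOG, ISP_RESOLVERS):
        print(f"[{cset}] {iface}: unexpected resolver {server}")
```

On a live box the same check is done by reading the NameServer value under each ControlSet00N\Services\Tcpip\Parameters\Interfaces\{GUID} key rather than from a saved log; the parsing and classification logic is unchanged. Note that a clean O17 section does not rule out the redirect seen here: the poster observed it with no resolvers configured at all, so the hijack in this case was not a DNS-level one.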
 
OK, I ran combofix and it went pretty much according to the instructions, but it did require a reboot at the end of the process. I allowed it to reboot and when I logged back in, the blue program window popped up for a split second, but never displayed a log.

I've checked the C:\ComboFix directory and there is no 'log.txt' file there, nor at C:\

Where else could it be?
 
HA! Guess it would have made sense to check that, huh?

Actually, it did seem to fix it. I can browse to google and yahoo and the pages load and stay.

I've also added google back to the firefox search engine list and it seems to be functioning as it should.

Well, not sure what the actual issue was, but at least I know what seems to fix it if it happens again.

Thanks a ton for the help....doubt I would have thought of ComboFix without your suggestion.
 
Usually when ComboFix reboots, it found something which needed a reboot to remove. But still not sure why no log was presented. But at least it's fixed now. :thumbsup:
 
That's what I was thinking.....I've used the program a few times before and remember the program displaying again after reboot. Did not for whatever reason.

All's well if the fix holds though.

Thanks again.
 
Follow-up question on this.

The only issue I've had since running these scans/fixes is that one program is not able to open. The program in question is a very old database program that opens in a DOS window (it's not used enough to dedicate the resources to update it). When the user tries to open this program she gets the following -

A temporary file needed for initialization could not be created or could not be written to. Make sure that the directory path exists and disk space is available.

Path in question is /documents and settings/user/local settings/temp

The temp folder is set to read only (checkbox is checked and grayed out). If I change it and apply/OK it immediately reverts back to read only.

The user has a limited user account on this system and the program has always worked in the past. I think that one of the scans probably deleted all contents of the temp folder and now it cannot write needed data to this directory.

If I 'run as' with admin credentials or run the program logged in as an admin, it works fine. Only has an issue with the limited user.
 