Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Intermittant Google redirects


  • This topic is locked This topic is locked
3 replies to this topic

#1 Virtigod

Virtigod

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 28 May 2010 - 01:57 PM

I have been getting recurring google redirects and occasional new browser windows opening with unrequested websites... please help!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Virtigod at 13:39:26.10 on Fri 05/28/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.2288 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Virtigod\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DVDBitSet] "c:\program files\hp dvd\umbrella\DVDBitSet.exe" /NOUI
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\virtigod\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
uPolicies-explorer: NoSMHelp = 01000000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\virtigod\applic~1\mozilla\firefox\profiles\bf1lhqn1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.threadparadise.com/
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 aar1210;aar1210;c:\windows\system32\drivers\aar1210.sys [2003-11-17 220114]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-14 64288]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-6-9 10112]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-1 10384]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-4-29 2789672]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-4-29 15656]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S3 Ch2kPS2;Cherry PS/2 Keyboard Driver (CDI);c:\windows\system32\drivers\Ch2kPS2.sys [2008-1-24 130560]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
S3 maa950c;maa950c;c:\windows\system32\drivers\maa950c.sys [2009-10-31 24784]
S3 maa950m;maa950m;c:\windows\system32\drivers\maa950m.sys [2009-10-31 25044]
S3 maa950u;maa950u;c:\windows\system32\drivers\maa950u.sys [2009-10-31 49237]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys --> c:\windows\system32\drivers\ss.sys [?]
S4 hpdj00;hpdj00;c:\docume~1\virtigod\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1400 series -product=aio --> c:\docume~1\virtigod\locals~1\temp\hpdj00.exe -servicerunning=true -uninstall=hp psc 1400 series -product=aio [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]

=============== Created Last 30 ================

2010-05-28 18:37:20 0 ----a-w- c:\documents and settings\virtigod\defogger_reenable
2010-05-28 17:20:34 0 d-----w- c:\program files\Zards software
2010-05-21 02:42:57 0 d-sha-r- C:\cmdcons
2010-05-21 02:40:58 98816 ----a-w- c:\windows\sed.exe
2010-05-21 02:40:58 77312 ----a-w- c:\windows\MBR.exe
2010-05-21 02:40:58 256512 ----a-w- c:\windows\PEV.exe
2010-05-21 02:40:58 161792 ----a-w- c:\windows\SWREG.exe
2010-05-14 21:05:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-14 19:01:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-14 19:01:30 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-14 18:59:02 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-14 18:58:47 0 d-----w- c:\program files\Lavasoft
2010-05-14 17:41:57 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-14 17:41:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-14 17:21:18 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 17:21:07 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 17:21:07 0 d-----w- c:\docume~1\virtigod\applic~1\SUPERAntiSpyware.com
2010-05-14 17:17:31 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-14 17:01:08 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-14 16:59:21 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-14 16:58:32 0 d-----w- c:\docume~1\virtigod\applic~1\Malwarebytes
2010-05-14 16:58:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 16:58:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 16:58:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 16:58:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-04 01:40:34 0 d-----w- c:\program files\SIERRA
2010-05-04 01:38:53 387 ----a-w- c:\windows\SIERRA.INI
2010-05-03 21:35:16 0 d-----w- c:\program files\Nobilis
2010-05-03 02:29:59 0 d-----w- c:\program files\DVD Shrink
2010-04-30 20:49:00 0 d-----w- c:\program files\Cheat Engine
2010-04-28 21:43:12 0 d-----w- c:\program files\Orb Networks
2010-04-28 21:12:48 0 d-----w- c:\docume~1\virtigod\applic~1\OpenCandy

==================== Find3M ====================

2010-05-28 18:01:57 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-05-22 08:52:33 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys
2010-04-23 23:17:06 59392 ----a-w- c:\windows\fonts\draft-beer.ttf
2010-03-27 21:57:34 15620 ----a-w- c:\windows\system32\SystemRes13.sm.SYS
2010-03-13 07:00:00 7124 ----a-w- c:\windows\fonts\Jersey M54.ttf
2010-03-13 06:54:00 11476 ----a-w- c:\windows\fonts\COLLEGEB.TTF

============= FINISH: 13:39:42.17 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:08:13 AM

Posted 31 May 2010 - 01:08 AM

Hello, Virtigod.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://www.aommaster.com
Posted Image
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:08:13 AM

Posted 02 June 2010 - 11:30 PM

Hello Virtigod
Are you still with us?
My website: http://www.aommaster.com
Posted Image
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:08:13 AM

Posted 06 June 2010 - 12:33 AM

Due to lack of feedback, this topic has been closed. If you need this topic reopened, please send me a PM with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
My website: http://www.aommaster.com
Posted Image
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users