Google keeps redirecting

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages
1
2
3
→
Last »

You cannot start a new topic
This topic is locked

Google keeps redirecting Do not know how to remove it

#1 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 26 December 2011 - 08:18 PM

I have previously posted a thread in the 'am i infected' forum and explained that google kept redirecting me to different ad sites. A member named 'Broni' then helped with step by step guides which can be seen in this thread http://www.bleepingcomputer.com/forums/topic433353.html/page__pid__2515756#entry2515756 but then he asked me to run aswMBR.exe which would not work on my laptop. Whenever i double clicked nothing would appear at all so he told me to follow the steps in a guide called 'Preparation Guide for use before using Malware Removal Tools and Asking for Help'. I then followed the step starting from no. 6 and am told to post the DDS logs, i have also attached the second log of this DDS log and also ran a GMER scan and attached the results of that. Thanks for any help :D

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by Acer 2009 at 23:34:35 on 2011-12-26
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.124 [GMT 0:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Giraffic\Veoh_Giraffic.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [yEfRqQhDUGAmlI.exe] c:\programdata\yEfRqQhDUGAmlI.exe
mRun: [eRecoveryService]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\acer 2009\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\acer 2009\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A01859D8-DC80-4449-93B7-05FA95BA2E05} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A2A092FA-63C8-4332-A5DD-E73F996591CE} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-23 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-23 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-23 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-12-23 55128]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-23 44768]
R2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\giraffic\veoh_girafficwatchdog.exe --service --> c:\program files\giraffic\Veoh_GirafficWatchdog.exe --service [?]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2010-6-6 5120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-21 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-21 180736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-21 136176]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-10-30 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-10-30 40552]
.
=============== Created Last 30 ================
.
2011-12-23 12:58:15 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-12-23 12:58:13 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-12-23 12:55:14 41184 ----a-w- c:\windows\avastSS.scr
2011-12-21 11:57:50 -------- d-----w- c:\programdata\AVAST Software
2011-12-21 11:57:49 -------- d-----w- c:\program files\AVAST Software
2011-12-20 18:20:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 16:17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-18 10:55:32 1008141 ----a-w- C:\rkill.exe
.
==================== Find3M ====================
.
2011-12-26 22:26:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 23:43:51.09 ===============

Attached File(s)

Attach.txt (5.03K)
Number of downloads: 2
ark.txt (574bytes)
Number of downloads: 4

#2 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 27 December 2011 - 12:45 AM

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
When finished, it will produce a report for you.

.
Please include the following in your next post:

ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#3 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 28 December 2011 - 01:31 PM

I have ran combofix only twice just to make sure it isn't working. When i double clicked on it i box appeared extracting something then it disappeared and nothing is happening. Although a blue box has just appeared saying 'Administrator' but nothing is happening so i just closed the program. Is that what was meant to happen?

#4 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 28 December 2011 - 02:03 PM

Kristal08:

No, that isn't normal - please try running ComboFix from the Safe Mode

Please include the following in your next post:

ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#5 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 29 December 2011 - 05:20 PM

ComboFix 11-12-29.04 - Acer 2009 29/12/2011 21:30:22.1.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.1013.344 [GMT 0:00]
Running from: c:\users\Acer 2009\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Acer 2009\Documents\iexplore.exe
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 21:59 . 2011-12-29 22:00 -------- d-----w- c:\users\Acer 2009\AppData\Local\temp
2011-12-29 21:59 . 2011-12-29 21:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-21 11:57 . 2011-12-29 21:07 -------- d-----w- c:\programdata\AVAST Software
2011-12-21 11:57 . 2011-12-21 11:57 -------- d-----w- c:\program files\AVAST Software
2011-12-20 16:17 . 2011-12-27 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-18 10:55 . 2011-12-18 10:55 1008141 ----a-w- C:\rkill.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-26 22:26 . 2011-06-28 09:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2011-08-25 2816328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Acer 2009^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Orion.lnk]
path=c:\users\Acer 2009\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk
backup=c:\windows\pss\Orion.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-03-08 11:38 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2006-11-02 09:45 8704 ----a-w- c:\windows\System32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-03-05 13:15 525360 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-22 14:21 166424 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-22 14:21 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-04 17:30 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 22:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-22 14:21 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-03-11 09:53 5296128 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2008-09-03 07:52 536576 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:32 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
2007-11-20 10:15 1826816 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 03:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
2008-01-29 08:03 303104 ----a-w- c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:33 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:35 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Giraffic;Veoh Giraffic Video Accelerator;c:\program files\Giraffic\Veoh_GirafficWatchdog.exe [2011-09-19 2221200]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-12-21 136176]
R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2008-01-10 5120]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 180736]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-12-21 136176]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-08 691696]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-21 12:08]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-21 12:08]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{4E45FEAF-D4FF-4868-9835-CC6A238AC781}.job
- c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\Acer 2009\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\Acer 2009\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-yEfRqQhDUGAmlI.exe - c:\programdata\yEfRqQhDUGAmlI.exe
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-advMouse3xx - c:\users\Acer 2009\AppData\Local\isaPathclass\advMouse3xx.dll
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-djvsl - c:\users\Acer 2009\AppData\Roaming\gggwpi.dll
MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
MSConfigStartUp-PCMService - c:\program files\Acer\Acer Arcade\PCMService.exe
MSConfigStartUp-SetPanel - c:\acer\APanel\APanel.cmd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 22:00
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\ACER20~1\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(248)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\system32\igfxsrvc.dll
.
Completion time: 2011-12-29 22:16:23
ComboFix-quarantined-files.txt 2011-12-29 22:16
.
Pre-Run: 7,184,519,168 bytes free
Post-Run: 8,405,598,208 bytes free
.
- - End Of File - - 80656D588425BE3EF49ABA4D2C6FFA66

#6 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 29 December 2011 - 11:02 PM

Kristal08:

Are you still having the redirect issue? Please do this next:

Posted Image

Please download MiniToolBox and run it.

Check the following items:

Flush DNS
List content of Hosts
List IP configuration

Click Go and copy/paste the log (Result.txt) into your next post.

Posted Image

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Uncheck any entries from C:\System Volume Information or C:\Qoobox
Make sure that everything else is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:

Are you still being redirected?
MiniToolBox log

MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#7 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 30 December 2011 - 08:55 AM

Yes i am still getting redirected

Minibox Log:

MiniToolBox by Farbar
Ran by Acer 2009 (administrator) on 30-12-2011 at 13:54:17
Microsoft® Windows Vista™ Home Basic Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Broadcom NetLink ™ Fast Ethernet = Local Area Connection (Disconnected)
Atheros AR5007EG Wireless Network Adapter = Wireless Network Connection (Connected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : Acer2009-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Home

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : Home
Description . . . . . . . . . . . : Atheros AR5007EG Wireless Network Adapter
Physical Address. . . . . . . . . : 00-1F-E2-A1-DF-EF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::6152:f860:dac2:45a2%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 30 December 2011 12:15:10
Lease Expires . . . . . . . . . . : 31 December 2011 12:15:09
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:102d:9b7:3f57:fffc(Preferred)
Link-local IPv6 Address . . . . . : fe80::102d:9b7:3f57:fffc%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 17:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : Home
Description . . . . . . . . . . . : isatap.Home
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 209.85.229.104
209.85.229.105
209.85.229.147
209.85.229.99
209.85.229.103

Pinging google.com [209.85.229.104] with 32 bytes of data:

Reply from 209.85.229.104: bytes=32 time=52ms TTL=54

Reply from 209.85.229.104: bytes=32 time=53ms TTL=54

Ping statistics for 209.85.229.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 52ms, Maximum = 53ms, Average = 52ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 98.139.180.149
209.191.122.70
72.30.2.43
98.137.149.56

Pinging yahoo.com [98.139.180.149] with 32 bytes of data:

Reply from 98.139.180.149: bytes=32 time=299ms TTL=45

Reply from 98.139.180.149: bytes=32 time=166ms TTL=46

Ping statistics for 98.139.180.149:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 166ms, Maximum = 299ms, Average = 232ms

Server: UnKnown
Address: 192.168.0.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
11 ...00 1f e2 a1 df ef ...... Atheros AR5007EG Wireless Network Adapter
1 ........................... Software Loopback Interface 1
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
22 ...00 00 00 00 00 00 00 e0 isatap.Home
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.3 281
192.168.0.3 255.255.255.255 On-link 192.168.0.3 281
192.168.0.255 255.255.255.255 On-link 192.168.0.3 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.3 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.3 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 18 ::/0 On-link
1 306 ::1/128 On-link
12 18 2001::/32 On-link
12 266 2001:0:5ef5:79fb:102d:9b7:3f57:fffc/128
On-link
11 281 fe80::/64 On-link
12 266 fe80::/64 On-link
12 266 fe80::102d:9b7:3f57:fffc/128
On-link
11 281 fe80::6152:f860:dac2:45a2/128
On-link
1 306 ff00::/8 On-link
12 266 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

**** End of log ****

Malwarebytes Log:

Objects scanned: 251255
Time elapsed: 57 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#8 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 30 December 2011 - 11:15 AM

Hi,

What is the make & model of your wireless router, (ie: Linksys WRT54G)?

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#9 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 30 December 2011 - 04:37 PM

SKY81217

#10 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 30 December 2011 - 11:31 PM

Kristal08:

Posted Image

Do a hard reset (back to factory defaults) on your router. A simple power cycle will not suffice - you must do a hard reset. I'm not familiar with your router, but usually there is a small button to push on the back of the router or a small hole that you need to put a pin or paperclip into, but check you router's documentation to be sure. When you set it back up change the default admin login and password.

Posted Image

Please download MBRCheck.exe to your desktop.

Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A small window should open on your desktop
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

Please include the following in your next post:

MBRCheck log

Let me know if the router reset cleared up the redirects

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#11 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 03 January 2012 - 05:37 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Acer
System Manufacturer: Acer
System Product Name: Aspire 5315
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 140):
0x81E12000 \SystemRoot\system32\ntkrnlpa.exe
0x821CB000 \SystemRoot\system32\hal.dll
0x8060D000 \SystemRoot\system32\kdcom.dll
0x8060F000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8066F000 \SystemRoot\system32\PSHED.dll
0x80680000 \SystemRoot\system32\BOOTVID.dll
0x80688000 \SystemRoot\system32\CLFS.SYS
0x806C9000 \SystemRoot\system32\CI.dll
0x82406000 \SystemRoot\system32\drivers\Wdf01000.sys
0x82482000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8248F000 \SystemRoot\system32\drivers\acpi.sys
0x824D5000 \SystemRoot\system32\drivers\WMILIB.SYS
0x824DE000 \SystemRoot\system32\drivers\msisadrv.sys
0x824E6000 \SystemRoot\system32\drivers\pci.sys
0x8250D000 \SystemRoot\System32\drivers\partmgr.sys
0x8251C000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8251F000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x82529000 \SystemRoot\system32\drivers\volmgr.sys
0x82538000 \SystemRoot\System32\drivers\volmgrx.sys
0x82582000 \SystemRoot\system32\drivers\intelide.sys
0x82589000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x82597000 \SystemRoot\System32\drivers\mountmgr.sys
0x825A7000 \SystemRoot\system32\drivers\atapi.sys
0x825AF000 \SystemRoot\system32\drivers\ataport.SYS
0x825CD000 \SystemRoot\system32\drivers\msahci.sys
0x807A9000 \SystemRoot\system32\drivers\fltmgr.sys
0x825D7000 \SystemRoot\system32\drivers\fileinfo.sys
0x825E7000 \SystemRoot\system32\DRIVERS\psdfilter.sys
0x82603000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82674000 \SystemRoot\system32\drivers\ndis.sys
0x8277F000 \SystemRoot\system32\drivers\msrpc.sys
0x827AA000 \SystemRoot\system32\drivers\NETIO.SYS
0x86009000 \SystemRoot\System32\Drivers\Ntfs.sys
0x86118000 \SystemRoot\system32\drivers\volsnap.sys
0x86151000 \SystemRoot\System32\Drivers\spldr.sys
0x86159000 \SystemRoot\System32\Drivers\mup.sys
0x86168000 \SystemRoot\System32\drivers\ecache.sys
0x8618F000 \SystemRoot\system32\drivers\disk.sys
0x861A0000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x861C1000 \SystemRoot\system32\drivers\crcdisk.sys
0x861EC000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x861F7000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x827E4000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x89802000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x89E4F000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x89EEE000 \SystemRoot\System32\drivers\watchdog.sys
0x89EFB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x89F06000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x89F44000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x89F53000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8A20A000 \SystemRoot\system32\DRIVERS\athr.sys
0x8A2C5000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8A2D8000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
0x8A2E2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8A2ED000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8A31B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8A31D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8A328000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8A32C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8A344000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8A346000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8A34F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8A37D000 \SystemRoot\system32\DRIVERS\storport.sys
0x8A3BE000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8A3C9000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8A3E0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x89F65000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8A3EB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x89F88000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x89F9C000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x89FB1000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8A3FA000 \SystemRoot\system32\DRIVERS\swenum.sys
0x89FC1000 \SystemRoot\system32\DRIVERS\ks.sys
0x8A200000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x89FEB000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8A409000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8A43D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8B000000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8A44E000 \SystemRoot\system32\drivers\portcls.sys
0x8A47B000 \SystemRoot\system32\drivers\drmk.sys
0x8A4A0000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8A5BD000 \SystemRoot\system32\drivers\modem.sys
0x8A5CA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8A5D3000 \SystemRoot\System32\Drivers\Null.SYS
0x8A5DA000 \SystemRoot\System32\Drivers\Beep.SYS
0x8A5E1000 \SystemRoot\System32\drivers\vga.sys
0x807DB000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8A5ED000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8A5F5000 \SystemRoot\system32\drivers\rdpencdd.sys
0x827F3000 \SystemRoot\System32\Drivers\Msfs.SYS
0x825F0000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8A400000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8B60E000 \SystemRoot\System32\drivers\tcpip.sys
0x8B6F7000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8B712000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8B728000 \SystemRoot\system32\DRIVERS\smb.sys
0x8B73C000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8B76E000 \SystemRoot\system32\drivers\afd.sys
0x8B7B6000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8B7CC000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8B7DA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8BA05000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8BA41000 \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
0x8BA45000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8BA4F000 \SystemRoot\System32\Drivers\dfsc.sys
0x8BA66000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8BA73000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8BA7E000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x93050000 \SystemRoot\System32\win32k.sys
0x8BA88000 \SystemRoot\System32\drivers\Dxapi.sys
0x8BA92000 \SystemRoot\system32\DRIVERS\monitor.sys
0x93270000 \SystemRoot\System32\TSDDD.dll
0x93290000 \SystemRoot\System32\cdd.dll
0x8BAA1000 \SystemRoot\system32\drivers\luafv.sys
0x8BABC000 \SystemRoot\system32\drivers\spsys.sys
0x8BB6B000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8BB7B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x8BBA5000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x8BBAF000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xA9C06000 \SystemRoot\system32\drivers\HTTP.sys
0xA9C73000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA9C90000 \SystemRoot\system32\DRIVERS\bowser.sys
0xA9CA9000 \SystemRoot\System32\drivers\mpsdrv.sys
0xA9CBE000 \SystemRoot\system32\drivers\mrxdav.sys
0xA9CDE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9CFD000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA9D36000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA9D4E000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA9D76000 \SystemRoot\System32\DRIVERS\srv.sys
0xA9DD4000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0xA9DDB000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAD002000 \SystemRoot\system32\drivers\peauth.sys
0xAD0E0000 \SystemRoot\system32\DRIVERS\PSDNServ.sys
0xAD0E9000 \SystemRoot\system32\DRIVERS\PSDVdisk.sys
0xAD0FB000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAD105000 \??\C:\Windows\system32\Drivers\SSPORT.sys
0xAD10C000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAD118000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xAD120000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77460000 \Windows\System32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
432 C:\Windows\System32\smss.exe
500 csrss.exe
544 C:\Windows\System32\wininit.exe
552 csrss.exe
592 C:\Windows\System32\services.exe
608 C:\Windows\System32\lsass.exe
616 C:\Windows\System32\lsm.exe
644 C:\Windows\System32\winlogon.exe
816 C:\Windows\System32\svchost.exe
876 C:\Windows\System32\svchost.exe
916 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
1048 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\audiodg.exe
1152 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\SLsvc.exe
1204 C:\Windows\System32\svchost.exe
1376 C:\Windows\System32\svchost.exe
1624 C:\Windows\System32\dwm.exe
1664 C:\Windows\explorer.exe
1752 C:\Windows\System32\spoolsv.exe
1760 C:\Windows\System32\taskeng.exe
1820 C:\Windows\System32\svchost.exe
1884 C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
464 C:\Windows\System32\taskeng.exe
1648 C:\Windows\System32\svchost.exe
1516 C:\Program Files\Giraffic\Veoh_GirafficWatchdog.exe
1028 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
2060 C:\Windows\System32\svchost.exe
2108 C:\Windows\System32\SearchIndexer.exe
2832 C:\Program Files\Giraffic\Veoh_Giraffic.exe
3284 C:\Program Files\Windows Media Player\wmpnscfg.exe
3360 C:\Program Files\Windows Media Player\wmpnetwk.exe
456 C:\Windows\System32\wuauclt.exe
3112 C:\Program Files\Internet Explorer\iexplore.exe
1336 taskeng.exe
3468 C:\Windows\System32\SearchProtocolHost.exe
3912 C:\Windows\System32\SearchFilterHost.exe
4068 C:\Users\Acer 2009\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`eda00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000a`ce800000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS542580K9SA00, Rev: BBBOC31P

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 75374D27B77E61C9316E27BACDEE41C1E2C9874E

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

About the hard reset i'm not really comfortable doing that...will it damage any of the other laptops that i have connected to the internet? Is the admin username and password to do with my router, because i think i'll have to look around for that

#12 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 03 January 2012 - 02:49 PM

Kristal08:

You can skip the reset of the router as it looks like that isn't the problem. We will need to do some work from outside of Windows using a CD or USB flash drive to boot from. Do you have access to a CD burner or USB flash drive?

Please run this for me also:

Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

This post has been edited by RPMcMurphy: 03 January 2012 - 02:52 PM

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#13 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 04 January 2012 - 05:17 PM

ListParts by Farbar
Ran by Acer 2009 on 04-01-2012 at 22:14:44
Windows Vista (X86)
Running From: C:\Users\Acer 2009\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUSES1LZ
************************************************************

========================= Memory info ======================

Percentage of memory in use: 84%
Total physical RAM: 1013.25 MB
Available physical RAM: 161.91 MB
Total Pagefile: 2288.88 MB
Available Pagefile: 1205.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.76 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:31.51 GB) (Free:7.08 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:31.3 GB) (Free:31.19 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 12 GB 32 KB
Partition 2 Primary 32 GB 12 GB
Partition 3 Primary 31 GB 43 GB
Partition 4 Primary 1104 KB 75 GB

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

There is no volume associated with this partition.

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 32 GB Healthy System

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 31 GB Healthy

Disk: 0
Partition 4
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

****** End Of Log ******

Yes i do have a CD and a flash drive to back up my documents with

#14 RPMcMurphy

Bleeping *^#@%~

Group: Malware Response Team
Posts: 2,398
Joined: 16-May 10
Gender:Male

Posted 04 January 2012 - 11:03 PM

Kristal08:

OK, here we go. We will try using the USB drive:

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

Insert your USB drive
Press Start > My Computer > right click your USB drive > choose Format > Quick format
Double click the unetbootin-xpud-windows-387.exe that you just downloaded
Press Run then OK
Select the DiskImage option then click the browse button located on the right side of the textbox field.
Browse to and select the xpud-0.9.2.iso file you downloaded
Verify the correct drive letter is selected for your USB device then click OK
It will install a little bootable OS on your USB device
Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
After it has completed do not choose to reboot the clean computer simply close the installer
Next download dumpit to your USB
Remove the USB and insert it in the sick computer
Boot the Sick computer
Press F12 and choose to boot from the USB
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
Click on sdb1 (sdb1 represents the USB drive).
Double click on the dumpit file.
A black window will pop-up and it will dump and zip the MBR to your USB drive.
Press Enter to exit the black window.
Click on HOME tab and choose Power Off to turn off xPUD.
Remove the USB drive and insert it back on your working computer.
Locate the mbr.zip file in your USB drive and attach it when you reply.

Please include the following in your next post:

Attach the mbr.zip file

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member

The help you receive here is free. If you wish to show your appreciation, then you may

#15 Kristal08

Member

Group: Members
Posts: 26
Joined: 19-December 11

Posted 06 January 2012 - 01:53 AM

Sorry but before i do this i need to ask for more explanation. When i download the 2 programs to my 'clean computer' does that mean i have to move and delete all my files? Or do i just put the programs on my desktop?