Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect virus/slow computer.


  • Please log in to reply
1 reply to this topic

#1 Oizys

Oizys

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:42 PM

Posted 06 May 2009 - 07:08 PM

First of all, hello all and thank you to whoever decided to start this forum. I've always been able to fix any malware problems until now, and am relieved that there is a site that can help me.

Okay, so about a week ago, I downloaded an "extended evaluation" copy of Audio Record Wizard v3.99. Not being very wise, I ran the program without running it through a scanner, and got a message about a specific DLL being broken. I ran to Google to see what the problem was, and surprise, I had a Google redirect virus.

I tried running Malwarebyte's Anti-Malware, but was denied by it not opening at all, not even an error message. So I jumped to Spybot S&D and ran a scan. A couple things showed up, but my problem persisted. When the two programs who never let me down failed, I turned back to Google and painfully copy and pasted links that turned up as I searched for help. Eventually I found a program called ComboFix that I installed and ran.

After that, I tried Google to see if it worked again. It didn't on first inspection, it re-directed me, but if I clicked back and then clicked on the same link, it would send me to the right page.
I then tried Malwarebyte's Anti-Malware again. It worked, and removed some files ( I'm going to start saving all my logs from now on), and the problem seemed fixed. After a couple of days, my computer started to slow down, and Google is redirecting me again. I've just run ComboFix, allowing Google to semi-work, and have found this website. I followed all the steps in the Preparation Guide, so here are my DDS logs.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 20:33:09.46 on 06/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.129 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
svchost
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca10.hpwis.com/
uDefault_Search_URL = hxxp://srch-ca10.hpwis.com/
mStart Page = hxxp://ca10.hpwis.com/
mSearch Bar = hxxp://srch-ca10.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [MotiveReportAgent] "c:\program files\common files\motive\mccibootstrapper.exe" /url="-appkey=motive -windowcontext=reportagent -url=file://c:\program files\common files\motive\reportagent.html" /browsertype=custommsie /browserpath="c:\program files\common files\motive\MotiveBrowser.exe" /hidden
mRun: [BootSkin Startup Jobs] "c:\progra~1\stardock\wincus~1\bootskin\BootSkin.exe" /StartupJobs
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netass~1.lnk - c:\program files\aliant\net assistant\bin\matcli.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189467361250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189467346375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\a4vaijyo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\mozilla firefox\components\abefcafadfabf.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R2 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2003-8-7 35008]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-10-22 3032360]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S2 mrtRate;mrtRate; [x]
S3 Drptusivnsns;Drptusivnsns; [x]
S3 FragFX;FragFX NT service;c:\windows\system32\drivers\FragFX.sys [2008-1-3 29824]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20031218.019\NAVENG.Sys [2004-1-21 67784]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20031218.019\NavEx15.Sys [2004-1-21 539592]
S3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2003-8-7 300736]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-10-22 15144]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2003-8-15 255136]
S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2003-8-15 87200]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2003-8-15 234656]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\navapsvc.exe [2003-8-18 158376]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp2\RpcAgentSrv.exe [2009-1-17 98488]
S4 SAVScan;SAVScan;c:\program files\norton antivirus\SAVScan.exe [2003-8-10 193816]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================


==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-06 19:33 180,224 a------- c:\windows\system32\cnvshell.dll
2008-01-20 16:10 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-03-09 04:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll

============= FINISH: 20:33:36.45 ===============


Please help, and thank you a thousand times in advance.

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:42 PM

Posted 21 May 2009 - 10:54 AM

Hello Oizys,

Posted Image

Sorry about the delay.:thumbup2: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users