Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect, and Rouge AntiSpyware popups


  • This topic is locked This topic is locked
8 replies to this topic

#1 ConnerVT

ConnerVT

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 09 March 2010 - 06:10 PM

I'm usually the guy people call to solve their computer problems, and have cleaned up my own, and others, systems for years. But this one is just bugging me to no end. I just can't seem to find it with my usual tools.

For the past few days, I've been getting redirected to the wrong web site when searching with Google. There will be a definite pause (2-4 seconds) when sent off to the wrong site. Clicking on the link again will then send me to the correct site. (The links from Google are ones I have high confidence in not being "dangerous"). Occasionally (1 in 20?), the redirect will come up with a Rouge AntiSpyware invite window ("Your computer may be infected, click OK to continue..." type stuff). When I see this, I usually abort out of IE8 via the Task manager.

My system here is usually pretty secure, and almost always can solve my (and others) issues with MalwareBytes. I did a full scan with the most recent update, and found only one issue ( Files Infected: C:\Documents and Settings\Fred\x.exe (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.) Had hoped it was going to solve my problem, but after doing about 10 minutes of safe, random Googling, came up with the same redirection issue.

I've run through the requested steps, and would greatly appreciate some help from someone here. If nothing else, I'll learn something new today! Thanks!
-------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Fred at 17:24:54.96 on Tue 03/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1404 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RMClock\RMClock.exe
C:\Documents and Settings\Fred\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Fred\Desktop\Bleepin Computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp
uInternet Settings,ProxyServer = http=148.233.159.58:3128
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBHO Object: {cba74cda-df78-4ad9-954e-3b15d0a993de} - c:\program files\corestreet\spoofstick\SpoofStickBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: SpoofStick: {4d46ed77-1429-4cf6-8f63-c84b5d710baf} - c:\program files\corestreet\spoofstick\SpoofStick.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: Wikipedia Search Bar: {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll
TB: {44E7EF6C-6F5C-4AAF-A080-7725A27878ED} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RMClock] "c:\program files\rmclock\RMClock.exe"
uRun: [SansaDispatch] c:\documents and settings\fred\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [msxmlmapDirect] rundll32.exe "c:\documents and settings\fred\local settings\application data\msxmlmapdirect\msxmlmapDirect.dll", DllInit
mRun: [NvMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acronis True Image Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio 10\uvPL.exe
mRun: [MMTray] MMTray.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ask and Record FLV Service] "c:\program files\replay media catcher\FLVSrvc.exe" /run
mRun: [openvpn-gui] c:\program files\openvpn\bin\openvpn-gui.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Copy Location - c:\windows\web\graburl.htm
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: ImTranslator - c:\progra~1\smartl~1\imtran~1\startup.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Search Image on TinEye - file://c:\documents and settings\fred\my documents\tineye 1.0\TinEye.js
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute\vrie.dll
IE: {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - {C651A691-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - {C651A693-CCD9-11D2-92D3-0000F87A4A55} - c:\windows\system32\webzone.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - {A58D06D4-CA90-11D2-92D2-0000F87A4A55} - c:\windows\system32\oline.dll
Trusted Zone: eset.eu\www
Trusted Zone: wcax.com\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.64.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162494762859
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www3.ca.com/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} - hxxp://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup163.cab
TCP: {5BDD2247-BFAF-4AF5-B759-FA34D058FCC1} = 192.168.1.1,208.67.222.222
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fred\applic~1\mozilla\firefox\profiles\vhvg5jst.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2008-1-27 15172]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-5 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-5 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-5 360584]
R1 CXAVSAUD;ADS PTV 305 Audio Capture;c:\windows\system32\drivers\cxavsaud.sys [2007-1-29 9984]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-2-23 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-23 285392]
R3 RTCore32;RTCore32;\??\c:\program files\rmclock\rtcore32.sys --> c:\program files\rmclock\RTCore32.sys [?]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S0 AmdAcpi;AmdAcpi Bus Filter Driver;c:\windows\system32\drivers\amdacpi.sys --> c:\windows\system32\drivers\AmdAcpi.sys [?]
S1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys --> c:\windows\system32\drivers\amdtools.sys [?]
S2 gupdate1c9a655b7c769a0;Google Update Service (gupdate1c9a655b7c769a0);c:\program files\google\update\GoogleUpdate.exe [2009-3-16 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2003-9-19 25573]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra professional business 2009.sp2\RpcAgentSrv.exe [2009-3-14 98488]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2008-12-18 120168]
S3 TTDec;ATI WDM Teletext Decoder (Microsoft Corporation);c:\windows\system32\drivers\atinttxx.sys [2006-11-1 13824]

=============== Created Last 30 ================

2010-03-09 22:23:41 0 ----a-w- c:\documents and settings\fred\defogger_reenable
2010-03-07 20:40:29 0 d-----w- c:\program files\AnyBizSoft
2010-03-03 06:38:51 20480 ----a-w- c:\windows\system32\mssockdp.dll
2010-03-02 01:38:44 0 d-----w- c:\docume~1\fred\applic~1\AVS4YOU
2010-03-02 01:38:27 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-03-02 01:35:20 0 d-----w- c:\program files\common files\AVSMedia
2010-03-02 01:35:07 0 d-----w- c:\program files\AVS4YOU
2010-02-28 16:18:26 0 d-----w- c:\program files\IMesh Toolbar Removal Tool
2010-02-28 04:15:45 885792 ----a-w- c:\windows\system32\ssdw3b32.ocx
2010-02-28 04:15:45 72192 ----a-w- c:\windows\system32\ssprn32.dll
2010-02-28 04:15:45 554632 ----a-w- c:\windows\system32\PrintPRO3.dll
2010-02-28 04:15:44 0 d-----w- c:\program files\EZW
2010-02-24 00:51:44 0 d-----w- c:\docume~1\fred\applic~1\AVG9
2010-02-24 00:38:39 0 d--h--w- C:\$AVG
2010-02-24 00:37:55 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-23 13:46:40 0 d-----w- c:\program files\Babylon
2010-02-23 13:46:08 0 d-----w- c:\docume~1\fred\applic~1\Babylon
2010-02-23 13:46:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Babylon
2010-02-23 00:43:38 0 d-----w- c:\documents and settings\fred\.bh_gui
2010-02-23 00:42:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SRI
2010-02-23 00:40:27 0 d-----w- c:\program files\WinPcap

==================== Find3M ====================

2010-02-24 00:38:21 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-24 00:38:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-24 00:38:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-25 12:51:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-25 12:51:36 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2005-05-13 22:12:00 217073 --sha-r- c:\windows\meta4.exe
2005-07-14 17:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2009-11-30 23:23:31 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2005-02-28 18:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 17:25:46.40 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:48 PM

Posted 11 March 2010 - 06:08 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ConnerVT

ConnerVT
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 11 March 2010 - 11:36 AM

miekiemoes --

Thank you for helping me out. I'm at work right now, and away from the problem computer until this evening (~7PM EST). But I thought a quick note was in order to let you know that I'm still in need, and have been watching this thread.

I'll run MalwareBytes again for you tonight, and post my results. But previously (right before running DDS and GMER), the only thing found with it (full scan) was one infected file (Files Infected: C:\Documents and Settings\Fred\x.exe (Worm.AutoRun.Gen) -> Quarantined and deleted successfully), which I noted in my original post. But I'll run a quick scan again.

If you have any additional checks you would also wish for me to do (if MalwareBytes comes up clean), let me know, and I'll run them also.

Again, thanks for your assistance, and I am glad you are willing to help!

Fred



#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:48 PM

Posted 11 March 2010 - 11:53 AM

Hi,

Please make sure you update malwarebytes before you run the scan, because that's the most important part since detection for this variant was added into malwarebytes recently.
To update, click the update tab > check for updates. smile.gif
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 ConnerVT

ConnerVT
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 11 March 2010 - 07:55 PM

I'm back. Thanks for waiting for me. thumbup2.gif

Ran an updated MalwareBytes scan, and it looks like it now found it. The update from 3-09 didn't see it. I never had a new variant before. I feel special. smile.gif

Follows is my MB log. What's next?

---------

Malwarebytes' Anti-Malware 1.44
Database version: 3855
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/11/2010 7:40:49 PM
mbam-log-2010-03-11 (19-40-49).txt

Scan type: Quick Scan
Objects scanned: 157026
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Fred\Local Settings\Application Data\msxmlmapDirect\msxmlmapDirect.dll (Trojan.SearchRedir.M) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msxmlmapdirect (Trojan.SearchRedir.M) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Fred\Local Settings\Application Data\msxmlmapdirect (Trojan.SearchRedir.M) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Fred\Local Settings\Application Data\msxmlmapdirect\msxmlmapDirect.dll (Trojan.SearchRedir.M) -> Delete on reboot.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:48 PM

Posted 12 March 2010 - 02:23 AM

Hi,

I assume you have rebooted afterwards?
How are things now? Are you still getting redirected?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 ConnerVT

ConnerVT
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 12 March 2010 - 07:15 AM

Yes, it has been rebooted. So far, seems good. I haven't been redirected yet.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:48 PM

Posted 12 March 2010 - 07:18 AM

Ok, good to hear. smile.gif

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:48 PM

Posted 18 March 2010 - 01:30 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users