
Google Redirects


  • This topic is locked
17 replies to this topic

#1 snipersgethead

snipersgethead

  • Members
  • 95 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 31 May 2010 - 11:20 AM

Hello BC users, recently my Google searches have been going haywire. I use Mozilla Firefox, and every time I use the Google toolbar or the Google website itself it takes several seconds for it to load up my search results. On the other hand, while browsing the internet with direct links and not using Google, the speed is fine with no hiccups at all. Then when I click on one of the results from the Google search, most of the time it redirects me to a rogue address. So I have to click it multiple times until it finally gets it right. I've run a full scan on NOD32 and Malwarebytes in both normal and safe mode but the problem still persists. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:15:21 AM, on 5/31/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14196&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe C:\Users\Morris\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll, StartProt
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DS3 Tool] C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe -mini
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Desktop Cleanup Wizard] rundll32.exe "C:\Users\Morris\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll", StartProt
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis System Backup (acrosysbackup_exSq1Pn5tAB4) - Unknown owner - C:\Windows\system32\wirepots.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19Sq1Pn5tAB4) - Unknown owner - C:\Windows\system32\mousenh32.exe

--
End of file - 5921 bytes
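As an added illustration (not part of this thread and not code from HijackThis or any tool the helpers used), the following Python script applies the kind of checks a malware-response helper runs by eye over O4 and O23 entries like those in the log above: a rundll32 entry loading a DLL from the user profile, the same DLL registered under two unrelated Run names, and services with no vendor string and a random-looking name suffix launching from system32. The sample lines are copied from the log above; the suffix-length threshold and the path heuristics are assumptions.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log above; this subset is constructed
# for the demo and deliberately mixes legitimate entries (ESET) with the odd ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Acronis Toolbar Helper] rundll32.exe C:\Users\Morris\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll, StartProt
O4 - HKCU\..\Run: [Desktop Cleanup Wizard] rundll32.exe "C:\Users\Morris\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll", StartProt
O23 - Service: Acronis System Backup (acrosysbackup_exSq1Pn5tAB4) - Unknown owner - C:\Windows\system32\wirepots.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Windows System Backup Dumper (winbackupdumper-id19Sq1Pn5tAB4) - Unknown owner - C:\Windows\system32\mousenh32.exe
"""

# HijackThis line shapes for autostart (O4) and service (O23) entries.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# First Windows path ending in .exe/.dll inside a command line (quotes optional).
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]+?\.(?:exe|dll)', re.IGNORECASE)
# Assumed threshold: a 10+ character alphanumeric tail after "_" or "-" looks generated.
RANDOM_SUFFIX_RE = re.compile(r"[_-][A-Za-z0-9]{10,}$")


def triage(log_text):
    """Return (entry, reason) pairs for O4/O23 lines a helper would examine first."""
    findings = []
    run_names_by_binary = defaultdict(list)  # lower-cased binary path -> Run entry names
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            p = PATH_RE.search(cmd)
            path = p.group(0).lower() if p else ""
            # Legitimate Run entries rarely use rundll32 to load a DLL from the user profile.
            if cmd.lower().startswith("rundll32.exe") and (
                "\\users\\" in path or "\\local settings\\" in path
            ):
                findings.append((line, "rundll32 loads a DLL from a user-profile path"))
            if path:
                run_names_by_binary[path].append(m.group("name"))
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, path = m.group("svc"), m.group("owner"), m.group("path")
            # A service with no vendor string launching from system32 deserves a look.
            if owner == "Unknown owner" and "\\system32\\" in path.lower():
                findings.append((line, "service with no vendor runs from system32"))
            if RANDOM_SUFFIX_RE.search(svc):
                findings.append((line, "service name carries a random-looking suffix"))
    # One binary registered under several unrelated Run names is a persistence pattern.
    for path, names in run_names_by_binary.items():
        if len(names) > 1:
            findings.append((path, "same binary registered under Run names: " + ", ".join(names)))
    return findings


def flagged_count(log_text):
    """Number of distinct O4/O23 lines that triggered at least one finding."""
    return len({entry for entry, _ in triage(log_text) if entry.startswith("O")})


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("%-45s <- %s" % (reason, entry))
```

On the sample above the two ESET entries pass untouched while the dskclean.dll Run entries and the two "Unknown owner" services are each flagged, which matches what the helpers went after in the later ComboFix and MBAM runs.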



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:24 AM

Posted 02 June 2010 - 03:03 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS and GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 snipersgethead

snipersgethead
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 02 June 2010 - 04:10 PM

You don't need to apologize for anything. I'm just glad someone came around to my help whether it be sooner or later. So thank you very much for aiding me in this conflict. I don't have any additional problems from the one I previously described which are still occurring persistently.

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:24 AM

Posted 02 June 2010 - 07:41 PM

Hello again,

Thanks for those logs.

Let's begin with a Combofix run and continue from there:

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.



#5 snipersgethead

snipersgethead
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 03 June 2010 - 10:46 PM

Not a problem.

ComboFix 10-06-03.01 - Morris 06/03/2010 17:52:19.5.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3327.2390 [GMT -5:00]
Running from: c:\users\Morris\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 22:58 . 2010-06-03 22:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-03 22:58 . 2010-06-03 22:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-31 16:14 . 2010-05-31 16:14 388096 ----a-r- c:\users\Morris\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-31 16:14 . 2010-05-31 16:14 -------- d-----w- c:\program files\Trend Micro
2010-05-31 15:59 . 2010-06-03 22:58 -------- d-----w- c:\users\Morris\AppData\Local\temp
2010-05-31 13:28 . 2010-05-31 13:28 -------- d-----w- c:\users\Morris\AppData\Roaming\Malwarebytes
2010-05-31 13:28 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 13:28 . 2010-05-31 13:28 -------- d-----w- c:\programdata\Malwarebytes
2010-05-31 13:28 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 13:28 . 2010-05-31 13:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 21:29 . 2010-05-28 21:29 140288 ----a-w- c:\windows\system32\pcre3.dll
2010-05-28 21:29 . 2010-05-30 23:51 8704 ----a-w- c:\windows\system32\wirepots.exe
2010-05-28 21:29 . 2010-05-30 23:51 11776 ----a-w- c:\windows\system32\mousenh32.exe
2010-05-28 21:29 . 2010-05-30 23:51 38912 ----a-w- c:\windows\system32\wirepots.dll
2010-05-28 21:29 . 2010-05-30 23:51 38912 ----a-w- c:\windows\system32\syspol32.dll
2010-05-28 21:29 . 2010-05-28 21:29 38912 ----a-w- c:\windows\system32\b_syspol32.dll
2010-05-28 21:29 . 2010-05-28 21:29 -------- d-----w- c:\users\Morris\AppData\Local\Desktop Cleanup Wizard
2010-05-21 00:55 . 2010-05-21 01:05 -------- d-----w- c:\users\Morris\AppData\Roaming\Synthesia
2010-05-21 00:55 . 2010-05-21 00:55 -------- d-----w- c:\program files\Synthesia
2010-05-12 20:50 . 2010-05-12 20:50 -------- d-----w- c:\users\Morris\AppData\Local\Microsoft Game Studios
2010-05-12 20:50 . 2010-05-12 20:50 -------- d-----w- c:\programdata\Microsoft Games
2010-05-12 20:49 . 2010-05-12 20:49 -------- d-----w- c:\users\Morris\AppData\Roaming\Microsoft Game Studios
2010-05-10 22:38 . 2010-05-10 22:38 -------- d-----w- c:\users\Morris\AppData\Local\Rockstar Games
2010-05-10 20:37 . 2010-05-10 22:35 -------- d-----w- c:\program files\Grand Theft Auto IV - Episodes From Liberty City

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 15:08 . 2010-01-28 04:05 -------- d-----w- c:\users\Morris\AppData\Roaming\FrostWire
2010-05-30 13:36 . 2010-01-25 03:24 -------- d-----w- c:\users\Morris\AppData\Roaming\uTorrent
2010-05-30 01:29 . 2010-05-02 15:53 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-05-30 01:29 . 2010-05-02 15:51 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-05-30 01:29 . 2010-01-25 03:58 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-19 12:08 . 2010-01-28 04:02 -------- d-----w- c:\program files\FrostWire
2010-05-12 20:51 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-05-02 16:19 . 2010-05-02 16:19 -------- d-----w- c:\programdata\Ubisoft
2010-05-02 16:15 . 2010-01-30 16:14 -------- d-----w- c:\program files\Ubisoft
2010-05-02 16:15 . 2010-01-25 21:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 15:22 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-05-02 15:22 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-05-02 15:22 . 2009-07-13 23:24 811520 ----a-w- c:\windows\system32\user32.dll
2010-05-02 15:02 . 2010-05-02 15:02 109608 ----a-w- c:\users\Morris\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-02 14:47 . 2010-04-28 04:13 21412 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-02 14:37 . 2010-04-05 01:40 -------- d-----w- c:\users\Morris\AppData\Roaming\Vso
2010-05-02 14:37 . 2010-04-24 15:17 -------- d-----w- c:\users\Morris\AppData\Roaming\TotalRecorder
2010-05-02 14:37 . 2010-03-17 17:08 -------- d--h--r- c:\users\Morris\AppData\Roaming\SecuROM
2010-05-02 14:37 . 2010-02-07 04:53 -------- d-----w- c:\users\Morris\AppData\Roaming\Red Kawa
2010-05-02 14:37 . 2010-01-30 15:37 -------- d-----w- c:\users\Morris\AppData\Roaming\nHancer
2010-05-02 14:37 . 2010-01-25 23:28 -------- d-----w- c:\users\Morris\AppData\Roaming\runic games
2010-05-02 14:37 . 2010-01-25 03:20 -------- d-----w- c:\users\Morris\AppData\Roaming\SystemRequirementsLab
2010-05-02 14:37 . 2010-03-08 23:40 -------- d-----w- c:\users\Morris\AppData\Roaming\MotioninJoy
2010-05-02 14:35 . 2010-02-12 13:17 -------- d-----w- c:\users\Morris\AppData\Roaming\Bioshock2
2010-05-02 14:35 . 2010-01-26 01:46 -------- d-----w- c:\users\Morris\AppData\Roaming\Canon
2010-05-02 14:35 . 2010-01-25 03:58 -------- d-----w- c:\users\Morris\AppData\Roaming\DAEMON Tools Lite
2010-05-02 14:35 . 2010-01-27 12:54 -------- d-----w- c:\users\Morris\AppData\Roaming\Apple Computer
2010-05-02 14:35 . 2010-04-04 20:50 -------- d-----w- c:\users\Morris\AppData\Roaming\Ahead
2010-05-02 14:27 . 2010-05-02 14:11 -------- d-----w- c:\programdata\NVIDIA
2010-05-02 14:27 . 2010-04-11 22:51 -------- d-----w- c:\programdata\vsosdk
2010-05-02 14:27 . 2010-02-12 13:14 -------- d-sh--w- c:\programdata\SecuROM
2010-05-02 14:27 . 2010-01-31 15:11 -------- dc-h--w- c:\programdata\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}
2010-05-02 14:27 . 2010-01-27 12:53 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-05-02 14:27 . 2010-04-04 20:49 -------- d-----w- c:\programdata\Nero
2010-05-02 14:27 . 2010-03-08 23:40 -------- d-----w- c:\programdata\MotioninJoy
2010-05-02 14:27 . 2010-01-30 15:36 -------- d-----w- c:\programdata\nHancer
2010-05-02 14:27 . 2010-01-26 23:48 -------- d-----w- c:\programdata\Microsoft Help
2010-05-02 14:25 . 2010-03-28 12:52 -------- d-----w- c:\program files\Serious Sam 2
2010-05-02 14:25 . 2010-03-25 11:50 -------- d-----w- c:\program files\SQUARE ENIX - Eidos Interactive
2010-05-02 14:25 . 2010-01-25 22:20 -------- d-----w- c:\program files\Runic Games
2010-05-02 14:25 . 2010-02-02 00:40 -------- d-----w- c:\program files\Rockstar Games
2010-05-02 14:25 . 2010-02-06 23:33 -------- d-----w- c:\program files\Red Kawa
2010-05-02 14:25 . 2010-01-27 12:52 -------- d-----w- c:\program files\QuickTime
2010-05-02 14:25 . 2010-03-27 12:47 -------- d-----w- c:\program files\PFPortChecker
2010-05-02 14:25 . 2010-03-08 23:36 -------- d-----w- c:\program files\Parallel Port Joystick
2010-05-02 14:24 . 2010-01-30 15:36 -------- d-----w- c:\program files\nHancer
2010-05-02 14:24 . 2010-04-04 20:49 -------- d-----w- c:\program files\Nero
2010-05-02 14:24 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-05-02 14:24 . 2010-03-20 03:15 -------- d-----w- c:\program files\Microsoft WSE
2010-05-02 14:24 . 2010-03-08 23:40 -------- d-----w- c:\program files\MotioninJoy
2010-05-02 14:24 . 2010-01-26 23:50 -------- d-----w- c:\program files\Microsoft Works
2010-05-02 14:24 . 2010-01-26 23:50 -------- d-----w- c:\program files\Microsoft.NET
2010-05-02 14:24 . 2010-01-26 23:49 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-05-02 14:24 . 2010-02-12 13:10 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-05-02 14:24 . 2010-01-29 22:12 -------- d-----w- c:\program files\Mass Effect 2
2010-05-02 14:23 . 2010-02-02 12:48 -------- d-----w- c:\program files\Left 4 Dead 2
2010-05-02 14:20 . 2010-01-27 12:53 -------- d-----w- c:\program files\iTunes
2010-05-02 14:20 . 2010-01-25 03:17 -------- d-----w- c:\program files\Java
2010-05-02 14:20 . 2010-01-27 12:53 -------- d-----w- c:\program files\iPod
2010-05-02 14:20 . 2010-04-24 15:16 -------- d-----w- c:\program files\HighCriteria
2010-05-02 14:20 . 2010-04-05 01:24 -------- d-----w- c:\program files\Gabest
2010-05-02 14:20 . 2010-04-27 22:01 -------- d-----w- c:\program files\ESET
2010-05-02 14:20 . 2010-01-31 15:06 -------- d-----w- c:\program files\Electronic Arts
2010-05-02 14:19 . 2010-02-26 12:33 -------- d-----w- c:\program files\Eidos
2010-05-02 14:18 . 2010-01-25 04:31 -------- d-----w- c:\program files\EA GAMES
2010-05-02 14:18 . 2010-01-26 21:30 -------- d-----w- c:\program files\Dragon Age
2010-05-02 14:16 . 2010-02-12 13:11 -------- d-----w- c:\program files\2K
2010-05-02 14:16 . 2010-02-12 13:01 -------- d-----w- c:\program files\2K Games
2010-05-02 14:13 . 2010-05-02 14:13 -------- d--h--w- c:\programdata\CanonBJ
2010-05-02 14:11 . 2010-05-02 14:11 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-02 14:11 . 2010-05-02 14:11 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-05-01 22:51 . 2010-05-01 22:51 -------- d-----w- c:\users\Morris\AppData\Roaming\DAEMON Tools Pro
2010-05-01 14:36 . 2010-05-01 14:36 -------- d-----w- c:\program files\MSXML 4.0
2010-04-24 15:23 . 2010-04-24 15:23 372001 ----a-w- c:\users\Morris\windrvswld94.exe
2010-04-05 01:40 . 2010-04-05 01:40 47360 ----a-w- c:\users\Morris\AppData\Roaming\pcouffin.sys
2010-04-05 01:40 . 2010-04-05 01:40 47360 ----a-w- c:\users\Morris\AppData\Roaming\pcouffin.sys
2010-03-25 09:27 . 2010-03-25 09:27 1107264 ----a-w- c:\users\Morris\AppData\Roaming\Mozilla\Firefox\Profiles\cnd5cb8h.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2010-03-20 03:15 . 2010-03-20 03:15 10134 ----a-r- c:\users\Morris\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-03-16 23:29 . 2010-03-16 23:29 85504 ----a-w- c:\users\Morris\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-05-02 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
[7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\ERDNT\cache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2010-01-19 77824]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Desktop Cleanup Wizard"="c:\users\Morris\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll" [2010-05-28 38912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Acronis Toolbar Helper"="c:\users\Morris\Local Settings\Application Data\Desktop Cleanup Wizard\dskclean.dll" [2010-05-28 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-30 691696]
R2 acrosysbackup_exSq1Pn5tAB4;Acronis System Backup;c:\windows\system32\wirepots.exe [2010-05-30 8704]
R2 winbackupdumper-id19Sq1Pn5tAB4;Windows System Backup Dumper;c:\windows\system32\mousenh32.exe [2010-05-30 11776]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2007-03-20 28672]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-01 1343400]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-02-06 92800]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2009-10-20 89680]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Morris\AppData\Roaming\Mozilla\Firefox\Profiles\cnd5cb8h.default\
FF - component: c:\users\Morris\AppData\Roaming\Mozilla\Firefox\Profiles\cnd5cb8h.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-06-03 18:00:46
ComboFix-quarantined-files.txt 2010-06-03 23:00
ComboFix2.txt 2010-05-31 15:58
ComboFix3.txt 2010-05-30 13:47
ComboFix4.txt 2010-05-30 01:23
ComboFix5.txt 2010-06-03 22:51

Pre-Run: 12,973,314,048 bytes free
Post-Run: 13,048,180,736 bytes free

- - End Of File - - FE3A824EF4DC6399E8F6EF4D5310CC65


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:24 AM

Posted 05 June 2010 - 11:32 AM

Hello.

Are the re-directs still there?


Run a Malwarebytes scan for me...
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link



#7 snipersgethead

snipersgethead
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 08 June 2010 - 04:11 PM

Hello, sorry for the extremely late reply, I've been occupied + wanted to see if the redirects were still there. Yesterday, it happened once and that was the only time it happened since the last time I posted. Now it started getting bad so I ran MBAM like asked so I don't know how it will go.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4157

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/8/2010 4:09:31 PM
mbam-log-2010-06-08 (16-09-31).txt

Scan type: Quick scan
Objects scanned: 125896
Time elapsed: 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acronis toolbar helper (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:24 AM

Posted 09 June 2010 - 06:31 PM

Are the redirects in Firefox, IE or both?

Reboot your computer and let me know if it is still there.
Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#9 snipersgethead

snipersgethead
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Local time:07:24 AM

Posted 13 June 2010 - 09:34 PM

It has still been happening, just not as often as before. I just tested it in IE8 and it occurs in both (forgot how slow IE was).

Attached Files


Edited by snipersgethead, 13 June 2010 - 09:35 PM.


#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 June 2010 - 09:44 PM

Try resetting your router and see if it helps.

#11 snipersgethead

  • Topic Starter
  • Members
  • 95 posts

Posted 15 June 2010 - 10:55 PM

Tried restoring to default settings in my router configuration, holding the hard reset button from the back, and powering off completely with a reset/powercycling, and still the redirects continue to occur. If you run out of ideas I can easily do a fresh repair of Windows 7 and see where that leaves me. If that doesn't fix it, then truly I am screwed.

#12 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 17 June 2010 - 08:25 PM

We can always do that, and usually it does fix it, but let's try something else once more.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Download and Run GooredFix

Please download GooredFix and save it to your Desktop if you lost your copy.
Alternative Download Mirror #1

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Ensure all Firefox windows are closed at this time.
  • Please double-click GooredFix.exe on your Desktop to run it. If you are using Vista, please right-click and select run as administrator
  • When prompted to run the scan, click Yes.
  • The removal process will begin, please be patient until it finishes.
  • A log will open with the file after completion, please post the contents of that log in your next reply
*Note: The log can also be found on your desktop called GooredFix.txt

Download and Run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Edited by extremeboy, 17 June 2010 - 08:26 PM.


#13 snipersgethead

  • Topic Starter
  • Members
  • 95 posts

Posted 19 June 2010 - 01:37 PM

I appreciate the help.

Attached Files



#14 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 20 June 2010 - 11:58 AM

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:

    FCopy::
    c:\windows\ERDNT\cache\user32.dll | c:\windows\System32\user32.dll
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Reboot if not already done, and let me know if the redirect is still there.
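The CFScript in post #14 copies the cached c:\windows\ERDNT\cache\user32.dll over c:\windows\System32\user32.dll, which only makes sense if the live DLL no longer matches the cached one. The following Python script is an added example written for this thread; it is not part of ComboFix, TDSSKiller or any tool mentioned above. It hashes the live file and the reference copy with SHA-256 so that a responder can confirm a mismatch before the restore and a match afterward. The two default paths are the ones from the CFScript; the bytes used in demo() are constructed stand-ins, not real DLL contents, so it runs on any machine.

```python
import hashlib
import os
import tempfile

# Paths taken from the CFScript in this thread: the ERDNT cache copy is the
# reference and the System32 copy is the live file the system actually loads.
DEFAULT_LIVE = r"C:\Windows\System32\user32.dll"
DEFAULT_REFERENCE = r"C:\Windows\ERDNT\cache\user32.dll"


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_system_file(live_path, reference_path):
    """Describe whether the live file matches the reference copy.

    Sizes are reported alongside the hashes to show that an equal size
    proves nothing: an in-place patch of a DLL keeps the size and only
    the hash changes.
    """
    live_hash = sha256_of(live_path)
    ref_hash = sha256_of(reference_path)
    return {
        "live_size": os.path.getsize(live_path),
        "reference_size": os.path.getsize(reference_path),
        "live_sha256": live_hash,
        "reference_sha256": ref_hash,
        "match": live_hash == ref_hash,
    }


def demo():
    """Constructed sample (not real DLLs): a same-size patched copy, then a restore.

    Returns (match_before_restore, match_after_restore).
    """
    with tempfile.TemporaryDirectory() as workdir:
        reference = os.path.join(workdir, "user32.dll.cache")
        live = os.path.join(workdir, "user32.dll")

        # Constructed stand-in for a clean image: a fake DOS header plus filler.
        clean_image = b"MZ" + b"\x00" * 62 + b"clean user32 image (constructed)"
        # Constructed stand-in for a patched image: same length, last bytes altered.
        patched_image = clean_image[:-8] + b"PATCHED!"
        assert len(clean_image) == len(patched_image)

        with open(reference, "wb") as fh:
            fh.write(clean_image)
        with open(live, "wb") as fh:
            fh.write(patched_image)

        before = compare_system_file(live, reference)

        # The FCopy step from the CFScript: overwrite the live file with the cached copy.
        with open(reference, "rb") as src, open(live, "wb") as dst:
            dst.write(src.read())

        after = compare_system_file(live, reference)
        return before["match"], after["match"]


if __name__ == "__main__":
    if os.path.exists(DEFAULT_LIVE) and os.path.exists(DEFAULT_REFERENCE):
        for key, value in compare_system_file(DEFAULT_LIVE, DEFAULT_REFERENCE).items():
            print(f"{key}: {value}")
    else:
        print("Reference or live file not found; running the constructed demo.")
        print("match before restore, match after restore:", demo())
```

On a real machine the script prints the two sizes and hashes; a responder would normally also compare the live hash against a copy from known-clean installation media rather than trusting the ERDNT cache alone, since the cache is only as clean as the last backup that produced it.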

#15 snipersgethead

  • Topic Starter
  • Members
  • 95 posts

Posted 20 June 2010 - 02:18 PM

Done.

Attached Files

  • Attached File  log.txt   15.73KB   4 downloads




