Google Redirect Virus Win7 64 bit


  • This topic is locked
2 replies to this topic

#1 jamesins

  • Members
  • 2 posts

Posted 19 July 2010 - 09:13 PM

Sometimes my Google searches are being redirected. As far as I can tell it is only happening in Firefox when using Google (but it doesn't happen that often, so I can't be sure). The links appear normal (even the mouse-over URL display) until I click on them. They then redirect to another website, and if I go back to Google and click on the link again it goes to the correct website.

Here's an example of one of the redirected links (search term "windows antivirus"):
http://googleads.sgdoubleclick.net/pagead/nclk?sa=L&ai=1&fadurl=googleads.g.doubleclick.net&u=http%3A%2F%2Fwww.google.com%2Furl%3Fsa%3Dt%26source%3Dweb%26cd%3D1%26ved%3D0CBwQFjAA%26url%3Dhttp%253A%252F%252Ffree.avg.com%252F%26ei%3DxgJFTOa4K4HCsAOU54ntDg%26usg%3DAFQjCNGC_5wf_ZlpTvTBmerEaNG3uLMPgA%26sig2%3D9cHwm1gNONM91nfvQAUtGQ&aclck=http%3A%2F%2Fwww.looksmartmarket.net%2Findex.php%3Fsearch%3Dwindows%2Bantivirus
I have run a bunch of antivirus software: Avast, AVR, Ad-Aware, MalwareBytes. Those programs found and removed quite a few problems. However, the redirect problem remains, and it seems that after a few days or weeks, a bunch of new malware appears on my computer. So I'm guessing that something is still on my computer that all the anti-virus programs have failed to find, and it is re-infecting my computer.

GMER doesn't work for me (I'm on Windows 7 64 bit - I don't think it works for that).

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSX64
Run by James at 18:38:20.79 on Mon 07/19/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.8187.4756 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\CrashPlan\CrashPlanService.exe
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Subversion\bin\svnserve.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\CrashPlan\CrashPlanTray.exe
C:\Program Files (x86)\todolist_exe\ToDoList.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\mspdbsrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\DisplayFusion\DisplayFusionHookx86.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
D:\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar =
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files (x86)\hotspot shield\hssie\HssIE.dll
uRun: [DisplayFusion] "c:\program files (x86)\displayfusion\DisplayFusion.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallati...uot;ver=9.0.839
StartupFolder: c:\users\james\appdata\roaming\micros~1\windows\startm~1\programs\startup\todoli~1.lnk - c:\program files (x86)\todolist_exe\ToDoList.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\crashp~1.lnk - c:\program files\crashplan\CrashPlanTray.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files (x86)\microsoft office\office10\OSA.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office10\EXCEL.EXE/3000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files (x86)\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files (x86)\common files\lightscribe\LSRunOnce.exe"
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\hotspot shield\hssie\HssIE_64.dll
mRun-x64: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s

================= FIREFOX ===================

FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\bsehmia7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dingogames.com/
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files (x86)\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\users\james\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: XULRunner: {90E982EC-74FE-400C-9EFB-551D1900377E} - c:\windows\system32\config\systemprofile\appdata\local\{90E982EC-74FE-400C-9EFB-551D1900377E}
FF - HiddenExtension: XULRunner: {40A17F10-5441-4162-81BB-2768A67479D6} - c:\users\james\appdata\local\{40A17F10-5441-4162-81BB-2768A67479D6}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-3 69152]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-3 121936]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-1-8 202752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-3 20048]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-7-3 61008]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x64.sys [2009-11-13 19432]
R2 CrashPlanService;CrashPlan Backup Service;c:\program files\crashplan\CrashPlanService.exe [2010-3-5 222720]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\hotspot shield\bin\hsswd.exe [2010-1-8 285744]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2009-11-15 11576]
R2 svnservice;Subversion Service;c:\program files (x86)\subversion\bin\svnserve.exe [2009-10-26 114774]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
R3 lvpepf64;Volume Adapter;c:\windows\system32\drivers\lv302a64.sys [2008-7-26 15768]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\drivers\lvrs64.sys [2008-7-26 790424]
R3 LVUSBS64;Logitech USB Monitor Filter;c:\windows\system32\drivers\LVUSBS64.sys [2008-7-26 50072]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2010-1-15 239616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\9592.tmp [2010-7-16 6144]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity64.sys [2010-7-16 29752]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2009-11-19 16384]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-7 1255736]

=============== Created Last 30 ================

2010-07-19 18:32:12 0 d--h--w- C:\$AVG
2010-07-19 18:20:14 13048 ------w- c:\windows\system32\avgrssta.dll.install_backup
2010-07-19 18:18:13 0 d-----w- c:\programdata\avg9
2010-07-19 18:16:29 0 d-----w- c:\program files (x86)\AVG
2010-07-18 19:55:39 121273 ----a-w- c:\users\james\.recently-used.xbel
2010-07-16 21:03:49 0 d-----w- c:\users\james\appdata\roaming\Malwarebytes
2010-07-16 21:03:42 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-16 21:03:42 0 d-----w- c:\programdata\Malwarebytes
2010-07-16 21:03:42 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-07-16 20:49:38 134 ----a-w- c:\windows\syswow64\Partizan.RRI
2010-07-16 20:35:47 2 --shatr- c:\windows\winstart.bat
2010-07-16 20:35:47 2 --shatr- c:\windows\syswow64\AUTOEXEC.NT
2010-07-16 19:58:46 0 d-----w- c:\program files (x86)\UnHackMe
2010-07-16 19:47:23 29752 ----a-w- c:\windows\system32\drivers\rspSanity64.sys
2010-07-16 19:26:20 6144 ------w- c:\windows\system32\9592.tmp
2010-07-16 19:25:55 6144 ------w- c:\windows\system32\3153.tmp
2010-07-16 19:25:43 0 d-----w- c:\program files (x86)\Sophos
2010-07-16 17:43:20 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-16 03:00:25 150 ----a-w- C:\zrpt.xml
2010-07-14 07:51:37 118 ----a-w- c:\windows\system32\MRT.INI
2010-07-13 19:01:50 144384 ----a-w- c:\windows\system32\cdd.dll
2010-07-04 03:54:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-03 17:25:02 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-03 17:22:39 61008 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-07-03 17:22:33 38848 ----a-w- c:\windows\avastSS.scr
2010-07-03 17:22:32 165032 ----a-w- c:\windows\syswow64\aswBoot.exe
2010-07-03 17:22:31 0 d-----w- c:\programdata\Alwil Software
2010-07-03 17:22:31 0 d-----w- c:\program files\Alwil Software
2010-07-03 17:19:01 0 d-----w- c:\program files (x86)\Lavasoft
2010-07-02 19:40:18 0 d-----w- c:\program files (x86)\ImTOO
2010-06-29 04:10:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-29 04:06:00 0 d-----w- c:\programdata\Lavasoft
2010-06-29 02:16:19 0 d-----w- c:\users\james\Programs
2010-06-29 01:41:24 0 d-----w- c:\program files (x86)\Digital Assembly
2010-06-28 20:44:16 0 d-----w- C:\cnwdata
2010-06-25 18:41:27 0 d-----w- c:\program files\iTunes
2010-06-25 18:41:27 0 d-----w- c:\program files\iPod
2010-06-25 18:40:55 0 d-----w- c:\program files\Bonjour
2010-06-25 18:40:55 0 d-----w- c:\program files (x86)\Bonjour
2010-06-23 09:12:22 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-06-23 09:12:22 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-06-23 09:12:22 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 09:12:22 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 09:12:22 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 09:12:22 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-06-23 09:12:22 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-06-23 09:12:22 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 09:12:22 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-06-23 09:12:22 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-22 21:27:07 1736608 ----a-w- c:\windows\system32\ntdll.dll
2010-06-22 21:27:07 1289528 ----a-w- c:\windows\syswow64\ntdll.dll
2010-06-22 21:27:05 961024 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-22 21:27:05 641536 ----a-w- c:\windows\syswow64\CPFilters.dll
2010-06-22 21:27:05 552960 ----a-w- c:\windows\system32\msdri.dll
2010-06-22 21:27:05 288256 ----a-w- c:\windows\system32\MSNP.ax
2010-06-22 21:27:05 258560 ----a-w- c:\windows\system32\mpg2splt.ax
2010-06-22 21:27:05 204288 ----a-w- c:\windows\syswow64\MSNP.ax
2010-06-22 21:27:05 199680 ----a-w- c:\windows\syswow64\mpg2splt.ax
2010-06-21 09:00:55 0 d-----w- c:\program files (x86)\Tasty Planet
2010-06-21 08:59:23 0 d-----w- c:\users\james\appdata\roaming\tastyplanet

==================== Find3M ====================

2010-05-27 07:24:13 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-27 06:34:09 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 04:11:32 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-21 21:14:28 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:52:30 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-05-21 05:18:06 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-21 05:14:50 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-18 23:55:18 95520 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:55:18 119584 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-18 23:35:16 91424 ----a-w- c:\windows\syswow64\dnssd.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\syswow64\dns-sd.exe
2010-05-06 12:42:05 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-05-06 12:41:55 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-05-06 12:41:53 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-05-06 12:41:53 5970944 ----a-w- c:\windows\syswow64\mshtml.dll
2010-05-06 12:41:49 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-05-06 12:41:49 10984448 ----a-w- c:\windows\syswow64\ieframe.dll
2010-05-01 15:07:05 3122176 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 07:13:36 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-04-23 07:11:58 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-04-07 17:18:02 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-17 20:56:25 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2010-01-17 20:56:25 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2010-01-17 20:56:25 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
2010-01-21 21:44:34 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:38:30.34 ===============



Help would be very much appreciated.

Cheers,
James

Hmmm, I think the redirect is being caused by a Firefox extension. There are two XULRunner extensions. Disabling the first fixes the redirect problem. Searching Google for XULRunner shows that there is a real extension with that name, but I don't think that I ever installed it. Right now I'm guessing that they are both malware and I have disabled them. Should I just delete these two files? I'm also guessing/hoping that these extensions are responsible for repeatedly putting the other malware on my computer that the antivirus programs are able to catch and remove.

FF - HiddenExtension: XULRunner: {90E982EC-74FE-400C-9EFB-551D1900377E} - c:\windows\system32\config\systemprofile\appdata\local\{90E982EC-74FE-400C-9EFB-551D1900377E}
FF - HiddenExtension: XULRunner: {40A17F10-5441-4162-81BB-2768A67479D6} - c:\users\james\appdata\local\{40A17F10-5441-4162-81BB-2768A67479D6}

Merged posts. ~ OB

Edited by Orange Blossom, 20 July 2010 - 10:19 PM.
Disable possibly live link. ~BZ
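The OP's own diagnosis (two "FF - HiddenExtension: XULRunner" entries pointing at GUID-named folders under Local AppData and under the SYSTEM profile) and the mPolicies-system / dPolicies-system lines in the same DDS log are exactly the details worth pulling out of a log mechanically rather than by eye. What follows is an added example written for this thread; it is not code from the post, from DDS, or from BleepingComputer. It scans DDS "Pseudo HJT Report" lines, flags registry-registered Firefox extensions that live where a user-installed add-on would not, and reports UAC and registry-tool policy values that differ from the Windows 7 defaults. The sample lines are copied from the log above; the list of suspect locations and the expected policy values are this example's own assumptions, and a policy finding can just as well be the owner's UAC slider set to "Never notify" as a malware change, so it is a review item, not a verdict.

```python
"""
DDS "Pseudo HJT Report" triage: pull out Firefox extensions registered
from odd locations and policy keys that weaken the machine's defences.

Added example for this thread only; not code from the post, from DDS or
from BleepingComputer. SAMPLE_LOG is copied from the DDS log above; the
suspect-location list and the expected policy values are assumptions.
"""
import re

# DDS lists Firefox extensions registered through the registry
# (Software\Mozilla\Firefox\Extensions) instead of installed into the
# profile as "HiddenExtension". A GUID-named folder under Local AppData,
# Temp or the SYSTEM profile is not where a user-installed add-on lives.
# Assumed list; extend it for your own cases.
SUSPECT_ROOTS = (
    "\\appdata\\local\\{",
    "\\appdata\\local\\temp\\",
    "\\config\\systemprofile\\",
)

# Values expected on a healthy Windows 7 system. The prefix of a DDS policy
# line says which hive it came from: m = HKLM, u = HKCU, d = HKU\.DEFAULT.
# A mismatch can be the owner's choice (UAC slider at "Never notify"), so
# these are review items, not proof of infection.
POLICY_EXPECTED = {
    ("system", "EnableLUA"): 1,                   # UAC enabled
    ("system", "ConsentPromptBehaviorAdmin"): 5,  # Win7 default: prompt for non-Windows binaries
    ("system", "PromptOnSecureDesktop"): 1,       # prompts on the secure desktop
    ("system", "DisableRegistryTools"): 0,        # regedit allowed
    ("explorer", "NoFolderOptions"): 0,           # Folder Options dialog allowed
}

HIDDEN_EXT = re.compile(
    r"^FF - HiddenExtension: (?P<name>.+?): "
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
POLICY = re.compile(
    r"^(?P<hive>[umd])Policies-(?P<area>\w+): (?P<name>\w+) = (?P<value>-?\d+)"
)


def triage(lines):
    """Return (kind, item, detail) tuples for every suspicious DDS line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HIDDEN_EXT.match(line)
        if m:
            if any(root in m.group("path").lower() for root in SUSPECT_ROOTS):
                findings.append(("hidden-extension", m.group("guid"), m.group("path")))
            continue
        m = POLICY.match(line)
        if m:
            key = (m.group("area"), m.group("name"))
            expected = POLICY_EXPECTED.get(key)
            if expected is not None and int(m.group("value")) != expected:
                where = "%sPolicies-%s\\%s" % (m.group("hive"), key[0], key[1])
                findings.append(("policy", where,
                                 "is %s, expected %d" % (m.group("value"), expected)))
    return findings


# Constructed input: the relevant lines copied from the posted DDS log,
# plus a few benign neighbours so the filter has something to pass over.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = <local>
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
FF - ProfilePath - c:\\users\\james\\appdata\\roaming\\mozilla\\firefox\\profiles\\bsehmia7.default\\
FF - HiddenExtension: XULRunner: {90E982EC-74FE-400C-9EFB-551D1900377E} - c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\{90E982EC-74FE-400C-9EFB-551D1900377E}
FF - HiddenExtension: XULRunner: {40A17F10-5441-4162-81BB-2768A67479D6} - c:\\users\\james\\appdata\\local\\{40A17F10-5441-4162-81BB-2768A67479D6}
"""

if __name__ == "__main__":
    for kind, item, detail in triage(SAMPLE_LOG.splitlines()):
        print("%-17s %-45s %s" % (kind, item, detail))
```

Run as-is it prints the seven findings from the posted log: both XULRunner entries, and the five policy values (UAC off, admin consent set to elevate silently, no secure desktop, Folder Options and regedit disabled). To run it over a different case, pass the whole DDS log with triage(open(path).read().splitlines()); the benign lines are simply skipped. If the policy findings turn out to be the owner's own settings, restoring the defaults is still worth doing before the rest of the cleanup, since a box with UAC off and regedit blocked is one where malware re-installing itself "after a few days or weeks" meets no resistance.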


#2 Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 July 2010 - 03:13 PM

Hi,

If you still need help with this do the following:
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Copy-paste following contents into custom scan -area:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 Blade81

Posted 03 August 2010 - 12:19 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





