
Igoogle search results redirect


  • This topic is locked
25 replies to this topic

#1 dkistner

  • Members
  • 13 posts

Posted 12 November 2010 - 09:59 PM

When I search the Internet from my Firefox 3.6.12 browser using Google, the search results return normally, and I can click on a link and go to the appropriate web site. But when I search using Google from my iGoogle page, and click on a link from the results, a new tab is opened up and I am redirected to a random website. Here are a few sample sites:

First this appears, and I get redirected:
hxxp://results.google-analytics.com/

Redirected sites:

hxxp://r.localpages.com/j.php?h=e4091507668cdf22e7362352e6e16886&s=c&px=1&wf=1&ai=10300&fm=1778&st=blackberry+software&tos=1289620226

hxxp://www.babelgum.com/6003396/?utm_source=113669_155_&utm_medium=CPC&utm_campaign=AdOn

hxxp://www.ivillage.com/ivillage-5-your-don-t-miss-list/1-j-256800?ivNPA=1&sky=ggl%7Civl%7Cvi%7Civillage5%7C?source=113669_155

hxxp://kc.mv.bidsystem.com/bin/findwhat.dll?clickthrough&y=77260&x=BVEsT4L:LEntNaxMKbi3MR;p;ZqGpdi0LXvcsRqxCgylj4xe8Xn2PbG;pFBH8a1nA4e0YXquIFyscRnLpdlFzbmcyEPHYTg6hZlRYwe;EMp0qwVwexnFRQemmRvP6dLKYFdSNuilTWn4VdEpXwkEKTk5wgF5FG;FRRpVPgdBWw2M1cFavZcS04GzvyKNTMIZ8W2OK25dxdJ4iZvXRWaR9Wd8NcnGOSKMvcqXolI;QZeCJ5P2NSFq9Gl0RWquqMJE:8qbyuv:rwaSAdntTT2U;asW:tJO9rKdITy;RZq7LaVteH$zC


This only happens on this one computer. If I use my iGoogle on another computer it works normally. No problems.

I am running Norton 360 with updated dat files and it does not detect malware.
I also use up to date Malwarebytes, but it too fails to detect any malware.
I also tried:
Spybot Search and Destroy,
HitmanPro 3.5
Norton Power Eraser
SafeReturner
Ad-Aware

Finally, I went to "Geeks to Go" and used:
OTM
GooredFix
and then ran Kaspersky TDSSKiller

Here's the link to those instructions that I followed exactly, but didn't help:
http://www.geekstogo.com/forum/topic/267407-how-to-fix-google-redirects

Nothing seems to detect this malware.

Finally I found your forum here. I followed the instructions exactly (ran DeFogger etc.), copied the DDS.txt below, and attached the Attach.txt to this post. But when I ran GMER, it did not detect malware, so there isn't an "Ark.txt" because it was "zero bytes" with no data to save.

Thank you very much in advance for any help you can give me.

DDS (Ver_10-11-10.01) - NTFS_AMD64
Run by David Kistner at 19:42:01.37 on Fri 11/12/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1791.734 [GMT -6:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://walterfootball.com/forum/forumdisplay.php?f=25
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\IPSBHO.DLL
BHO: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coIEPlg.dll
mRun: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
StartupFolder: C:\Users\DAVIDK~1.OWN\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PMBMED~1.LNK - C:\Program Files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - C:\Program Files (x86)\PixiePack Codec Pack\InstallerHelper.exe
TB-X64: ZoneAlarm Toolbar: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

================= FIREFOX ===================

FF - ProfilePath - C:\Users\DAVIDK~1.OWN\AppData\Roaming\Mozilla\Firefox\Profiles\jrwga11w.default\
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\components\coFFPlgn.dll
FF - component: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2010-9-13 27216]
R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-11-6 69152]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2009-12-8 53488]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0403000.005\symds64.sys [2010-10-21 433200]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0403000.005\symefa64.sys [2010-10-21 221232]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);C:\Windows\System32\drivers\tdrpm258.sys [2009-11-15 1477728]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20101104.001\BHDrvx64.sys [2010-11-3 953904]
R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\N360x64\0403000.005\cchpx64.sys [2010-10-21 615040]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20101111.001\IDSviA64.sys [2010-10-19 476720]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0403000.005\ironx64.sys [2010-10-21 150064]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\drivers\N360x64\0403000.005\symtdiv.sys [2010-10-21 451120]
R2 afcdpsrv;Acronis Nonstop Backup service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2009-11-15 2480048]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 203264]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ccsvchst.exe [2010-10-21 126392]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-11-6 1153368]
R2 Virtual CDAudio Service;Virtual CDAudio Service;C:\Program Files (x86)\RapidSolution\AudialsOne 4\VCDWriter\64\VCDAudioService.exe [2010-5-25 178552]
R3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2009-11-15 251488]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-10-21 132656]
R3 RRNetCapMP;RRNetCapMP;C:\Windows\System32\drivers\rrnetcap.sys [2010-5-12 37480]
R3 rsvcdwdr;rsvcdwdr;C:\Windows\System32\drivers\rsvcdwdr.sys [2010-5-12 41576]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-9-23 1375992]
S3 RRNetCap;RRNetCap Service;C:\Windows\System32\drivers\rrnetcap.sys [2010-5-12 37480]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-4-19 50688]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-18 1255736]

=============== File Associations ===============

scrfile="%1" /S

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 19:43:27.62 ===============



Edited by Orange Blossom, 12 November 2010 - 10:45 PM.
Deactivated links. ~ OB




#2 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 22 November 2010 - 07:31 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note: it is zipped up in a .rar file. If you do not have a program to unzip this type of file,
    you can get a free one from here: http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 22 November 2010 - 10:33 AM

Thank you very much for helping me. The computer still has the redirect problem described in the original post. After reading your reply I downloaded the OTM and ran the scan as you requested. I will include the files generated by that scan here.

I also downloaded the Rootkit Unhooker, installed it, and attempted to run it. But when I tried to run the software I received this error:
Error loading NTSTATUS code: 0xC000036B




#4 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 22 November 2010 - 12:34 PM

Looks like you have a router infection. Please reset your router and see if the problem is gone. You can do this by pressing the reset button with a small object for approx. 10 seconds while the router is powered off.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 22 November 2010 - 03:31 PM

I tried this, but I still get redirected.

I was looking at the OTL.txt file, and it's all over my head, but I did notice a lot of weird characters:

O1 HOSTS File: ([2010/11/20 09:15:00 | 000,425,118 | R--- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: റ⌊匠慴瑲漠⁦湥牴敩⁳湩敳瑲摥戠⁹灓批瑯ⴠ匠慥捲⁨…敄瑳潲൹ㄊ㜲〮〮ㄮ眉睷〮㜰畧牡⹤潣൭ㄊ㜲〮〮ㄮ〉㜰畧牡⹤潣൭ㄊ㜲〮〮ㄮ〉㠰⹩潣൭ㄊ㜲〮〮ㄮ眉睷〮㠰⹫潣൭ㄊ㜲〮〮ㄮ〉㠰⹫潣൭ㄊ㜲〮〮ㄮ眉睷〮栰⹱潣൭ㄊ㜲〮〮ㄮ〉栰⹱潣൭ㄊ㜲〮〮ㄮ〉〱〴⸲潣൭ㄊ㜲〮〮ㄮ眉睷〮㈳㌴⸹潣൭ㄊ㜲〮〮ㄮ〉㈳㌴⸹潣൭ㄊ㜲〮〮ㄮ眉睷〮捳湡挮浯਍㈱⸷⸰⸰ऱ猰慣⹮潣൭ㄊ㜲〮〮ㄮㄉ〰朰慲楴灳潲敢⹮潣൭ㄊ㜲〮〮ㄮ眉睷ㄮ〰朰慲楴灳潲敢⹮潣൭ㄊ㜲〮〮ㄮㄉ〰渱浡湥挮浯਍㈱⸷⸰⸰ऱ睷⹷〱㄰慮敭⹮潣൭ㄊ㜲〮〮ㄮㄉ〰㠸㈸〹獣挮浯਍㈱⸷⸰⸰ऱ睷⹷〱㠰㠸㤲挰⹳潣൭ㄊ㜲〮〮ㄮ眉睷ㄮ〰敳汸湩獫挮浯਍㈱⸷⸰⸰ऱ〱猰硥楬歮⹳潣൭ㄊ㜲〮〮ㄮㄉ猰步挮浯਍㈱⸷⸰⸰ऱ睷⹷〱敳⹫潣൭ㄊ㜲〮〮ㄮ眉睷ㄮ㈭〰ⴵ敳牡档挮浯਍㈱⸷⸰⸰ऱⴱ〲㔰猭慥捲⹨潣൭ㄊ㜲〮〮ㄮㄉ㌲灦牯⹮湩潦਍㈱⸷⸰⸰ऱ睷⹷㈱昳潰湲椮普൯ㄊ㜲〮〮

There were far more characters than these, but I just cut and pasted this bit to give you an idea of what's in there. What the heck is THAT stuff? Could that be related?

Edited by dkistner, 22 November 2010 - 06:05 PM.
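As an added example (not part of the thread), the characters in that hosts line are the ordinary 8-bit text of the hosts file read two bytes at a time as UTF-16LE; the script below reverses that misreading and then separates entries that only block a name (such as Spybot's immunization entries pointing at 127.0.0.1) from entries that send a name to another host, which is what a hosts-file hijack looks like. The fragment it decodes is copied from the start of the line quoted above; the hostnames in `triage`'s docstring example are constructed.

```python
"""Recover the text behind the 'weird characters' in an OTL hosts line and
sort the entries into harmless blocking entries and suspicious redirects."""
import re

# Copied from the start of the "O1 - Hosts:" line in post #5 of the thread;
# the rest of that very long line is omitted here.
OTL_HOSTS_FRAGMENT = (
    "റ⌊匠慴瑲漠⁦湥牴敩⁳湩敳瑲摥戠⁹灓批瑯ⴠ匠慥捲⁨…敄瑳潲൹"
    "ㄊ㜲〮〮ㄮ眉睷〮㜰畧牡⹤潣൭ㄊ㜲〮〮ㄮ〉㜰畧牡⹤潣൭"
)

# Addresses that merely block a name (Spybot immunization, ad-block lists).
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

HOST_ENTRY = re.compile(r"^\s*(\S+)\s+(\S+)")


def undo_utf16_mojibake(text):
    """The tool read the 8-bit hosts file two bytes at a time as UTF-16LE
    code units. Re-encoding the characters as UTF-16LE returns the original
    bytes; Latin-1 maps every byte to a character, so decoding cannot fail."""
    return text.encode("utf-16-le").decode("latin-1")


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        match = HOST_ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2).lower()))
    return entries


def triage(entries):
    """Blocking entries point a name at a sinkhole address; anything else
    sends the name to a real host, e.g. ("203.0.113.5", "www.example.com")
    (constructed) would be a redirect worth investigating."""
    blocking = [e for e in entries if e[0] in SINKHOLES]
    redirects = [e for e in entries if e[0] not in SINKHOLES]
    return blocking, redirects


if __name__ == "__main__":
    decoded = undo_utf16_mojibake(OTL_HOSTS_FRAGMENT)
    print(decoded)
    blocking, redirects = triage(parse_hosts(decoded))
    print(f"{len(blocking)} blocking entries, {len(redirects)} redirect entries")
```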


#6 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 22 November 2010 - 06:09 PM

One other thing, in the morning I will be away from my computer for a few days. I wanted to let you know in advance so you don't close this out, thinking I was able to fix this on my own. I still need help with this, but won't be back until Sunday, November 28th.

Thanks again for everything. I'll be here tonight in case you'd post anything.

Edited by dkistner, 22 November 2010 - 06:09 PM.


#7 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 23 November 2010 - 06:27 AM

Yes, I noticed that too, I'll keep this topic open until 28 November and then bump it.

Please run the following fix:

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :commands
    [emptytemp]
    [resethosts]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
Link 1 | Link 2 | Link 3
  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 23 November 2010 - 07:14 AM

I ran those two programs. I have attached the MBR.txt to this post. Thanks again for your help. I'll be back here on Sunday the 28th.




#9 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 23 November 2010 - 02:50 PM

That looks okay. Can you please post me a new OTL quick scan log? How are things running now?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 27 November 2010 - 08:23 PM

I just returned from my trip. I have attached the latest OTL quick scan log file. I'm still having the redirect problem though. Thanks for sticking with me on this to get rid of the problem.



Edited by dkistner, 27 November 2010 - 08:24 PM.


#11 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 28 November 2010 - 03:40 AM

Your log still shows the router hijack. Please let me know what your router manufacturer is so I can look up how to reset it.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 28 November 2010 - 08:04 AM

It is a Linksys, Wireless G.

I did find a pin on the unit that looks like a reset button to me. I unplugged the unit for several seconds, and then held the pin down for several seconds. Then I restarted the unit. But I still have the Google reroute problem.

Edited by dkistner, 28 November 2010 - 08:16 AM.


#13 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 28 November 2010 - 08:25 AM

Try pressing the reset button for 30 seconds. If that doesn't do the trick, post me the exact details (Linksys, nr.....).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 dkistner
  • Topic Starter
  • Members
  • 13 posts

Posted 28 November 2010 - 09:46 AM

I disconnected the power and pressed the reset button for over a minute. I still have the problem. The router is a Linksys WRT54G that we have had for years now. I don't have the administrator username and password to the unit. Would it be better to simply get a newer router and set it up? I would be willing to do that.

#15 Elise
    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 28 November 2010 - 09:52 AM

Please run these steps.

Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.
On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Now, click Start > Run and type cmd in the runbox.

A command window will open. Type ipconfig /flushdns and press enter.


Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:
@echo off
rem Collect the network configuration and a few DNS/connectivity tests into Log1.txt
(ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print) >>Log1.txt
rem Open the log in Notepad, then delete this batch file (%0 is its own name)
start notepad Log1.txt
del %0
Go to the File menu at the top of the Notepad and select Save as.
Select save in: desktop
Fill in File name: test.bat
Save as type: All file types (*.*)
Click save.
Close the Notepad.
Locate and double-click test.bat on the desktop.
A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft




