Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Another google/search redirection


  • This topic is locked This topic is locked
20 replies to this topic

#1 Grimor2000

Grimor2000

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 02 April 2011 - 05:45 PM

I've been following the other threads and have been successful in getting rid of the IE popups and some of the other annoying little bits of code, but this browser redirect has me stumped. Microsoft Security Essentials/Windows Defender is also disabled and will not run.

I've ran tdsskiller, ComboFix (got rid of the popups), KasperSpy Remover, and the EST online scanner.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by dmorse at 17:49:23.34 on Sat 04/02/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.1972 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Program Files\NetSecure\SmartSwipe\NSTSECSvc_32.EXE
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Lenovo\System Update\SUService.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\dmorse\Desktop\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ExplorerBHO Class: {449d0d6e-2412-4e61-b68f-1cb625cd9e52} - c:\program files\classic shell\ClassicExplorer32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SmartSwipe: {9ea1d653-4a77-4ff0-a3ce-c83466e835b1} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: Classic Explorer Bar: {553891b7-a0d5-4526-be18-d3ce461d6310} - c:\program files\classic shell\ClassicExplorer32.dll
TB: SmartSwipe: {9ea1d653-4a77-4ff0-a3ce-c83466e835b1} - mscoree.dll
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [Classic Start Menu] c:\program files\classic shell\ClassicStartMenu.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {64964764-1101-4bbd-8891-B56B1A53B9B3} - {553891B7-A0D5-4526-BE18-D3CE461D6310} - c:\program files\classic shell\ClassicExplorer32.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {71C140F3-1A84-430B-9035-68815582DC79} - hxxp://rasfax/viewer/activeXViewer/reportparameterdialog.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://webjaguar.webex.com/client/T27LC/webex/ieatgpc1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dmorse\appdata\roaming\mozilla\firefox\profiles\opu5rr9f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.ftp - 192.168.50.100
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.50.100
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.50.100
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.50.100
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.50.100
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-12-31 24304]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-12-31 13680]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2008-5-2 188456]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-27 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-27 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-27 61960]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2010-12-31 93032]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2011-1-6 91456]
R2 NSTSECSvc;NSTSECSvc;c:\program files\netsecure\smartswipe\NSTSECSvc_32.EXE [2010-10-20 142040]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2010-12-31 99328]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-12-31 64440]
R2 UpekSrvc;Upek Service;c:\program files\thinkvantage fingerprint software\upeksrvc.exe [2010-7-21 35152]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 46192]
R3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [2009-7-13 18944]
R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2006-12-17 70272]
R3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2006-12-17 102016]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2009-9-21 1964528]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-12-31 45496]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-12-31 132456]
S3 GenericMount Helper Service;GenericMount Helper Service;c:\program files\norton ghost\shared\drivers\GenericMountHelper.exe [2009-9-21 1571336]
S3 JetFormCentral;JetForm Central Control Service;c:\jfcntrl\jfservic.exe [2011-3-17 86016]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-12-2 25600]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-12-31 75112]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2009-7-13 7168]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-27 1343400]
.
=============== Created Last 30 ================
.
2011-04-02 14:21:46 -------- d-----w- C:\$RECYCLE.BIN
2011-04-02 14:11:48 -------- d-----w- c:\users\dmorse\appdata\local\temp
2011-04-02 13:44:52 98816 ----a-w- c:\windows\sed.exe
2011-04-02 13:44:52 89088 ----a-w- c:\windows\MBR.exe
2011-04-02 13:44:52 256512 ----a-w- c:\windows\PEV.exe
2011-04-02 13:44:52 161792 ----a-w- c:\windows\SWREG.exe
2011-04-02 03:14:01 -------- d-----w- c:\progra~2\Kaspersky Lab
2011-04-02 02:48:33 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-02 02:48:32 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-02 02:48:32 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-02 02:48:32 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-02 02:48:32 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-02 02:48:32 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-02 02:48:32 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-02 02:48:32 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-02 02:18:10 -------- d-----w- c:\users\dmorse\appdata\roaming\Malwarebytes
2011-04-02 02:18:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-02 02:18:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-02 02:18:00 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-02 02:17:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-01 19:36:28 -------- dc----w- c:\progra~2\{AD4FF8EF-B0C1-424D-B091-EE480EE8C7B5}
2011-04-01 19:33:58 90112 --sha-r- c:\windows\system32\C_285921.dll
2011-04-01 19:33:55 -------- d-----w- c:\users\dmorse\appdata\local\PackageAware
2011-04-01 01:45:25 -------- d-----w- c:\users\dmorse\Library
2011-03-31 13:21:23 -------- d-----w- C:\Reports
2011-03-29 16:32:41 -------- d-----w- c:\windows\PHP Report Maker
2011-03-29 16:32:41 -------- d-----w- c:\program files\PHP Report Maker 3
2011-03-29 16:19:10 -------- d-----w- c:\users\dmorse\appdata\local\QuickPar
2011-03-29 16:18:35 -------- d-----w- c:\program files\QuickPar
2011-03-29 16:14:04 -------- d-----w- c:\users\dmorse\appdata\local\NewsBin
2011-03-29 16:14:04 -------- d-----w- c:\program files\NewsBin
2011-03-29 02:50:08 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-26 21:46:52 938272 ----a-w- c:\windows\system32\wodFtpDLX.OCX
2011-03-22 17:59:49 -------- d-----w- c:\program files\Citrix
2011-03-22 17:59:07 -------- d-----w- c:\users\dmorse\appdata\local\Deployment
2011-03-22 17:59:07 -------- d-----w- c:\users\dmorse\appdata\local\Apps
2011-03-22 01:09:23 -------- d-----w- c:\users\dmorse\appdata\roaming\Replay Media Catcher 4
2011-03-22 01:09:23 -------- d-----w- c:\progra~2\Applian
2011-03-22 01:09:17 -------- d-----w- c:\program files\Applian Technologies
2011-03-21 13:25:49 -------- d-----w- c:\windows\WindowsMobile
2011-03-21 12:13:24 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-03-20 15:47:57 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-03-20 04:23:41 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-03-20 04:18:50 65536 ----a-r- c:\users\dmorse\appdata\roaming\microsoft\installer\{f428d0fb-765d-40eb-bdd8-a1e7f5c597fa}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2011-03-20 04:17:36 -------- d-----w- c:\program files\common files\Corel
2011-03-20 04:17:35 -------- d-----w- c:\program files\Corel
2011-03-20 04:13:35 -------- d-----w- c:\progra~2\MGI
2011-03-18 15:49:22 -------- d-----w- c:\program files\CCleaner
2011-03-17 14:28:41 -------- d-----w- C:\jfsrvr
2011-03-17 14:28:41 -------- d-----w- C:\jfcntrl
2011-03-16 13:05:51 -------- d-----w- c:\users\dmorse\appdata\roaming\Likno Software
2011-03-16 13:02:22 608448 ------w- c:\windows\system32\comctl32.ocx
2011-03-16 13:02:22 164144 ------w- c:\windows\system32\comct232.ocx
2011-03-16 13:02:20 212992 ------w- c:\windows\system32\UniBoxVB12.ocx
2011-03-16 13:02:20 139264 ------w- c:\windows\system32\uniflexsup.dll
2011-03-16 13:02:19 880640 ------w- c:\windows\system32\UniBox10.ocx
2011-03-16 13:02:19 53248 ------w- c:\windows\system32\ZLIB.DLL
2011-03-16 13:02:19 380928 ------w- c:\windows\system32\UniFlexGrid10.ocx
2011-03-16 13:02:19 364544 ------w- c:\windows\system32\UniGrid210.ocx
2011-03-16 13:02:19 1097728 ------w- c:\windows\system32\UniBox210.ocx
2011-03-16 13:02:13 -------- d-----w- c:\program files\Likno Web Modal Windows Builder
2011-03-16 13:02:13 -------- d-----w- c:\progra~2\InstallMate
2011-03-15 20:09:40 -------- d-----w- c:\program files\Sybase
2011-03-15 20:09:38 -------- d-----w- c:\program files\common files\Activant Shared
2011-03-15 20:08:41 -------- d-----w- c:\program files\common files\Activant
2011-03-15 20:07:46 -------- d-----w- C:\crystalreportviewers12
2011-03-15 20:05:45 -------- d-----w- c:\program files\Activant
2011-03-15 13:02:56 -------- d-----w- c:\windows\PHPMaker
2011-03-14 15:46:03 -------- d-----w- c:\users\dmorse\appdata\roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2011-03-14 15:46:03 -------- d-----w- c:\users\dmorse\appdata\roaming\Adobe Mini Bridge CS5
2011-03-12 04:38:29 -------- d-----w- c:\program files\PHPMaker 8
2011-03-11 21:28:09 -------- d-----w- c:\users\dmorse\appdata\local\Apple Computer
2011-03-11 21:26:38 -------- d-----w- c:\users\dmorse\appdata\local\Apple
2011-03-11 01:45:30 -------- d-----w- c:\program files\Microsoft LifeCam
2011-03-11 01:45:27 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2011-03-11 01:45:27 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2011-03-09 19:46:59 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 19:46:59 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 19:46:59 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 19:46:57 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 19:46:57 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 19:46:56 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 19:46:56 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 19:46:55 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 19:46:55 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 14:32:45 -------- d-----w- c:\users\dmorse\appdata\local\Sony
2011-03-09 14:20:40 -------- d-----w- c:\program files\Vstplugins
2011-03-09 14:20:29 -------- d-----w- c:\program files\Sony
2011-03-09 14:19:34 -------- d-----w- c:\program files\Sony Setup
.
==================== Find3M ====================
.
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 07:31:10 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-07 07:31:10 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 17:50:03.52 ===============

Attached Files


Edited by Grimor2000, 03 April 2011 - 09:13 AM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 09:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these caracteristics, just let us know and we'll help you figuring it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 09:48 AM

I have done the following so far;
Ran malwarebytes, KasperSky removal tool, GooredFix, tdsskiller, ComboFix, Symantec End Point Protection (removed after scan), Avira Antivir (currently running), HijackThis (log below), Eset online scanner, windows malicious software removal tool, SUPERAntiSpyware, and Tizer Rootkit Razor.
Uninstalled and reinstalled firefox.

Problem: redirects in IE and firefox for google and bing (yahoo seems fine) search results that contain the search string (ie hxxp://www.google.com/url?sa=t&source=web&cd=1&ved=0CCcQFjAA&url=hxxp%3A%2F%2Fwww.eset.com%2F&ei=o3qcTZ-GKoqisQPUy4X7Aw&usg=AFQjCNESWBxYzdJj86h9y-DsHZ-H0r80Aw) they redirect to various domains but usually involves goingonearth.com, previously adding goingonearth.com to my host file seemed to fix this, but my host file was then corrupted and had to be fixed. although pinging goingonearth.com resolves to 127.0.01 now, it no longer stops the redirect. going to hxtp://xxx.goingonearth.com in firefox and IE takes me to google.com, searching for it in google takes me to hxxp://msdn.microsoft.com/en-us/aa570318.aspx

I have since installed chrome as a browser and it seems unaffected and works fine to resolve websites and links.

Attached Files


Edited by myrti, 06 April 2011 - 10:10 AM.
disabled links


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 10:12 AM

I take it this is a business computer?

If so, I strongly recommend you to ask your IT suppport/network Administrator to fix this. After all they are paid to do so.

I ask this for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting an Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 10:37 AM

It's ok, I am the "IT suppport/network Administrator"

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 10:57 AM

Hi,

ok. First question is if you're using a router, to connect to the internet. I'm going to guess no?

COuld you please run a scan with RkU too:
Please download Rootkit Unhooker from one of the following links and save it to your desktop. Link 1 (.exe file) Link 2 (zipped file) Link 3 (.rar file) In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.
  • Double-click on RKUnhookerLE.exe to start the program. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 11:52 AM

ok. First question is if you're using a router, to connect to the internet. I'm going to guess no?
not in the traditional home user way, no.


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #2
==============================================
>Drivers
==============================================
0x91A10000 C:\Windows\system32\DRIVERS\atikmdag.sys 6193152 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82E54000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x82E54000 PnpManager 4259840 bytes
0x82E54000 RAW 4259840 bytes
0x82E54000 WMIxWDM 4259840 bytes
0x826C0000 Win32k 2404352 bytes
0x826C0000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8B60C000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8B25E000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x9120E000 C:\Windows\system32\DRIVERS\athr.sys 1114112 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x99016000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x92030000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8B484000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x99119000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x838E9000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0x9DD03000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9DC6F000 C:\Windows\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0x95AFE000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x83816000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x83A13000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x9CCDB000 C:\Windows\system32\drivers\spsys.sys 434176 bytes (Microsoft Corporation, security processor)
0x90C6A000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x98C80000 C:\Windows\system32\drivers\ADIHdAud.sys 405504 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0x8B40B000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8E8D2000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x9CC8A000 C:\Windows\System32\DRIVERS\srv.sys 331776 bytes (Microsoft Corporation, Server driver)
0x9CC3B000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x82970000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x91333000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x83B54000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x83A92000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x95A95000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x98C2B000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x838A7000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x90C07000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8B78F000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8B53B000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x98D2B000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x9DC12000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x92178000 C:\Windows\system32\DRIVERS\SynTP.sys 241664 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0x920E7000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x9213F000 C:\Windows\system32\DRIVERS\e1e6232.sys 233472 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 6 deserialized driver)
0x82E1D000 ACPI_HAL 225280 bytes
0x82E1D000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x839C0000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8E800000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8B5CB000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8E92C000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8B755000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x98CE3000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x83BB4000 C:\Windows\system32\DRIVERS\pcmcia.sys 188416 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x8B59E000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x8B38D000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x83AEB000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x90CF4000 C:\Windows\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0x8B3CB000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8B579000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x83994000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x95BB7000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x90D65000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9DDA4000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8B23D000 C:\Windows\system32\DRIVERS\symsnap.sys 135168 bytes (StorageCraft, StorageCraft Volume Snap-Shot)
0x90D1A000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8E848000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8B211000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x92000000 C:\Windows\system32\DRIVERS\dne2000.sys 126976 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0x92120000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8E965000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x82950000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x95A67000 C:\Windows\system32\DRIVERS\irda.sys 122880 bytes (Microsoft Corporation, IRDA Protocol Driver)
0x98C0B000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x9DC4D000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x8E9A3000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x95A4D000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x95B8C000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x98D12000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x98D8B000 C:\Windows\system32\DRIVERS\SWNC5E01.sys 102400 bytes (Sierra Wireless Inc., Sierra Wireless NDIS Driver)
0x90CCE000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x913AE000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x921B3000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x90D4D000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x90D87000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x90D9F000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x90DB6000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8E8B0000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x98DB0000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x83BE2000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x95A36000 C:\Windows\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0x98DD2000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8B3B8000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x95AEB000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8E9BD000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x921E7000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x90D3B000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x95BA5000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x98D79000 C:\Windows\system32\DRIVERS\swmx01.sys 73728 bytes (Sierra Wireless Inc., Sierra Wireless USB MUX Driver)
0x8B7EE000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x98D68000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x83800000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x98C6F000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x83B20000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x8388E000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8E984000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
0x95A85000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8B7D6000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x95ADB000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8E9D7000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x83B44000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x9137E000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x90CE6000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x8E995000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8E8A2000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x83BA6000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x8B468000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x8E9ED000 C:\Windows\System32\Drivers\SCDEmu.SYS 57344 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0x90DE1000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x83A84000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x921DA000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x991E4000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x9201F000 C:\Windows\system32\DRIVERS\GenericMount.sys 53248 bytes (Symantec Corporation, Symantec Corporation Generic Mount)
0x913C6000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x991CD000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x913D5000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0x9DDC5000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8E869000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x90C5E000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x98DEC000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x913A2000 C:\Windows\System32\DRIVERS\scfilter.sys 49152 bytes (Microsoft Corporation, Microsoft Smart Card Reader Filter Driver)
0x98DA4000 C:\Windows\System32\Drivers\tcusb.sys 49152 bytes (UPEK Inc., TouchChip USB Kernel Driver)
0x91200000 C:\Windows\system32\drivers\tpm.sys 49152 bytes (Microsoft Corporation, TPM Device Driver)
0x8E83C000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x83B39000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x991F1000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x98DC7000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x9900A000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x98C00000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8E897000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x91A00000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x91397000 C:\Windows\system32\DRIVERS\SMCLIB.SYS 45056 bytes (Microsoft Corporation, Smart Card Driver Library)
0x8E8C7000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x91328000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x83B15000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x90DCD000 C:\Windows\system32\DRIVERS\appliand.sys 40960 bytes (Applian Technologies Inc., APPLIAND helper driver)
0x99000000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
0x991DA000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x83A09000 C:\Windows\system32\DRIVERS\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x90C52000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x90C48000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x9138D000 C:\Windows\system32\DRIVERS\pscr.sys 40960 bytes (SCM Microsystems, Inc., SCM PCMCIA Smart Card Reader)
0x839F4000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x90DD7000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0x9DD9A000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x913E2000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x9131E000 C:\Windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
0x8E88E000 C:\Windows\system32\DRIVERS\1UnHooker.sys 36864 bytes
0x839B7000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x9CD45000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x83A00000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8B47B000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x913F4000 C:\Windows\system32\drivers\irenum.sys 36864 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0x9CD4E000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x82920000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8B786000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x95B83000 C:\Windows\system32\DRIVERS\vwifimp.sys 36864 bytes (Microsoft Corporation, Virtual WiFi Miniport Driver)
0x83ADA000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8389F000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x83B31000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x8B7E6000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BC1000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x83AE3000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x913EC000 C:\Windows\system32\DRIVERS\nscirda.sys 32768 bytes (National Semiconductor Corporation, NSC Fast Infrared Driver.)
0x8E876000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8E87E000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8E886000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8B7CE000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x9DDD2000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x83BF8000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x98DE5000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x83B9F000 C:\Windows\system32\DRIVERS\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x8B230000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x9DC68000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x8E9D0000 C:\Windows\System32\drivers\Tppwr32v.sys 28672 bytes (Lenovo Group Limited, Power Manager)
0x8E95E000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x921D4000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x921F9000 C:\Windows\system32\DRIVERS\psadd.sys 24576 bytes (Lenovo (United States) Inc., SMBIOS Driver)
0x8E9E7000 C:\Windows\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0x8B476000 C:\Windows\System32\DRIVERS\DozeHDD.sys 20480 bytes (Lenovo., Doze Mode Kernel Driver for HDD control)
0x921CF000 C:\Windows\system32\DRIVERS\ibmpmdrv.sys 20480 bytes (Lenovo., ThinkPad Power Management Driver)
0x921CB000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x9DCFF000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x95A4B000 C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys 8192 bytes (UPEK Inc., SMI helper driver)
0x90C5C000 C:\Windows\system32\DRIVERS\smiif32.sys 8192 bytes (Lenovo Group Limited, SMI Driver for Lenovo system)
0x9120C000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x913D3000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x02EE0000 Hidden Image-->log4net.dll [ EPROCESS 0x88650860 ] PID: 4716, 282624 bytes
0x04380000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x88650860 ] PID: 4716, 872448 bytes


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 12:26 PM

Hi,

did any of the tools find anything?

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\C_285921.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Does any other PC on the network get redirected?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 12:48 PM

I had to take ownership of the file to scan it, it only had system listed.

File size:
90112 bytes
Filetype:
PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
MD5:
5e2928327ea5e983001c841e0c8a5d78
SHA1:
b62984aac2b95a377fcb3b212c30d6fa36307dd1

Emsisoft 2011-04-06 Gen.Variant.Vundo!IK
ikarus 2011-04-06 Gen.Variant.Vundo

the rest were "found nothing"



no other PC's get redirected, and it happens both at home, and at work regardless of dns server. I don't think it's a DNS issue so much as chrome resolves the links correctly.

Edited by Grimor2000, 06 April 2011 - 12:50 PM.


#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 01:12 PM

Hi,

yes, I figured that you wouldn't see an infected router in a business network. :wink:

The tools you ran, in particular gooredfix, tdsskiller and mbam, check for more than just DNS issues, which is why I am interested in knowing whether they found anything.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 01:36 PM

TDSSKiller found nothing
mbam found tracking cookies and some other tidbits (log attached) later scans found nothing

Xmulea.exe was the virus that kept popping up initially and I believe initiated a lot of this.
Avira detects it as TR/Kazy.17829.6 Trojan


GooredFix by jpshortstuff (03.07.10.1)
Log created at 14:33 on 06/04/2011 (dmorse)
Firefox version 4.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:48 02/04/2011]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [15:07 11/01/2011]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [18:37 12/01/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [18:44 06/03/2011]

C:\Users\dmorse\Application Data\Mozilla\Firefox\Profiles\opu5rr9f.default\extensions\
foxmarks@kei.com [00:42 25/03/2011]
{6e84150a-d526-41f1-a480-a67d3fed910d} [19:41 27/12/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [01:08 27/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"smartswipe@netsecuretechnologies.com"="C:\Program Files\NetSecure\SmartSwipe\Firefox" [19:33 27/01/2011]
"{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}"="C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}" [02:45 05/04/2011]

---------- Old Logs ----------
GooredFix[14.47.05_04-04-2011].txt
GooredFix[18.32.41_06-04-2011].txt
GooredFix[18.33.09_06-04-2011].txt

-=E.O.F=-


EDIT: I forgot to mention that Windows Security Center won't run either.

Attached Files


Edited by Grimor2000, 06 April 2011 - 02:57 PM.


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 03:36 PM

Hi,

could you check in services.msc that the security center service still exists and is running?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 04:08 PM

the service is disabled, it can be set to manual/automatic and started but soon changes to disabled again.

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:52 AM

Posted 06 April 2011 - 04:35 PM

Hi,

could you please also post the first ComboFix log that you got?

Please rename this file: c:\windows\system32\C_285921.dll to C_285921.dll.bak. Then reboot and see if that fixes the issues with the redirects.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 Grimor2000

Grimor2000
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 06 April 2011 - 04:55 PM

I couldn't find the original ComboFix log, renaming the dll fixed the redirect issue.

Windows security center was able to be enabled and started and windows defender runs again.
goingonearth.com can now be googled without being redirected.

I also submitted the dll file to mcafee and symantec just for the heck of it

And I liked BleepingComputer on facebook :-)

Edited by Grimor2000, 06 April 2011 - 05:10 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users