Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with virus; Google search results keep redirecting and google toolbar results show up in German


  • This topic is locked This topic is locked
12 replies to this topic

#1 lawguy112

lawguy112

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 PM

Posted 25 May 2011 - 01:13 PM

I recently started a new job and the computer I was assigned to has a nasty redirect virus. Every other Google search result I click redirects me to a random website regardless of which internet browser I use. MalwareBytes and Search and Destroy have not worked. Also, when I search for something in Google toolbar, it searches through google.de so that the results are all in German. Thanks for any help/advice you can offer.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6000.16643
Run by paralegal1 at 12:09:20 on 2011-05-25
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.972 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell Network Assistant\hnm_svc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\paralegal1\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Blubster] c:\program files\blubster\Blubster.exe SILENT
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: {38E807BC-443F-43C3-B72D-0C92ADB5D363} = 192.168.1.10,8.8.8.8
Notify: igfxcui - igfxdev.dll
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paralegal1\appdata\roaming\mozilla\firefox\profiles\9t291ruf.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-21 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-21 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20110518.001\BHDrvx86.sys [2011-5-18 802936]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-21 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20110518.001\IDSvix86.sys [2011-5-18 353912]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-21 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys [2010-9-21 339504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-21 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-18 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
.
=============== Created Last 30 ================
.
2011-05-20 20:13:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-18 20:48:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-05-18 20:48:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-10 15:07:52 -------- d-----w- c:\users\paralegal1\appdata\roaming\Malwarebytes
2011-05-10 15:07:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-10 15:07:45 -------- d-----w- c:\programdata\Malwarebytes
2011-05-10 15:07:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 15:07:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 15:23:04 -------- d-----w- c:\users\paralegal1\appdata\local\Seven Zip
.
==================== Find3M ====================
.
2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 12:10:14.22 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 25 May 2011 - 01:45 PM

Hello lawguy112 ! Welcome to BleepingComputer Forums! :welcome:

My name is Chris and and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only! If you are not the original poster of this thread DO NOT run the fixes provided here.
  • Please do not run any tools until requested by myself or another member of Staff! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • If you stay with me, follow my instructions and ask questions when confused you'll be back up and running in no time :)

Now let's get down to business:

First, do we have your IT department's permission to be working with you and this machine? I don't want to step on any toes here.

Also, I'm currently a trainee in the Malware Removal Training program and therefore my answers have to be checked by a Teacher before they get posted to you. There may be a delay due to this. I apologize in advance if this happens. Hold tight while I get the first set of instructions out to you.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#3 lawguy112

lawguy112
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 PM

Posted 25 May 2011 - 01:54 PM

Re: Permission: My boss knows about this problem and encouraged me to find a fix on my own time since we don't have an IT Dept here.

I appreciate any help I can get on this so I'm not worried about a delay, thanks.

#4 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 28 May 2011 - 01:26 PM

Hi LawGuy,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.
========

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#5 lawguy112

lawguy112
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 PM

Posted 31 May 2011 - 09:06 AM

Deleted viewpoint as recommended. Combofix appears to have worked


ComboFix 11-05-30.08 - paralegal1 05/31/2011 9:45.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2046.1130 [GMT -4:00]
Running from: c:\users\paralegal1\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\SearchToolbar.dll
c:\programdata\84fe5d
c:\programdata\84fe5d\7247.mof
c:\programdata\84fe5d\BackUp\Dell Network Assistant.lnk
c:\programdata\84fe5d\BackUp\PMB Media Check Tool.lnk
c:\programdata\84fe5d\MSS.ico
c:\programdata\84fe5d\MSSSys\vd952342.bd
c:\users\administrator\Desktop\EZ-Tracks.com.lnk
c:\users\anneiry\Desktop\EZ-Tracks.com.lnk
c:\users\Rozarioassociates\Desktop\EZ-Tracks.com.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-31 )))))))))))))))))))))))))))))))
.
.
2011-05-31 13:51 . 2011-05-31 13:51 -------- d-----w- c:\users\Rozarioassociates\AppData\Local\temp
2011-05-31 13:51 . 2011-05-31 13:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-31 13:42 . 2011-05-31 13:42 -------- d-----w- C:\32788R22FWJFW
2011-05-25 15:31 . 2011-05-25 15:31 -------- d-----w- c:\users\paralegal1\AppData\Local\Mozilla
2011-05-20 20:13 . 2011-05-25 19:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-18 20:48 . 2011-05-25 15:51 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-05-18 20:48 . 2011-05-18 20:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-10 15:07 . 2011-05-10 15:07 -------- d-----w- c:\users\paralegal1\AppData\Roaming\Malwarebytes
2011-05-10 15:07 . 2011-05-10 15:07 -------- d-----w- c:\programdata\Malwarebytes
2011-05-10 15:07 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-10 15:07 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-10 15:07 . 2011-05-10 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 15:42 . 2011-05-05 15:42 -------- d-----w- c:\users\paralegal1\AppData\Roaming\Sony Corporation
2011-05-05 15:23 . 2011-05-05 15:23 -------- d-----w- c:\users\paralegal1\AppData\Local\Seven Zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 09:07 . 2011-01-04 21:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 16:26 . 2011-05-25 15:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 4452352]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-25 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-25 129560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-4-29 7168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^anneiry^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\anneiry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\SYMDS.SYS [2010-02-04 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\BASHDefs\20110518.001\BHDrvx86.sys [2011-04-15 802936]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.6.0.32\Definitions\IPSDefs\20110527.001\IDSvix86.sys [2011-03-14 353912]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1108000.005\SYMTDIV.SYS [2010-05-06 339504]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe [2010-02-26 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-05-10 105592]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uxddikow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: Interfaces\{38E807BC-443F-43C3-B72D-0C92ADB5D363}: NameServer = 192.168.1.10,8.8.8.8
FF - ProfilePath - c:\users\paralegal1\AppData\Roaming\Mozilla\Firefox\Profiles\9t291ruf.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Blubster - c:\program files\Blubster\Blubster.exe
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-31 09:51
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"
.
Completion time: 2011-05-31 09:55:48
ComboFix-quarantined-files.txt 2011-05-31 13:55
.
Pre-Run: 105,462,476,800 bytes free
Post-Run: 106,092,568,576 bytes free
.
- - End Of File - - F70E20CE3CF90EF60C8D3ADD7DB38B87

#6 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 31 May 2011 - 05:59 PM

Hi,

How is the machine running now? Still experiencing issues?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#7 lawguy112

lawguy112
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 PM

Posted 31 May 2011 - 09:36 PM

It's all working fine now. No more redirects from google search results or popups, and the toolbar searches are showing up in English. Thanks for all your help!

#8 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 01 June 2011 - 01:06 PM

Hi,

Great. Now we just need to do some updates.

There's an outdated version of Java on your machine but, you have the latest revision.

Please uninstall this via Add/Remove Programs"

Java™ SE Runtime Environment 6
======

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X. and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!
=======

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#9 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 07 June 2011 - 03:03 PM

Hi,

Still with me?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#10 lawguy112

lawguy112
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:33 PM

Posted 07 June 2011 - 04:50 PM

Sorry about the delay. Here's the ESETScan

C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\84fe5d\7247.mof.vir Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\Users\anneiry\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\15397e0d-64f5f356 Java/TrojanDownloader.OpenStream.NBZ trojan deleted - quarantined

#11 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 08 June 2011 - 08:10 PM

Hi,

How are things running? Please post a new DDS log in your reply to confirm all is good.
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#12 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:33 PM

Posted 15 June 2011 - 10:16 AM

Still with us?
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:33 PM

Posted 22 June 2011 - 03:28 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users