

the source of Google Search redirect problems? cpcadnet ???


  • This topic is locked
10 replies to this topic

#1 pnut

pnut

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 06 July 2011 - 07:06 PM

Hi. I'm in the process of going through all the steps to figure out why my Google search links are often being redirected, and think I may have stumbled upon a cause. Rkill and Malwarebytes are not picking it up at all (in normal or safe modes). So now I'm just looking for anything suspicious. In going through my Firefox history, out pops "Redirect" (around the middle of screen shot below). Wow, can it really be named so ridiculously too obvious???
:busy:

[Screenshot: Firefox history showing the "Redirect" entry]

Looking at the location for it, I'm almost done typing "cpcadnet.com" into a Google search, when I suddenly get a full blue screen of death with some huge warning on it that I was being shut down! Within seconds, my computer crashed and was restarting on its own. As it was rebooting, I went directly into Safe Mode with Networking, and first get this recovery notice (can someone please translate to tell me WTH happened?):

[Screenshot: Windows recovery notice after the crash]

Next, I get back to searching for info on "cpcadnet" (still in Safe Mode), but find virtually nothing being said about it related to a virus, malware, etc.

So I challenge myself to stare down the monster directly, expecting another all-out attack of some kind, and go to www.cpcadnet.com ...

and get this:


[Screenshot: the www.cpcadnet.com page]

Yep, just "HELLO!"

Interestingly, I noticed that when I searched here on bleepingcomputer.com forums for "cpcadnet", almost every one of the 26 results found are related to the Google Redirect problem. In looking through those, nobody discusses cpcadnet directly (well, one person inquired – but the tech involved didn't respond on it). But my Google highlighter picks it up buried within every one of their Adware Tracking Cookie lists!

Lastly, I try the other cpcadnet link in my Firefox history (as follows):
http://www.cpcadnet.com/track/?b=44t2q2t25454r2&xargs=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&pos=0

and instantly get redirected to an ad page every time. AH-HA!!! :dance:


I have no idea how to fix it, but it sure seems to be the most likely culprit.


Also consider this - in using Google search today, I was redirected to the bogus "Windows 7 Repair" virus page. Recognized it immediately, because I was attacked by this thing about a week ago (not aware of the redirect problem yet, I happened to be searching for Windows 7 info at the time, and thought it was a legit MS page). So if the cpcadnet redirect was intended to "harmlessly" point us to mere advertising, why would this page be included?! I'm willing to bet they are all working in conjunction, to advertise crap and infect our machines to oblivion until we are tortured into paying their hostage fees! Come to think of it - that's exactly what they're doing! It's all about THE MONEY!!
MAY THESE NASTY EVIL CROOKS ROT IN HELL!!!
:angry:

Meanwhile, still need a fix for it... help please?



(Please note this was originally posted in the "Am I infected?" forum, where some basic efforts were made to provide assistance, but unfortunately nothing was accomplished. I have re-posted here as advised by Grinler, in hopes of finding the most qualified assistance for this particular issue.)
The link to the original post is: http://www.bleepingcomputer.com/forums/topic406125.html/page__p__2308598__fromsearch__1



Please also note that I am currently unable to run a Windows 7 backup, as I tried twice today and both times received a blue screen automatic shutdown (likely due to some other nifty feature of this malware infection - ugh). This thing is killing me!

:axe:

Please help!



Logs -

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Paul at 17:46:16 on 2011-07-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1919.1103 [GMT -4:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Secunia\PSI-Secunia Personal Software Inspector\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Secunia\PSI-Secunia Personal Software Inspector\psi_tray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Secunia\PSI-Secunia Personal Software Inspector\sua.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://admin.cornerstone-appraisals.com/Appraiser/login.aspx
uSearch Bar = Preserve
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi-secunia personal software inspector\psi_tray.exe
uPolicies-explorer: DisableThumbnailsOnNetworkFolders = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: cornerstone-appraisals.com\admin
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F42AF411-BA35-4FC7-8D66-06527B6774AB} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\paul\appdata\roaming\mozilla\firefox\profiles\k70paqk9.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/calendar/render?gsessionid=OK
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
.
============= SERVICES / DRIVERS ===============
.
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 126024]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-4-28 143432]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112712]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi-secunia personal software inspector\psia.exe [2011-4-19 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi-secunia personal software inspector\sua.exe [2011-4-19 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2011-5-27 38608]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-26 52224]
S4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-5-26 136176]
S4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-6-6 2214504]
.
=============== Created Last 30 ================
.
2011-06-24 13:43:35 -------- d-----w- C:\TDSSKiller_Quarantine
2011-06-24 04:32:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-23 21:21:23 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{4cfb1d33-6e2c-4e40-8709-05922728eb4a}\mpengine.dll
2011-06-23 13:55:55 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-23 13:55:54 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-23 13:55:54 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-23 13:24:28 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-06-23 13:06:36 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-06-23 12:40:11 -------- d-----w- c:\users\paul\appdata\local\WindowsUpdate
2011-06-23 11:55:58 -------- d-----w- c:\users\paul\appdata\local\Secunia PSI
2011-06-23 11:55:42 -------- d-----w- c:\program files\Secunia
2011-06-22 15:54:43 167704 ----a-w- c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
2011-06-22 02:49:28 0 ----a-w- c:\users\paul\appdata\local\Dmehuwar.bin
2011-06-22 02:49:26 -------- d-----w- c:\users\paul\appdata\local\{60FF5BE0-307C-4C1E-AE2C-D563DE8CA016}
2011-06-22 02:34:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-22 02:34:49 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-22 02:34:48 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-22 02:34:06 272384 ----a-w- c:\windows\system32\CNMLM9W.DLL
2011-06-22 02:33:10 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-22 02:33:10 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-22 02:33:08 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-22 02:33:08 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-22 02:33:08 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-22 02:33:07 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-22 02:33:06 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-22 02:32:48 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-22 02:32:48 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-22 02:32:48 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-17 14:34:45 -------- d-----w- c:\programdata\CanonIJScan
2011-06-17 14:30:55 -------- d-----w- c:\users\paul\appdata\roaming\Tracker Software
2011-06-10 18:40:27 76168 ----a-w- c:\windows\system32\atsckernel.exe
2011-06-10 18:40:26 20360 ----a-w- c:\windows\system32\atashost.exe
2011-06-10 18:40:02 -------- d-----w- c:\programdata\WebEx
2011-06-07 03:35:09 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-06-07 03:34:29 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-06-07 03:34:29 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-06-07 03:34:29 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-06-07 03:34:29 5301352 ----a-w- c:\windows\system32\nvcuda.dll
2011-06-07 03:34:29 2804328 ----a-w- c:\windows\system32\nvcuvid.dll
2011-06-07 03:34:29 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-06-07 03:34:29 16456296 ----a-w- c:\windows\system32\nvoglv32.dll
2011-06-07 03:34:29 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-06-07 03:34:29 10589800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-06-07 03:33:39 -------- d-----w- C:\NVIDIA
2011-06-07 03:30:12 -------- d-----w- c:\program files\SystemRequirementsLab
.
==================== Find3M ====================
.
2011-06-23 13:06:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-26 20:13:10 431672 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-05-26 19:55:31 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-25 06:09:07 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-05-25 06:09:07 615528 ----a-w- c:\windows\system32\nvvsvc.exe
2011-05-25 06:09:07 2557544 ----a-w- c:\windows\system32\nvsvc.dll
2011-05-25 06:09:07 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-05-25 06:09:06 3693672 ----a-w- c:\windows\system32\nvcpl.dll
2011-05-25 06:09:05 11992680 ----a-w- c:\windows\system32\nvd3dum.dll
2011-05-25 06:09:04 2335848 ----a-w- c:\windows\system32\nvapi.dll
2011-05-25 06:09:04 12392 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-28 21:47:02 365888 ----a-w- c:\windows\system32\PSUNCpl.cpl
2011-04-28 11:57:47 112712 ----a-w- c:\windows\system32\drivers\PSINProt.sys
2011-04-28 11:57:21 111176 ----a-w- c:\windows\system32\drivers\PSINProc.sys
2011-04-28 11:57:20 99400 ----a-w- c:\windows\system32\drivers\PSINFile.sys
2011-04-28 11:57:20 143432 ----a-w- c:\windows\system32\drivers\PSINAflt.sys
2011-04-28 11:57:20 126024 ----a-w- c:\windows\system32\drivers\PSINKNC.sys
2011-04-22 19:14:16 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-13 19:02:36 40984 ----a-w- c:\windows\system32\drivers\point32.sys
2011-04-13 19:02:36 21784 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2011-04-09 06:02:25 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-04-09 03:02:04 390656 ----a-w- c:\windows\system32\ipcoin815.dll
2011-04-09 03:01:54 40448 ----a-w- c:\windows\system32\drivers\dc3d.sys
.
============= FINISH: 17:46:52.83 ===============


Attached File  Attach.txt 7-6-11.txt   8.19KB   1 downloads

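A helper reading a DDS log like the one above does a first triage pass by eye: browser objects registered with no backing DLL, odd files created under the user profile, proxy and DNS settings that would explain redirected traffic. The script below is an added example, not code from the thread or from the DDS tool, that automates that first pass over DDS-style lines. The sample input is a handful of lines copied from the log posted above so the parser has realistic input; the rules themselves (what counts as worth a closer look) are this example's own assumptions, and a hit means "review this", not a verdict on the machine.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: lines copied from the DDS log in the first post.
# Raw string so the Windows backslashes survive as written.
SAMPLE_LOG = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
FF - prefs.js: network.proxy.type - 0
TCP: DhcpNameServer = 192.168.1.254
2011-06-22 02:49:28 0 ----a-w- c:\users\paul\appdata\local\Dmehuwar.bin
2011-06-22 02:49:26 -------- d-----w- c:\users\paul\appdata\local\{60FF5BE0-307C-4C1E-AE2C-D563DE8CA016}
2011-06-22 02:33:10 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-10 18:40:27 76168 ----a-w- c:\windows\system32\atsckernel.exe
"""

# "Created Last 30" / "Find3M" layout as it appears in the log:
# date, time, size (or dashes for a directory), 8-char attribute field, path.
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Browser helper objects / toolbars / explorer bars: "TYPE: [Name: ]{CLSID} - target"
BROWSER_OBJ_RE = re.compile(
    r"^(?P<type>BHO|TB|EB): .*?(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d+)$")
DNS_RE = re.compile(r"^TCP: .*DhcpNameServer = (\S+)$")
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}$")
USER_PROFILE_RE = re.compile(r"\\appdata\\(local|roaming)\\", re.IGNORECASE)

# (rule id, offending line, note for the analyst)
Finding = Tuple[str, str, str]


def triage(log_text: str) -> List[Finding]:
    """Return review items for a DDS-style log. Assumed heuristics, not DDS rules."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BROWSER_OBJ_RE.match(line)
        if m:
            # A CLSID still registered in the browser but with no DLL on disk.
            if m.group("target").lower() == "no file":
                findings.append(("orphan-browser-object", line,
                                 f"{m.group('type')} {m.group('clsid')} has no backing file; cleanup candidate"))
            continue

        m = CREATED_RE.match(line)
        if m:
            path, size = m.group("path"), m.group("size")
            is_dir = m.group("attrs").startswith("d")
            if USER_PROFILE_RE.search(path):
                if not is_dir and size == "0":
                    findings.append(("empty-file-in-profile", line,
                                     "zero-byte file created under the user profile; check what wrote it"))
                elif is_dir and GUID_DIR_RE.search(path):
                    findings.append(("guid-dir-in-profile", line,
                                     "GUID-named directory created under the user profile; check its contents"))
            continue

        m = PROXY_RE.match(line)
        if m:
            # 0 means direct connection; anything else routes Firefox through a proxy.
            if m.group(1) != "0":
                findings.append(("firefox-proxy-set", line,
                                 "Firefox is not using direct connections; verify the proxy setting"))
            continue

        m = DNS_RE.match(line)
        if m:
            # A resolver outside the local network is one way search results get rewritten.
            if not ipaddress.ip_address(m.group(1)).is_private:
                findings.append(("public-dns-server", line,
                                 "DNS server is not on the local network; confirm it is the intended resolver"))
    return findings


if __name__ == "__main__":
    for rule, line, note in triage(SAMPLE_LOG):
        print(f"[{rule}] {note}\n    {line}")
```

On the sample above the two "No File" entries and the two profile entries are reported, while the proxy setting (direct) and the DHCP name server (a private address) pass; those two checks exist to catch the opposite case in other logs.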


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:39 PM

Posted 23 July 2011 - 08:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

DR

#3 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:39 PM

Posted 02 August 2011 - 11:46 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#4 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:39 PM

Posted 03 August 2011 - 02:49 AM

This topic has been re-opened at the request of the person who originally posted.

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#5 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:05:39 PM

Posted 03 August 2011 - 08:37 AM

Hi pnut,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box. Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right click and choose Run as Administrator for any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were having, we would appreciate you letting us know.

I need to see the current state of your machine. Please follow the directions in Post #2.


In your next reply please post DDS.txt in the body of the reply box and attach the Attach.txt log. There is no need to zip the attach log. :)



Thanks
PW

#6 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:05:39 PM

Posted 06 August 2011 - 08:27 AM

Hi pnut,

Do you still need help?
PW

#7 pnut

pnut
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 06 August 2011 - 08:42 AM

Yes. Sorry, just been buried alive in work lately and do not have time to run all the steps involved right now. It is the exact same problem as posted before under "Am I Infected", and nothing has changed. I know you guys prefer fresh info, but can I trouble you to please look through that post and give me your initial thoughts?

#8 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:05:39 PM

Posted 06 August 2011 - 10:06 AM

Hi pnut,


Info about cpcadnet
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rlz=1T4GUEA_enUS429US429&q=cpcadnet




Information about cpcadnet.com


Registrant:
CpcAdv Srl

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: CPCADNET.COM

Domain servers in listed order:
NS57.DOMAINCONTROL.COM
NS58.DOMAINCONTROL.COM


For complete domain details go to:
http://who.godaddy.com/whoischeck.aspx?Domain=CPCADNET.COM



From Site Advisor

http://www.siteadvisor.com/sites/cpcadnet.com

cpcadnet.com
We tested this site and didn't find any significant problems.


Please post the previously requested logs and also the following: :)


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until we are through.


Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".


Thanks!!

Edited by pwgib, 06 August 2011 - 10:38 AM.

PW

#9 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:05:39 PM

Posted 09 August 2011 - 05:44 PM

Hi pnut,



Do you still need help?
PW

#10 pnut

pnut
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 09 August 2011 - 07:09 PM

Yes, still need help, but still buried alive in work. I promise to run the logs you need when free. Please let it ride open for now. The google search redirects are still happening daily.

#11 pwgib

pwgib

  • Malware Response Team
  • 2,957 posts
  • ONLINE
  • Gender:Male
  • Location:God's Country
  • Local time:05:39 PM

Posted 20 August 2011 - 07:22 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
PW
