Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

google links redirecting

Unread postby munkie » January 18th, 2010, 11:06 pm

Hi, this has been happening since I upgraded to Windows 7, although it could simply be that I started noticing then.

Basically, very sporadically, when I do a search on google, one of the results will redirect to a google ad. If I redo the search, then the link is returned to normal. So far I have only seen this in firefox but I cannot be 100% sure because it really only happens from time to time.

I scanned once with malwarebytes when I first realized it - that found 3 problems and removed them. Since then I have rescanned and found nothing but the problem still persists.

Other problems I've been having is that the memory use is always greater than 60% even when I'm not running any programs aside from the startup ones (1GB RAM may be the problem). Also, my NVIDIA graphics is not doing so well. This is probably unrelated to the problem but just putting it out there.

Here is my hijackthis log and uninstall list; before the scan I got an error message about being denied write access to the Hosts file?

If someone can help me that would be great; otherwise I'll just resort to reformatting my hard drive.

Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:18 AM, on 1/18/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\sttray.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} (BravaClientXView 5.2 Class) - https://drawing.constructware.com/IGC/BravaClientX.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Mei006h Service (Mei006h) - Unknown owner - C:\Windows\System32\mei006h.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6985 bytes


Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
Apple Application Support
Apple Software Update
Audacity 1.2.6
AutoCAD Civil 3D 2009
Autodesk Student Community Download Tool
Cakewalk Pro Audio 9 Demo
CDisplay 1.8
Cisco AnyConnect VPN Client
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Dell System Customization Wizard
DellSupport
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DWG TrueView 2009
ffdshow [rev 610] [2006-12-01]
FoxyTunes for Firefox
Games, Music, & Photos Launcher
Google SketchUp 7
GoToAssist 8.0.0.514
HijackThis 2.0.2
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
MediaDirect
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0 Runtime
Modem Diagnostic Tool
Mozilla Firefox (3.5.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
PrimoPDF
Product Documentation Launcher
QualxServ Service Agreement
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
SigmaTel Audio
Skype 2.5
Skype Setup
Sonic Activation Module
Spybot - Search & Destroy
Symantec AntiVirus
Synaptics Pointing Device Driver
Undelete Plus 2.98
URL Assistant
User's Guides
VC80CRTRedist - 8.0.50727.762
Winamp
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm
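Reading a HijackThis log like the one above is something the helpers here do by eye, entry by entry. As an added example (not code from this thread, from MalwareRemoval.com or from HijackThis itself), the script below does that first pass automatically over the O1/O2/O4/O16/O20/O23 line formats shown on this page. The heuristics, the flag wording and the sample lines are my own selection; a flag means "check this entry", not "this is malware".

```python
"""Triage helper for HijackThis 2.0.x log lines (added example, not HijackThis code).

It parses the O1/O2/O4/O16/O20/O23 lines in the format shown in the thread and
flags what a helper scans for first: orphaned entries whose file is gone,
unnamed BHOs, services with no vendor information, Run entries that name a
bare executable (resolved through the search path), entries running outside
Windows or Program Files, and ActiveX (O16) downloads over plain HTTP.
A flag is a prompt to look, not a verdict.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Mei006h Service (Mei006h) - Unknown owner - C:\Windows\System32\mei006h.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^([FOR]\d+) - (.*)$")
# First Windows path ending in an executable/library extension; quotes excluded.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|scr|pif|com|ocx))\b', re.I)
# Directories an installed product is expected to live in (8.3 short forms included).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\progra~2\\")
# The two loopback mappings Windows ships with; anything else in O1 is an override.
HOSTS_OK = {"127.0.0.1 localhost", "::1 localhost"}


@dataclass
class Entry:
    section: str            # e.g. "O23"
    raw: str                # the original log line
    path: Optional[str]     # first Windows path found on the line, if any
    flags: List[str] = field(default_factory=list)


def _check(entry: Entry, body: str) -> None:
    """Attach heuristic flags (assumed rules, not HijackThis's own) to one entry."""
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.flags.append("orphaned entry: referenced file is missing")
    if entry.section == "O1" and body.split(":", 1)[1].strip() not in HOSTS_OK:
        entry.flags.append("hosts file override")
    if entry.section == "O2" and "(no name)" in low:
        entry.flags.append("unnamed BHO")
    if entry.section == "O23" and "unknown owner" in low:
        entry.flags.append("service with no vendor information")
    if entry.section == "O16" and "http://" in low:
        entry.flags.append("ActiveX download over plain HTTP")
    if entry.section == "O4":
        # Text after "[Name]" is the command line; a bare name has no directory.
        target = body.split("]", 1)[1].strip() if "]" in body else ""
        if target and entry.path is None and "\\" not in target and "%" not in target:
            entry.flags.append("bare filename: resolved through the search path")
    if entry.path and not entry.path.lower().startswith(TRUSTED_DIRS):
        entry.flags.append("runs from a non-standard directory")


def triage(text: str) -> List[Entry]:
    """Parse every recognised log line into an Entry and attach its flags."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, running-process paths and blank lines are skipped
        section, body = m.groups()
        pm = PATH_RE.search(body)
        entry = Entry(section, line.strip(), pm.group(1) if pm else None)
        _check(entry, body)
        entries.append(entry)
    return entries


def flagged(text: str) -> List[Entry]:
    """Only the entries worth a second look."""
    return [e for e in triage(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.raw)
        for f in e.flags:
            print("    ->", f)
```

On the sample above it leaves the Spybot BHO, the Symantec service and the standard `::1 localhost` line alone and surfaces the orphaned BHO and Winlogon entry, the bare `sttray.exe`, the plain-HTTP ActiveX download and the service with no vendor string, which is the same short list a helper would ask about first.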

Re: google links redirecting

Unread postby MWR 3 day Mod » January 22nd, 2010, 3:59 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: google links redirecting

Unread postby jmw3 » January 27th, 2010, 3:21 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

Here is my hijackthis log and uninstall list; before the scan I got an error message about being denied write access to the Hosts file?
With Vista & Windows 7 you need to right click on most applications & choose Run as Administrator. This could be the reason you received the error message.

Disable Spybot's TeaTimer 1.5 & 1.6
  • If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
  • Click on Mode > Advanced Mode. When it prompts you, click Yes
  • On the left hand side, click on Tools
  • Check this box if it is not yet ticked: Resident
  • You will notice that Resident is now added under Tools. Click on Resident
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
  • Exit Spybot Search & Destroy
  • Restart your computer for the changes to take effect
Leave TeaTimer disabled until we're done here.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Right click the .exe file then choose Run as Administrator to run the program. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: google links redirecting

Unread postby munkie » January 27th, 2010, 12:01 pm

Great, thanks so much for helping me.

When I ran dds using the file I got from the first link, it opens a txt that has a lot of symbols...no discernible words, and nothing else happens. When I click on the second link it goes to a page that has the same type of problem, and nothing to download.

Here are the results from Gmer:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-27 10:56:36
Windows 6.1.7600
Running: tkd5cgmv.exe; Driver: C:\Users\Miki\AppData\Local\Temp\uglcypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8562AA20 ZwAlertResumeThread
SSDT 8562AB00 ZwAlertThread
SSDT 85619390 ZwAllocateVirtualMemory
SSDT 8560D268 ZwConnectPort
SSDT 8562A780 ZwCreateMutant
SSDT 85636300 ZwCreateThread
SSDT 8560F050 ZwFreeVirtualMemory
SSDT 8562A860 ZwImpersonateAnonymousToken
SSDT 8562A940 ZwImpersonateThread
SSDT 856364C0 ZwMapViewOfSection
SSDT 8562A6A0 ZwOpenEvent
SSDT 85609180 ZwOpenProcessToken
SSDT 8562AF08 ZwOpenThreadToken
SSDT 85619208 ZwResumeThread
SSDT 8562AE48 ZwSetContextThread
SSDT 85619240 ZwSetInformationProcess
SSDT 8562AD88 ZwSetInformationThread
SSDT 8562A5C0 ZwSuspendProcess
SSDT 8562AC08 ZwSuspendThread
SSDT 85619C10 ZwTerminateProcess
SSDT 8562ACC8 ZwTerminateThread
SSDT 85633428 ZwUnmapViewOfSection
SSDT 856192C0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E363F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1E634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E361DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E366F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E371A8

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm

Re: google links redirecting

Unread postby munkie » January 27th, 2010, 12:04 pm

Actually when I looked more carefully, the dds txt has a line on top that says

"This program cannot be run in DOS mode"
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm

Re: google links redirecting

Unread postby jmw3 » January 27th, 2010, 12:23 pm

Hi

If the file extension for DDS is .scr, rename it to DDS.com or DDS.pif
Then try running it again.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: google links redirecting

Unread postby munkie » January 27th, 2010, 4:24 pm

Ok, here are the results from the DDS scan:

DDS (Ver_09-12-01.01) - NTFSx86
Run by murisaka at 15:15:18.27 on 01/27/2010 Wed
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_17
Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1022.291 [GMT -5:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\mei006h.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\System32\STacSV.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Miki\Desktop\dds.pif
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: USERINIT=c:\windows\system32\userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
StartupFolder: c:\users\miki\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-l ... cfscan.cab
DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} - hxxps://drawing.constructware.com/IGC/BravaClientX.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\miki\appdata\roaming\mozilla\firefox\profiles\suhyldt7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\miki\appdata\roaming\mozilla\firefox\profiles\suhyldt7.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, );user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-8 102448]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-01-23 20:59:18 0 d-----w- c:\programdata\Office Genuine Advantage
2010-01-22 17:36:32 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-19 05:47:21 0 d-----w- c:\programdata\Logishrd
2010-01-18 05:21:42 0 d-----w- c:\program files\Trend Micro
2010-01-15 15:44:26 0 d-----w- c:\programdata\Apple Computer
2010-01-15 15:42:30 0 d-----w- c:\programdata\Apple
2010-01-13 02:17:48 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-13 02:15:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-12 20:17:58 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-01-12 20:17:58 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 20:17:57 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 17:15:42 0 d-----w- c:\users\miki\appdata\roaming\Malwarebytes
2010-01-12 17:15:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 17:15:24 0 d-----w- c:\programdata\Malwarebytes
2010-01-12 17:15:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 17:15:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 17:01:36 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-01-12 17:01:28 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-01-12 17:01:28 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-01-12 17:01:27 507568 ----a-w- c:\windows\system32\winload.exe
2010-01-12 17:01:27 2613248 ----a-w- c:\windows\explorer.exe
2010-01-12 17:01:26 442920 ----a-w- c:\windows\system32\winresume.exe
2010-01-12 17:01:20 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-12 06:01:51 19456 --sha-w- c:\users\miki\Thumbs.db
2010-01-11 15:33:21 20 --sh--w- c:\users\miki\ntuser.ini
2010-01-11 15:32:58 0 d-sh--w- C:\Recovery
2010-01-11 12:14:47 0 d-----w- c:\windows\Panther
2010-01-11 11:56:15 0 dc-h--w- C:\$WINDOWS.~Q
2010-01-11 11:49:38 0 dc-h--w- C:\$INPLACE.~TR
2010-01-11 10:33:12 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2010-01-11 10:30:01 0 d-----w- c:\windows\system32\wbem\Performance
2010-01-11 10:05:28 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-11 09:20:21 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-11 09:19:54 0 d-----w- c:\program files\CONEXANT
2010-01-11 09:19:51 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-01-11 09:19:51 9504 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-01-11 09:19:43 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-01-11 09:19:37 0 d-----w- c:\program files\Synaptics
2010-01-11 06:03:51 1890 ----a-w- c:\windows\diagwrn.xml
2010-01-11 06:03:51 1890 ----a-w- c:\windows\diagerr.xml
2010-01-06 22:11:00 145920 ----a-w- c:\users\miki\Dec 09 Ski Camp G3.doc
2010-01-06 22:10:47 371200 ----a-w- c:\users\miki\SKI報告書 miki - ruri.xls
2009-12-29 03:40:23 23040 ----a-w- c:\users\miki\Ski Camp 12-09 G3.doc

==================== Find3M ====================

2010-01-15 21:21:28 60562 ----a-w- c:\users\miki\appdata\roaming\nvModes.dat
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:18:32.03 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume3
Install Date: 1/11/2010 10:33:03 AM
System Uptime: 1/27/2010 2:27:20 PM (1 hours ago)

Motherboard: Dell Inc. | | 0FP985
Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | Microprocessor | 2000/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 62 GiB total, 20.574 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.25 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

AAC Decoder
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
Apple Application Support
Apple Software Update
Audacity 1.2.6
AutoCAD Civil 3D 2009
Autodesk Student Community Download Tool
AutoUpdate
Cakewalk Pro Audio 9 Demo
CDisplay 1.8
Cisco AnyConnect VPN Client
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Dell System Customization Wizard
DellSupport
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DWG TrueView 2009
ffdshow [rev 610] [2006-12-01]
Foxit Reader
FoxyTunes for Firefox
Games, Music, & Photos Launcher
Google SketchUp 7
GoToAssist 8.0.0.514
H.264 Decoder
HijackThis 2.0.2
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)
Logitech QuickCam
Malwarebytes' Anti-Malware
MediaDirect
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft WSE 3.0 Runtime
MKV Splitter
Modem Diagnostic Tool
Mozilla Firefox (3.5.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OutlookAddinSetup
PrimoPDF
Product Documentation Launcher
QualxServ Service Agreement
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Security Update for CAPICOM (KB931906)
SigmaTel Audio
Skype 2.5
Skype Setup
Sonic Activation Module
Spybot - Search & Destroy
Symantec AntiVirus
Synaptics Pointing Device Driver
Undelete Plus 2.98
URL Assistant
User's Guides
VBA (2627.01)
VC80CRTRedist - 8.0.50727.762
Winamp
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR

==== End Of File ===========================
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm

Re: google links redirecting

Unread postby jmw3 » January 27th, 2010, 11:50 pm

Hi

View Hidden Files & Folders
To view Hidden Files & Folders do the following:
Click Start
Open Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirusTotal & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button
    C:\Windows\System32\mei006h.exe
  • Click Send File
  • If confronted with two options, choose Reanalyse file now
  • Wait for scans to finish then copy & paste the results into your next reply.
Remove Programs
Click Start > Control Panel > Programs and Features
Remove these programs by clicking Remove

URL Assistant

If some programs listed are not present, please do not panic.
You should also remove the following outdated Java version as it is open to exploitation:
Java(TM) SE Runtime Environment 6

GooredFix
Download GooredFix from one of the locations below & save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed
  • To run the tool, right-click & select Run As Administrator
  • When prompted to run the scan, click Yes
  • GooredFix will check for infections, then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt)
To post in next reply:
Results of VirusTotal scan
GooredFix log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: google links redirecting

Unread postby munkie » January 28th, 2010, 12:10 am

Okay, from virus total and gooredfix:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.01.28 -
AhnLab-V3 5.0.0.2 2010.01.27 -
AntiVir 7.9.1.154 2010.01.27 -
Antiy-AVL 2.0.3.7 2010.01.27 -
Authentium 5.2.0.5 2010.01.28 -
Avast 4.8.1351.0 2010.01.28 -
AVG 9.0.0.730 2010.01.27 -
BitDefender 7.2 2010.01.28 -
CAT-QuickHeal 10.00 2010.01.28 -
ClamAV 0.94.1 2010.01.27 -
Comodo 3734 2010.01.28 -
DrWeb 5.0.1.12222 2010.01.27 -
eSafe 7.0.17.0 2010.01.27 -
eTrust-Vet 35.2.7264 2010.01.27 -
F-Prot 4.5.1.85 2010.01.27 -
F-Secure 9.0.15370.0 2010.01.27 -
Fortinet 4.0.14.0 2010.01.27 -
GData 19 2010.01.28 -
Ikarus T3.1.1.80.0 2010.01.28 -
Jiangmin 13.0.900 2010.01.27 -
K7AntiVirus 7.10.957 2010.01.26 -
Kaspersky 7.0.0.125 2010.01.28 -
McAfee 5874 2010.01.27 -
McAfee+Artemis 5874 2010.01.27 Suspect-D!0CEE939B6669
McAfee-GW-Edition 6.8.5 2010.01.27 -
Microsoft 1.5406 2010.01.28 -
NOD32 4811 2010.01.27 -
Norman 6.04.03 2010.01.27 -
nProtect 2009.1.8.0 2010.01.27 -
Panda 10.0.2.2 2010.01.27 -
PCTools 7.0.3.5 2010.01.28 -
Prevx 3.0 2010.01.28 -
Rising 22.32.03.01 2010.01.28 -
Sophos 4.50.0 2010.01.28 -
Sunbelt 3.2.1858.2 2010.01.28 -
Symantec 20091.2.0.41 2010.01.28 -
TheHacker 6.5.0.9.167 2010.01.28 -
TrendMicro 9.120.0.1004 2010.01.28 -
VBA32 3.12.12.1 2010.01.27 -
ViRobot 2010.1.28.2159 2010.01.28 -
VirusBuster 5.0.21.0 2010.01.27 -
Additional information
File size: 61440 bytes
MD5...: 0cee939b66697980f834173218115991
SHA1..: 17dea785d8caabf27d38828a739741fa97b03596
SHA256: 94a5132864fd35d44d34c15e8d2a2fecf681a94f689606e3c7c7f94e8e863436
ssdeep: 1536:FELnKFY5TY7Mz06AQ5e73mXjem0Qekfgg2kxno52:FELKFY3A0xno5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41fb
timedatestamp.....: 0x45dd279b (Thu Feb 22 05:18:19 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb3a4 0xb400 6.65 5ac9aa2920fd2002d12563dfd62e966d
.rdata 0xd000 0x214c 0x2200 5.48 6baf53fbd533dfb3a9db7012e7bb0d6e
.data 0x10000 0x3920 0x1600 3.61 930acfd73a41d32d0bebd607d352f8f2

( 2 imports )
> KERNEL32.dll: SetConsoleCtrlHandler, GetWindowsDirectoryA, CreateDirectoryA, SetFileTime, SetFilePointer, Sleep, SetFileAttributesA, CreateFileA, FindClose, FindNextFileA, FindFirstFileA, GetModuleFileNameA, FormatMessageA, lstrlenA, LocalFree, SetEvent, CreateEventA, CreateNamedPipeA, ResetEvent, GetLastError, WaitForMultipleObjects, ConnectNamedPipe, ReadFile, WriteFile, DisconnectNamedPipe, FlushFileBuffers, CloseHandle, HeapFree, HeapAlloc, GetProcAddress, GetModuleHandleA, ExitProcess, GetCommandLineA, GetVersionExA, GetProcessHeap, HeapDestroy, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStdHandle, LoadLibraryA, InitializeCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, HeapSize, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
> ADVAPI32.dll: RegisterServiceCtrlHandlerA, OpenServiceA, ControlService, QueryServiceStatus, DeleteService, OpenSCManagerA, CreateServiceA, CloseServiceHandle, SetServiceStatus, RegisterEventSourceA, ReportEventA, DeregisterEventSource, InitializeSecurityDescriptor, ConvertStringSecurityDescriptorToSecurityDescriptorA, StartServiceCtrlDispatcherA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)



GooredFix by jpshortstuff (08.01.10.1)
Log created at 23:08 on 27/01/2010 (murisaka)
Firefox version 3.5.7 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
inspector@mozilla.org [05:46 16/03/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:46 16/03/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [04:18 01/12/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [02:14 04/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [11:42 25/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [15:05 02/09/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [20:13 20/10/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [04:14 23/11/2009]

C:\Users\Miki\Application Data\Mozilla\Firefox\Profiles\suhyldt7.default\extensions\
unplug@compunach [05:06 20/11/2009]
{0545b830-f0aa-4d7e-8820-50a4629a56fe} [17:44 16/12/2009]
{463F6CA5-EE3C-4be1-B7E6-7FEE11953374} [13:45 21/01/2010]
{57407AE0-868F-11DC-AD21-49A755D89593} [01:03 02/09/2008]
{AE93811A-5C9A-4d34-8462-F7B864FC4696} [17:25 25/01/2010]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [19:58 17/01/2010]
{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}(19) [01:07 03/06/2008]
{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} [05:02 21/09/2008]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [16:50 12/01/2010]
{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [03:23 06/05/2009]
{dd30bf68-268a-4815-ad48-8740b774c764} [13:13 26/08/2009]
{fa038e8f-d1d1-11db-9705-005056c00008} [16:53 03/01/2010]
{ff356687-aa08-463d-a46c-11c451824939} [13:13 26/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:23 23/08/2009]

-=E.O.F=-
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm
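The two machine formats in this thread, the service/driver lines printed by DDS and ComboFix and the VirusTotal engine table, can be parsed so the suspect entry is cross-checked rather than read by eye. The following Python is an added example, not a tool from this thread or from DDS, ComboFix or VirusTotal; the sample lines are copied from the logs above, and the size cross-check against the "File size" VirusTotal reported is my own addition.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Service/driver lines as printed by DDS ("R3 name;desc;path [2009-9-8 102448]")
# and by ComboFix ("S2 name;desc;path [4/7/2008 12:11 AM 61440]").  In both
# formats the last token inside the brackets is the file size in bytes.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]+)\]\s*$"
)
# VirusTotal result rows: "<engine> <version> <YYYY.MM.DD> <result>"; "-" means clean.
VT_DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

# Sample lines copied from this thread (DDS "SERVICES / DRIVERS" and the ComboFix service list).
SAMPLE_LOG = r"""
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-8 102448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]
S2 Mei006h;Mei006h Service;c:\windows\System32\mei006h.exe [4/7/2008 12:11 AM 61440]
"""

# A subset of the VirusTotal table posted above, header included.
SAMPLE_VT = """\
Antivirus Version Last Update Result
AntiVir 7.9.1.154 2010.01.27 -
Kaspersky 7.0.0.125 2010.01.28 -
McAfee 5874 2010.01.27 -
McAfee+Artemis 5874 2010.01.27 Suspect-D!0CEE939B6669
Symantec 20091.2.0.41 2010.01.28 -
"""
VT_REPORTED_SIZE = 61440  # "File size: 61440 bytes" in the VirusTotal report above


@dataclass
class ServiceEntry:
    state: str        # R = running, S = stopped; the digit is the start type
    name: str
    description: str
    path: str
    size: int         # bytes, as recorded by the log tool


def parse_service_lines(log_text: str) -> List[ServiceEntry]:
    """Extract service/driver entries from DDS or ComboFix log text; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("desc"), m.group("path"), int(meta[-1])))
    return entries


def find_by_filename(entries: List[ServiceEntry], filename: str) -> List[ServiceEntry]:
    """Case-insensitive match on the basename of the service binary."""
    want = filename.lower()
    return [e for e in entries
            if e.path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == want]


def size_matches_report(entries: List[ServiceEntry], filename: str, reported_size: int) -> bool:
    """True when the log lists `filename` and every such entry has the size VirusTotal reported.

    A mismatch means the file on disk is not the one that was scanned (replaced,
    or a different copy), so the VirusTotal verdict should not be trusted for it."""
    hits = find_by_filename(entries, filename)
    return bool(hits) and all(e.size == reported_size for e in hits)


def parse_vt_results(vt_text: str) -> Tuple[int, int, List[str]]:
    """Return (detections, engines scanned, names of the detecting engines)."""
    detections, engines, names = 0, 0, []
    for line in vt_text.splitlines():
        tokens = line.split()
        date_idx = next((i for i, t in enumerate(tokens) if VT_DATE_RE.match(t)), None)
        if date_idx is None or date_idx < 2:
            continue  # header row or unrelated text
        engines += 1
        result = " ".join(tokens[date_idx + 1:])
        if result and result != "-":
            detections += 1
            names.append(tokens[0])
    return detections, engines, names


if __name__ == "__main__":
    entries = parse_service_lines(SAMPLE_LOG)
    for e in find_by_filename(entries, "mei006h.exe"):
        print(f"{e.state} {e.name}: {e.path} ({e.size} bytes)")
    det, eng, names = parse_vt_results(SAMPLE_VT)
    print(f"VirusTotal: {det}/{eng} engines flagged it ({', '.join(names)})")
    print("log size matches VirusTotal report:",
          size_matches_report(entries, "mei006h.exe", VT_REPORTED_SIZE))
```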

Re: google links redirecting

Unread postby jmw3 » January 28th, 2010, 1:26 am

Hi

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right-click on ComboFix.exe then choose Run as Administrator & follow the prompts
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: google links redirecting

Unread postby munkie » January 28th, 2010, 2:18 am

It looks like my links are no longer redirecting! Recently, it was occurring more frequently but now it seems gone. Thank you thank you sooo much!
I'll still be on the lookout, just in case.

Here is the Combofix log:

ComboFix 10-01-27.03 - murisaka 8/2010 Thu 0:56.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1022.285 [GMT -5:00]
Running from: c:\users\Miki\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2423544557-4289886051-2762074548-1000
c:\$recycle.bin\S-1-5-21-2423544557-4289886051-2762074548-500
c:\users\Miki\AppData\Local\{32CE0889-6448-4E5A-A5B9-C8BC93E72274}
c:\users\Miki\AppData\Local\{32CE0889-6448-4E5A-A5B9-C8BC93E72274}\chrome.manifest
c:\users\Miki\AppData\Local\{32CE0889-6448-4E5A-A5B9-C8BC93E72274}\chrome\content\_cfg.js
c:\users\Miki\AppData\Local\{32CE0889-6448-4E5A-A5B9-C8BC93E72274}\chrome\content\overlay.xul
c:\users\Miki\AppData\Local\{32CE0889-6448-4E5A-A5B9-C8BC93E72274}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.

2010-01-28 06:06 . 2010-01-28 06:07 -------- d-----w- c:\users\Miki\AppData\Local\temp
2010-01-28 06:06 . 2010-01-28 06:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-24 22:18 . 2010-01-24 22:18 1956072 ----a-w- c:\users\Miki\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-23 22:27 . 2010-01-23 22:27 -------- d-----w- c:\users\Miki\AppData\Local\Diagnostics
2010-01-23 20:59 . 2010-01-23 20:59 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-01-22 17:36 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 13:45 . 2009-09-18 14:28 421888 ----a-w- c:\users\Miki\AppData\Roaming\Mozilla\Firefox\Profiles\suhyldt7.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
2010-01-19 05:47 . 2010-01-19 05:47 -------- d-----w- c:\programdata\Logishrd
2010-01-19 05:47 . 2010-01-19 05:47 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-01-19 05:47 . 2010-01-19 05:47 -------- d-----w- c:\program files\Logitech
2010-01-19 05:19 . 2010-01-19 05:19 -------- d-----w- c:\users\Miki\AppData\Local\ElevatedDiagnostics
2010-01-18 05:21 . 2010-01-18 05:21 -------- d-----w- c:\program files\Trend Micro
2010-01-15 15:50 . 2010-01-15 15:50 -------- d-----w- c:\users\Miki\AppData\Local\Apple Computer
2010-01-15 15:44 . 2010-01-15 15:45 -------- d-----w- c:\program files\QuickTime
2010-01-15 15:44 . 2010-01-15 15:44 -------- d-----w- c:\programdata\Apple Computer
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\program files\Common Files\Apple
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\users\Miki\AppData\Local\Apple
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\program files\Apple Software Update
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\programdata\Apple
2010-01-13 02:17 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-13 02:15 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-12 20:40 . 2009-08-27 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\NAVEX32A.DLL
2010-01-12 20:40 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\CCERASER.DLL
2010-01-12 20:40 . 2009-10-19 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\ECMSVR32.DLL
2010-01-12 20:40 . 2009-08-27 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\NAVENG.SYS
2010-01-12 20:40 . 2009-08-27 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\EECTRL.SYS
2010-01-12 20:40 . 2009-08-27 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\NAVENG32.DLL
2010-01-12 20:40 . 2009-08-27 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\NAVEX15.SYS
2010-01-12 20:40 . 2009-08-27 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\ERASER.SYS
2010-01-12 20:17 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 20:17 . 2009-07-30 04:44 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-01-12 20:17 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 17:15 . 2010-01-12 17:15 -------- d-----w- c:\users\Miki\AppData\Roaming\Malwarebytes
2010-01-12 17:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 17:15 . 2010-01-12 17:15 -------- d-----w- c:\programdata\Malwarebytes
2010-01-12 17:15 . 2010-01-12 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 17:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 17:01 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-01-12 17:01 . 2009-10-02 04:06 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-01-12 17:01 . 2009-09-03 07:04 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-01-12 17:01 . 2009-08-19 07:20 507568 ----a-w- c:\windows\system32\winload.exe
2010-01-12 17:01 . 2009-08-03 05:35 2613248 ----a-w- c:\windows\explorer.exe
2010-01-12 17:01 . 2009-08-19 07:20 442920 ----a-w- c:\windows\system32\winresume.exe
2010-01-12 17:01 . 2009-08-29 06:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-11 15:34 . 2010-01-11 15:34 159048 ----a-w- c:\users\Miki\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-11 15:32 . 2010-01-11 15:32 -------- d-----w- C:\Recovery
2010-01-11 12:14 . 2010-01-11 15:33 -------- d-----w- c:\windows\Panther
2010-01-11 11:56 . 2010-01-11 10:07 -------- dc----w- C:\$WINDOWS.~Q
2010-01-11 11:49 . 2010-01-11 11:53 -------- dc----w- C:\$INPLACE.~TR
2010-01-11 10:30 . 2010-01-15 15:15 -------- d-----w- c:\windows\system32\wbem\Performance
2010-01-11 10:05 . 2010-01-11 10:05 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-11 09:19 . 2010-01-11 09:19 -------- d-----w- c:\program files\CONEXANT
2010-01-11 09:19 . 2010-01-11 09:19 -------- d-----w- c:\program files\Synaptics
2010-01-11 06:19 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\CCERASER.DLL
2010-01-11 06:19 . 2009-10-19 08:00 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\ECMSVR32.DLL
2010-01-11 06:19 . 2009-08-27 08:00 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVENG.SYS
2010-01-11 06:19 . 2009-08-27 08:00 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\EECTRL.SYS
2010-01-11 06:19 . 2009-08-27 08:00 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVENG32.DLL
2010-01-11 06:19 . 2009-08-27 08:00 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVEX32A.DLL
2010-01-11 06:19 . 2009-08-27 08:00 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\NAVEX15.SYS
2010-01-11 06:19 . 2009-08-27 08:00 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100110.017\ERASER.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 04:06 . 2007-06-29 04:53 -------- d-----w- c:\program files\Java
2010-01-28 03:11 . 2010-01-11 09:20 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-21 13:41 . 2008-03-15 08:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 05:25 . 2007-06-29 04:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-19 02:49 . 2008-04-08 03:48 -------- d-----w- c:\program files\MagicISO
2010-01-19 02:49 . 2008-03-16 21:47 -------- d-----w- c:\users\Miki\AppData\Roaming\uTorrent
2010-01-15 21:21 . 2008-03-15 08:32 60562 ----a-w- c:\users\Miki\AppData\Roaming\nvModes.dat
2010-01-14 16:12 . 2009-10-03 01:02 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 09:52 . 2008-03-21 04:36 -------- d-----w- c:\users\Miki\AppData\Roaming\Winamp
2010-01-11 09:52 . 2009-02-21 14:50 -------- d-----w- c:\users\Miki\AppData\Roaming\Skype
2010-01-11 09:52 . 2008-03-30 17:18 -------- d-----w- c:\users\Miki\AppData\Roaming\Thunderbird
2010-01-11 09:52 . 2008-03-16 05:47 -------- d-----w- c:\users\Miki\AppData\Roaming\Talkback
2010-01-11 09:52 . 2008-03-17 22:38 -------- d-----w- c:\users\Miki\AppData\Roaming\Roxio
2010-01-11 09:51 . 2008-03-20 03:45 -------- d-----w- c:\users\Miki\AppData\Roaming\Media Player Classic
2010-01-11 09:51 . 2008-03-15 06:52 -------- d--h--w- c:\users\Miki\AppData\Roaming\GTek
2010-01-11 09:51 . 2009-12-07 19:10 -------- d-----w- c:\users\Miki\AppData\Roaming\Foxit
2010-01-11 09:51 . 2009-09-02 00:20 -------- d-----w- c:\users\Miki\AppData\Roaming\DivX
2010-01-11 09:51 . 2009-03-03 06:18 -------- d-----w- c:\users\Miki\AppData\Roaming\Cisco
2010-01-11 09:51 . 2008-10-20 22:05 -------- d-----w- c:\users\Miki\AppData\Roaming\Creative
2010-01-11 09:51 . 2008-08-04 14:59 -------- d-----w- c:\users\Miki\AppData\Roaming\CyberLink
2010-01-11 09:51 . 2008-03-23 19:56 -------- d-----w- c:\users\Miki\AppData\Roaming\Download Manager
2010-01-11 09:51 . 2008-03-18 01:27 -------- d-----w- c:\users\Miki\AppData\Roaming\Autodesk
2010-01-11 09:51 . 2008-03-15 06:52 -------- d-----w- c:\users\Miki\AppData\Roaming\Dell
2010-01-11 09:29 . 2008-03-17 22:14 -------- d-----w- c:\programdata\Adobe Systems
2010-01-11 09:28 . 2008-10-10 03:24 -------- d-----w- c:\program files\Microsoft WSE
2010-01-11 09:28 . 2008-03-15 07:38 -------- d-----w- c:\program files\Microsoft.NET
2010-01-11 09:28 . 2007-06-29 05:18 -------- d-----w- c:\program files\Microsoft Works
2010-01-11 09:28 . 2007-06-29 04:57 -------- d-----w- c:\program files\Modem Diagnostic Tool
2010-01-11 09:28 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-01-11 09:28 . 2007-07-17 19:48 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-11 09:28 . 2007-07-17 19:12 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-11 09:28 . 2007-06-29 05:17 -------- d-----w- c:\program files\Google
2010-01-11 09:28 . 2009-12-07 19:10 -------- d-----w- c:\program files\Foxit Software
2010-01-11 09:28 . 2008-03-20 03:48 -------- d-----w- c:\program files\ffdshow
2010-01-11 09:27 . 2008-10-10 03:25 -------- d-----w- c:\program files\DWG TrueView 2009
2010-01-11 09:27 . 2009-06-03 20:49 -------- d-----w- c:\program files\DivX
2010-01-11 09:27 . 2007-06-29 05:17 -------- d-----w- c:\program files\DellSupport
2010-01-11 09:27 . 2007-06-29 04:57 -------- d-----w- c:\program files\Digital Line Detect
2010-01-11 09:27 . 2008-03-14 15:23 -------- d-----w- c:\program files\Dell Support Center
2010-01-11 09:27 . 2007-06-29 04:55 -------- d-----w- c:\program files\Dell
2010-01-11 09:27 . 2008-03-20 03:27 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2010-01-11 09:27 . 2007-06-29 05:19 -------- d-----w- c:\program files\CyberLink
2010-01-11 09:26 . 2007-06-29 05:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-11 09:26 . 2007-06-29 05:06 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-01-11 09:26 . 2007-06-29 05:05 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-11 09:26 . 2007-06-29 05:05 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-11 09:26 . 2009-06-03 20:51 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-11 09:26 . 2007-07-17 19:09 -------- d-----w- c:\program files\Common Files\L&H
2010-01-11 09:26 . 2007-06-29 04:54 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-11 09:26 . 2009-06-03 20:49 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-11 09:26 . 2008-03-17 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-01-11 09:26 . 2008-03-17 22:08 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-11 09:26 . 2007-06-29 05:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-11 09:25 . 2009-03-03 06:16 -------- d-----w- c:\program files\Cisco
2010-01-11 09:25 . 2008-10-21 06:08 -------- d-----w- c:\program files\CDisplay
2010-01-11 09:25 . 2008-09-06 05:41 -------- d-----w- c:\program files\Citrix
2010-01-11 09:25 . 2008-10-08 03:11 -------- d-----w- c:\program files\Autodesk Student Community Download Tool
2010-01-11 09:25 . 2008-03-17 22:47 -------- d-----w- c:\program files\Autodesk
2010-01-11 09:25 . 2007-06-29 05:17 -------- d-----w- c:\program files\BAE
2010-01-11 09:25 . 2008-10-10 03:05 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2010-01-11 09:25 . 2008-12-01 01:16 -------- d-----w- c:\program files\Audacity
2010-01-11 09:24 . 2009-03-07 06:16 -------- d-----w- c:\program files\activePDF
2010-01-11 09:19 . 2010-01-11 09:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-12-14 09:00 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-13 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 17920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-13 252704]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-13 774680]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\Miki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-28 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-6-28 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/14/2009 11:49 PM 1153368]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/8/2009 10:05 AM 102448]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [6/10/2009 4:18 PM 4231168]
S2 Mei006h;Mei006h Service;c:\windows\System32\mei006h.exe [4/7/2008 12:11 AM 61440]
S3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/5/2007 4:29 PM 121744]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-09-15 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} - hxxps://drawing.constructware.com/IGC/BravaClientX.cab
FF - ProfilePath - c:\users\Miki\AppData\Roaming\Mozilla\Firefox\Profiles\suhyldt7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\Miki\AppData\Roaming\Mozilla\Firefox\Profiles\suhyldt7.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, );user_pref(yahoo.homepage.dontask, true.
- - - - ORPHANS REMOVED - - - -

Notify-GoToAssist - c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
AddRemove-Cakewalk Pro Audio 9 Demo - c:\program files\Cakewalk\Cakewalk Pro Audio 9 Demo\CWPA9_Uninst.isu


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Common Client\ccService\Channels]
@Denied: (C D) (Everyone)
"{1943285A-EDC3-48A2-A36F-D826C552E717}"="{023E69F4-0B12-4A6B-B4A8-222B2AAD60EF}"
"{37009485-6EC4-4D54-A6E1-73A89C069D71}"="{9EA66D7B-7579-4C41-B92F-60542C66F8C9}"
"{88764B40-05BB-4816-9D1D-B80934F73488}"="{EFD2FD0D-E6CC-4EC4-ADD5-E8D5DEA62E4F}"
"{8A154803-F73B-4E7C-A92F-9898362F4438}"="{5225A7F9-9C38-4264-A686-9186815C1A94}"
"{AC9515C0-0FCE-4D93-9FED-5382CB0F0F11}"="{EFD2FD0D-E6CC-4EC4-ADD5-E8D5DEA62E4F}"
"{CFD1DE13-358B-4BA5-9D8C-2F60855D9850}"="{023E69F4-0B12-4A6B-B4A8-222B2AAD60EF}"
"{D071D40F-0BE2-48C0-B164-CFBFC036D2F3}"="{9EA66D7B-7579-4C41-B92F-60542C66F8C9}"
"{DD141859-6E3C-4346-B16E-71B596A4F815}"="{023E69F4-0B12-4A6B-B4A8-222B2AAD60EF}"
"ccEvtCli"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"{520E7A35-8C68-4AC1-9075-F1A486269A0C}"="{A5598117-4B8F-4B47-BC4C-E0E8305A0723}"
"{30A21EE8-7B80-4A04-ACEE-61E2A6D80D41}"="{A5598117-4B8F-4B47-BC4C-E0E8305A0723}"
"{89A2AAF7-1334-47A9-B4F2-896C264E658B}"="{C47516D4-C820-43B3-9B2C-EFC136AACBAD}"
"{FABC9623-08DA-405A-B1A3-FA8BEE5697F7}"="{42D30821-B93C-4057-91D2-76FEF01839E4}"
"{2597C57F-D42B-4ABE-8E5D-98904314124C}"="{309B7854-E69B-4F42-8281-1E6ED69A3911}"
"{64A0E693-D92A-4B3A-81C3-907F3B54FAE4}"="{309B7854-E69B-4F42-8281-1E6ED69A3911}"
"{C5931EB4-E515-4E59-BC28-502B40824DA1}"="{2C7D490A-180A-4670-8475-3B7E04F7755E}"
"{7BCEA9B3-DE13-4C83-AC85-73CAD23DC369}"="{7034FF6B-FA3A-40A1-92BA-36D3E798E8C2}"
"{4975EB84-62EA-4560-86BB-AB13588DA775}"="{321A9453-8045-406D-A3DE-58082EE02DF4}"
"{AC522724-D0D3-4EEB-8D16-B55F27177867}"="{321A9453-8045-406D-A3DE-58082EE02DF4}"
"{96BD88F1-6D8B-4DF6-B5A1-E3D27E1C1257}"="{7E6F08CD-3B61-4D48-A542-DEAD79B93416}"
"{4D78D67E-69AA-4123-81BB-90F77AACA640}"="{9483F09A-D99E-4F71-BF23-84E9E7AB903C}"
"{861991D8-080B-452F-A5EA-47862887A4C7}"="{9483F09A-D99E-4F71-BF23-84E9E7AB903C}"
"{63863751-4A14-4920-8097-9F97F5CD9EF7}"="{0E11F1A3-091C-44D2-B4F9-B7782A9A0CEC}"
"{0A9A8542-0499-471C-AACB-52CEB3FC9CB8}"="{0E11F1A3-091C-44D2-B4F9-B7782A9A0CEC}"
"{41A74F1D-45CF-476F-86C7-A8AB6E0B14B3}"="{7D579B31-3DD9-4ED1-9399-D87383F1632C}"
"{5E8AA8DA-1877-4236-842F-8BF072740AA1}"="{7D579B31-3DD9-4ED1-9399-D87383F1632C}"
"{AB9271FF-03BD-475F-883D-86C189CC9580}"="{7D579B31-3DD9-4ED1-9399-D87383F1632C}"
"{65D27484-D548-4FEC-9A55-F16CF907057B}"="{EC606B56-6394-4E29-9926-72CC297E3D9F}"
"{AE94D8DE-0AB7-47CF-A42D-829D335584B1}"="{9CC21DBC-334A-4922-99DE-388C551380B4}"
"{9D44613C-3096-4539-A002-73FFD3D2F722}"="{9CC21DBC-334A-4922-99DE-388C551380B4}"
"{3090A0AA-F383-448F-84E6-71B8889845AF}"="{640675B0-9994-492B-AB8A-0E740EBF3556}"
"{9CA80813-31A5-4A27-B344-3F5B389DF347}"="{640675B0-9994-492B-AB8A-0E740EBF3556}"
"{BAA506F2-9F83-4A0C-911C-BD77E329B29C}"="{6AB48F0A-0A47-49F3-AE64-2BCED8D72A0E}"
"{667BDD99-7E3F-47EB-9884-56E413876318}"="{6AB48F0A-0A47-49F3-AE64-2BCED8D72A0E}"
"{CC5E4E8C-A8E9-4BF3-874A-D360F5C9B93C}"="{23CB953C-522D-4173-9CB8-D2800FEDB4AA}"
"{ADB9F571-AF4A-4620-825B-074FDAA41BC9}"="{EDB3F0FE-2E23-4F28-9753-D939551E852B}"
"{D326BBA2-B5AB-4C75-8D9D-6C2B58723289}"="{EDB3F0FE-2E23-4F28-9753-D939551E852B}"
"{1F01EAB7-A915-4588-B998-6191C457F2BF}"="{B5FD516C-A94B-4E3F-94E2-DCFCE04F01A2}"
"{6B6C4D95-E9E1-475C-A400-5BA00FFA76C1}"="{B5FD516C-A94B-4E3F-94E2-DCFCE04F01A2}"
"{5CB6F58A-FAE1-47F3-A79A-2751FAE314BC}"="{99B64621-6DF3-46E1-9BD4-B62B56156CFE}"
"{F64F731B-F29E-4ED0-B5DE-CFB1F20163E5}"="{DEDBFBBD-30BE-4C83-B9BB-14953333822B}"
"{FA6AE1A2-DC8E-42D7-87C8-8C2B2FAF044C}"="{99B64621-6DF3-46E1-9BD4-B62B56156CFE}"
"{DAC52869-6FF3-48A9-8B6F-AE7FAC232580}"="{CA1DB665-462F-4296-BB49-C0DD4F68913C}"
"{E067DBDF-FB04-400C-B880-F85DAE19277D}"="{A1AC6C2E-782A-4233-9118-43E01A7E63BB}"
"{67749E7F-1091-41F6-B806-8776635ED323}"="{A1AC6C2E-782A-4233-9118-43E01A7E63BB}"
"{5E35044A-29B2-4589-BBD9-3BD57ACE10CC}"="{D2D3EB36-7632-4701-9A22-28A711A789B3}"
"{CD6DF7DF-2973-4B44-BE1E-7E82CE83D844}"="{D2D3EB36-7632-4701-9A22-28A711A789B3}"
"{9069BA03-827F-4B4A-A61E-B1E58E1E37B4}"="{06333BB1-5548-4B75-A08D-AB2D36B2FD0E}"
"{F6F473BD-C04D-4E4A-B83D-8BE61EC34693}"="{8057C0DF-1F43-4333-823F-F60ED28A66DC}"
"{7912717F-7D2A-46CE-8D8F-BC9E10A0D600}"="{8057C0DF-1F43-4333-823F-F60ED28A66DC}"
"{381B01A9-C631-44AB-AB4F-104F8383AAD0}"="{C5505515-D9B6-4E7C-B4FD-C0A4DC32DA28}"
"{AF22194C-D6D1-4CAD-84D9-3741389DD307}"="{80D736BB-524C-444A-99E2-7C811510E398}"
"{004FD8A8-AE2C-4B0C-BA04-D395290B9809}"="{80D736BB-524C-444A-99E2-7C811510E398}"
"{E4B79677-AA5C-40E1-97CC-574A7FAB6C96}"="{D619D35A-B504-463F-A9C4-5042CA906860}"
"{8F48A504-ECFA-4F38-ABCC-F965AEF6176B}"="{D619D35A-B504-463F-A9C4-5042CA906860}"
"ccSvcHst_ccSetMgr"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"ccSettingsService"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"SNDServiceRequestChannel"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"SNDLocationChannel"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"ccSvcHst_ccEvtMgr"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"{077E69AA-4295-4718-8D8B-6CB4F8740A52}"="{26B49BD7-0911-4EA1-BFCD-9C84E89FA67E}"
"{D890A277-4CB9-4BC5-9DD1-872D549D5AB5}"="{26B49BD7-0911-4EA1-BFCD-9C84E89FA67E}"
"{2E8E999A-E970-405F-9432-571B4BDF1EBF}"="{31C5197A-84A5-4D43-85E7-D41685F3EDFB}"
"{2F7CDCE2-F5D9-4101-B058-6216FCE56B50}"="{FEC8CE2C-D098-489A-9C5C-2380810DCC2D}"
"{B2367038-7200-4902-B037-1BF83F6222E0}"="{FEC8CE2C-D098-489A-9C5C-2380810DCC2D}"
"{D98600EA-790F-470A-B608-1E06189F1E77}"="{31C5197A-84A5-4D43-85E7-D41685F3EDFB}"
"{A5B3E893-7A27-4B6A-85AE-C22F8D1B7FA7}"="{FEC8CE2C-D098-489A-9C5C-2380810DCC2D}"
"{9581D42F-01C1-4F84-B0DD-AD77D20880A3}"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"{641E3399-7EE6-4687-A3A0-27BB0AB6072B}"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"{6FB464E1-0909-457E-9CB6-61B65B43B60D}"="{F779E72D-3AF9-47B6-9F17-AD9E5B1B9A30}"
"{CA15B7FD-2BE6-4F1B-9DB5-3853AEC79373}"="{1601C745-DCCF-466B-AC28-D32E00E2E306}"
"{260F3EF8-9891-465C-9586-562D94FF725A}"="{FAD952F3-83C1-4B60-B678-8E47FB262316}"
"{894380E8-758B-4450-A5C2-57BA25EED4D3}"="{1601C745-DCCF-466B-AC28-D32E00E2E306}"
"{398B76A7-A9E7-4217-8061-A2DBFB2ADA9C}"="{EEBFC1A0-B360-481E-BF30-43362BE082E6}"
"{7F54EE60-BD13-4762-93DE-E0C334556830}"="{EEBFC1A0-B360-481E-BF30-43362BE082E6}"
"{7D9B5C33-77C4-4DCD-A50E-8CB0049169C9}"="{1601C745-DCCF-466B-AC28-D32E00E2E306}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-01-28 01:11:39
ComboFix-quarantined-files.txt 2010-01-28 06:11

Pre-Run: 21,951,844,352 bytes free
Post-Run: 21,816,995,840 bytes free

- - End Of File - - 50385EF5DF751A36A786B2C556FA3684
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm

Re: google links redirecting

Unread postby jmw3 » January 28th, 2010, 11:25 pm

Hi
Apologies for the late reply. I had some urgent family matters to attend to.

It looks like my links are no longer redirecting! Recently, it was occurring more frequently but now it seems gone.
Good stuff. Just a little more to do.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

File::
c:\windows\System32\mei006h.exe
Folder::
c:\users\Miki\AppData\Roaming\uTorrent
c:\program files\BAE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
Driver::
Mei006h
DDS::
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Common Client\ccService\Channels]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
Pictured tutorial if required.

To post in next reply:
ComboFix log
Kaspersky Online Scan log
A new HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

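The CFScript in the post above targets a service (Mei006h), a file under System32, two folders and a Security Center registry value that had been set to stop monitoring the Symantec product; the only evidence that the fix worked is the ComboFix log produced afterwards. The following Python script is an added example, not code from this thread, from ComboFix or from the forum helper. It parses a CFScript's File::, Folder::, Registry:: and Driver:: sections and a ComboFix log's service lines and REGEDIT4 loading points, then reports every target still visible in the post-run log. The CFScript and the two log excerpts are constructed from lines posted in this thread; treating an absent registry value as "reset" rests on the log's own note that default entries are not shown, which is an assumption about ComboFix's output.

```python
"""Check a ComboFix CFScript against the log ComboFix writes after running it.
Added example, not part of this thread or of ComboFix; the script and log
excerpts below are constructed from lines posted in this thread."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")  # CFScript headers: "File::", "Driver::", ...
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")  # "S2 name;display;path ["
REGKEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")  # REGEDIT4 key line
REGVAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"([^"]*)")')  # value line

def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript; Registry:: keeps its raw lines."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current:
            sections[current].append(line)
    return dict(sections)

def parse_services(log):
    """Map lower-cased service name -> (start type, binary path) from R*/S* lines."""
    services = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, _display, path = m.groups()
            services[name.lower()] = (start, path)
    return services

def parse_registry(text):
    """Map (key, value name), lower-cased, -> data: dword as int, string as str."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = REGKEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REGVAL_RE.match(line)
        if m and key:
            name, dword, string = m.groups()
            values[(key, name.lower())] = int(dword, 16) if dword is not None else string
    return values

def verify_cleanup(cfscript, after_log):
    """List every CFScript target that is still visible in the post-run log."""
    script = parse_cfscript(cfscript)
    services = parse_services(after_log)
    reg = parse_registry(after_log)
    problems = []
    # Driver:: names must no longer be registered as services
    for name in script.get("Driver", []):
        if name.lower() in services:
            start, path = services[name.lower()]
            problems.append(f"service {name} still registered ({start}) at {path}")
    # File:: and Folder:: targets must not be loaded by any service or Run value
    loaded = [p.lower() for _s, p in services.values()]
    loaded += [v.lower() for v in reg.values() if isinstance(v, str)]
    for target in script.get("File", []) + script.get("Folder", []):
        t = target.lower()
        if any(p == t or p.startswith(t + "\\") for p in loaded):
            problems.append(f"path still loaded from: {target}")
    # Registry:: values must match; an absent value counts as reset, because
    # ComboFix omits default entries (assumption drawn from the log's *Note* line)
    wanted = parse_registry("\n".join(script.get("Registry", [])))
    for (key, name), expected in wanted.items():
        actual = reg.get((key, name))
        if actual is not None and actual != expected:
            problems.append(f"{key}\\{name} is {actual!r}, expected {expected!r}")
    return problems

CFSCRIPT = r"""
File::
c:\windows\System32\mei006h.exe
Folder::
c:\program files\BAE
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
Driver::
Mei006h
"""

BEFORE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]
S2 Mei006h;Mei006h Service;c:\windows\System32\mei006h.exe [4/7/2008 12:11 AM 61440]
"""

AFTER_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label + ":", verify_cleanup(CFSCRIPT, log) or "clean")
```

Run against the first log the script reports the still-registered S2 service, its binary path and the DisableMonitoring value of 1; run against the second it reports nothing, which matches what the helper checked by eye. The check deliberately looks only at loading points (services and Run values) rather than searching the whole log for the path, because the post-run log also lists the deleted files under "Other Deletions" and a plain substring search would flag those as still present.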
Re: google links redirecting

Unread postby munkie » January 29th, 2010, 5:20 pm

Here is the Combofix log and new Hijackthis log. Nothing was found using the Kaspersky scanner.

ComboFix 10-01-27.03 - murisaka 9/2010 Fri 0:11.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.932.81.1033.18.1022.278 [GMT -5:00]
Running from: c:\users\Miki\Desktop\ComboFix.exe
Command switches used :: c:\users\Miki\Desktop\CFScript.txt
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}

FILE ::
"c:\windows\System32\mei006h.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BAE
c:\program files\BAE\BAE.dll
c:\users\Miki\AppData\Roaming\uTorrent
c:\users\Miki\AppData\Roaming\uTorrent\dht.dat
c:\users\Miki\AppData\Roaming\uTorrent\dht.dat.old
c:\users\Miki\AppData\Roaming\uTorrent\Gaki no Tsukai #987 (2009.12.31SP) [24h Batsu Game] [29.97fps].mp4.torrent
c:\users\Miki\AppData\Roaming\uTorrent\resume.dat
c:\users\Miki\AppData\Roaming\uTorrent\resume.dat.old
c:\users\Miki\AppData\Roaming\uTorrent\rss.dat
c:\users\Miki\AppData\Roaming\uTorrent\rss.dat.old
c:\users\Miki\AppData\Roaming\uTorrent\settings.dat
c:\users\Miki\AppData\Roaming\uTorrent\settings.dat.old
c:\users\Miki\AppData\Roaming\uTorrent\Studio Ghibli.torrent
c:\users\Miki\AppData\Roaming\uTorrent\utorrent.lng
c:\windows\System32\mei006h.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Mei006h


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.

2010-01-29 05:22 . 2010-01-29 05:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-29 05:22 . 2010-01-29 05:22 -------- d-----w- c:\users\murisaka\AppData\Local\temp
2010-01-29 05:22 . 2010-01-29 05:22 -------- d-----w- c:\users\hide\AppData\Local\temp
2010-01-29 05:22 . 2010-01-29 05:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-28 06:11 . 2010-01-29 05:53 -------- d-----w- c:\users\Miki\AppData\Local\temp
2010-01-27 15:40 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-27 15:40 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-23 22:27 . 2010-01-23 22:27 -------- d-----w- c:\users\Miki\AppData\Local\Diagnostics
2010-01-23 20:59 . 2010-01-23 20:59 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-01-22 17:36 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-19 05:47 . 2010-01-19 05:47 -------- d-----w- c:\programdata\Logishrd
2010-01-19 05:47 . 2010-01-19 05:47 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-01-19 05:47 . 2010-01-19 05:47 -------- d-----w- c:\program files\Logitech
2010-01-19 05:19 . 2010-01-19 05:19 -------- d-----w- c:\users\Miki\AppData\Local\ElevatedDiagnostics
2010-01-18 05:21 . 2010-01-18 05:21 -------- d-----w- c:\program files\Trend Micro
2010-01-15 15:50 . 2010-01-15 15:50 -------- d-----w- c:\users\Miki\AppData\Local\Apple Computer
2010-01-15 15:44 . 2010-01-15 15:45 -------- d-----w- c:\program files\QuickTime
2010-01-15 15:44 . 2010-01-15 15:44 -------- d-----w- c:\programdata\Apple Computer
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\program files\Common Files\Apple
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\users\Miki\AppData\Local\Apple
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\program files\Apple Software Update
2010-01-15 15:42 . 2010-01-15 15:42 -------- d-----w- c:\programdata\Apple
2010-01-13 02:17 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-13 02:15 . 2009-10-29 07:22 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-12 20:17 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 20:17 . 2009-07-30 04:44 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-01-12 20:17 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 17:15 . 2010-01-12 17:15 -------- d-----w- c:\users\Miki\AppData\Roaming\Malwarebytes
2010-01-12 17:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 17:15 . 2010-01-12 17:15 -------- d-----w- c:\programdata\Malwarebytes
2010-01-12 17:15 . 2010-01-12 17:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 17:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 17:01 . 2009-08-29 06:57 34816 ----a-w- c:\windows\system32\msasn1.dll
2010-01-12 17:01 . 2009-10-02 04:06 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-01-12 17:01 . 2009-09-03 07:04 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2010-01-12 17:01 . 2009-08-19 07:20 507568 ----a-w- c:\windows\system32\winload.exe
2010-01-12 17:01 . 2009-08-19 07:20 442920 ----a-w- c:\windows\system32\winresume.exe
2010-01-12 17:01 . 2009-08-29 06:54 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-11 15:34 . 2010-01-11 15:34 159048 ----a-w- c:\users\Miki\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-11 15:32 . 2010-01-11 15:32 -------- d-----w- C:\Recovery
2010-01-11 12:14 . 2010-01-11 15:33 -------- d-----w- c:\windows\Panther
2010-01-11 11:56 . 2010-01-11 10:07 -------- dc----w- C:\$WINDOWS.~Q
2010-01-11 11:49 . 2010-01-11 11:53 -------- dc----w- C:\$INPLACE.~TR
2010-01-11 10:30 . 2010-01-15 15:15 -------- d-----w- c:\windows\system32\wbem\Performance
2010-01-11 10:05 . 2010-01-11 10:05 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-11 09:19 . 2010-01-11 09:19 -------- d-----w- c:\program files\CONEXANT
2010-01-11 09:19 . 2010-01-11 09:19 -------- d-----w- c:\program files\Synaptics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-29 05:54 . 2010-01-11 09:20 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-28 04:06 . 2007-06-29 04:53 -------- d-----w- c:\program files\Java
2010-01-24 22:18 . 2010-01-24 22:18 1956072 ----a-w- c:\users\Miki\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-01-21 13:41 . 2008-03-15 08:19 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-19 05:25 . 2007-06-29 04:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-19 02:49 . 2008-04-08 03:48 -------- d-----w- c:\program files\MagicISO
2010-01-15 21:21 . 2008-03-15 08:32 60562 ----a-w- c:\users\Miki\AppData\Roaming\nvModes.dat
2010-01-14 16:12 . 2009-10-03 01:02 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 09:52 . 2008-03-21 04:36 -------- d-----w- c:\users\Miki\AppData\Roaming\Winamp
2010-01-11 09:52 . 2009-02-21 14:50 -------- d-----w- c:\users\Miki\AppData\Roaming\Skype
2010-01-11 09:52 . 2008-03-30 17:18 -------- d-----w- c:\users\Miki\AppData\Roaming\Thunderbird
2010-01-11 09:52 . 2008-03-16 05:47 -------- d-----w- c:\users\Miki\AppData\Roaming\Talkback
2010-01-11 09:52 . 2008-03-17 22:38 -------- d-----w- c:\users\Miki\AppData\Roaming\Roxio
2010-01-11 09:51 . 2008-03-20 03:45 -------- d-----w- c:\users\Miki\AppData\Roaming\Media Player Classic
2010-01-11 09:51 . 2008-03-15 06:52 -------- d--h--w- c:\users\Miki\AppData\Roaming\GTek
2010-01-11 09:51 . 2009-12-07 19:10 -------- d-----w- c:\users\Miki\AppData\Roaming\Foxit
2010-01-11 09:51 . 2009-09-02 00:20 -------- d-----w- c:\users\Miki\AppData\Roaming\DivX
2010-01-11 09:51 . 2009-03-03 06:18 -------- d-----w- c:\users\Miki\AppData\Roaming\Cisco
2010-01-11 09:51 . 2008-10-20 22:05 -------- d-----w- c:\users\Miki\AppData\Roaming\Creative
2010-01-11 09:51 . 2008-08-04 14:59 -------- d-----w- c:\users\Miki\AppData\Roaming\CyberLink
2010-01-11 09:51 . 2008-03-23 19:56 -------- d-----w- c:\users\Miki\AppData\Roaming\Download Manager
2010-01-11 09:51 . 2008-03-18 01:27 -------- d-----w- c:\users\Miki\AppData\Roaming\Autodesk
2010-01-11 09:51 . 2008-03-15 06:52 -------- d-----w- c:\users\Miki\AppData\Roaming\Dell
2010-01-11 09:29 . 2008-03-17 22:14 -------- d-----w- c:\programdata\Adobe Systems
2010-01-11 09:28 . 2008-10-10 03:24 -------- d-----w- c:\program files\Microsoft WSE
2010-01-11 09:28 . 2008-03-15 07:38 -------- d-----w- c:\program files\Microsoft.NET
2010-01-11 09:28 . 2007-06-29 05:18 -------- d-----w- c:\program files\Microsoft Works
2010-01-11 09:28 . 2007-06-29 04:57 -------- d-----w- c:\program files\Modem Diagnostic Tool
2010-01-11 09:28 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-01-11 09:28 . 2007-07-17 19:48 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-01-11 09:28 . 2007-07-17 19:12 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-11 09:28 . 2007-06-29 05:17 -------- d-----w- c:\program files\Google
2010-01-11 09:28 . 2009-12-07 19:10 -------- d-----w- c:\program files\Foxit Software
2010-01-11 09:28 . 2008-03-20 03:48 -------- d-----w- c:\program files\ffdshow
2010-01-11 09:27 . 2008-10-10 03:25 -------- d-----w- c:\program files\DWG TrueView 2009
2010-01-11 09:27 . 2009-06-03 20:49 -------- d-----w- c:\program files\DivX
2010-01-11 09:27 . 2007-06-29 05:17 -------- d-----w- c:\program files\DellSupport
2010-01-11 09:27 . 2007-06-29 04:57 -------- d-----w- c:\program files\Digital Line Detect
2010-01-11 09:27 . 2008-03-14 15:23 -------- d-----w- c:\program files\Dell Support Center
2010-01-11 09:27 . 2007-06-29 04:55 -------- d-----w- c:\program files\Dell
2010-01-11 09:27 . 2008-03-20 03:27 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2010-01-11 09:27 . 2007-06-29 05:19 -------- d-----w- c:\program files\CyberLink
2010-01-11 09:26 . 2007-06-29 05:09 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-11 09:26 . 2007-06-29 05:06 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-01-11 09:26 . 2007-06-29 05:05 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-11 09:26 . 2007-06-29 05:05 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-11 09:26 . 2009-06-03 20:51 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-11 09:26 . 2007-07-17 19:09 -------- d-----w- c:\program files\Common Files\L&H
2010-01-11 09:26 . 2007-06-29 04:54 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-11 09:26 . 2009-06-03 20:49 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-01-11 09:26 . 2008-03-17 22:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-01-11 09:26 . 2008-03-17 22:08 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-11 09:26 . 2007-06-29 05:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-11 09:25 . 2009-03-03 06:16 -------- d-----w- c:\program files\Cisco
2010-01-11 09:25 . 2008-10-21 06:08 -------- d-----w- c:\program files\CDisplay
2010-01-11 09:25 . 2008-09-06 05:41 -------- d-----w- c:\program files\Citrix
2010-01-11 09:25 . 2008-10-08 03:11 -------- d-----w- c:\program files\Autodesk Student Community Download Tool
2010-01-11 09:25 . 2008-03-17 22:47 -------- d-----w- c:\program files\Autodesk
2010-01-11 09:25 . 2008-10-10 03:05 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2010-01-11 09:25 . 2008-12-01 01:16 -------- d-----w- c:\program files\Audacity
2010-01-11 09:24 . 2009-03-07 06:16 -------- d-----w- c:\program files\activePDF
2010-01-11 09:19 . 2010-01-11 09:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-12-14 09:00 . 2010-01-28 06:32 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100127.005\CCERASER.DLL
2009-12-14 09:00 . 2010-01-12 20:40 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20100112.005\CCERASER.DLL
2009-12-14 09:00 . 2009-12-14 09:00 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2009-07-14 144384]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-13 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 17920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-08-05 135568]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-13 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-13 252704]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-13 774680]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\Miki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-28 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-6-28 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/14/2009 11:49 PM 1153368]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2/3/2009 3:39 PM 427192]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/8/2009 10:05 AM 102448]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\netw5v32.sys [6/10/2009 4:18 PM 4231168]
S3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/5/2007 4:29 PM 121744]
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-09-15 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} - hxxps://drawing.constructware.com/IGC/BravaClientX.cab
FF - ProfilePath - c:\users\Miki\AppData\Roaming\Mozilla\Firefox\Profiles\suhyldt7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\users\Miki\AppData\Roaming\Mozilla\Firefox\Profiles\suhyldt7.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, );user_pref(yahoo.homepage.dontask, true.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(9304)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\System32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\Symantec AntiVirus\VPTray.exe
c:\windows\sttray.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-01-29 01:02:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-29 06:02
ComboFix2.txt 2010-01-28 06:11

Pre-Run: 21,360,029,696 bytes free
Post-Run: 20,799,352,832 bytes free

- - End Of File - - E0C814275133CB4E129342582C93C193



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:30 PM, on 1/29/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_17.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {F8C41CBF-721F-4B99-9FC8-2F8077C4AD39} (BravaClientXView 5.2 Class) - https://drawing.constructware.com/IGC/BravaClientX.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7582 bytes
munkie
Active Member
 
Posts: 8
Joined: January 18th, 2010, 10:53 pm

Re: google links redirecting

Unread postby jmw3 » January 29th, 2010, 7:10 pm

Hi
Looking good.

Fix HiJackThis Entries
  • Open HiJackThis by right-clicking then choosing Run as Administrator
  • Click on Do a system scan only
  • Place a checkmark next to these lines (if still present):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O15 - ESC Trusted Zone: http://*.update.microsoft.com


  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
Reboot your computer.

Clean Up
Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
OTC
Download OTC by Old Timer here & save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.
You can delete the following from your desktop:
DDS.scr
The Gmer.exe file (it will be randomly named .exe file)
GooredFix.exe & its backup folder
Any logs that may have been saved to your desktop

You can remove the Kaspersky Online Scanner. This can be done via Add or Remove Programs
You should also remove HijackThis. You can do this by going to C:\Program Files\Trend Micro\HijackThis
  • Double click HijackThis.exe
  • From the Main menu click Open the Misc Tools section
  • Using the scroll bar, scroll down to Uninstall HijackThis
  • Click Uninstall HijackThis & exit then click Yes at the prompt
Let me know of any problems before we wrap this up.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
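A small triage script for HijackThis log lines, added here as an example; it is not code from the forum or from Trend Micro. It assumes the HJT v2.0.2 line format shown in the log above (section code such as O2 or O23, then " - ", then the description) and embeds six lines copied from that log as sample input. The flag rules are the helper's two fix requests (orphaned BHO with "(no file)", ESC trusted zone entry) plus two consistency checks of my own (a startup shortcut whose target shows as "?", a service with "Unknown owner"); they mark lines for a reviewer to look at, they do not decide that anything is malicious.

```python
"""Triage helper for HijackThis (HJT) v2.0.2 log lines.

Added example for this thread, not code from MalwareRemoval.com or Trend
Micro. The sample lines below are copied from the HJT log posted above so the
rules can be checked against real entries; the rules only flag lines for a
helper's review.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: six lines taken from the HijackThis log earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - Global Startup: QuickSet.lnk = ?
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Every HJT finding starts with a section code such as O2, O4, O15, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# COM class ids appear in O2 (BHO) and O9/O16 lines.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str            # e.g. "O2"
    body: str               # text after "O2 - "
    raw: str                # the original line, as a helper would quote it
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per finding line; non-finding lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        c = CLSID_RE.search(raw)
        entries.append(Entry(m.group(1), m.group(2), raw, c.group(0) if c else None))
    return entries


def triage(entry: Entry) -> Entry:
    """Attach review flags. The first two rules mirror what the helper above
    asked to fix; the last two are cheap consistency checks (assumed rules)."""
    body = entry.body
    if entry.section == "O2" and body.endswith("(no file)"):
        entry.flags.append("orphaned BHO: CLSID still registered but the DLL is gone")
    if entry.section == "O15":
        entry.flags.append("ESC trusted-zone entry: confirm it was added on purpose")
    if entry.section == "O4" and body.endswith("= ?"):
        entry.flags.append("startup shortcut whose target could not be resolved")
    if entry.section == "O23" and " - Unknown owner - " in body:
        entry.flags.append("service binary with no publisher recorded")
    return entry


def flagged_entries(text: str) -> List[Entry]:
    """Parse and triage; keep only entries that picked up at least one flag."""
    return [e for e in map(triage, parse_log(text)) if e.flags]


def fix_list(text: str) -> List[str]:
    """The raw lines a helper would paste under 'place a checkmark next to'."""
    return [e.raw for e in flagged_entries(text)]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:<4} {e.raw}")
        for f in e.flags:
            print(f"       -> {f}")
```

Run against a full log, `fix_list` produces exactly the kind of list the helper pasted above; any line it returns still needs a human to confirm it before being fixed in HijackThis, since a legitimate product can leave an orphaned BHO behind after an uninstall.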

Re: google links redirecting

Unread postby jmw3 » February 1st, 2010, 6:24 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia