Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Browser keeps getting redirected

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Browser keeps getting redirected

Unread postby splatified » June 26th, 2010, 9:52 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, June 26, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, June 26, 2010 11:16:51
Records in database: 4292034
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 94768
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:42:41

No threats found. Scanned area is clean.

Selected area has been scanned.
splatified
Active Member
 
Posts: 10
Joined: June 21st, 2010, 10:35 am
Advertisement
Register to Remove

Re: Browser keeps getting redirected

Unread postby melboy » June 27th, 2010, 4:33 pm

Hi

Great - Looking good, we're nearly done.


Backup the Registry:

Modifying the Registry can create unforseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.(System registry & Current user registry)
  • Click on OK
  • When the Question pop-up appears click on Yes to create the folder.
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.



OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
    Code: Select all
    :Services
    XDva346
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "D4027C7F-154A-4066-A1AD-4243D8127440"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KernelFaultCheck"=-
    
    :files
    c:\windows\system32\XDva346.sys 
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large Image button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    After OTM has rebooted.


    Re-run DDS

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, Please copy & paste the contents of :
      • DDS.txt
    And post it in your next reply.


    In your next reply:
    1. DDS.txt
    2. OTM log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser keeps getting redirected

Unread postby melboy » June 28th, 2010, 5:44 pm

Still with us splatified?
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser keeps getting redirected

Unread postby melboy » June 30th, 2010, 12:44 pm

Hi Splatified

It has been two days since my last post.

  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response. If you do not reply within the next 24 hours, this topic will be closed.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser keeps getting redirected

Unread postby splatified » June 30th, 2010, 11:04 pm

Sorry, I think there was something wrong with my power supply. My computer wouldn't boot up. Sorry for the wait. Here are the logs:



All processes killed
========== SERVICES/DRIVERS ==========
Service XDva346 stopped successfully!
Service XDva346 deleted successfully!
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\D4027C7F-154A-4066-A1AD-4243D8127440 not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\KernelFaultCheck not found.
========== FILES ==========
File/Folder c:\windows\system32\XDva346.sys not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Kenneth
->Temp folder emptied: 118873307 bytes
->Temporary Internet Files folder emptied: 5613329 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 76939967 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 5354 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 12655199 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15225210 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 219.00 mb


OTM by OldTimer - Version 3.1.12.2 log created on 06302010_225609

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_494.dat not found!

Registry entries deleted on Reboot...










DDS (Ver_10-03-17.01) - NTFSx86
Run by Kenneth at 23:02:26.09 on Wed 06/30/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1131 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Logitech Vid\vid.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Logitech\Logitech Vid\LU\LULnchr.exe
C:\Program Files\Logitech\Logitech Vid\LU\LogitechUpdate.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kenneth\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\kenneth\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [ASUS Update Checker] c:\program files\asus\asusupdate\updatechecker\UpdateChecker.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDow ... ab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/sho ... wflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenneth\applic~1\mozilla\firefox\profiles\76asb9c3.default\
FF - plugin: c:\documents and settings\kenneth\application data\mozilla\firefox\profiles\76asb9c3.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\kenneth\application data\mozilla\firefox\profiles\76asb9c3.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\kenneth\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-18 11448]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-29 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-29 95872]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
R2 ATIWebPAM;ATI WebPAM;c:\program files\ati\webpam\jetty\extra\win32\Wrapper.exe [2010-3-27 110592]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-29 810120]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-6-18 1691480]
S3 se32;EnTech softEngine;c:\windows\system32\drivers\se32.sys [2007-5-3 12112]

=============== Created Last 30 ================

2010-07-01 02:56:09 0 d-----w- C:\_OTM
2010-06-26 16:02:04 0 d-----w- c:\program files\Sun
2010-06-26 16:01:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-26 16:01:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-26 14:48:38 77312 ----a-w- C:\mbr.exe
2010-06-25 04:17:03 0 d-----w- c:\program files\iPod
2010-06-25 04:17:00 0 d-----w- c:\program files\iTunes
2010-06-25 04:10:18 0 d-----w- c:\program files\Bonjour
2010-06-21 14:01:10 0 d-----w- c:\program files\Trend Micro
2010-06-21 03:01:19 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-06-21 02:58:35 0 d-----w- c:\windows\SHELLNEW
2010-06-21 02:48:45 0 d-----w- c:\program files\CCleaner
2010-06-21 02:45:25 0 d-----w- c:\program files\AIM
2010-06-21 02:45:24 0 d-----w- c:\program files\common files\Software Update Utility
2010-06-20 23:14:11 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-20 23:14:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-20 21:35:08 0 d-----w- c:\program files\ESET
2010-06-20 17:40:46 0 d-----w- c:\docume~1\kenneth\applic~1\Malwarebytes
2010-06-20 17:40:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 17:40:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-20 17:40:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-20 17:40:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-19 00:00:53 1048576 ----a-w- c:\windows\M2N68-AM-Plus-1702.ROM
2010-06-18 23:27:05 888320 ----a-r- c:\windows\system32\fdco1ins.dll
2010-06-18 23:27:05 888320 ----a-r- c:\windows\system32\fdco1.dll
2010-06-18 23:27:05 66688 ----a-r- c:\windows\system32\drivers\NVENETFD.sys
2010-06-18 23:27:03 7090 ----a-w- c:\windows\system32\nvnrm.nvu
2010-06-18 23:27:02 207872 ----a-r- c:\windows\system32\drivers\nvnrm.sys
2010-06-18 23:27:02 151552 ----a-r- c:\windows\system32\nvconrm.dll
2010-06-18 23:27:02 13824 ----a-r- c:\windows\system32\drivers\nvnetbus.sys
2010-06-18 23:27:02 11264 ----a-r- c:\windows\system32\bdco1ins.dll
2010-06-18 23:27:02 11264 ----a-r- c:\windows\system32\bdco1.dll
2010-06-18 19:20:45 0 d-----w- c:\program files\ATI Technologies
2010-06-18 12:31:47 562989 ----a-w- c:\windows\M2N68-AM-Plus-1702.zip
2010-06-18 12:30:12 11448 ----a-r- c:\windows\system32\drivers\AsUpIO.sys
2010-06-18 12:30:11 24576 ----a-r- c:\windows\system32\AsIO.dll
2010-06-18 12:30:11 11296 ----a-r- c:\windows\system32\drivers\AsIO.sys
2010-06-18 12:30:07 0 d-----w- c:\program files\ASUS
2010-06-18 11:38:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-06-18 11:37:49 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-06-18 11:35:26 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-06-18 11:33:32 359016 ----a-w- c:\windows\vncutil.exe
2010-06-18 11:33:31 52840 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-06-18 11:33:31 129640 ----a-w- c:\windows\RtkAudioService.exe
2010-06-18 11:33:25 1395800 ----a-w- c:\windows\system32\drivers\Monfilt.sys
2010-06-18 11:33:22 1691480 ----a-w- c:\windows\system32\drivers\Ambfilt.sys
2010-06-18 11:32:33 0 d-----w- c:\program files\AMD
2010-06-18 11:32:04 25668 ----a-w- c:\windows\Ascd_log.ini
2010-06-18 11:31:28 5810 ----a-r- c:\windows\system32\drivers\ASACPI.sys
2010-06-18 11:31:24 1769 ----a-w- c:\windows\Language_trs.ini
2010-06-18 11:31:20 19226 ----a-w- c:\windows\Ascd_tmp.ini
2010-06-18 11:31:20 10296 ----a-w- c:\windows\system32\drivers\ASUSHWIO.SYS
2010-06-17 14:40:17 0 d-----w- c:\program files\Microsoft
2010-06-17 14:40:00 0 d-----w- c:\program files\Windows Live SkyDrive
2010-06-16 16:29:05 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-06-16 16:29:05 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-16 16:23:23 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-11 07:07:52 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-06-08 16:28:14 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-06-08 13:08:09 0 d-----w- c:\documents and settings\kenneth\Tracing
2010-06-08 12:45:10 0 d-----w- c:\program files\common files\Windows Live
2010-06-07 21:34:52 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-07 21:34:42 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-07 21:34:42 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 21:34:42 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-07 21:34:40 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-07 21:34:40 145000 ----a-w- c:\windows\system32\nvcolor.exe

==================== Find3M ====================

2010-07-01 02:57:39 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-01 02:57:37 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-26 12:36:01 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-06-21 01:12:15 217388 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-21 01:12:11 217388 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-08 21:16:38 84584 ----a-w- c:\windows\SOUNDMAN.EXE
2010-06-08 21:16:38 1833576 ----a-w- c:\windows\SkyTel.exe
2010-06-08 21:16:32 9721960 ----a-w- c:\windows\RTLCPL.EXE
2010-06-08 21:16:32 1489512 ----a-w- c:\windows\RtlUpd.exe
2010-06-08 21:16:26 6056040 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-06-08 21:16:20 19552872 ----a-w- c:\windows\RTHDCPL.EXE
2010-06-08 21:16:14 2180712 ----a-w- c:\windows\MicCal.exe
2010-06-08 21:16:08 64104 ----a-w- c:\windows\ALCMTR.EXE
2010-06-08 21:16:08 2815592 ----a-w- c:\windows\ALCWZRD.EXE
2010-06-07 23:57:00 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-07 23:57:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-07 23:57:00 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57:00 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57:00 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57:00 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-07 23:57:00 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-07 23:57:00 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57:00 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 23:57:00 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 23:57:00 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-02 08:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-28 16:58:26 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-26 15:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 15:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 22:45:24 1251872 ----a-w- c:\windows\RtlExUpd.dll
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd(2).dll
2010-04-17 02:12:18 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-16 15:36:49 662016 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 15:36:45 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-16 12:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-05 15:28:15 77365 ----a-w- c:\windows\War3Unin.dat

============= FINISH: 23:03:01.48 ===============
splatified
Active Member
 
Posts: 10
Joined: June 21st, 2010, 10:35 am

Re: Browser keeps getting redirected

Unread postby melboy » July 1st, 2010, 5:35 pm

Hi

Looks good.


OTM by OldTimer

This should still be on your Desktop.

  • Double-click OTM .exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself



Your log now appears to be clean.
This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


Your computer was infected with a ROOTKIT. In particular, the TDL3 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

What are rootkits from Wikipedia

How do I respond to a possible identity theft and how do I prevent it

==================

Windows XP Service Pack 3 is missing
You should take care of this as soon as possible, since your computer will be very vulnerable without it.
Support for Windows XP with Service Pack 2 (SP2) will end on July 13, 2010
viewtopic.php?p=514344#p514344

==================

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.


Clear Infected System Restore Points

  • Turn System Restore off
  • On the Desktop, right click on the My Computer icon.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
    Restart your computer
    -
  • Turn System Restore on
  • On the Desktop, right click on the My Computer icon.
  • Click Properties.
  • Click the System Restore tab.
  • Uncheck Turn off System Restore on all drives.
  • Click Apply
  • Click each drive in turn where system restore is not required and click Settings
    Note: System restore is only needed on drives with an operating system installed
  • For each drive without an operating system, check Turn off system restore on this drive, click Yes then click OK.
Note: only do this once, and not on a regular basis


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7
    Internet Explorer6


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

    [Please note that trial pay is not needed to get any product for free.]



Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Browser keeps getting redirected

Unread postby jmw3 » July 4th, 2010, 8:08 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 274 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware