
Thread: Getting redirected frequently

  1. #1
    Junior Member
    Join Date
    Sep 2012
    Posts
    14

    Default Getting redirected frequently

    My computer has been redirecting me lately, mainly when I Google things. I tried running MBAM, but it always hangs at and never fully completes. Below is my DDS log, and attached is the Attach log.

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Owner at 21:12:25.99 on Tue 09/18/2012
    Internet Explorer: 9.0.8112.16421
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3071.2017 [GMT -5:00]
    .
    AV: Webroot AntiVirus with AntiSpyware *Enabled/Updated* {3A033352-45FD-579C-DF47-2D2DA7A56A3D}
    SP: Webroot AntiVirus with AntiSpyware *Enabled/Updated* {8162D2B6-63C7-5812-E5F7-165FDC222080}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe
    C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\Owner\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Owner\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.att.net/
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1700
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1700
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
    BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uRun: [Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
    uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe"
    uRun: [googletalk] "c:\users\owner\appdata\roaming\google\google talk\googletalk.exe" /autostart
    uRun: [Google Update] "c:\users\owner\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
    mRun: [Acer Empowering Technology Monitor] "c:\program files\acer\empowering technology\SysMonitor.exe"
    mRun: [eDataSecurity Loader] "c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe"
    mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
    mRun: [Skytel] "Skytel.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Philips Device Listener] "c:\program files\philips\philips songbird resources\autolauncher\PhilipsDeviceListener.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MRT] "c:\windows\system32\MRT.exe" /R
    mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
    R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2009-1-18 269448]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-18 24576]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-13 4048240]
    R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-2-23 1180976]
    R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2009-1-18 338432]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 250568]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-8-17 40776]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    .
    =============== Created Last 30 ================
    .
    2012-09-19 01:57:42 -------- d-----w- c:\windows\system32\MpEngineStore
    2012-09-18 13:39:01 7022536 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{bbca113c-0e05-44e9-bdae-f9bc06e848d9}\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2012-08-29 16:19:45 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-29 16:19:45 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-04 14:02:46 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2006-05-31 13:24:34 2248984 ----a-w- c:\program files\dsetup32.dll
    2006-05-31 13:23:38 484632 ----a-w- c:\program files\DXSETUP.exe
    2006-05-31 13:22:50 74520 ----a-w- c:\program files\DSETUP.dll
    .
    ============= FINISH: 21:14:54.95 ===============
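
As an added example (not part of the post above, and not code from the DDS tool), here is a small Python triage script for the "Pseudo HJT Report" section of a log like this one. It parses the BHO/TB (browser helper objects and toolbars) and uRun/mRun (per-user and machine autorun) lines, pulls out the CLSID where there is one and the image path, and flags two things a reviewer looks for first when a browser is being redirected: an image that lives outside Program Files or Windows, and an autorun given as a bare filename, which is resolved through PATH at logon. A flag is a prompt to check the file's publisher, signature and hash, not a verdict; legitimate per-user installs such as Google Talk trigger it too. The sample input is constructed from lines of the log above plus one hypothetical BHO (`fake.dll` under the user's temp folder) that is not on the page.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example: not code from the forum post or from the DDS tool.  It parses
BHO/TB (browser helper objects, toolbars) and uRun/mRun (per-user / machine
autoruns) lines, pulls out the CLSID where present and the image path, and
flags images that do not live under Program Files or Windows, or that are
given as a bare filename and so are resolved via PATH at logon.  A flag means
'check this file's publisher, signature and hash', not 'this is malware':
legitimate per-user installs (Google Talk, Google Update) trigger it too.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Locations a machine-wide install normally lands in (32-bit Vista, as in the log).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

BHO_RE = re.compile(r"^(BHO|TB): (.+?): \{([0-9a-fA-F-]+)\} - (.+)$")
RUN_RE = re.compile(r'^(uRun|mRun): \[(.+?)\] (?:"([^"]+)"|(\S+))')

# Constructed sample: lines copied from the DDS log posted above, plus one
# hypothetical BHO ('fake.dll', not on the page) to exercise the temp-folder case.
SAMPLE_LOG = r"""
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [googletalk] "c:\users\owner\appdata\roaming\google\google talk\googletalk.exe" /autostart
mRun: [Skytel] "Skytel.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
BHO: Hypothetical Helper: {00000000-0000-0000-0000-000000000000} - c:\users\owner\appdata\local\temp\fake.dll
"""


@dataclass
class Entry:
    kind: str                 # BHO, TB, uRun or mRun
    name: str                 # display name or Run value name
    clsid: Optional[str]      # COM class id for BHO/TB, None for Run entries
    image: Optional[str]      # image path as written in the log, lower-cased
    flags: List[str] = field(default_factory=list)


def _check_image(entry: Entry) -> None:
    """Attach triage flags based only on where the image is loaded from."""
    img = entry.image
    if not img:
        entry.flags.append("no image path parsed")
    elif "\\" not in img:
        entry.flags.append("bare filename, resolved via PATH at logon")
    elif not img.startswith(TRUSTED_ROOTS):
        entry.flags.append("image outside Program Files/Windows: " + img.rsplit("\\", 1)[0])


def parse_hjt(text: str) -> List[Entry]:
    """Return one Entry per BHO/TB/uRun/mRun line, with triage flags filled in."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            entry = Entry(kind, name, clsid.lower(), path.strip().lower())
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            kind, name, quoted, bare = m.groups()
            entry = Entry(kind, name, None, (quoted or bare).lower())
        _check_image(entry)
        entries.append(entry)
    return entries


def flagged(text: str) -> Dict[str, List[str]]:
    """Map entry name -> flags, for entries that have at least one flag."""
    return {e.name: e.flags for e in parse_hjt(text) if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(flags)}")
```

Run against the sample, the Yahoo!/att.net toolbar, MRT and NvCplDaemon entries come back clean, while the Partner BHO (loaded from c:\programdata), the per-user Google Talk autorun, the bare `Skytel.exe` autorun and the hypothetical temp-folder BHO are each flagged with the reason. Two things the script deliberately does not do: it does not judge the DLL passed as an argument to rundll32.exe (only the host image is checked), and it does not look up CLSIDs, so the next step for any flagged entry is still to hash the file and check who signed it.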

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default




    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs on Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR.

I need to see the aswMBR also, please.

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

Still with me?

  4. #4
    Junior Member
    Join Date
    Sep 2012
    Posts
    14

    Default

    Yes, sorry for the wait. I'm not sure this scan completed. Nothing came up saying it did, and it wasn't doing anything.

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-25 17:00:05
    -----------------------------
    17:00:05.428 OS Version: Windows 6.0.6002 Service Pack 2
    17:00:05.429 Number of processors: 2 586 0xF0D
    17:00:05.430 ComputerName: OWNER-PC UserName: Owner
    17:00:25.799 Initialize success
    17:04:13.889 AVAST engine defs: 12092501
    17:04:42.223 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
    17:04:42.226 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
    17:04:42.243 Disk 0 MBR read successfully
    17:04:42.247 Disk 0 MBR scan
    17:04:42.306 Disk 0 unknown MBR code
    17:04:42.326 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 16384 MB offset 2048
    17:04:42.377 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142492 MB offset 33556480
    17:04:42.407 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 146365 MB offset 325380132
    17:04:42.423 Disk 0 scanning sectors +625137345
    17:04:42.533 Disk 0 scanning C:\Windows\system32\drivers
    17:05:03.595 Service scanning
    17:05:35.926 Modules scanning
    17:05:47.946 Disk 0 trace - called modules:
    17:05:48.320 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    17:05:48.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865a3aa0]
    17:05:48.336 3 CLASSPNP.SYS[82fb38b3] -> nt!IofCallDriver -> [0x85d73700]
    17:05:48.344 5 acpi.sys[8069f6bc] -> nt!IofCallDriver -> \Device\0000005d[0x85934c90]
    17:05:49.819 AVAST engine scan C:\Windows
    17:05:56.619 AVAST engine scan C:\Windows\system32
    17:11:25.756 AVAST engine scan C:\Windows\system32\drivers
    17:11:49.572 AVAST engine scan C:\Users\Owner
    17:18:35.483 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
    17:18:35.499 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"
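
As an added example (not part of the post above, and not code from aswMBR), here is a Python check over the lines this log does contain. It reads the disk size, the "unknown MBR code" line and the three "Partition" lines, converts the printed MB figures back to 512-byte sectors, and reports the active partition, any overlap, unallocated space between or after partitions, and whether the bootstrap code was recognised. Because aswMBR prints sizes in whole MB, each printed figure can hide up to 2047 sectors, and the checks allow that much per figure so rounding does not show up as a finding. The second sample is a hypothetical variant (not from the page) with partition 3 shrunk by 65 MB, to show what unallocated trailing space looks like.

```python
"""Sanity-check the partition table and MBR result that aswMBR prints.

Added example: not part of aswMBR or of the forum post.  It parses the
'Disk N Vendor ... Size', 'unknown MBR code' and 'Disk N Partition ...' lines,
converts the printed MB figures back to 512-byte sectors, and reports the
active partition, any overlap between partitions, unallocated gaps between or
after them, and whether the bootstrap code was recognised.  Sizes are printed
in whole MB, so each printed figure can hide up to 2047 sectors; the checks
allow that much per figure so rounding does not produce findings.
"""
import re
from dataclasses import dataclass
from typing import List

SECTOR = 512
MB_SECTORS = 1024 * 1024 // SECTOR       # 2048 sectors per MB, the unit aswMBR prints

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
PART_RE = re.compile(
    r"Disk (\d+) Partition (\d+) ([0-9a-fA-F]{2}) (\(A\) )?([0-9a-fA-F]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)

# Constructed sample: the relevant lines from the aswMBR log posted above.
SAMPLE = """\
17:04:42.226 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 3
17:04:42.306 Disk 0 unknown MBR code
17:04:42.326 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 16384 MB offset 2048
17:04:42.377 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142492 MB offset 33556480
17:04:42.407 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 146365 MB offset 325380132
"""
# Hypothetical variant (not from the page): partition 3 shrunk by 65 MB, leaving
# unallocated space at the end of the disk.  Unallocated space is where an
# out-of-partition payload would sit; an appended hidden partition would instead
# show up as an extra 'Partition' line with its own type byte and offset.
SAMPLE_TRAILING_SPACE = SAMPLE.replace("146365 MB", "146300 MB")


@dataclass
class Partition:
    index: int
    active: bool          # boot indicator byte is 0x80
    type_id: int          # MBR partition type byte
    description: str
    start: int            # first sector (LBA)
    sectors: int          # size in sectors, from the printed MB figure

    @property
    def end(self) -> int:
        """First sector after the partition."""
        return self.start + self.sectors


@dataclass
class DiskLayout:
    total_sectors: int
    unknown_mbr: bool
    partitions: List[Partition]


def parse_aswmbr(text: str, disk: int = 0) -> DiskLayout:
    """Collect the size, MBR verdict and partition lines for one disk."""
    total, unknown, parts = 0, False, []
    for line in text.splitlines():
        m = SIZE_RE.search(line)
        if m and int(m.group(1)) == disk:
            total = int(m.group(2)) * MB_SECTORS
            continue
        if f"Disk {disk} unknown MBR code" in line:
            unknown = True
            continue
        m = PART_RE.search(line)
        if m and int(m.group(1)) == disk:
            _, idx, boot, _act, ptype, desc, mb, off = m.groups()
            parts.append(Partition(int(idx), boot.lower() == "80", int(ptype, 16),
                                   desc, int(off), int(mb) * MB_SECTORS))
    parts.sort(key=lambda p: p.start)
    return DiskLayout(total, unknown, parts)


def check_layout(layout: DiskLayout) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    if layout.unknown_mbr:
        findings.append("MBR bootstrap not recognised; compare the saved MBR.dat "
                        "with the loader the Windows installer writes")
    active = [p.index for p in layout.partitions if p.active]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {active}")
    prev_end = 0
    for p in layout.partitions:
        # One printed size is involved in each gap, so allow 1 MB of rounding.
        # The 2048-sector gap before partition 1 is the usual alignment gap.
        if p.start + MB_SECTORS < prev_end:
            findings.append(f"partition {p.index} overlaps the previous partition")
        elif p.start - prev_end > MB_SECTORS:
            findings.append(f"{p.start - prev_end} unallocated sectors before partition {p.index}")
        prev_end = p.end
    # Every printed size (each partition plus the disk) may be truncated by <1 MB.
    slack = MB_SECTORS * (len(layout.partitions) + 1)
    trailing = layout.total_sectors - prev_end
    if layout.total_sectors and trailing > slack:
        findings.append(f"{trailing} unallocated sectors ({trailing // MB_SECTORS} MB) "
                        "after the last partition")
    return findings


if __name__ == "__main__":
    for finding in check_layout(parse_aswmbr(SAMPLE)):
        print(finding)
```

On the posted log the layout itself is consistent: partition 1 (the hidden WinRE partition) ends exactly where partition 2 (the active system partition) starts, partition 3 starts 36 sectors after partition 2's rounded end, and the space after partition 3 is within rounding of the disk size. The only finding is the unrecognised bootstrap, which by itself means the MBR code did not match the tool's list of known loaders; OEM loaders produce the same message, so the next step is to compare the saved MBR.dat against the loader Windows writes rather than to treat the line as proof of a bootkit. On the hypothetical shrunk-partition sample the script additionally reports the unallocated tail.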

  5. #5
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

We're going to try to run Malwarebytes in a different way; let's do this.

Go to Start > All Programs > Malwarebytes Antimalware > Tools > Malwarebytes Antimalware Chameleon, and it will take you to this page.


Then click on the first link to run Malwarebytes, and if it won't run, try the next one until one of them runs.

  6. #6
    Junior Member
    Join Date
    Sep 2012
    Posts
    14

    Default

    Sorry I'm taking a while to get this done. I'm working long hours and am posting this from work right now.

    I will get this done within the next few days. Thanks for waiting!

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default


  8. #8
    Junior Member
    Join Date
    Sep 2012
    Posts
    14

    Default

    I will do the Chameleon step tomorrow after work. Thanks again for the patience.

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi,

Just want you to know that it's been over two weeks since your original post. You may have some serious issues going on: Malwarebytes won't run. I was hoping to see if it would run in Chameleon mode to see what it would find, but it's possible that your master boot record is infected with a rogue partition, and this is not nice. Let me know if you want to continue, and if not I will close this thread.

  10. #10
    Junior Member
    Join Date
    Sep 2012
    Posts
    14

    Default

    Small update. Still haven't had time to do the Chameleon step, so I will do that tomorrow since I'm off from work.

Windows did say it removed a trojan after an update. It was the Windows Malicious Software Removal Tool that updated and removed the trojan. Since then, no redirects have occurred and my system has acted pretty normal.

    I haven't tried running MBAM since then either. I may try that first, then move on to Chameleon.
