Google redirect (DDS included)



mark1eo
2011-06-25, 09:35
Hi guys i keep getting redirected when using any search engine.

Let me know what information you require to help.





.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_25
Run by HOME at 16:31:06 on 2011-06-25
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.61.1033.18.8175.7161 [GMT 10:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\viakaraokesrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
F:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\HOME\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\HOME\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Users\HOME\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HOME\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe,
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
uRun: [SmartRAM] "F:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
uRun: [EPSON TX550W Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFIP.EXE /FU "D:\temp\E_S2599.tmp" /EF "HKCU"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://qaccess.qantas.com.au/aussyd13/dwa7W.cab
TCP: Interfaces\{9611E342-2175-48BF-B455-4A737775D0BB} : NameServer = 61.9.134.49,61.9.133.193
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\HOME\AppData\Roaming\Mozilla\Firefox\Profiles\kt5skon0.default\
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\HOME\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-6-5 366640]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-4-29 2218600]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-4-7 378472]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-4-12 2656280]
R2 VIAKaraokeService;VIA Karaoke digital mixer Service;C:\Windows\system32\viakaraokesrv.exe --> C:\Windows\system32\viakaraokesrv.exe [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-7 136176]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-6-5 1153368]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-7 136176]
S3 npusbio;npusbio;C:\Windows\system32\Drivers\npusbio_x64.sys --> C:\Windows\system32\Drivers\npusbio_x64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-06-17 13:00:21 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2011-06-17 12:58:04 -------- d-----w- C:\Users\HOME\AppData\Local\LogMeIn Hamachi
2011-06-17 12:42:39 -------- d-----w- C:\Users\HOME\AppData\Roaming\PFStaticIP
2011-06-17 12:40:48 -------- d-----w- C:\Program Files (x86)\PFStaticIP
2011-06-17 11:50:11 -------- d-----w- C:\Users\HOME\AppData\Local\Western Digital
2011-06-17 10:01:57 205824 ----a-w- C:\Windows\patchw32.dll
2011-06-17 10:01:11 205824 ----a-w- C:\Windows\pw32a.dll
2011-06-17 10:01:10 28 ----a-w- C:\Windows\SysWow64\copytowin.bat
2011-06-17 10:01:10 205824 ----a-w- C:\Windows\SysWow64\pw32a.dll
2011-06-07 06:39:54 -------- d-----w- C:\Windows\pss
2011-06-07 06:33:08 32136 ----a-w- C:\Windows\System32\SmartDefragBootTime.exe
2011-06-07 06:33:08 18232 ----a-w- C:\Windows\System32\drivers\SmartDefragDriver.sys
2011-06-05 10:04:21 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-06-05 10:04:21 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-06-05 07:05:27 -------- d-----w- C:\Users\HOME\AppData\Roaming\TS3Client
2011-06-05 06:59:12 -------- d-----w- C:\Program Files\TeamSpeak 3 Client
2011-06-05 06:06:14 -------- d-----w- C:\Users\HOME\AppData\Local\Deployment
2011-06-05 06:06:14 -------- d-----w- C:\Users\HOME\AppData\Local\Apps
2011-06-05 05:33:11 -------- d-----w- C:\Users\HOME\AppData\Roaming\Malwarebytes
2011-06-05 05:33:06 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-05 05:33:05 -------- d-----w- C:\ProgramData\Malwarebytes
2011-06-05 05:33:03 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-05 05:33:02 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-06-04 07:42:48 49752 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-06-04 07:37:18 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-06-04 07:05:54 -------- d-----w- C:\Users\HOME\AppData\Roaming\Adware Alert
2011-06-04 04:37:54 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-06-04 04:37:48 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-06-04 04:37:48 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-06-04 04:37:13 31232 ----a-w- C:\Windows\SysWow64\prevhost.exe
2011-06-04 04:37:13 31232 ----a-w- C:\Windows\System32\prevhost.exe
2011-06-04 04:37:06 2871808 ----a-w- C:\Windows\explorer.exe
2011-06-04 04:37:06 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2011-06-04 04:37:00 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-06-04 04:37:00 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-06-04 04:36:51 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-06-04 04:36:51 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-06-04 04:36:51 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2011-06-04 04:36:51 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2011-06-04 04:36:51 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-06-04 04:36:26 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-06-04 04:36:26 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2011-06-03 06:48:44 135168 --sha-r- C:\Windows\SysWow64\msxml4G.dll
2011-05-31 23:07:29 8718160 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{513A8BEB-B3FA-4AA3-9620-8DF8A7B074E1}\mpengine.dll
.
==================== Find3M ====================
.
2011-06-04 04:37:39 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2011-06-04 04:37:39 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2011-05-28 03:30:09 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 03:06:58 3135488 ----a-w- C:\Windows\System32\win32k.sys
2011-05-28 02:53:58 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-13 08:14:55 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-05-08 13:17:48 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-05-03 05:29:29 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-05-03 04:30:02 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:40:40 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-27 02:39:40 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-27 02:39:37 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-25 05:33:51 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-04-25 02:34:03 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-04-22 22:08:29 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-04-22 19:10:01 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-04-15 01:42:32 98304 ----a-w- C:\Windows\system32CmdLineExt.dll
2011-04-12 12:32:33 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-04-12 12:32:33 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-04-09 07:02:55 5562240 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:02:25 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2011-04-07 13:19:38 117864 ----a-w- C:\Windows\System32\nvmctray.dll
2011-04-07 13:19:36 797288 ----a-w- C:\Windows\System32\easyUpdatusAPIU64.dll
2011-04-07 13:19:36 61032 ----a-w- C:\Windows\System32\nvshext.dll
2011-04-07 13:19:36 1012328 ----a-w- C:\Windows\System32\nvvsvc.exe
2011-04-07 13:19:26 6338152 ----a-w- C:\Windows\System32\nvcpl.dll
2011-04-07 13:19:08 3041384 ----a-w- C:\Windows\System32\nvsvc64.dll
.
============= FINISH: 16:31:37.84 ===============

Blottedisk
2011-06-26, 21:14
Hi mark1eo,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Subscribe to this Thread (then choose Instant Notification by email). If the button says Unsubscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Please follow these steps in order:


Step 1 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Click the image to enlarge it

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).

Step 2 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it


Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe ) to your desktop.
Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

mark1eo
2011-06-27, 12:08
Hey, I've done step one above; here are steps 2 and 3 in a zip folder :) Thanks for your assistance.

Blottedisk
2011-06-27, 17:55
Hi there,


Step 1 is GMER. I can't seem to find where you submitted the log?

mark1eo
2011-06-28, 09:53
Sorry for that, here is step one.

Blottedisk
2011-06-28, 15:29
No probs :)

Please use the instructions on this page to change your DNS servers to use OpenDNS:

OpenDNS Instructions for Win7 (https://store.opendns.com/setup/device/windows-7/print)

After this, flush the DNS cache and web browser cache as recommended.


When finished, please download Combofix from either of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html )
--------------------------------------------------------------------

Right-click and choose "Run as administrator" on Combofix.exe & follow the prompts. When finished, it will produce a report for you.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

mark1eo
2011-06-29, 11:49
Here you are

Blottedisk
2011-06-29, 23:08
Please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com )

Click on Browse, and upload the following file for analysis:

C:\Windows\SysWow64\msxml4G.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

mark1eo
2011-07-02, 11:21
Hey, in my Windows folder I only have msxml4r.dll so that's what I scanned. Hope it's ok?

Antivirus Version Last Update Result
AhnLab-V3 2011.07.02.00 2011.07.01 -
AntiVir 7.11.10.197 2011.07.01 -
Antiy-AVL 2.0.3.7 2011.07.02 -
Avast 4.8.1351.0 2011.07.01 -
Avast5 5.0.677.0 2011.07.01 -
AVG 10.0.0.1190 2011.07.01 -
BitDefender 7.2 2011.07.02 -
CAT-QuickHeal 11.00 2011.07.02 -
ClamAV 0.97.0.0 2011.07.02 -
Commtouch 5.3.2.6 2011.07.02 -
Comodo 9250 2011.07.02 -
DrWeb 5.0.2.03300 2011.07.02 -
eSafe 7.0.17.0 2011.06.29 -
eTrust-Vet 36.1.8421 2011.07.01 -
F-Prot 4.6.2.117 2011.07.01 -
F-Secure 9.0.16440.0 2011.07.02 -
Fortinet 4.2.257.0 2011.07.02 -
GData 22 2011.07.02 -
Ikarus T3.1.1.104.0 2011.07.02 -
Jiangmin 13.0.900 2011.07.01 -
K7AntiVirus 9.107.4863 2011.07.01 -
Kaspersky 9.0.0.837 2011.07.02 -
McAfee 5.400.0.1158 2011.07.02 -
McAfee-GW-Edition 2010.1D 2011.07.02 -
Microsoft 1.7000 2011.07.02 -
NOD32 6258 2011.07.02 -
Norman 6.07.10 2011.07.01 -
nProtect 2011-07-01.01 2011.07.01 -
Panda 10.0.3.5 2011.07.01 -
PCTools 8.0.0.5 2011.07.01 -
Prevx 3.0 2011.07.02 -
Rising 23.64.04.03 2011.07.01 -
Sophos 4.67.0 2011.07.02 -
SUPERAntiSpyware 4.40.0.1006 2011.07.02 -
Symantec 20111.1.0.186 2011.07.02 -
TheHacker 6.7.0.1.246 2011.07.01 -
TrendMicro 9.200.0.1012 2011.07.02 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.02 -
VBA32 3.12.16.4 2011.07.01 -
VIPRE 9746 2011.07.02 -
ViRobot 2011.7.2.4545 2011.07.02 -
VirusBuster 14.0.105.2 2011.07.01 -

Blottedisk
2011-07-02, 15:46
It's ok.

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update has been completed, select the Scanner tab.
Select Perform Quick scan, then click on Scan
When done, you will be prompted. Click OK. If Items are found, then click on Show Results
Check all items then click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply.

The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.

mark1eo
2011-07-04, 12:23
MBAM log

Blottedisk
2011-07-04, 15:50
ComboFix - CFScript

WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:


DDS::
TCP: Interfaces\{9611E342-2175-48BF-B455-4A737775D0BB} : NameServer = 61.9.134.49,61.9.133.193

Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif

This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **
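The CFScript above removes one line of the DDS "Pseudo HJT Report": the per-interface NameServer entry. The following is an added Python example, not part of this thread and not code from the DDS or ComboFix tools. It parses the same kind of Pseudo HJT lines (copied from the DDS log posted earlier, embedded here as a constructed sample) and pulls out the three things a helper reading that report reacts to: static DNS resolvers set on a network interface, Hosts file overrides, and UAC policy values that are switched off. The "trusted resolver" list is an assumption for illustration (it holds the OpenDNS addresses, since the helper moved the user to OpenDNS); in practice it is whatever resolvers the machine is expected to use. The example does not judge whether a given resolver address is malicious, only whether it matches that list.

```python
"""Triage the Pseudo HJT section of a DDS log: resolver, hosts and UAC settings."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS log posted earlier in this thread.
SAMPLE_DDS = """\
mWinlogon: Userinit=userinit.exe,
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: Interfaces\\{9611E342-2175-48BF-B455-4A737775D0BB} : NameServer = 61.9.134.49,61.9.133.193
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumption for illustration: the resolvers this machine is expected to use
# (OpenDNS, which the helper in the thread recommends). Replace with your own list.
TRUSTED_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

TCP_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}) : NameServer = (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")

# UAC values where 0 means the protection is off (documented Windows semantics).
UAC_CHECKS = {
    "EnableLUA": (1, "UAC is disabled (EnableLUA=0)"),
    "PromptOnSecureDesktop": (1, "elevation prompts are not shown on the secure desktop"),
}


@dataclass
class Findings:
    nameservers: dict = field(default_factory=dict)  # interface GUID -> list of IPs
    hosts: list = field(default_factory=list)        # (ip, hostname) pairs
    policies: dict = field(default_factory=dict)     # mPolicies-system name -> int


def parse_dds(text: str) -> Findings:
    """Extract resolver, hosts and policy lines from Pseudo HJT report text."""
    found = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if m := TCP_RE.match(line):
            found.nameservers[m.group(1)] = [ip.strip() for ip in m.group(2).split(",")]
        elif m := HOSTS_RE.match(line):
            found.hosts.append((m.group(1), m.group(2)))
        elif m := POLICY_RE.match(line):
            found.policies[m.group(1)] = int(m.group(2))
    return found


def review(found: Findings, trusted=TRUSTED_RESOLVERS) -> list:
    """Return human-readable flags for settings a helper would want to look at."""
    flags = []
    for guid, ips in found.nameservers.items():
        unknown = [ip for ip in ips if ip not in trusted]
        if unknown:
            flags.append(f"static DNS on {guid}: {', '.join(unknown)} not in the trusted resolver list")
    for ip, host in found.hosts:
        if ip in ("127.0.0.1", "0.0.0.0", "::1"):
            flags.append(f"hosts file sends {host} to {ip}: that site is unreachable from this machine")
        else:
            flags.append(f"hosts file pins {host} to {ip}: DNS is bypassed for that name")
    for name, (expected, message) in UAC_CHECKS.items():
        if name in found.policies and found.policies[name] != expected:
            flags.append(message)
    if found.policies.get("ConsentPromptBehaviorAdmin") == 0:
        flags.append("administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0)")
    return flags


if __name__ == "__main__":
    for flag in review(parse_dds(SAMPLE_DDS)):
        print("REVIEW:", flag)
```

Run against the sample, the script reports the NameServer pair (because they are not in the assumed trusted list), the Hosts entry that sends www.spywareinfo.com to loopback, and the three UAC values that are off. Removing the NameServer value, as the CFScript does, lets the interface fall back to DHCP-assigned or manually configured resolvers; the other flags are left for the reader to act on, since the thread does not address them.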

mark1eo
2011-07-07, 15:07
Log file from ComboFix

mark1eo
2011-07-07, 15:08
Whoops, here is the attachment.

Blottedisk
2011-07-09, 08:22
Hi there,


How's the machine working? Any redirects?

mark1eo
2011-07-09, 08:59
Hey, thank you heaps for your help, no more redirects so far :) Much appreciated.

Blottedisk
2011-07-11, 03:49
You are welcome ;)


Please follow this last set of instructions:


Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.

Step 2 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )

Scroll down to where it says "JDK 6 Update 26 with Java EE".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and Applets
Trace and Log Files
Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

Step 3 | I notice you do not have an Antivirus; to clean you without one would be a waste of time as you will get re-infected. We should cure that first. Choose, download and install only ONE of the following applications:



Avast - http://www.avast.com/eng/download-avast-home.html (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.avast.com%2Feng%2Fdownload-avast-home.html )
AVG - http://free.avg.com/ (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Ffree.avg.com%2F )
Antivir - http://www.free-av.com/ (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.free-av.com%2F )


Step 4 | I don't see any evidence of a 3rd Party Firewall installed on your computer. If you have one installed, make sure it's functioning properly. As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders.

If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:

Comodo (http://personalfirewall.comodo.com/download_firewall.html ) (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
Online Armor Free (http://www.tallemu.com/downloads.php ) (Free version at bottom of page (XP/Vista/W7 (32bit).) 64bit version not available yet. Some reported conflicts with Avira AntiVir.
ZoneAlarm (http://download.cnet.com/ZoneAlarm/3000-10435_4-10039884.html ) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
Ashampoo (http://www.download.com/Ashampoo-FireWall/3000-10435_4-10575187.html )

Last Step | Now, in order to avoid future infections, please take time to read the following article:

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279 )

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :)