google redirect problems



Burga
2011-10-21, 20:55
Hello. I've tried numerous software tools and read a bunch of threads regarding Google redirect malware, but I haven't been able to get rid of the problem.

Avast found an infected file, consrv.dll, in the system32 and system64 folders, but couldn't do anything to them.

Spybot found a bunch of malware and deleted it, but consrv.dll wasn't removed, so the problems came back shortly.

A program called eScan also found consrv.dll and renamed the files to consrv.dll.mwt. After this I tried to delete the files again through Avast, but that didn't happen.

That's when I decided to get some help before my father's computer (he requested my assistance) is completely jammed or something. :P
So I'd really appreciate your guidance.

DDS log:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Markku at 20:25:01 on 2011-10-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.358.1035.18.4094.2355 [GMT 3:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\spool\DRIVERS\x64\3\lxedserv.exe
C:\Windows\system32\lxedcoms.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Fujitsu\SystemDiagnostics\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Lexmark S600 Series\lxedmon.exe
C:\Program Files (x86)\Lexmark S600 Series\ezprint.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files (x86)\AVEO USB2.0 PC Camera(U2HGCV3P31048)\AveoSTI.exe
C:\Program Files (x86)\OpenOffice.org 2.3\program\soffice.BIN
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fi/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=FTSA&bmod=EU01
mWinlogon: Userinit=userinit.exe
BHO: Lexmark Työkalurivi: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Lexmark : {d2c5e510-be6d-42cc-9f61-e4f939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
TB: Lexmark Työkalurivi: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - C:\Program Files\Lexmark Toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AveoSTI.exe] C:\Program Files (x86)\AVEO USB2.0 PC Camera(U2HGCV3P31048)\AveoSTI.exe
mRunOnce: [aswAhAScr.dll] "C:\Program Files\Alwil Software\Avast5\aswRegSvr.exe" "C:\Program Files\Alwil Software\Avast5\AhAScr.dll"
StartupFolder: C:\Users\Markku\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\Markku\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\startup\LAUNCH~1.LNK - C:\Program Files (x86)\Fujitsu\LaunchCenter\LaunchCenter.exe
StartupFolder: C:\Users\Markku\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 2.3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
TCP: DhcpNameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{1BADEEA9-F08E-4D19-8403-8FC81F5C4374} : DhcpNameServer = 192.168.254.254 192.168.254.254
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\CoIEPlg.dll
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
{1017A80C-6F09-4548-A84D-EDD6AC9525F0}
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}
{6D53EC84-6AAE-4787-AEEE-F4628F01010C}
{AA58ED58-01DD-4d91-8333-CF10577473F7}
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
{D2C5E510-BE6D-42CC-9F61-E4F939078474}
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
{1017A80C-6F09-4548-A84D-EDD6AC9525F0}
{2318C2B1-4965-11d4-9B18-009027A5CD4F}
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AveoSTI.exe] C:\Program Files (x86)\AVEO USB2.0 PC Camera(U2HGCV3P31048)\AveoSTI.exe
mRunOnce-x64: [aswAhAScr.dll] "C:\Program Files\Alwil Software\Avast5\aswRegSvr.exe" "C:\Program Files\Alwil Software\Avast5\AhAScr.dll"
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/12/30 11:34:04];C:\Program Files (x86)\CyberLink\PowerDVD9\000.fcl [2009-5-7 146928]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-3-23 40384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 lxed_device;lxed_device;C:\Windows\system32\lxedcoms.exe -service --> C:\Windows\system32\lxedcoms.exe -service [?]
R2 lxedCATSCustConnectService;lxedCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxedserv.exe [2010-9-4 45736]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [2009-12-30 117640]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google-päivityspalvelu (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-3 135664]
S3 AVEO;USB2.0 PC Camera;C:\Windows\system32\DRIVERS\AVEOdcnt.sys --> C:\Windows\system32\DRIVERS\AVEOdcnt.sys [?]
S3 gupdatem;Google Päivitä-palvelu (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-3 135664]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windowsin aktivointitekniikoiden palvelu;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-10-21 17:19:40 -------- dc----w- C:\rei
2011-10-21 17:19:33 -------- d-----w- C:\Program Files\Reimage
2011-10-21 16:52:20 -------- d---a-w- C:\Windows\VDLL.DLL
2011-10-21 16:52:20 -------- d---a-w- C:\Windows\SysWow64\runouce.exe
2011-10-21 16:52:20 -------- d---a-w- C:\Windows\rundll16.exe
2011-10-21 16:52:20 -------- d---a-w- C:\Windows\RUNDL132.EXE
2011-10-21 16:52:20 -------- d---a-w- C:\Windows\logo1_.exe
2011-10-21 16:52:20 -------- d---a-w- C:\Windows\logo_1.exe
2011-10-21 16:51:16 632064 ----a-w- C:\Windows\SysWow64\msvcr80.dll
2011-10-21 16:51:15 554240 ----a-w- C:\Windows\SysWow64\msvcp80.dll
2011-10-21 16:51:14 34048 ----a-w- C:\Windows\SysWow64\eEmpty.exe
2011-10-21 16:51:07 -------- d-----w- C:\Program Files (x86)\Common Files\MicroWorld
2011-10-21 16:50:58 -------- d-----w- C:\ProgramData\MicroWorld
2011-10-21 16:08:50 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-10-21 16:08:48 41184 ----a-w- C:\Windows\avastSS.scr
2011-10-21 15:23:55 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-10-21 15:23:55 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-10-21 14:00:12 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B829E256-AAA6-45C6-8C46-8EB03B320699}\offreg.dll
2011-10-21 14:00:11 8570192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B829E256-AAA6-45C6-8C46-8EB03B320699}\mpengine.dll
2011-10-17 17:07:53 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2011-10-16 11:31:22 -------- d-----w- C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-15 08:21:40 -------- d-----w- C:\Windows\System32\SPReview
2011-10-15 08:20:38 -------- d-----w- C:\Windows\System32\EventProviders
2011-10-12 15:52:37 75776 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-09-25 07:22:07 -------- d-----w- C:\Users\Markku\AppData\Local\PackageAware
.
==================== Find3M ====================
.
2011-10-15 08:30:09 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-10-15 08:30:09 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-09-06 03:03:17 3138048 ----a-w- C:\Windows\System32\win32k.sys
2011-08-27 05:37:49 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2011-08-27 05:37:48 331776 ----a-w- C:\Windows\System32\oleacc.dll
2011-08-27 04:26:27 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-08-27 04:26:27 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-08-20 05:37:58 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-08-20 04:31:05 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-08-17 05:26:46 613888 ----a-w- C:\Windows\System32\psisdecd.dll
2011-08-17 05:25:08 108032 ----a-w- C:\Windows\System32\psisrndr.ax
2011-08-17 04:24:12 465408 ----a-w- C:\Windows\SysWow64\psisdecd.dll
.
============= FINISH: 20:31:59,34 ===============
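
As an added example (not code from the thread, from DDS, or from any tool mentioned in it), a small Python check that reads the csrss.exe line DDS prints in its Pseudo HJT Report and flags any ServerDll module other than the stock basesrv/winsrv pair. The sample line is constructed to mirror the one in the log above, where consrv is registered for console initialization; the expected module set is an assumption about the Windows 7 defaults and should be validated against a known-clean machine.

```python
import re

# Constructed sample lines in the format DDS prints for the csrss command line.
# SUSPECT_LINE mirrors the thread's log (consrv registered as the console ServerDll);
# CLEAN_LINE is the same line with winsrv in that slot, for comparison.
SUSPECT_LINE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)
CLEAN_LINE = SUSPECT_LINE.replace(
    "consrv:ConServerDllInitialization", "winsrv:ConServerDllInitialization"
)

# Assumption: modules the stock Windows 7 csrss "Windows SubSystems" value loads.
# Compare against a known-clean machine of the same Windows version before relying on it.
EXPECTED_SERVERDLLS = {"basesrv", "winsrv"}

# ServerDll=<module>[:<entry point>],<index>
SERVERDLL_RE = re.compile(
    r"ServerDll=(?P<module>[^:,\s]+)(?::(?P<entry>\w+))?,(?P<index>\d+)"
)


def find_csrss_line(log_text):
    """Return the first line of a DDS log that carries the csrss.exe command line, or None."""
    for line in log_text.splitlines():
        if "csrss.exe" in line.lower() and "ServerDll=" in line:
            return line
    return None


def parse_serverdlls(csrss_line):
    """Return (module, entry_point, index) tuples for every ServerDll= entry."""
    return [
        (m.group("module").lower(), m.group("entry"), int(m.group("index")))
        for m in SERVERDLL_RE.finditer(csrss_line)
    ]


def unexpected_serverdlls(csrss_line, expected=EXPECTED_SERVERDLLS):
    """Module names registered as csrss server DLLs that are not in the expected set."""
    return [mod for mod, _, _ in parse_serverdlls(csrss_line) if mod not in expected]


if __name__ == "__main__":
    for label, line in (("suspect", SUSPECT_LINE), ("clean", CLEAN_LINE)):
        print(label, "->", unexpected_serverdlls(line) or "no unexpected ServerDll")
```

A hit means a module other than the stock pair is loaded into csrss at boot, which is the kind of entry a helper reviewing the log would want to inspect rather than a verdict on its own.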

ken545
2011-10-24, 00:18


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


You have two antivirus programs, Norton and Avast. You only need one; more than one is overkill and will severely hamper system performance. Your call, but one needs to be uninstalled via Programs and Features in the Control Panel.



Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.
http://public.avast.com/~gmerek/aswMBR2.png

ken545
2011-10-28, 13:02
Due to inactivity, this thread will now be closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.