PDA

View Full Version : Google search result redirect



crazyapple92
2012-03-05, 05:16
When I google something it works just fine, when I got to open the link google provides it redirects me to various sites. If I stay on these sights for more than a second or two they download some BS Anti Virus program that disables all non essential services and processes and tells me it's being caused by generic virus X or some child porn in my recycling bin.

The later has happened twice, both times it was resolved by booting into safe mode and deleting the .exe for the BS program.

The redirect is still present. My AV program(s) did find anything, nor did Malware Bytes.

I have yet to run ERUNT as this site states that it works up to Vista but does not mention Windows 7 which I run (64 bit by the way). Please advise me as to whether or not it works with 7.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_27
Run by James at 21:02:11 on 2012-03-04
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2012 [GMT -6:00]
.
AV: K7TotalSecurity *Enabled/Outdated* {BC469931-B9AF-35BD-843C-DBDA831AFD8D}
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: K7TotalSecurity *Enabled/Outdated* {072778D5-9F95-3A33-BE8C-E0A8F89DB730}
FW: K7TotalSecurity *Enabled* {847D1814-F3C0-34E5-AF63-72EF7DC9BAF6}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSMngr.exe
C:\Windows\system32\spool\DRIVERS\x64\3\lxduserv.exe
C:\Windows\system32\lxducoms.exe
C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7EmlPxy.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7FWSrvc.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7PSSrvc.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7RTScan.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Users\James\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\NETGEAR\WNDA3100\WNDA3100.exe
C:\Users\James\AppData\Local\Akamai\netsession_win.exe
C:\Users\James\AppData\Local\Google\Update\1.3.21.99\GoogleCrashHandler.exe
C:\Users\James\AppData\Local\Google\Update\1.3.21.99\GoogleCrashHandler64.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\K7 Computing\K7TSecurity\K7SysMon.Exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.youtube.com/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - C:\Program Files (x86)\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
uRun: [Sidebar] C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
uRun: [Google Update] "C:\Users\James\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "C:\Users\James\AppData\Local\Akamai\netsession_win.exe"
uRun: [Internet Security] C:\ProgramData\isecurity.exe
mRun: [K7TSStart] C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity.exe
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRunOnce: [osk.exe] osk.exe
dRunOnce: [Application Restart #0] C:\Windows\System32\osk.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNDA3100\WNDA3100.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: C:\Windows\system32\K7WSLsp.dll
LSP: %SystemRoot%\system32\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.11.1
TCP: Interfaces\{167F7E20-DF72-492A-8B7E-E3E827491A8A} : DhcpNameServer = 192.168.11.1
TCP: Interfaces\{167F7E20-DF72-492A-8B7E-E3E827491A8A}\2455646414C4F4D2436453330303F574 : DhcpNameServer = 192.168.11.1
TCP: Interfaces\{167F7E20-DF72-492A-8B7E-E3E827491A8A}\4416C6B616E6472756C6C6F51374 : DhcpNameServer = 192.168.11.1
TCP: Interfaces\{167F7E20-DF72-492A-8B7E-E3E827491A8A}\4416C6B616E6472756C6C6F52374 : DhcpNameServer = 192.168.12.1
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - C:\Program Files (x86)\PixiePack Codec Pack\InstallerHelper.exe
BHO-X64: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64: IDM Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Foxit Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: CutePDF Form Filler Helper: {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files (x86)\Acro Software\CutePDF Filler Evaluation\CPFillerCoE.dll
BHO-X64: CutePDF Form Filler - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
BHO-X64: Yontoo Layers (Drop Down Deals): {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll
BHO-X64: Yontoo Layer (Drop Down Deals)s - No File
TB-X64: Foxit Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
mRun-x64: [K7TSStart] C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity.exe
mRun-x64: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun-x64: [PSUNMain] "C:\Program Files (x86)\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [(Default)]
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
Hosts: 87.229.126.50 www.google.com
Hosts: 87.229.126.51 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\James\AppData\Roaming\Mozilla\Firefox\Profiles\w7xt50qv.default\
FF - component: C:\Users\James\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\nppl3260.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\nprpjplug.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: C:\Users\James\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 2176e3f9-28ae-4cca-b216-b56962e5f0a0
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,BuzzdockTease,DropDownDeals,
.
============= SERVICES / DRIVERS ===============
.
R0 K7FWHlpr;K7FWHlpr;C:\Windows\system32\drivers\K7FWHlpr.sys --> C:\Windows\system32\drivers\K7FWHlpr.sys [?]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\system32\DRIVERS\jswpslwfx.sys --> C:\Windows\system32\DRIVERS\jswpslwfx.sys [?]
R1 K7Sentry;K7AntiVirus MiniFilter Driver;\??\C:\Windows\system32\drivers\K7Sentry.sys --> C:\Windows\system32\drivers\K7Sentry.sys [?]
R1 K7TdiHlp;K7TDI Helper Service;\??\C:\Windows\system32\drivers\K7TdiHlp.sys --> C:\Windows\system32\drivers\K7TdiHlp.sys [?]
R1 PSINKNC;PSINKNC;C:\Windows\system32\DRIVERS\psinknc.sys --> C:\Windows\system32\DRIVERS\psinknc.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 IDMWFP;IDMWFP;C:\Windows\system32\DRIVERS\idmwfp.sys --> C:\Windows\system32\DRIVERS\idmwfp.sys [?]
R2 PSINAflt;PSINAflt;C:\Windows\system32\DRIVERS\PSINAflt.sys --> C:\Windows\system32\DRIVERS\PSINAflt.sys [?]
R2 PSINFile;PSINFile;C:\Windows\system32\DRIVERS\PSINFile.sys --> C:\Windows\system32\DRIVERS\PSINFile.sys [?]
R2 PSINProc;PSINProc;C:\Windows\system32\DRIVERS\PSINProc.sys --> C:\Windows\system32\DRIVERS\PSINProc.sys [?]
R2 PSINProt;PSINProt;C:\Windows\system32\DRIVERS\PSINProt.sys --> C:\Windows\system32\DRIVERS\PSINProt.sys [?]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 anvsnddrv;AnvSoft Virtual Sound Device;C:\Windows\system32\drivers\anvsnddrv.sys --> C:\Windows\system32\drivers\anvsnddrv.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;C:\Windows\system32\Drivers\PCASp50a64.sys --> C:\Windows\system32\Drivers\PCASp50a64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 WNDA3100;NETGEAR WNDA3100 USB2.0 Wireless Card Service;C:\Windows\system32\DRIVERS\WNDA31w7x.sys --> C:\Windows\system32\DRIVERS\WNDA31w7x.sys [?]
S2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
S3 DbusAudio;DbusAudio;C:\Windows\system32\drivers\DbusAudio.sys --> C:\Windows\system32\drivers\DbusAudio.sys [?]
S3 DrmRAudio;DrmRAudio;C:\Windows\system32\drivers\DrmRAudio.sys --> C:\Windows\system32\drivers\DrmRAudio.sys [?]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2011-11-9 14216]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2011-11-9 8456]
S3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;C:\Windows\system32\Drivers\PCAMp50a64.sys --> C:\Windows\system32\Drivers\PCAMp50a64.sys [?]
S3 SndTAudio;SndTAudio;C:\Windows\system32\drivers\SndTAudio.sys --> C:\Windows\system32\drivers\SndTAudio.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 VBoxUSB;VirtualBox USB;C:\Windows\system32\Drivers\VBoxUSB.sys --> C:\Windows\system32\Drivers\VBoxUSB.sys [?]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2012-03-05 02:47:45 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{6654123A-C718-4F57-AADC-1943FEF2DFD1}\offreg.dll
2012-03-02 05:52:48 -------- d-----w- C:\ProgramData\VirtualizedApplications
2012-03-02 01:26:15 -------- d-----w- C:\f5c9eb4f3136b9103f59f33903c2
2012-02-29 15:56:42 -------- d-----w- C:\Program Files\iPod
2012-02-29 15:56:36 -------- d-----w- C:\Program Files\iTunes
2012-02-25 23:00:01 127016 --sh--w- C:\Users\James\AppData\Local\dplayx.dll
2012-02-23 01:20:49 33872 ----a-w- C:\Windows\System32\drivers\anvsnddrv.sys
2012-02-23 01:20:49 235520 ----a-w- C:\Windows\SysWow64\xvidvfw.dll
2012-02-23 01:20:48 143872 ----a-w- C:\Windows\SysWow64\xvid.ax
.
==================== Find3M ====================
.
2011-12-14 14:49:41 647360 ----a-w- C:\ProgramData\SPL8299.tmp
2011-12-10 21:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 21:05:10.24 ===============

Blade81
2012-03-06, 19:49
Hi,

There seems to be both K7TotalSecurity and Panda Cloud Antivirus installed there. It's recommended to have only one antivirus product installed and running. Decide which one to keep (make sure you have valid license for the one you're going to keep).



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

crazyapple92
2012-03-07, 01:10
Thanks for taking the time to help me out here. It's much appreciated.

I intend to remove both AV programs and replace them with one good (free) one once this issue is resolved. Once we do get this out of the way I'd really appreciate some suggestions towards that end.

But for the moment I can't even do a Google search so finding and installing a new AV program will be a bit of a hassle. And I'm not too fond on the idea of removing my protection while malware is present and then installing a new AV program while it's still present.

That aside I've followed your instructions. The logs are attached.

Blade81
2012-03-07, 10:29
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.



Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 7 Update 3 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the
Download
button under JRE.
Check the box that says:
Accept License Agreement.
Click on the jre-7u3-windows-i586.exe link to download Windows Offline Installation and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u3-windows-i586.exe to install the newest version.

* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Is it still redirecting (with all installed browsers)?

crazyapple92
2012-03-08, 03:42
Ugh!

It seemed like the redirects had stopped. I was running ESET and it took 2 hours but got to %99 then spent another 2 hours there, not frozen but actually scanning. Then BLAM! Suddenly the redirects returned except it seems they not only redirect google results but any non cached websites. And it's back with a vengeance.

It's downloaded the BS AV program several times since it started acting up again. And it seems to be downloading several other kinds of viruses as well. K7 caught several strange programs trying to connect to the internet. I had K7 remove them but I doubt it caught them all. And something keeps repeatedly trying to delete my Appdata/Local folder.

I've ran ESET twice since my first attempt, both times the bogus AV program finds it's way back in and interrupts it. I'll try it one more time with my connection locked down. Or maybe just disabled.

Does my computer need to be connected to the internet to run ESET?

I'm not sure why it seemed to go away, maybe it really did. Or maybe I just haven't tried going to any non cached pages? I don't really go exploring on the internet often so that's possible.

Blade81
2012-03-08, 07:59
Hi,


Does my computer need to be connected to the internet to run ESET?
Yes. Please give it another go and post back the results + fresh DDS logs.

crazyapple92
2012-03-08, 17:24
So after taking 11 hours ESET finally finished. Was it supposed to generate a log? Because that I'm aware of, it didn't.

It said there were 15 infected items though.

I Will run DDS and get that log, just wanted to check if there's an ESET log hiding somewhere?

Blade81
2012-03-08, 18:14
Hi,

See if the report is in C:\Program Files (x86)\ESET folder.

crazyapple92
2012-03-09, 04:53
Okay, got everything ready here. The problem doesn't seem to be present at the moment, I'll cross my fingers and hope it doesn't resurface.

However another problem has popped up in it's stead, malwarebytes detected it and claimed to remove it but it didn't. It's a fake svchost called winrscmde and I can't tell what it's doing but it will usually be taking up 1-2GB of ram.

I've attached the logs, not sure what to do about the fake process?

Not sure if it will show up in the logs as I don't know if I did it before the scans or after but I've installed Avira, hopefully and seemingly it's doing better than my last experience with it. I haven't got around to uninstalling Pandac loud or K7 but they're both disabled.

Blade81
2012-03-09, 08:22
Hi,

Delete C:\Users\James\Desktop\Media\Docs\Docs\Stuff\Apps + Cracks folder. Also, it seems your Adobe Photoshop isn't legit version so you have to uninstall it. Uninstall also extra antivirus protection leaving just Avira installed.


When all that done post fresh dds logs.

crazyapple92
2012-03-09, 17:27
Done.

Next step?

crazyapple92
2012-03-09, 17:27
Oops, forgot the log.

crazyapple92
2012-03-09, 17:34
What a headache. I was just redirected from a google search of LibreOffice.

Problem is still present.

Blade81
2012-03-09, 17:44
Post attach.txt contents too.

crazyapple92
2012-03-09, 18:09
Here it is.

Blade81
2012-03-09, 18:11
Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format).

crazyapple92
2012-03-09, 20:12
.
.
.
.
.
*sigh*

Ran TDSSKiller, it reported a root kit and prompted me to reboot, so I did.

Upon rebooting: BRICKED!

Will not post, hangs at MB display, if you try to enter BIOS it freezes. Because of these things I can't get to a system recovery console and can't reinstall the OS.

I'll try to force my way in and see what I can do... But it's not looking good here.

Will report back.

crazyapple92
2012-03-10, 06:03
Phew.

I managed to resuscitate it. And I got the log.

Good business.

Looks like the log exceeds the allowed size on this forum though. I've compressed it into a .zip to make it work.

Blade81
2012-03-10, 16:31
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

crazyapple92
2012-03-11, 06:05
Done.

Logs attached.

Blade81
2012-03-11, 14:03
Hi,

ComboFix log doesn't seem to be complete. Please run ComboFix again and after that re-run DDS too. Post logs back here.

crazyapple92
2012-03-11, 23:23
That's because I ran combofix, it got to the log generating part and just hung out there for +30 minutes. I eventually quit out and grabbed the log.

I'll try it again, but this is what has happened every time I've ran it so far.

Blade81
2012-03-12, 07:34
Try to give it a run in safe mode if needed.

crazyapple92
2012-03-14, 02:01
Safe mode indeed.

Blade81
2012-03-14, 07:47
Open notepad and copy/paste the text in the quotebox below into it:



DDS::
dRun: [Update] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\klzgc.dll",DllRegisterServer
dRun: [3gkb] C:\Windows\system32\config\systemprofile\AppData\Roaming\3gkb.exe
dRun: [modegdi] C:\Windows\system32\config\systemprofile\AppData\Roaming\modegdi.exe
RegLockDel::
[HKEY_USERS\S-1-5-21-2055685184-3404046546-893769538-1000_Classes\Wow6432Node\CLSID\{3e925816-e035-4419-a30a-a7536a6a55a0}]
[HKEY_USERS\S-1-5-21-2055685184-3404046546-893769538-1000_Classes\Wow6432Node\CLSID\{5b4321bc-3d43-4a80-848d-f42a6ce89888}]
[HKEY_USERS\S-1-5-21-2055685184-3404046546-893769538-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_USERS\S-1-5-21-2055685184-3404046546-893769538-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log + fresh dds logs.

crazyapple92
2012-03-15, 21:35
I ran combofix with that script in safe mode. I had C: open at the time and when the log was generated the entire combofix folder deleted itself. Not to the recycle bin mind you, just flat out vanished.

I ran a search to make sure it didn't just hide itself somewhere.

Blade81
2012-03-16, 14:40
Hi,

Download fresh copy of ComboFix to your desktop and run it. Post back the log + fresh dds logs.

crazyapple92
2012-03-16, 14:48
Should I run it with the same script?

Blade81
2012-03-16, 14:52
Let's try without the script this time.

crazyapple92
2012-03-19, 05:24
Sorry, I know this took a minute but here it is.

Blade81
2012-03-19, 09:53
Hi,

Run ESET online scanner and post back its findings.

Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Windows\system32\config\systemprofile\AppData\Roaming\Adobe\Adobe\klzgc.dll
C:\Windows\system32\config\systemprofile\AppData\Roaming\3gkb.exe
C:\Windows\system32\config\systemprofile\AppData\Roaming\modegdi.exe
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Update"=-
"3gkb"=-
"modegdi"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.

Blade81
2012-03-28, 17:53
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.