PDA

View Full Version : IE Redirect Prob - Please Help



nevercanstop
2012-12-18, 00:20
Been using Spybot for years and am SOOOO happy with the product.

My girlfriend was doing a lot of holiday shopping on Saturday and must have picked up a virus as IE redirects on all Google links.

Spybot can be installed, but not updated on her machine no matter whether in safe mode or normal mode. Ran Bullguard diagnostic test ONLY and it showed infection with variant.kazy.127367. Have not tried to remove or correct this infection.

Below are the logs and attachments as requested. Any help with this would be GREATLY appreciated. Do not want to have to reformat and reinstall if I can avoid it. My gf has some software on the computer that would be very expensive to replace. It is EMR software and cannot be backed up.

----------------------
DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Reina at 17:05:18 on 2012-12-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.1670 [GMT -5:00]
.
AV: AVG Internet Security 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Internet Security 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: AVG Internet Security 2013 *Disabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?brand=ACEW&bmod=EMUS&reason=1
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273610108715l0464z1i5r4412026r
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273610108715l0464z1i5r4412026r
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273610108715l0464z1i5r4412026r
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Starfield Updater] "C:\Program Files (x86)\Workspace\workspaceupdate.exe"
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ROC_ROC_NT] "C:\Program Files (x86)\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
StartupFolder: C:\Users\Reina\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\Users\Reina\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:5
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: ConsentPromptBehaviorAdminShOrigSetting = dword:0
mPolicies-System: ConsentPromptBehaviorUserShOrigSetting = dword:3
mPolicies-System: PromptOnSecureDesktopShOrigSetting = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {3E5769BB-1E33-4115-92C1-79944E5023AA} - hxxp://www.bullguard.com/onlinevirusscanner/BGScannerActiveX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=972
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{D2EA92C4-8CC4-4C41-B1AD-6F45F08B7BA6} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{D2EA92C4-8CC4-4C41-B1AD-6F45F08B7BA6}\0596C616475637 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{D2EA92C4-8CC4-4C41-B1AD-6F45F08B7BA6}\4456C6271697 : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{D2EA92C4-8CC4-4C41-B1AD-6F45F08B7BA6}\4456C6271697D223 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{D2EA92C4-8CC4-4C41-B1AD-6F45F08B7BA6}\478656C6F636B65627 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{D2EA92C4-8CC4-4C41-B1AD-6F45F08B7BA6}\6457C6C6D2845616C64786 : DHCPNameServer = 192.168.0.5 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
x64-mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273610108715l0464z1i5r4412026r
x64-mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=e725&r=273610108715l0464z1i5r4412026r
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [Acer ePower Management] C:\Program Files\eMachines\eMachines Power Management\ePowerTray.exe
x64-Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);C:\Windows\System32\drivers\L1C62x64.sys [2009-11-5 58880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 ePowerSvc;Acer ePower Service;C:\Program Files\eMachines\eMachines Power Management\ePowerSvc.exe [2009-11-5 844320]
S2 File Backup;File Backup Service;C:\Program Files (x86)\Workspace\offSyncService.exe [2012-7-18 1174824]
S2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-4-15 13336]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-17 399432]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-17 676936]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-6-17 144640]
S2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-5 240160]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-12-10 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 massfilter;Mass Storage Filter Driver;C:\Windows\System32\drivers\massfilter.sys [2011-6-11 11776]
S3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-12-17 25928]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-6-17 50432]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-11-5 225280]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-1 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-10-26 1255736]
S3 ZTEusbgps;ZTE GPS Port;C:\Windows\System32\drivers\ZTEusbgps.sys [2011-6-11 121344]
S3 ZTEusbnmeaext;ZTE NMEAExt Port;C:\Windows\System32\drivers\ZTEusbnmeaext.sys [2011-6-11 121344]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-12-17 19:17:37 -------- d-----w- C:\Program Files (x86)\BullGuard Ltd
2012-12-17 17:10:58 -------- d-----w- C:\Users\Reina\AppData\Roaming\Malwarebytes
2012-12-17 17:10:48 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-17 17:10:48 -------- d-----w- C:\ProgramData\Malwarebytes
2012-12-17 17:10:48 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-12-17 15:55:10 -------- d-----w- C:\Users\Reina\AppData\Local\Avg2013
2012-12-17 15:05:20 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-12-12 16:55:32 114688 --sha-r- C:\Windows\SysWow64\sxsstoreq.dll
.
==================== Find3M ====================
.
2012-10-23 18:11:13 161570 ----a-w- C:\Windows\Uninstall_AImed_9.exe
2012-10-23 17:33:49 60304 ----a-w- C:\Users\Reina\g2mdlhlpx.exe
.
============= FINISH: 17:05:32.45 ===============

Ran ERUNT and DDS in Safe Mode. Was not sure if I should run in Normal Mode or Safe Mode. Sorry.

Dakeyras
2012-12-24, 21:59
Hi and welcome to Safer Networking. :)

Do you still require assistance ? If so post a new set of DDS logs please and we will go from there, thank you.

Jack&Jill
2013-01-01, 06:39
Due to lack of response, this topic is now closed.

If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. How to post a DDS log. (http://forums.spybot.info/showpost.php?p=1150&postcount=2)

If it has been less than three days since your last response and you need the thread re-opened, please send a private message (pm) to me or a MOD. A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.