TechSpot

Google redirect virus/trojan

Inactive
By SturmScourge
Aug 13, 2012
  1. Hello!

    I have a work computer that is suffering from the Google redirect virus/trojan. Attached are the MBAM, GMER and DDS logs per instructions. Thanks in advance for all the help you provide!

    Franklin


    >>>MBAM log:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.11.04

    Windows 7 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Cascade Mobile V :: CASCADEMOBILEV [administrator]

    8/13/2012 11:50:16 AM
    mbam-log-2012-08-13 (11-50-16).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 196118
    Time elapsed: 4 minute(s), 57 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    >>>GMER log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-08-13 12:55:38
    Windows 6.1.7600
    Running: g12rwmn0.exe


    ---- Files - GMER 1.0.15 ----

    File C:\Users\Cascade Mobile V\AppData\Local\Temp\~DF24E632D67785D1F0.TMP 512 bytes

    ---- EOF - GMER 1.0.15 ----

    >>>DDS log:

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
    Run by Cascade Mobile V at 12:59:15 on 2012-08-13
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3838.2450 [GMT -7:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
    C:\Windows\system32\svchost.exe -k HsfXAudioService
    C:\Windows\system32\lxddcoms.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
    C:\Program Files (x86)\Lexmark 2500 Series\lxddamon.exe
    C:\Program Files (x86)\Lexmark 2500 Series\lxddmon.exe
    C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files (x86)\Launch Manager\LManager.exe
    C:\Program Files\Apoint2K\HidFind.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    c:\PROGRA~2\mcafee\SITEAD~1\saui.exe
    C:\Program Files (x86)\WordPerfect Office X3 - Home Edition\Programs\QPW.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\notepad.exe
    C:\Program Files\Common Files\McAfee\Core\mchost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27360710i5b6l0490z115a4511x668
    mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27360710i5b6l0490z115a4511x668
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=nv53&r=27360710i5b6l0490z115a4511x668
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
    mRun: [FaxCenterServer] "C:\Program Files (x86)\Lexmark Fax Solutions\fm3032.exe" /s
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{23F02B85-A5D3-4D82-811F-E6FFCFC7CA2A} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{23F02B85-A5D3-4D82-811F-E6FFCFC7CA2A}\35475727D675F627C646 : DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{23F02B85-A5D3-4D82-811F-E6FFCFC7CA2A}\96D284F64756C6 : DhcpNameServer = 172.16.48.2
    TCP: Interfaces\{23F02B85-A5D3-4D82-811F-E6FFCFC7CA2A}\96D284F64756C60225231373 : DhcpNameServer = 172.16.48.2
    TCP: Interfaces\{BA830465-C981-462A-B27F-03B016E90934} : DhcpNameServer = 4.2.2.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
    mRun-x64: [FaxCenterServer] "C:\Program Files (x86)\Lexmark Fax Solutions\fm3032.exe" /s
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Cascade Mobile V\AppData\Roaming\Mozilla\Firefox\Profiles\lmfgklkt.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 ePowerSvc;Acer ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2010-4-13 844320]
    R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-8-28 1150496]
    R2 HsfXAudioService;HsfXAudioService;C:\Windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
    R2 lxdd_device;lxdd_device;C:\Windows\system32\lxddcoms.exe -service --> C:\Windows\system32\lxddcoms.exe -service [?]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-7-24 200728]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-7-24 200728]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-7-24 200728]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-7-24 200728]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-9-23 237920]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-9-23 218320]
    R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
    R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-10-29 240160]
    R3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
    R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-9 135664]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxddserv.exe [2007-4-25 34224]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-7-9 135664]
    S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\system32\drivers\HipShieldK.sys --> C:\Windows\system32\drivers\HipShieldK.sys [?]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-8-11 113120]
    S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2009-10-29 225280]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-7-24 200728]
    S4 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-9-24 62720]
    .
    =============== Created Last 30 ================
    .
    2012-08-12 02:32:38 -------- d-----w- C:\Users\Cascade Mobile V\AppData\Local\Mozilla
    2012-08-06 23:33:34 -------- d-----w- C:\Program Files\Enigma Software Group
    2012-08-06 23:32:45 -------- d-----w- C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP
    2012-08-06 23:32:42 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2012-07-24 15:16:19 196440 ----a-w- C:\Windows\System32\drivers\HipShieldK.sys
    2012-07-19 16:04:45 -------- d-----w- C:\Program Files\CCleaner
    .
    ==================== Find3M ====================
    .
    2012-08-10 16:28:27 1004 --sha-w- C:\Windows\SysWow64\KGyGaAvL.sys
    2012-07-03 20:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-06-22 14:40:58 69672 ----a-w- C:\Windows\System32\drivers\cfwids.sys
    2012-06-22 14:38:16 335784 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
    2012-06-22 14:38:04 177144 ----a-w- C:\Windows\System32\mfevtps.exe
    2012-06-22 14:37:04 10288 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
    2012-06-22 14:36:54 106112 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
    2012-06-22 14:36:12 752672 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
    2012-06-22 14:35:02 513456 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
    2012-06-22 14:34:22 300392 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
    2012-06-22 14:34:00 169320 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
    2012-06-12 03:02:52 3147264 ----a-w- C:\Windows\System32\win32k.sys
    2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\System32\msxml6.dll
    2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\System32\msxml3.dll
    2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
    2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
    2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
    2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
    2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
    2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
    2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-06-02 05:38:26 95088 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
    2012-06-02 05:38:24 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
    2012-06-02 05:37:45 459216 ----a-w- C:\Windows\System32\drivers\cng.sys
    2012-06-02 05:27:02 340992 ----a-w- C:\Windows\System32\schannel.dll
    2012-06-02 05:27:00 307200 ----a-w- C:\Windows\System32\ncrypt.dll
    2012-06-02 04:48:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
    2012-06-02 04:48:35 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
    2012-06-02 04:47:31 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
    2012-06-02 04:42:51 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
    2012-05-18 16:27:00 59 ----a-w- C:\Windows\wpd99.drv
    .
    ============= FINISH: 12:59:37.79 ===============

    >>>DDS Attach log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/9/2010 2:38:12 PM
    System Uptime: 8/13/2012 6:40:45 AM (6 hours ago)
    .
    Motherboard: Gateway | | SJV50TR
    Processor: AMD Athlon(tm) II Dual-Core M320 | Socket S1G3 | 2100/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 454 GiB total, 368.748 GiB free.
    D: is CDROM (CDFS)
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP189: 8/9/2012 7:47:08 AM - Windows Update
    RP190: 8/10/2012 7:57:43 AM - Windows Update
    RP191: 8/11/2012 3:48:49 PM - Windows Update
    RP192: 8/11/2012 6:37:58 PM - Windows Update
    RP193: 8/13/2012 5:49:09 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.1
    Amazon MP3 Downloader 1.0.10
    AMD USB Filter Driver
    Backup Manager Basic
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Combat Arms
    Compatibility Pack for the 2007 Office system
    CyberLink PowerDVD 8
    DaqLab
    DivX Setup
    Fallout: New Vegas
    FileOpen Client
    Gateway InfoCentre
    Gateway MyBackup
    Gateway Power Management
    Gateway Recovery Management
    Gateway Registration
    Gateway ScreenSaver
    Gateway Updater
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Identity Card
    Indeo® software
    Japanese Fonts Support For Adobe Reader 9
    Jasc Paint Shop Pro Studio
    Java Auto Updater
    Java(TM) 6 Update 22
    Junk Mail filter update
    Launch Manager
    Malwarebytes Anti-Malware version 1.62.0.1300
    MapleStory
    McAfee Internet Security
    Microsoft .NET Framework 1.1
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works
    ML-1200 Series
    Mozilla Firefox 14.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nexon Game Manager
    OmniFormat
    Pdf995
    Realtek USB 2.0 Card Reader
    Roxio Burn
    Roxio Update Manager
    SAE Safety Series
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Splash Lite
    Steam
    TurboCAD Designer v11.1
    Update for 2007 Microsoft Office System (KB967642)
    VC80CRTRedist - 8.0.50727.6195
    Video Web Camera
    Welcome Center
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    WordPerfect Office X3 - Home Edition Software Bundle
    WordPerfect Office X3 - Home Edition Task Manager
    WordPerfect(R) Office X3 - Home Edition
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/9/2012 8:10:55 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    8/8/2012 12:24:13 PM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
    8/13/2012 5:51:22 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x8024200d: Security Update for Windows 7 for x64-based Systems (KB2667402).
    8/13/2012 11:54:26 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
    8/13/2012 11:39:51 AM, Error: atikmdag [43029] - Display is not active
    8/11/2012 7:26:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxddCATSCustConnectService service to connect.
    8/11/2012 7:26:30 PM, Error: Service Control Manager [7000] - The lxddCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/11/2012 7:26:25 PM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
    8/11/2012 5:39:31 PM, Error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    8/11/2012 5:36:40 PM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    8/10/2012 11:13:14 AM, Error: Disk [11] - The driver detected a controller error on \...\DR4.
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator

    Please disable "word wrap" in Notepad because your logs are hard to read.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =======================================

    Which browser is affected?
    Did you check other browsers?

    Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    http://download.bleepingcomputer.com/grinler/beta/rkill.exe
    http://download.bleepingcomputer.com/grinler/beta/iExplore.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    If normal mode still doesn't work, run the tool from safe mode.

    When the scan is done, Notepad will open with the rKill log.
    Post it in your next reply.

    NOTE. rKill.txt log will also be present on your desktop.

    ===================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
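    The MBR.dat file that aswMBR saves is the raw first sector of the disk (512 bytes: boot code, the four-entry partition table at byte 446, and the 0x55AA signature). The following is an added example, not part of this thread or of aswMBR, showing how to read such a file and reproduce the "Partition N ... MB offset ..." lines that aswMBR prints, plus the sanity checks a responder would apply to a saved MBR (exactly one active partition, no overlapping entries, nothing past the end of the disk). The sample MBR is constructed inline from the three partition lines in the log posted later in this thread; its boot-code area is zero-filled, so the "default MBR code" check that aswMBR performs on the real boot code is not reproduced here. The partition type names are an assumed mapping covering only the two types that appear in the log.

```python
"""Parse a raw 512-byte MBR (e.g. the MBR.dat copy saved by aswMBR) and sanity-check it."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SECTORS_PER_MB = (1024 * 1024) // SECTOR   # 2048

# Assumed mapping of partition type byte to the label aswMBR prints; only the
# two types seen in the log above are included.
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}


@dataclass
class Partition:
    index: int       # 1-based slot in the table, as aswMBR numbers them
    status: int      # 0x80 = active/bootable, 0x00 = inactive
    ptype: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors   # first sector after this partition

    def describe(self) -> str:
        flag = "(A)" if self.bootable else "   "
        name = TYPE_NAMES.get(self.ptype, "unknown")
        return (f"Partition {self.index} {self.status:02X} {flag} {self.ptype:02X} "
                f"{name} {self.size_mb} MB offset {self.lba_start}")


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the non-empty partition entries of a raw MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and count == 0:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {i + 1}: invalid status byte {status:#04x}")
        parts.append(Partition(i + 1, status, ptype, lba, count))
    return parts


def check_layout(parts: List[Partition], disk_sectors: int) -> List[str]:
    """Sanity checks on a partition table; returns a list of problems (empty = OK)."""
    problems = []
    if sum(p.bootable for p in parts) != 1:
        problems.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end > b.lba_start:
            problems.append(f"partition {a.index} overlaps partition {b.index}")
    for p in parts:
        if p.lba_end > disk_sectors:
            problems.append(f"partition {p.index} extends past end of disk")
    return problems


def build_mbr(entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Constructed sample: assemble an MBR from (status, type, lba_start, sectors) tuples.
    The boot-code area (bytes 0..445) is left zero-filled, unlike a real MBR."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def load_mbr_file(path: str) -> List[Partition]:
    """Parse an on-disk copy such as MBR.dat."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(SECTOR))


# Constructed from the partition lines of the 2012-08-14 aswMBR log in this thread.
SAMPLE_MBR = build_mbr([
    (0x00, 0x27, 2048,     12000 * SECTORS_PER_MB),
    (0x80, 0x07, 24578048, 100 * SECTORS_PER_MB),
    (0x00, 0x07, 24782848, 464838 * SECTORS_PER_MB),
])
SAMPLE_DISK_SECTORS = 476940 * SECTORS_PER_MB   # "Size: 476940MB" in the log

if __name__ == "__main__":
    table = parse_mbr(SAMPLE_MBR)
    for part in table:
        print(part.describe())
    print(check_layout(table, SAMPLE_DISK_SECTORS) or "layout OK")
```

    Run against MBR.dat with `load_mbr_file("MBR.dat")` to compare the table with what aswMBR printed; the three sample entries are contiguous (each partition's end sector equals the next one's offset), which is one of the things `check_layout` verifies.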
     
  3. SturmScourge

    SturmScourge TS Rookie Topic Starter

    Broni:

    I use Firefox, so that is the browser that has been having redirect problems. I don't use IE, but when I tried it yesterday with about a dozen searches, no redirects occurred (although it's not much of a test). Also, it seems to occur less often now, but still does on occasion.

    >>>Here is the Rkill log:

    Rkill 2.1.0 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 08/14/2012 08:19:59 AM in x64 mode.
    Windows Version: Windows 7

    Checking for Windows services to stop.

    * No malware services found to stop.

    Checking for processes to terminate.

    * No malware processes found to kill.

    Checking Registry for malware related settings.

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks.

    * No issues found.

    Searching for Missing Digital Signatures:

    * No issues found.

    Restarting Explorer.exe in order to apply changes.

    Program finished at: 08/14/2012 08:20:18 AM
    Execution time: 0 hours(s), 0 minute(s), and 18 seconds(s)

    >>>And here is the aswMBR log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-10 09:01:59
    -----------------------------
    09:01:59.375 OS Version: Windows x64 6.1.7600
    09:01:59.375 Number of processors: 2 586 0x603
    09:01:59.376 ComputerName: MIRRORBEACH UserName:
    09:02:00.811 Initialize success
    09:03:22.958 AVAST engine defs: 12081000
    09:04:30.442 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    09:04:30.444 Disk 0 Vendor: WDC_WD5000BEVT-22A0RT0 01.01A01 Size: 476940MB BusType: 11
    09:04:30.464 Disk 0 MBR read successfully
    09:04:30.467 Disk 0 MBR scan
    09:04:30.472 Disk 0 Windows VISTA default MBR code
    09:04:30.489 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13000 MB offset 2048
    09:04:30.502 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 26626048
    09:04:30.518 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 463838 MB offset 26830848
    09:04:30.540 Disk 0 scanning C:\Windows\system32\drivers
    09:04:41.683 Service scanning
    09:05:14.382 Modules scanning
    09:05:14.388 Disk 0 trace - called modules:
    09:05:14.430 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
    09:05:14.435 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c7c4f0]
    09:05:14.439 3 CLASSPNP.SYS[fffff8800148b43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004bd8680]
    09:05:16.293 AVAST engine scan C:\Windows
    09:05:20.948 AVAST engine scan C:\Windows\system32
    09:09:39.395 AVAST engine scan C:\Windows\system32\drivers
    09:09:52.306 AVAST engine scan C:\Users\SturmScourge
    09:10:27.592 Disk 0 MBR has been saved successfully to "C:\Downloads\TechSpot-BleepingComputer - aswMBR\MBR.dat"
    09:10:27.663 The log file has been saved successfully to "C:\Downloads\TechSpot-BleepingComputer - aswMBR\aswMBR.txt"


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-14 08:22:46
    -----------------------------
    08:22:46.394 OS Version: Windows x64 6.1.7600
    08:22:46.394 Number of processors: 2 586 0x602
    08:22:46.395 ComputerName: CASCADEMOBILEV UserName:
    08:22:48.183 Initialize success
    08:24:01.227 AVAST engine defs: 12081400
    08:24:42.865 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    08:24:42.867 Disk 0 Vendor: ST9500325AS 0001SDM1 Size: 476940MB BusType: 11
    08:24:42.930 Disk 0 MBR read successfully
    08:24:42.932 Disk 0 MBR scan
    08:24:42.937 Disk 0 Windows VISTA default MBR code
    08:24:42.963 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
    08:24:42.987 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
    08:24:43.064 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
    08:24:43.099 Disk 0 scanning C:\Windows\system32\drivers
    08:25:08.117 Service scanning
    08:25:40.527 Modules scanning
    08:25:40.534 Disk 0 trace - called modules:
    08:25:40.539
    08:25:43.170 AVAST engine scan C:\Windows
    08:25:48.992 AVAST engine scan C:\Windows\system32
    08:31:34.392 AVAST engine scan C:\Windows\system32\drivers
    08:31:50.921 AVAST engine scan C:\Users\Cascade Mobile V
    08:32:43.465 Disk 0 MBR has been saved successfully to "C:\Downloads\TechSpot-BleepingComputer - aswMBR\MBR.dat"
    08:32:43.498 The log file has been saved successfully to "C:\Downloads\TechSpot-BleepingComputer - aswMBR\aswMBR.txt"

    One other thing: after I had run aswMBR and was closing the program box, my computer crashed, where the screen went black, a medium-sized blue box opened, and Windows 7 did a memory dump to the hard drive before shutting down. I don't know if this means anything or not, but I've never had one of my computers do that before.

    Thanks!

    Franklin
     
  4. Broni

    Broni Malware Annihilator Posts: 47,037   +255
