[Solved] Google Redirect on Win7 64-bit, can't run Combofix or GMER

By rlerner
Aug 2, 2010
Topic Status:
Not open for further replies.
  1. When clicking on Google search results, I'm sporadically taken to Scour, Infomash or other search sites. I have read several posts resolving this issue and the 8-step fix, but I'm on 64-bit Win7 and some of the steps won't work. Cannot run Combofix or GMER (only for 32-bit systems?). Have run AV scan, MBAM, Hitman Pro, GooredFix, no joy.

    The system is Win7-64, using FF 3.6.8. Have attached log files from DDS.

    Would appreciate any help or suggestions.

    Thanks!


  2. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Welcome aboard

    Please, never zip any logs.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
  3. rlerner

    rlerner Newcomer, in training Topic Starter

    Thanks. Here's the MBR report:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Ultimate Edition
    Windows Information: (build 7600), 64-bit
    Base Board Manufacturer: ASUSTeK Computer INC.
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: System manufacturer
    System Product Name: System Product Name
    Logical Drives Mask: 0x0000079c

    Kernel Drivers (total 215):
    0x0325F000 \SystemRoot\system32\ntoskrnl.exe
    0x03216000 \SystemRoot\system32\hal.dll
    0x00BA4000 \SystemRoot\system32\kdcom.dll
    0x00C4A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x00C8E000 \SystemRoot\system32\PSHED.dll
    0x00CA2000 \SystemRoot\system32\CLFS.SYS
    0x00D00000 \SystemRoot\system32\CI.dll
    0x00EEF000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x00F93000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x00FA2000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x00E00000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x00E09000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x00E13000 \SystemRoot\system32\DRIVERS\pci.sys
    0x00E46000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x00E53000 \SystemRoot\System32\drivers\partmgr.sys
    0x00E68000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x00E7D000 \SystemRoot\System32\drivers\volmgrx.sys
    0x00ED9000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x00DC0000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x00DD0000 \SystemRoot\system32\DRIVERS\jraid.sys
    0x00C00000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    0x00C2F000 \SystemRoot\System32\drivers\mountmgr.sys
    0x01016000 \SystemRoot\system32\DRIVERS\iaStor.sys
    0x012A7000 \SystemRoot\system32\DRIVERS\iaStorV.sys
    0x013C5000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x013CE000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x01200000 \SystemRoot\system32\DRIVERS\msahci.sys
    0x0120B000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x01216000 \SystemRoot\system32\drivers\fltmgr.sys
    0x01262000 \SystemRoot\system32\drivers\fileinfo.sys
    0x01132000 \SystemRoot\system32\DRIVERS\ndasfs.sys
    0x014AC000 \SystemRoot\system32\DRIVERS\lfsfilt.sys
    0x0161A000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x01519000 \SystemRoot\System32\Drivers\msrpc.sys
    0x017BD000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x01577000 \SystemRoot\System32\Drivers\cng.sys
    0x017D7000 \SystemRoot\System32\drivers\pcw.sys
    0x017E8000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x018C3000 \SystemRoot\system32\drivers\ndis.sys
    0x01800000 \SystemRoot\system32\drivers\NETIO.SYS
    0x01860000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x01A02000 \SystemRoot\System32\drivers\tcpip.sys
    0x019B5000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x0188B000 \SystemRoot\system32\DRIVERS\lpx6x.sys
    0x018B2000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x01600000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
    0x01400000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x01610000 \SystemRoot\System32\Drivers\spldr.sys
    0x0144C000 \SystemRoot\System32\drivers\rdyboost.sys
    0x01486000 \SystemRoot\System32\Drivers\mup.sys
    0x017F2000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x011A4000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x015EA000 \SystemRoot\system32\DRIVERS\disk.sys
    0x01276000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x02F5B000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x02F85000 \SystemRoot\System32\Drivers\Null.SYS
    0x02F8E000 \SystemRoot\System32\Drivers\Beep.SYS
    0x02F95000 \SystemRoot\System32\drivers\vga.sys
    0x02FA3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x02FC8000 \SystemRoot\System32\drivers\watchdog.sys
    0x02FD8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x02FE1000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x02FEA000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x03E74000 \SystemRoot\system32\DRIVERS\ndasrofs.sys
    0x04488000 \SystemRoot\system32\DRIVERS\ndasfat.sys
    0x04528000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x04533000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x04544000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x04562000 \SystemRoot\system32\drivers\afd.sys
    0x04400000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x04445000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x0444E000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x04474000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x03F7C000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x045EC000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x03F97000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x03FE8000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x03FF4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x03E00000 \SystemRoot\System32\drivers\discache.sys
    0x046FD000 \SystemRoot\system32\drivers\csc.sys
    0x04780000 \SystemRoot\System32\Drivers\dfsc.sys
    0x0479E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x047AF000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0x047D1000 \SystemRoot\SysWow64\drivers\AsUpIO.sys
    0x047D7000 \SystemRoot\SysWow64\drivers\AsIO.sys
    0x04600000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x04626000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x0463C000 \SystemRoot\system32\DRIVERS\atikmpag.sys
    0x04AB1000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x052D5000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x05200000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x05246000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x0526A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x05277000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x053C9000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x0518D000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
    0x04A00000 \SystemRoot\system32\DRIVERS\1394ohci.sys
    0x053DA000 \SystemRoot\system32\DRIVERS\ASACPI.sys
    0x053E2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x04A3E000 \SystemRoot\system32\DRIVERS\PS2.sys
    0x04A47000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x04A56000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x04A63000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x052CD000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
    0x04A73000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x04A8C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x04A95000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x051DC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x04682000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x0468E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x046BD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x046D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x047DD000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x03E0F000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x03E1A000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x052D0000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x03E29000 \SystemRoot\system32\DRIVERS\ks.sys
    0x05CDF000 \SystemRoot\system32\DRIVERS\ndasbus.sys
    0x05D5C000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x05D6E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x05DC8000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x05DD5000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
    0x05DDD000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x05C00000 \SystemRoot\system32\drivers\AtiHdmi.sys
    0x05C23000 \SystemRoot\system32\drivers\portcls.sys
    0x05C60000 \SystemRoot\system32\drivers\drmk.sys
    0x05C82000 \SystemRoot\system32\drivers\ksthunk.sys
    0x07809000 \SystemRoot\system32\drivers\RTKVHD64.sys
    0x000D0000 \SystemRoot\System32\win32k.sys
    0x079B6000 \SystemRoot\System32\drivers\Dxapi.sys
    0x079C2000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x02E00000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x079D0000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x079E3000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x079F1000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x05C95000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x05CB2000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x05CCD000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x079F3000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x05DF2000 \SystemRoot\system32\drivers\LVUSBS64.sys
    0x02F1C000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x02852000 \SystemRoot\system32\DRIVERS\LV302V64.SYS
    0x02AD2000 \SystemRoot\system32\DRIVERS\lv302a64.sys
    0x02AD5000 \SystemRoot\system32\drivers\usbaudio.sys
    0x02AF0000 \SystemRoot\system32\DRIVERS\lvrs64.sys
    0x02BB0000 \SystemRoot\system32\DRIVERS\wacmoumonitor.sys
    0x02BB9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x02BC7000 \SystemRoot\system32\DRIVERS\dc3d.sys
    0x02BD3000 \SystemRoot\system32\DRIVERS\point64k.sys
    0x00560000 \SystemRoot\System32\TSDDD.dll
    0x00820000 \SystemRoot\System32\ATMFD.DLL
    0x00750000 \SystemRoot\System32\cdd.dll
    0x02800000 \SystemRoot\system32\drivers\luafv.sys
    0x02823000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0x02F2D000 \SystemRoot\system32\drivers\WudfPf.sys
    0x02BE1000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x011DE000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x07C72000 \SystemRoot\System32\Drivers\fastfat.SYS
    0x07CA8000 \SystemRoot\system32\drivers\HTTP.sys
    0x07D70000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x07D8E000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x07DA6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x07C00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x07C4E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x07DD3000 \SystemRoot\System32\Drivers\adfs.SYS
    0x080EF000 \SystemRoot\system32\drivers\peauth.sys
    0x08195000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x081A0000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x081CD000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x08000000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x09C6B000 \SystemRoot\System32\DRIVERS\srv.sys
    0x09D03000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0x09DA5000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0x09C00000 \SystemRoot\system32\DRIVERS\udfs.sys
    0x09D34000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x77370000 \Windows\System32\ntdll.dll
    0x484A0000 \Windows\System32\smss.exe
    0xFF690000 \Windows\System32\apisetschema.dll
    0xFF950000 \Windows\System32\autochk.exe
    0xFF600000 \Windows\System32\shlwapi.dll
    0xFF590000 \Windows\System32\gdi32.dll
    0xFF580000 \Windows\System32\nsi.dll
    0xFF320000 \Windows\System32\iertutil.dll
    0xFF300000 \Windows\System32\imagehlp.dll
    0x77540000 \Windows\System32\normaliz.dll
    0x77270000 \Windows\System32\user32.dll
    0xFF260000 \Windows\System32\comdlg32.dll
    0x77150000 \Windows\System32\kernel32.dll
    0xFF210000 \Windows\System32\Wldap32.dll
    0xFF1E0000 \Windows\System32\imm32.dll
    0xFF190000 \Windows\System32\ws2_32.dll
    0xFF0F0000 \Windows\System32\msvcrt.dll
    0xFEFC0000 \Windows\System32\wininet.dll
    0xFEEB0000 \Windows\System32\msctf.dll
    0xFEE30000 \Windows\System32\difxapi.dll
    0xFEC50000 \Windows\System32\setupapi.dll
    0xFEC40000 \Windows\System32\lpk.dll
    0xFEB60000 \Windows\System32\advapi32.dll
    0x77530000 \Windows\System32\psapi.dll
    0xFDDD0000 \Windows\System32\shell32.dll
    0xFDC50000 \Windows\System32\urlmon.dll
    0xFDB80000 \Windows\System32\usp10.dll
    0xFDA50000 \Windows\System32\rpcrt4.dll
    0xFD970000 \Windows\System32\oleaut32.dll
    0xFD8D0000 \Windows\System32\clbcatq.dll
    0xFD8B0000 \Windows\System32\sechost.dll
    0xFD6A0000 \Windows\System32\ole32.dll
    0xFD600000 \Windows\System32\comctl32.dll
    0xFD5C0000 \Windows\System32\wintrust.dll
    0xFD450000 \Windows\System32\crypt32.dll
    0xFD410000 \Windows\System32\cfgmgr32.dll
    0xFD3F0000 \Windows\System32\devobj.dll
    0xFD380000 \Windows\System32\KernelBase.dll
    0xFD370000 \Windows\System32\msasn1.dll
    0x75950000 \Windows\SysWOW64\normaliz.dll

    Processes (total 87):
    0 System Idle Process
    4 System
    384 C:\Windows\System32\smss.exe
    512 csrss.exe
    600 C:\Windows\System32\wininit.exe
    620 csrss.exe
    656 C:\Windows\System32\services.exe
    676 C:\Windows\System32\lsass.exe
    684 C:\Windows\System32\lsm.exe
    796 C:\Windows\System32\svchost.exe
    916 C:\Windows\System32\svchost.exe
    976 C:\Windows\System32\atiesrxx.exe
    140 C:\Windows\System32\winlogon.exe
    400 C:\Windows\System32\svchost.exe
    532 C:\Windows\System32\svchost.exe
    812 C:\Windows\System32\svchost.exe
    1172 C:\Windows\System32\svchost.exe
    1264 C:\Windows\System32\atieclxx.exe
    1280 C:\Windows\System32\wisptis.exe
    1324 C:\Windows\System32\svchost.exe
    1516 C:\Windows\System32\spoolsv.exe
    1544 C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    1588 C:\Windows\System32\svchost.exe
    1700 C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    1732 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1756 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    1792 C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
    1900 C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
    1940 C:\Program Files\NDAS\System\ndassvc.exe
    1988 C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    1996 C:\Windows\System32\conhost.exe
    2040 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    2056 C:\Windows\System32\taskhost.exe
    2188 C:\Windows\System32\wisptis.exe
    2196 C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
    2208 C:\Windows\System32\dwm.exe
    2272 C:\Windows\explorer.exe
    2344 C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
    2708 C:\Windows\System32\svchost.exe
    2732 C:\Windows\System32\Tablet.exe
    2836 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    2868 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    2680 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    3088 C:\Windows\System32\WTablet\TabUserW.exe
    3124 C:\Windows\System32\Tablet.exe
    3232 unsecapp.exe
    3308 WmiPrvSE.exe
    3456 C:\Windows\System32\SearchIndexer.exe
    3580 C:\Windows\System32\svchost.exe
    3628 WUDFHost.exe
    3700 C:\Windows\System32\svchost.exe
    4036 C:\Windows\WindowsMobile\wmdc.exe
    4064 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    4072 C:\Windows\System32\svchost.exe
    3096 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    2160 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    3936 C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe
    2596 C:\Program Files\NDAS\System\ndasmgmt.exe
    4112 C:\Windows\System32\svchost.exe
    4148 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    4276 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    4316 C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    4368 C:\Program Files (x86)\ATI Technologies\HydraVision\Grid64.exe
    4476 C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
    4552 C:\Program Files (x86)\PowerGuard Smart\PowerGuard Smart.exe
    4700 C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    4732 C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
    4916 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    4964 C:\Program Files (x86)\iTunes\iTunesHelper.exe
    3888 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    4588 C:\Program Files\iPod\bin\iPodService.exe
    3068 C:\Program Files\Windows Media Player\wmpnetwk.exe
    1040 C:\Windows\System32\svchost.exe
    5352 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    6112 C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
    5792 C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
    2852 C:\Windows\System32\svchost.exe
    3780 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    3820 C:\Windows\System32\audiodg.exe
    1360 C:\Windows\System32\taskhost.exe
    1740 C:\Windows\splwow64.exe
    3448 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
    1052 C:\Windows\SysWOW64\SearchProtocolHost.exe
    5516 C:\Windows\System32\SearchProtocolHost.exe
    3648 C:\Users\Richard\Desktop\MBRCheck.exe
    5284 C:\Windows\System32\conhost.exe
    2564 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: bø€ÿÿà0ø€ÿÿ
    PhysicalDrive1 Model Number: WDCWD2500KS-00MJB0, Rev: 02.01C03

    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    232 GB \\.\PhysicalDrive1 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
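The MBRCheck report above is read by eye in the thread (MBR code per physical drive, plus the process list). As an added example that is not part of the thread and not code from the MBRCheck tool, the Python below parses the report layout shown above: it pulls out each drive's MBR status and SHA1, flags any drive whose status is not a recognised "Windows ... MBR code detected" line, and lists processes running from under a user profile or reported without a full path. The sample report is constructed in the same layout as the one posted; the third drive ("Unknown MBR code") and the `updater.exe` process are made up to exercise the checks.

```python
import re

# Constructed sample in the MBRCheck report layout seen in this thread. The first two
# drives copy the posted lines; PhysicalDrive2 and PID 4000 are invented for the demo.
SAMPLE_REPORT = r"""
Processes (total 6):
0 System Idle Process
4 System
384 C:\Windows\System32\smss.exe
512 csrss.exe
3648 C:\Users\Richard\Desktop\MBRCheck.exe
4000 C:\Users\Richard\AppData\Local\qoaxloyak\updater.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
232 GB \\.\PhysicalDrive1 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979
 80 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 0000000000000000000000000000000000000000

Done!
"""

# "931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected"
MBR_RE = re.compile(r"^\s*(\d+)\s+GB\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)\s*$")
SHA_RE = re.compile(r"^\s*SHA1:\s*([0-9A-Fa-f]{40})\s*$")
# "384 C:\Windows\System32\smss.exe"  (PID followed by path or bare image name)
PROC_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
# Statuses MBRCheck reports for stock Microsoft boot code.
KNOWN_OK_RE = re.compile(r"^Windows .* MBR code detected$")
USER_PATH_RE = re.compile(r"(?i)^[a-z]:\\users\\")


def parse_mbr_status(report):
    """Return one dict per physical drive: size_gb, device, status, sha1."""
    entries = []
    for line in report.splitlines():
        m = MBR_RE.match(line)
        if m:
            entries.append({"size_gb": int(m.group(1)), "device": m.group(2),
                            "status": m.group(3), "sha1": None})
            continue
        s = SHA_RE.match(line)
        if s and entries and entries[-1]["sha1"] is None:
            entries[-1]["sha1"] = s.group(1).upper()
    return entries


def suspicious_mbr(entries):
    """Drives whose MBR code is not one of the stock Windows variants."""
    return [e for e in entries if not KNOWN_OK_RE.match(e["status"])]


def _process_lines(report):
    """(pid, path-or-name) pairs from the 'Processes (total N):' section."""
    out, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Processes ("):
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break            # section ends at the first blank line
            m = PROC_RE.match(line)
            if m:
                out.append((int(m.group(1)), m.group(2)))
    return out


def processes_from_user_paths(report):
    """Processes whose image lives under a user profile (worth a second look)."""
    return [(pid, p) for pid, p in _process_lines(report) if USER_PATH_RE.match(p)]


def unresolved_processes(report):
    """Processes listed by name only (no path); PIDs 0 and 4 are kernel pseudo-processes."""
    return [(pid, p) for pid, p in _process_lines(report)
            if "\\" not in p and pid not in (0, 4)]


if __name__ == "__main__":
    drives = parse_mbr_status(SAMPLE_REPORT)
    for d in drives:
        print(f"{d['device']}: {d['status']} (SHA1 {d['sha1']})")
    print("non-stock MBR:", [d["device"] for d in suspicious_mbr(drives)])
    print("user-profile processes:", processes_from_user_paths(SAMPLE_REPORT))
    print("unresolved processes:", unresolved_processes(SAMPLE_REPORT))
```

The "Windows ... MBR code detected" match is exactly the check Broni applies by eye when replying "that looks clean"; anything else (a non-stock boot sector, or an unknown hash) is what would have prompted a closer look at the MBR rather than at the browser.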
  4. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    OK, that looks clean.
    Which browser is affected?

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  5. rlerner

    rlerner Newcomer, in training Topic Starter

    Using FF 3.6.8

    OTL.txt & Extras.txt attached.

    Thanks again


  6. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    While I'm checking your logs, can you check if the same redirection happens in IE?
  7. rlerner

    rlerner Newcomer, in training Topic Starter

    Doesn't seem to happen in IE 8.0.7600
  8. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O4 - HKLM..\Run: [] File not found
      O4 - HKCU..\Run: [AdobeBridge] File not found
      O18:64bit: - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\qbwc {FC598A64-626C-4447-85B8-53150405FD57} - Reg Error: Key error. File not found
      O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      [2010/07/20 11:03:56 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}
      [2010/07/20 11:01:14 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\qoaxloyak
      [2010/07/20 11:03:58 | 000,000,000 | ---- | M] () -- C:\Users\Richard\AppData\Local\Ltovagayusaqi.bin
      [2010/07/20 11:03:57 | 000,000,120 | ---- | M] () -- C:\Users\Richard\AppData\Local\Wjuwafa.dat
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
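The file and folder lines in the fix above all carry OTL's `[date time | size | attributes | C/M] -- path` prefix, and the reason they were picked out of a 100 KB log is that they appeared together under AppData\Local within a couple of minutes of each other. As an added example (not part of the thread and not OTL's own code), the Python below parses that line format, groups entries whose creation/modification times fall within a sliding window, and reports groups of several items that all sit under AppData\Local. The sample lines reuse the four paths quoted in the fix; the 2010/07/15 Mozilla line is a constructed control that should not be grouped with them. The window size and the minimum group size are assumptions chosen for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed OTL-style file/folder lines. The four 2010/07/20 entries copy the
# paths from the fix script above; the Mozilla line is made up as a control.
SAMPLE_LINES = r"""
[2010/07/15 09:00:00 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\Mozilla
[2010/07/20 11:03:56 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}
[2010/07/20 11:01:14 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\qoaxloyak
[2010/07/20 11:03:58 | 000,000,000 | ---- | M] () -- C:\Users\Richard\AppData\Local\Ltovagayusaqi.bin
[2010/07/20 11:03:57 | 000,000,120 | ---- | M] () -- C:\Users\Richard\AppData\Local\Wjuwafa.dat
""".strip().splitlines()

# [YYYY/MM/DD HH:MM:SS | size | attrs | C or M] (optional "()") -- path
ENTRY_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([CM])\]"
    r"(?: \(\))? -- (.+)$"
)
APPDATA_LOCAL_RE = re.compile(r"(?i)\\AppData\\Local\\")


def parse_otl_entry(line):
    """Split one OTL file/folder line into its fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an OTL file/folder line: {line!r}")
    stamp, size, attrs, kind, path = m.groups()
    return {
        "time": datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"),
        "size": int(size.replace(",", "")),
        "is_dir": "D" in attrs,
        "kind": "created" if kind == "C" else "modified",
        "path": path,
    }


def cluster_by_window(entries, minutes=10):
    """Group entries whose timestamps chain together with gaps <= `minutes`."""
    clusters = []
    for e in sorted(entries, key=lambda e: e["time"]):
        if clusters and e["time"] - clusters[-1][-1]["time"] <= timedelta(minutes=minutes):
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def suspicious_clusters(clusters, min_size=3):
    """Clusters of at least `min_size` items that all live under AppData\\Local.

    Heuristic (assumption for this demo): several unrelated-looking items landing
    in a user-writable profile folder within minutes of each other is the pattern
    the thread's helper spotted; it is a triage hint, not a verdict."""
    return [c for c in clusters
            if len(c) >= min_size and all(APPDATA_LOCAL_RE.search(e["path"]) for e in c)]


if __name__ == "__main__":
    entries = [parse_otl_entry(line) for line in SAMPLE_LINES]
    for group in suspicious_clusters(cluster_by_window(entries)):
        first, last = group[0]["time"], group[-1]["time"]
        print(f"{len(group)} items between {first} and {last}:")
        for e in group:
            print(f"  {e['kind']:8} {e['path']}")
```

Run against a full OTL.txt the same functions would be applied to every line that matches `ENTRY_RE`; the clustering is what turns "some bad files at 2010/07/20 around 11AM" from an eyeball observation into a repeatable check, and the timestamps also give the window to search in other logs (browser history, event logs) when reconstructing how the files arrived.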
  9. rlerner

    rlerner Newcomer, in training Topic Starter

    Reboot log:

    All processes killed
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\intu-help-qb3\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4}\ not found.
    File {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
    File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\qbwc\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC598A64-626C-4447-85B8-53150405FD57}\ not found.
    File {FC598A64-626C-4447-85B8-53150405FD57} - Reg Error: Key error. File not found not found.
    64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}\chrome\content folder moved successfully.
    C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}\chrome folder moved successfully.
    C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43} folder moved successfully.
    C:\Users\Richard\AppData\Local\qoaxloyak folder moved successfully.
    C:\Users\Richard\AppData\Local\Ltovagayusaqi.bin moved successfully.
    C:\Users\Richard\AppData\Local\Wjuwafa.dat moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public

    User: Richard
    ->Temp folder emptied: 367149 bytes
    ->Temporary Internet Files folder emptied: 13933649 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 91971494 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 1450 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5446 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 44718 bytes

    Total Files Cleaned = 101.00 mb


    [EMPTYFLASH]

    User: Default

    User: Public

    User: Richard
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.9.1 log created on 08022010_221710

    Files\Folders moved on Reboot...
    File\Folder C:\Users\Richard\AppData\Local\Temp\~DF35D23C13E632BE4B.TMP not found!
    File\Folder C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WJQ6OAML\search[4].htm not found!
    File\Folder C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5G5FGOCV\search[2].htm not found!

    Registry entries deleted on Reboot...

    Attached Files: OTL.Txt (107.3 KB)
  10. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Still redirecting?
  11. rlerner

    rlerner Newcomer, in training Topic Starter

    It looks as though the demons have been exorcised!

    Thank you very much. Brilliant work!!
  12. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Super :)

    Yeah, I've noticed some bad files, which got on your computer at 2010/07/20 around 11AM.

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Go to Kaspersky website and perform an online antivirus scan.

    • Disable your active antivirus program.
    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  13. rlerner

    rlerner Newcomer, in training Topic Starter

    Checkup.txt:

    Results of screen317's Security Check version 0.99.5
    Windows 7 (UAC is enabled)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Adobe Flash Player 10.1.53.64
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

    ``````````End of Log````````````


    Cleaned files. Will let Kaspersky run overnight.

    Thanks again for the great tech support!
  14. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    You're welcome :)
  15. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Are you still out there?
  16. rlerner

    rlerner Newcomer, in training Topic Starter

    Yes. All looks good at this point. Several days with no redirects. Got rid of that last folder, and Kaspersky did not find anything. Calling it solved.

    Thanks again for your help. Great job.
  17. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Cool, but you still need to perform last steps...

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =======================================================================

    Your computer is clean


    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI). The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html