TechSpot

Using Firefox or IE if open Google, get redirect to Google.com.br

Inactive
By NutnFunny
Mar 4, 2011
  1. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Let me know what you want to do, or... continue with the instructions, including the Eset scan.
     
  2. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Eset Scan done
    No results.... this is a smart MF===
     
  3. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Open to Options...
     
  4. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    new virus..or attack...
    the recommended (products) files.. do not apply
    my machine is wobbly,.. my laptop is very unstable
    Appreciate your hard work...
    where do we go from here?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    More details, please.
     
  6. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    New virus or DNS attack, the reason malware programs are not able to remove it.
    Laptop is getting redirects when on Firefox; home page is Google as well, and it will redirect to different websites.

    PC still the same. Google.com is replaced with Google.com.br

    Yahoo shows my location in different cities.

    Craigslist shows different cities almost every time I bring it up.

    Noticed when disconnected from satellite/router on laptop and used Sprint
    wireless modem the problem disappears on laptop... no redirect.

    Originally did ipconfig /flush on PC, but no luck.
    You have helped out tremendously, just wondering if this is not a virus but some kind of firmware error on the router.
    Placed call to Skycasters, satellite internet; they will call Monday.
    Any thoughts?
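
The symptoms in the post above admit two different explanations that call for different fixes: a resolver (hosts file, router DNS setting, or upstream DNS) that has been pointed at addresses the site owner does not control, versus the site's own server choosing a country edition from the public IP it sees, which would change with the uplink exactly as described. The script below is an added example, not code from this thread or from any tool mentioned in it; it encodes the differential check a responder runs before reaching for cleaning tools. The local DNS answers are the google.com addresses that nslookup returned in the MiniToolBox output posted later in the thread; the trusted-resolver answers, the HTTP responses, the Google prefix list and the names `Observation` and `classify` are assumptions for illustration.

```python
"""Added example: separate a DNS hijack from a server-side country redirect.

Inputs are constructed. local_answers in SATELLITE are the google.com
addresses from the nslookup output in this thread; everything else (the
trusted resolver's answers, the HTTP responses, the prefix list) is assumed.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Prefixes that belonged to Google (AS15169) at the time; illustrative, not a
# complete list. 74.125.0.0/16 covers the 74.125.47.x answers in the thread.
GOOGLE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "74.125.0.0/16", "64.233.160.0/19", "72.14.192.0/18", "209.85.128.0/17",
)]


@dataclass
class Observation:
    host: str                # name the user typed, e.g. "google.com"
    local_answers: list      # A records from the resolver the PC actually uses
    trusted_answers: list    # same query sent to a resolver outside this uplink
    http_status: int         # status of GET http://<host>/ made on this uplink
    http_location: str = ""  # Location header if the status was a 3xx


def in_prefixes(ip: str, prefixes) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def same_owner(host: str, location: str) -> bool:
    """True when the redirect target carries the site's own label, e.g.
    google.com -> www.google.com.br, as a country edition would."""
    target = urlparse(location).hostname or ""
    owner_label = host.split(".")[-2]
    return owner_label in target.split(".") and target != host


def classify(obs: Observation, owner_prefixes) -> dict:
    """Verdicts: dns_hijack, geo_redirect, redirect_to_unrelated_host, no_redirect."""
    rogue = [ip for ip in obs.local_answers if not in_prefixes(ip, owner_prefixes)]
    if rogue:
        # The resolver this PC uses points the name somewhere the owner does not
        # control: hosts file, resolver setting or upstream DNS has been tampered.
        return {"verdict": "dns_hijack", "detail": f"non-owner answers {rogue}"}
    if set(obs.local_answers).isdisjoint(obs.trusted_answers):
        note = "answers differ per resolver but all sit in owner prefixes (normal for anycast/CDN)"
    else:
        note = "local and trusted resolvers agree"
    if obs.http_status in (301, 302, 303, 307, 308):
        if same_owner(obs.host, obs.http_location):
            # The owner's own server answered and picked a country edition; that
            # choice is made from the client's public IP, i.e. from the uplink.
            return {"verdict": "geo_redirect", "detail": f"3xx to {obs.http_location}; {note}"}
        return {"verdict": "redirect_to_unrelated_host",
                "detail": f"3xx to {obs.http_location} from an owner address; "
                          "check proxy settings, hosts file and in-path devices"}
    return {"verdict": "no_redirect", "detail": note}


# Constructed sample 1: the thread's satellite uplink. DNS answers are the ones
# nslookup returned in the MiniToolBox output; the HTTP part is assumed.
SATELLITE = Observation(
    host="google.com",
    local_answers=["74.125.47.99", "74.125.47.103", "74.125.47.104"],
    trusted_answers=["74.125.47.99", "74.125.47.103"],
    http_status=302,
    http_location="http://www.google.com.br/",
)
# Constructed sample 2: a resolver answering with a TEST-NET-2 address.
HIJACKED = Observation(
    host="google.com",
    local_answers=["198.51.100.23"],
    trusted_answers=["74.125.47.99"],
    http_status=200,
)

if __name__ == "__main__":
    for label, obs in (("satellite uplink", SATELLITE), ("rogue resolver", HIJACKED)):
        print(f"{label}: {classify(obs, GOOGLE_PREFIXES)}")
```

To collect real inputs, run `nslookup google.com` (default resolver) and `nslookup google.com 8.8.8.8` (a resolver outside the uplink) plus `curl -sI http://google.com/` on each connection. A geo_redirect verdict on the satellite link and no_redirect on the Sprint modem is what the symptoms above would predict; a dns_hijack verdict on either is a host or router problem regardless of uplink.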
     
  7. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Please download MiniToolBox and run it.

    Checkmark following boxes:
    • Report IE Proxy Settings
    • List content of Hosts
    • List IP configuration
    Click Go and post the result.
     
  8. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    MiniToolBox by Farbar
    Ran by admin at 2011-03-06 12:32:20
    Windows (TM) Vista Home Premium Service Pack 2 (X64)

    ***************************************************************************


    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= End of IE Proxy Settings ========================
    =============== Hosts content: ============================================

    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost

    =============== End of Hosts ==============================================

    ================= IP Configuration: =======================================

    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset
    set global


    popd
    # End of IPv4 configuration



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : admin-PC
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) 82567LF-2 Gigabit Network Connection
    Physical Address. . . . . . . . . : 00-24-E8-14-4A-6B
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::a148:c14f:c95e:e31d%11(Preferred)
    IPv4 Address. . . . . . . . . . . : 76.239.149.90(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.252
    Lease Obtained. . . . . . . . . . : Sunday, March 06, 2011 12:15:49 PM
    Lease Expires . . . . . . . . . . : Monday, March 07, 2011 12:15:49 AM
    Default Gateway . . . . . . . . . : 76.239.149.89
    DHCP Server . . . . . . . . . . . : 76.239.149.89
    DHCPv6 IAID . . . . . . . . . . . : 251667688
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-77-00-3A-00-24-E8-14-4A-6B
    DNS Servers . . . . . . . . . . . : 76.239.149.89
    75.7.64.62
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : isatap.{61601A34-0C30-467E-95F8-A432826500A0}
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3449:114a:b310:6aa5(Preferred)
    Link-local IPv6 Address . . . . . : fe80::3449:114a:b310:6aa5%10(Preferred)
    Default Gateway . . . . . . . . . :
    NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 11:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : 6TO4 Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv6 Address. . . . . . . . . . . : 2002:4cef:955a::4cef:955a(Preferred)
    Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
    DNS Servers . . . . . . . . . . . : 76.239.149.89
    75.7.64.62
    NetBIOS over Tcpip. . . . . . . . : Disabled
    Server: UnKnown
    Address: 76.239.149.89

    Name: google.com
    Addresses: 74.125.47.99
    74.125.47.103
    74.125.47.104
    74.125.47.105
    74.125.47.147
    74.125.47.106



    Pinging google.com [74.125.47.99] with 32 bytes of data:
    Reply from 74.125.47.99: bytes=32 time=607ms TTL=47
    Reply from 74.125.47.99: bytes=32 time=567ms TTL=47

    Ping statistics for 74.125.47.99:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 567ms, Maximum = 607ms, Average = 587ms

    Server: UnKnown
    Address: 76.239.149.89

    Name: yahoo.com
    Addresses: 209.191.122.70
    67.195.160.76
    69.147.125.65
    72.30.2.43
    98.137.149.56

    Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
    Reply from 209.191.122.70: bytes=32 time=555ms TTL=46
    Reply from 209.191.122.70: bytes=32 time=573ms TTL=46

    Ping statistics for 209.191.122.70:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 555ms, Maximum = 573ms, Average = 564ms

    Pinging 127.0.0.1 with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    11 ...00 24 e8 14 4a 6b ...... Intel(R) 82567LF-2 Gigabit Network Connection
    1 ........................... Software Loopback Interface 1
    12 ...00 00 00 00 00 00 00 e0 isatap.{61601A34-0C30-467E-95F8-A432826500A0}
    10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    13 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 76.239.149.89 76.239.149.90 20
    76.239.149.88 255.255.255.252 On-link 76.239.149.90 276
    76.239.149.90 255.255.255.255 On-link 76.239.149.90 276
    76.239.149.91 255.255.255.255 On-link 76.239.149.90 276
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
    224.0.0.0 240.0.0.0 On-link 76.239.149.90 276
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
    255.255.255.255 255.255.255.255 On-link 76.239.149.90 276
    ===========================================================================
    Persistent Routes:
    None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    13 1125 ::/0 2002:c058:6301::c058:6301
    1 306 ::1/128 On-link
    10 18 2001::/32 On-link
    10 266 2001:0:4137:9e76:3449:114a:b310:6aa5/128
    On-link
    13 1025 2002::/16 On-link
    13 281 2002:4cef:955a::4cef:955a/128
    On-link
    11 276 fe80::/64 On-link
    10 266 fe80::/64 On-link
    10 266 fe80::3449:114a:b310:6aa5/128
    On-link
    11 276 fe80::a148:c14f:c95e:e31d/128
    On-link
    1 306 ff00::/8 On-link
    10 266 ff00::/8 On-link
    11 276 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None

    ================= End of IP Configuration =================================
     
  9. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Looks normal.

    Possibly, you got reinfected.

    Update Malwarebytes, run it and give me a new log.
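
"Looks normal" is the right reading of the report above, and it is worth making the reading mechanical. The script below is an added example, not code from this thread or from Farbar's MiniToolBox; it runs the three checks Broni asked for over the report's own section layout: any hosts entry other than loopback to localhost, any enabled IE proxy, and any DNS server that is neither the default gateway nor on a list of resolvers the ISP has confirmed as theirs. `SAMPLE_REPORT` is an abridged copy of the report posted above; the wording the tool would print for an enabled proxy, the tampered line in `TAMPERED_HOSTS`, and the names `audit` and `trusted_resolvers` are assumptions.

```python
"""Added example: triage of a MiniToolBox-style report for local redirect causes.

SAMPLE_REPORT abridges the report posted in this thread. The section headers
('==== Name: ====' / '==== End of Name ====') and 'Proxy is not enabled.' come
from that report; the wording for an enabled proxy is assumed.
"""
import ipaddress
import re

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
LABEL_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")
BARE_IP_RE = re.compile(r"^\s*([0-9A-Fa-f.:%]+)\s*$")  # ipconfig continuation line


def split_sections(report: str) -> dict:
    """Map section name -> lines; '=' rules with no name (route tables) are content."""
    sections, current = {}, None
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group(1):
            name = m.group(1)
            if name.startswith("End of"):
                current = None
            elif name.endswith(":"):
                current = name[:-1]
                sections[current] = []
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def suspicious_hosts(lines) -> list:
    """Anything but loopback -> localhost: a hosts entry overrides DNS machine-wide."""
    bad = []
    for entry in (l.split("#", 1)[0].split() for l in lines):
        if not entry:
            continue
        try:
            ok = ipaddress.ip_address(entry[0]).is_loopback and all(n == "localhost" for n in entry[1:])
        except ValueError:
            ok = False  # not even an address on the line: worth a look
        if not ok:
            bad.append(" ".join(entry))
    return bad


def proxy_status(lines) -> dict:
    text = "\n".join(lines)
    server = re.search(r"Proxy ?Server[^:\n]*:\s*(\S+)", text)  # assumed wording when set
    return {"enabled": "Proxy is not enabled" not in text,
            "server": server.group(1) if server else None}


def ip_settings(lines) -> dict:
    """Default gateways and DNS servers over all adapters; ipconfig prints
    additional DNS servers on bare lines under the 'DNS Servers' label."""
    gateways, dns, collecting = [], [], False
    for line in lines:
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            collecting = label == "DNS Servers"
            if label == "Default Gateway" and value:
                gateways.append(value)
            elif collecting and value:
                dns.append(value)
            continue
        m = BARE_IP_RE.match(line)
        if collecting and m:
            dns.append(m.group(1))
        else:
            collecting = False
    return {"gateways": gateways, "dns_servers": dns}


def audit(report: str, trusted_resolvers=()) -> dict:
    s = split_sections(report)
    settings = ip_settings(s.get("IP Configuration", []))
    gw = set(settings["gateways"])
    return {
        "hosts_suspicious": suspicious_hosts(s.get("Hosts content", [])),
        "proxy": proxy_status(s.get("IE Proxy Settings", [])),
        **settings,
        # resolvers that are neither the gateway nor confirmed as the ISP's
        "dns_to_verify": [d for d in settings["dns_servers"]
                          if d not in gw and d not in trusted_resolvers],
    }


# Abridged from the report posted in this thread.
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
=============== End of Hosts ==============================================
================= IP Configuration: =======================================
Ethernet adapter Local Area Connection:
IPv4 Address. . . . . . . . . . . : 76.239.149.90(Preferred)
Default Gateway . . . . . . . . . : 76.239.149.89
DNS Servers . . . . . . . . . . . : 76.239.149.89
75.7.64.62
NetBIOS over Tcpip. . . . . . . . : Enabled
================= End of IP Configuration =================================
"""
# Constructed: the same report with one hijacking hosts entry (TEST-NET-2 address).
TAMPERED_HOSTS = SAMPLE_REPORT.replace(
    "127.0.0.1 localhost", "127.0.0.1 localhost\n198.51.100.5 www.google.com  # constructed")

if __name__ == "__main__":
    print(audit(SAMPLE_REPORT))
    print(audit(TAMPERED_HOSTS)["hosts_suspicious"])
```

On the thread's data the audit returns no suspicious hosts entries and no proxy, and flags 75.7.64.62 as the one resolver it cannot explain from the report alone: the script cannot know whether that address belongs to the ISP, which is the question to put to Skycasters. Pass it in `trusted_resolvers` once confirmed and the flag clears.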
     
  10. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Malwarebytes will not respond; rebooted, turned off Avast, still will not respond.
    Still getting redirect.
    Removed Linksys router and now am directly on satellite modem.
     
  11. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Malware will run now, but will not allow me to update it; becomes "not responding".

    Here is log.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5976

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    3/6/2011 3:32:28 PM
    mbam-log-2011-03-06 (15-32-28).txt

    Scan type: Quick scan
    Objects scanned: 164952
    Time elapsed: 2 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Are you still getting redirected, when connected straight to the modem?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  13. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Yes, still getting Google.com.br,
    and now IE will not connect to the internet.
    So it is not an error with the Linksys; may be something with the ISP.

    Do I need to delete the ComboFix I already have?

    Rkill did not load the last go around, but will try again.
     
  14. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Here is the message I get when trying to download Rkill.com,.scr or .exe

    Virus Download Blocked

    Download of the virus has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.

    File name: download.bleepingcomputer.com
     
  15. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    This is false positive warning. Disregard it.

    Yes, you need to delete your Combofix file.

    What country are you located in?
     
  16. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Used a different computer, my laptop with a Sprint modem, and downloaded Rkill to a jump stick.
    Now in the first 8 steps Rkill and DDS would not let me download.
    I will also download DDS to jump stick.

    Let me know if I should delete the existing ComboFix first before I download it again.
    Thanks
     
  17. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Yes.
     
  18. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Here is new ComboFix file:

    ComboFix 11-03-06.01 - admin 03/06/2011 18:45:42.3.8 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8182.6315 [GMT -6:00]
    Running from: c:\users\admin\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-07 00:52 . 2011-03-07 00:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-06 17:02 . 2011-03-03 18:16 25048 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browserdirprovider.dll
    2011-03-06 17:02 . 2011-03-03 18:16 140248 ----a-w- c:\program files (x86)\Mozilla Firefox\components\brwsrcmp.dll
    2011-03-06 04:07 . 2011-03-06 04:07 -------- d-----w- c:\program files (x86)\Common Files\Adobe
    2011-03-06 03:59 . 2011-03-06 03:59 -------- d-----w- c:\windows\SysWow64\wbem\Logs
    2011-03-06 01:06 . 2011-03-06 01:06 -------- d-----w- C:\_OTL
    2011-03-06 00:59 . 2011-02-03 03:40 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-03-06 00:59 . 2011-02-03 03:40 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-03-06 00:58 . 2011-03-06 00:58 -------- d-----w- c:\programdata\McAfee
    2011-03-05 01:53 . 2011-03-05 01:54 -------- d-----w- c:\program files (x86)\FileBulldog Toolbar
    2011-03-05 01:53 . 2011-03-05 01:53 -------- d-----w- c:\program files (x86)\Temp File Cleaner
    2011-03-04 21:33 . 2011-02-11 07:30 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{64085234-D7AC-4F4E-9D03-52AB13065D9F}\mpengine.dll
    2011-03-03 05:22 . 2011-03-03 05:22 -------- d-----w- c:\program files (x86)\ESET
    2011-03-01 13:33 . 2011-03-01 13:33 -------- d-----w- c:\program files (x86)\Common Files\Skype
    2011-03-01 04:52 . 2011-02-23 14:57 505176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-02-24 02:50 . 2011-02-24 02:50 -------- d-----w- c:\program files\iPod
    2011-02-24 02:50 . 2011-02-24 02:50 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    2011-02-24 02:50 . 2011-02-24 02:50 -------- d-----w- c:\program files\iTunes
    2011-02-24 02:42 . 2011-02-24 02:42 -------- d-----w- c:\program files\Bonjour
    2011-02-24 02:42 . 2011-02-24 02:42 -------- d-----w- c:\program files (x86)\Bonjour
    2011-02-21 23:42 . 2011-02-21 23:42 -------- d-----w- c:\users\admin\AppData\Local\Yahoo!
    2011-02-10 03:36 . 2011-01-20 16:46 900480 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-02-10 03:35 . 2010-10-15 14:02 4699024 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-02-10 03:35 . 2010-10-15 13:43 1168512 ----a-w- c:\windows\SysWow64\ntdll.dll
    2011-02-10 03:35 . 2010-10-15 13:43 1585168 ----a-w- c:\windows\system32\ntdll.dll
    2011-02-10 03:35 . 2011-01-08 09:03 48128 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-10 03:35 . 2011-01-08 08:47 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2011-02-10 03:35 . 2011-01-08 06:45 367104 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-10 03:35 . 2011-01-08 06:28 292352 ----a-w- c:\windows\SysWow64\atmfd.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 15:04 . 2010-07-10 19:29 40648 ----a-w- c:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-05-15 15:06 190016 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-02-23 15:04 . 2011-01-22 16:22 238968 ----a-w- c:\windows\system32\aswBoot.exe
    2011-02-23 14:57 . 2010-05-15 15:06 280408 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-05-15 15:06 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-05-15 15:06 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:55 . 2010-05-15 15:06 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-02-23 14:54 . 2010-05-15 15:06 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-02-02 23:11 . 2010-08-22 18:32 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-23 00:51 . 2011-01-23 00:51 53248 ----a-r- c:\users\admin\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
    2010-12-28 16:08 . 2011-01-12 09:34 466944 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-28 15:55 . 2011-01-12 09:34 413696 ----a-w- c:\windows\SysWow64\odbc32.dll
    2010-12-21 00:09 . 2009-05-18 03:30 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2009-10-03 22:58 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-14 16:15 . 2011-01-12 09:34 1251840 ----a-w- c:\windows\system32\sdclt.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-03-06_18.17.04 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2011-03-06 18:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2011-03-07 00:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2011-03-06 18:16 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2011-03-07 00:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2011-03-06 18:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2011-03-07 00:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-03-07 00:56 61168 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2011-03-07 00:56 79516 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-05-17 18:48 . 2011-03-07 00:56 12298 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3792922179-2174670505-3486552871-1000_UserData.bin
    - 2009-05-17 18:45 . 2011-03-06 17:28 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-05-17 18:45 . 2011-03-06 22:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-05-17 18:45 . 2011-03-06 22:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-05-17 18:45 . 2011-03-06 17:28 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-05-17 18:45 . 2011-03-06 17:28 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-05-17 18:45 . 2011-03-06 22:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-26 21:14 . 2011-03-04 14:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-26 21:14 . 2011-03-06 23:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-26 21:14 . 2011-03-04 14:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-26 21:14 . 2011-03-06 23:05 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-11-26 21:14 . 2011-03-04 14:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-26 21:14 . 2011-03-06 23:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-26 21:14 . 2011-03-07 00:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-26 21:14 . 2011-03-06 17:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-26 21:14 . 2011-03-06 17:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-26 21:14 . 2011-03-07 00:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-03-07 00:53 . 2011-03-07 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-03-06 18:15 . 2011-03-06 18:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-03-07 00:53 . 2011-03-07 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-03-06 18:15 . 2011-03-06 18:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2006-11-02 12:46 . 2011-03-06 17:42 604264 c:\windows\system32\perfh009.dat
    + 2006-11-02 12:46 . 2011-03-06 23:31 604264 c:\windows\system32\perfh009.dat
    - 2006-11-02 12:46 . 2011-03-06 17:42 103964 c:\windows\system32\perfc009.dat
    + 2006-11-02 12:46 . 2011-03-06 23:31 103964 c:\windows\system32\perfc009.dat
    - 2010-04-30 05:55 . 2011-03-06 18:14 328912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-04-30 05:55 . 2011-03-07 00:52 328912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-05-01 04:13 . 2011-03-07 00:52 957760 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3792922179-2174670505-3486552871-1000-8192.dat
    - 2010-05-01 04:13 . 2011-03-06 18:14 957760 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3792922179-2174670505-3486552871-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
    "Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-18 1242448]
    "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
    "Logitech Vid"="c:\program files (x86)\Logitech\Vid\vid.exe" [2010-05-11 6061400]
    "Logitech Vid HD"="c:\program files (x86)\Logitech\Vid\vid.exe" [2010-05-11 6061400]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-08-29 49152]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2007-11-14 53488]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2008-12-22 88576]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 202752]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 64344]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
    S2 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-08 197976]
    S2 WinFLdrv;WinFLdrv;SysWOW64\WinFLdrv.sys [x]
    S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [2010-11-10 24032]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-09-28 316544]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-08 30304]
    S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2010-11-10 341856]
    S3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-11-10 4162784]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-07 c:\windows\Tasks\SDMsgUpdate (SD).job
    - c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2011-01-19 17:29]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-12-22 6931488]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
    mLocal Page = %SystemRoot%\system32\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\caulprq5.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z045&form=ZGAADF&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Zemanta: firefox@zemanta.com - %profile%\extensions\firefox@zemanta.com
    FF - Ext: KGen: kgen@elitwork.com - %profile%\extensions\kgen@elitwork.com
    FF - Ext: TACO with Abine: optout@dubfire.net - %profile%\extensions\optout@dubfire.net
    FF - Ext: SeoQuake Plugin - Seolinx: seoquake-plugin-seolinx@seoquake.com - %profile%\extensions\seoquake-plugin-seolinx@seoquake.com
    FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
    FF - Ext: SEOpen: {ff6bdc07-eed6-4815-ad95-d7938b673ab5} - %profile%\extensions\{ff6bdc07-eed6-4815-ad95-d7938b673ab5}
    FF - user.js: yahoo.homepage.dontask - true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3792922179-2174670505-3486552871-1000\Software\SecuROM\License information*]
    "datasecu"=hex:5d,7a,11,54,95,f3,ed,78,68,27,50,c9,80,1c,b0,4d,56,c3,a4,bc,f8,
    4e,78,92,67,65,1d,08,5f,90,a3,cc,14,61,cb,39,d7,d1,3f,7d,5e,f3,93,38,05,c3,\
    "rkeysecu"=hex:44,08,c1,7a,cf,c3,bf,2d,ef,f6,ad,12,77,f9,0e,ed
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\SysWOW64\java.exe
    c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-06 19:04:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-07 01:04
    ComboFix2.txt 2011-03-06 18:26
    ComboFix3.txt 2011-03-05 22:57
    .
    Pre-Run: 377,477,726,208 bytes free
    Post-Run: 377,322,381,312 bytes free
    .
    - - End Of File - - EE07911224A9679D12F70E3B7B4BCD9E
     
  19. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Broni,

    USA,
    Here is RKill file:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/06/2011 at 19:14:36.
    Operating System: Windows (TM) Vista Home Premium


    Processes terminated by Rkill or while it was running:

    C:\Program Files\Alwil Software\Avast5\defs\11030601\Sf.bin


    Rkill completed on 03/06/2011 at 19:14:56.
     
  20. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    rebooted, still getting redirect to google.com.br
     
  21. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing into the hole, using a pencil or a paperclip, until all lights briefly go off and on.
    NOTE. Simply disconnecting the router from its power source will NOT do.
    Restart computer and check for redirections.

    NOTE. You may need to re-check your router security settings, as described HERE
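After the flush and reset steps above, the next thing worth checking is what the machine is actually using for name resolution: the resolver list handed out by the router and the hosts file. The Python below is an added example, not code from the thread or from any of the tools named in it; it parses a constructed `ipconfig /all` fragment and a constructed hosts file, and the allowlist of ISP resolvers is a placeholder you fill in yourself.

```python
import ipaddress, re

# Constructed sample of `ipconfig /all` output (not the thread's machine).
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.9
"""
# Constructed sample hosts file with one entry that pins a search engine.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
198.51.100.7    www.google.com
"""
# RFC 1918 / link-local ranges: a resolver here is the router or another LAN host.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "fc00::/7")]
WATCH = ("google.", "bing.", "yahoo.")  # names that should never be pinned in hosts

def parse_dns_servers(text):
    """DNS servers from ipconfig /all; extra servers sit on indented continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and re.match(r"\s{20,}\S+$", line):
            servers.append(line.strip())
        else:
            in_dns = False
    return servers

def check_dns_servers(servers, allow=()):
    """LAN resolvers are expected; a public one must be in `allow` (placeholder: your ISP's) or is flagged."""
    out = []
    for s in servers:
        addr = ipaddress.ip_address(s.split("%")[0])  # drop any IPv6 zone id
        status = ("ok: LAN resolver" if any(addr in net for net in LAN_NETS)
                  else "ok: allowlisted" if s in allow
                  else "review: public resolver not on allowlist")
        out.append((s, status))
    return out

def check_hosts(text):
    """(ip, name) hosts entries that override lookups for watched domains."""
    hits = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        hits += [(parts[0], n) for n in parts[1:] if any(w in n.lower() for w in WATCH)]
    return hits
```

A clean result from both checks does not rule out the cause this thread ends up with: a site choosing a country version from the connection's egress address involves no resolver or hosts entry, so nothing here would flag it.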
     
  22. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Completed the ipconfig processes and the PC and router reboot.

    still getting redirect to google.com.br
     
  23. Broni

    Broni Malware Annihilator Posts: 47,986   +271

  24. NutnFunny

    NutnFunny TS Rookie Topic Starter Posts: 44

    Created new user, still redirect to google.com.br
    pretty sure this is an issue with ISP, I have to have one of the cleanest PCs around.
    problem disappears when using wireless modem from sprint, no redirect, just good old google.
    So in a nutshell google has decided my IP is in Brazil, while Yahoo, MSN know my IP is USA based.
    Thank you for all your help.
    I will work with my ISP, and if no luck submit request to Google to redirect my IP to a USA standing.
    Thanks again.
    Will let you know how it works out.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Keep me posted.
     
Topic Status:
Not open for further replies.