[Solved] Google Redirect on Win7 64-bit, can't run Combofix or GMER

Status
Not open for further replies.

rlerner

When clicking on Google search results, I'm sporadically taken to Scour, Infomash or other search sites. I have read several posts resolving this issue and the 8-step fix, but since I'm on 64-bit Win7, some of the steps won't work. I cannot run Combofix or GMER (only for 32-bit systems?). I have run an AV scan, MBAM, Hitman Pro and GooredFix, no joy.

The system is Win7-64, using FF 3.6.8. Have attached log files from DDS.

Would appreciate any help or suggestions.

Thanks!
 

Attachments

  • Attach.zip
    3.2 KB · Views: 1
  • DDS.txt
    28.5 KB · Views: 2
Welcome aboard


Please never zip any logs.

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Thanks. Here's the MBR report:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: System manufacturer
System Product Name: System Product Name
Logical Drives Mask: 0x0000079c

Kernel Drivers (total 215):
0x0325F000 \SystemRoot\system32\ntoskrnl.exe
0x03216000 \SystemRoot\system32\hal.dll
0x00BA4000 \SystemRoot\system32\kdcom.dll
0x00C4A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C8E000 \SystemRoot\system32\PSHED.dll
0x00CA2000 \SystemRoot\system32\CLFS.SYS
0x00D00000 \SystemRoot\system32\CI.dll
0x00EEF000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F93000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00FA2000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00E00000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
0x00E09000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00E13000 \SystemRoot\system32\DRIVERS\pci.sys
0x00E46000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x00E53000 \SystemRoot\System32\drivers\partmgr.sys
0x00E68000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x00E7D000 \SystemRoot\System32\drivers\volmgrx.sys
0x00ED9000 \SystemRoot\system32\DRIVERS\pciide.sys
0x00DC0000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x00DD0000 \SystemRoot\system32\DRIVERS\jraid.sys
0x00C00000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0x00C2F000 \SystemRoot\System32\drivers\mountmgr.sys
0x01016000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x012A7000 \SystemRoot\system32\DRIVERS\iaStorV.sys
0x013C5000 \SystemRoot\system32\DRIVERS\atapi.sys
0x013CE000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x01200000 \SystemRoot\system32\DRIVERS\msahci.sys
0x0120B000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x01216000 \SystemRoot\system32\drivers\fltmgr.sys
0x01262000 \SystemRoot\system32\drivers\fileinfo.sys
0x01132000 \SystemRoot\system32\DRIVERS\ndasfs.sys
0x014AC000 \SystemRoot\system32\DRIVERS\lfsfilt.sys
0x0161A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01519000 \SystemRoot\System32\Drivers\msrpc.sys
0x017BD000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01577000 \SystemRoot\System32\Drivers\cng.sys
0x017D7000 \SystemRoot\System32\drivers\pcw.sys
0x017E8000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x018C3000 \SystemRoot\system32\drivers\ndis.sys
0x01800000 \SystemRoot\system32\drivers\NETIO.SYS
0x01860000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01A02000 \SystemRoot\System32\drivers\tcpip.sys
0x019B5000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x0188B000 \SystemRoot\system32\DRIVERS\lpx6x.sys
0x018B2000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x01600000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x01400000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x01610000 \SystemRoot\System32\Drivers\spldr.sys
0x0144C000 \SystemRoot\System32\drivers\rdyboost.sys
0x01486000 \SystemRoot\System32\Drivers\mup.sys
0x017F2000 \SystemRoot\System32\drivers\hwpolicy.sys
0x011A4000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x015EA000 \SystemRoot\system32\DRIVERS\disk.sys
0x01276000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x02F5B000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02F85000 \SystemRoot\System32\Drivers\Null.SYS
0x02F8E000 \SystemRoot\System32\Drivers\Beep.SYS
0x02F95000 \SystemRoot\System32\drivers\vga.sys
0x02FA3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02FC8000 \SystemRoot\System32\drivers\watchdog.sys
0x02FD8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02FE1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02FEA000 \SystemRoot\system32\drivers\rdprefmp.sys
0x03E74000 \SystemRoot\system32\DRIVERS\ndasrofs.sys
0x04488000 \SystemRoot\system32\DRIVERS\ndasfat.sys
0x04528000 \SystemRoot\System32\Drivers\Msfs.SYS
0x04533000 \SystemRoot\System32\Drivers\Npfs.SYS
0x04544000 \SystemRoot\system32\DRIVERS\tdx.sys
0x04562000 \SystemRoot\system32\drivers\afd.sys
0x04400000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04445000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x0444E000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04474000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03F7C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x045EC000 \SystemRoot\system32\DRIVERS\termdd.sys
0x03F97000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03FE8000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03FF4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x03E00000 \SystemRoot\System32\drivers\discache.sys
0x046FD000 \SystemRoot\system32\drivers\csc.sys
0x04780000 \SystemRoot\System32\Drivers\dfsc.sys
0x0479E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x047AF000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x047D1000 \SystemRoot\SysWow64\drivers\AsUpIO.sys
0x047D7000 \SystemRoot\SysWow64\drivers\AsIO.sys
0x04600000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04626000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0463C000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x04AB1000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x052D5000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x05200000 \SystemRoot\System32\drivers\dxgmms1.sys
0x05246000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x0526A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x05277000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x053C9000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x0518D000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x04A00000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x053DA000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0x053E2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x04A3E000 \SystemRoot\system32\DRIVERS\PS2.sys
0x04A47000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04A56000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x04A63000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x052CD000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
0x04A73000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x04A8C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04A95000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x051DC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x04682000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x0468E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x046BD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x046D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x047DD000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x03E0F000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x03E1A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x052D0000 \SystemRoot\system32\DRIVERS\swenum.sys
0x03E29000 \SystemRoot\system32\DRIVERS\ks.sys
0x05CDF000 \SystemRoot\system32\DRIVERS\ndasbus.sys
0x05D5C000 \SystemRoot\system32\DRIVERS\umbus.sys
0x05D6E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x05DC8000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x05DD5000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
0x05DDD000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05C00000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x05C23000 \SystemRoot\system32\drivers\portcls.sys
0x05C60000 \SystemRoot\system32\drivers\drmk.sys
0x05C82000 \SystemRoot\system32\drivers\ksthunk.sys
0x07809000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x000D0000 \SystemRoot\System32\win32k.sys
0x079B6000 \SystemRoot\System32\drivers\Dxapi.sys
0x079C2000 \SystemRoot\System32\Drivers\crashdmp.sys
0x02E00000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x079D0000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x079E3000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x079F1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x05C95000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x05CB2000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x05CCD000 \SystemRoot\system32\DRIVERS\monitor.sys
0x079F3000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x05DF2000 \SystemRoot\system32\drivers\LVUSBS64.sys
0x02F1C000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x02852000 \SystemRoot\system32\DRIVERS\LV302V64.SYS
0x02AD2000 \SystemRoot\system32\DRIVERS\lv302a64.sys
0x02AD5000 \SystemRoot\system32\drivers\usbaudio.sys
0x02AF0000 \SystemRoot\system32\DRIVERS\lvrs64.sys
0x02BB0000 \SystemRoot\system32\DRIVERS\wacmoumonitor.sys
0x02BB9000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x02BC7000 \SystemRoot\system32\DRIVERS\dc3d.sys
0x02BD3000 \SystemRoot\system32\DRIVERS\point64k.sys
0x00560000 \SystemRoot\System32\TSDDD.dll
0x00820000 \SystemRoot\System32\ATMFD.DLL
0x00750000 \SystemRoot\System32\cdd.dll
0x02800000 \SystemRoot\system32\drivers\luafv.sys
0x02823000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x02F2D000 \SystemRoot\system32\drivers\WudfPf.sys
0x02BE1000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x011DE000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x07C72000 \SystemRoot\System32\Drivers\fastfat.SYS
0x07CA8000 \SystemRoot\system32\drivers\HTTP.sys
0x07D70000 \SystemRoot\system32\DRIVERS\bowser.sys
0x07D8E000 \SystemRoot\System32\drivers\mpsdrv.sys
0x07DA6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x07C00000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x07C4E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x07DD3000 \SystemRoot\System32\Drivers\adfs.SYS
0x080EF000 \SystemRoot\system32\drivers\peauth.sys
0x08195000 \SystemRoot\System32\Drivers\secdrv.SYS
0x081A0000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x081CD000 \SystemRoot\System32\drivers\tcpipreg.sys
0x08000000 \SystemRoot\System32\DRIVERS\srv2.sys
0x09C6B000 \SystemRoot\System32\DRIVERS\srv.sys
0x09D03000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x09DA5000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x09C00000 \SystemRoot\system32\DRIVERS\udfs.sys
0x09D34000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77370000 \Windows\System32\ntdll.dll
0x484A0000 \Windows\System32\smss.exe
0xFF690000 \Windows\System32\apisetschema.dll
0xFF950000 \Windows\System32\autochk.exe
0xFF600000 \Windows\System32\shlwapi.dll
0xFF590000 \Windows\System32\gdi32.dll
0xFF580000 \Windows\System32\nsi.dll
0xFF320000 \Windows\System32\iertutil.dll
0xFF300000 \Windows\System32\imagehlp.dll
0x77540000 \Windows\System32\normaliz.dll
0x77270000 \Windows\System32\user32.dll
0xFF260000 \Windows\System32\comdlg32.dll
0x77150000 \Windows\System32\kernel32.dll
0xFF210000 \Windows\System32\Wldap32.dll
0xFF1E0000 \Windows\System32\imm32.dll
0xFF190000 \Windows\System32\ws2_32.dll
0xFF0F0000 \Windows\System32\msvcrt.dll
0xFEFC0000 \Windows\System32\wininet.dll
0xFEEB0000 \Windows\System32\msctf.dll
0xFEE30000 \Windows\System32\difxapi.dll
0xFEC50000 \Windows\System32\setupapi.dll
0xFEC40000 \Windows\System32\lpk.dll
0xFEB60000 \Windows\System32\advapi32.dll
0x77530000 \Windows\System32\psapi.dll
0xFDDD0000 \Windows\System32\shell32.dll
0xFDC50000 \Windows\System32\urlmon.dll
0xFDB80000 \Windows\System32\usp10.dll
0xFDA50000 \Windows\System32\rpcrt4.dll
0xFD970000 \Windows\System32\oleaut32.dll
0xFD8D0000 \Windows\System32\clbcatq.dll
0xFD8B0000 \Windows\System32\sechost.dll
0xFD6A0000 \Windows\System32\ole32.dll
0xFD600000 \Windows\System32\comctl32.dll
0xFD5C0000 \Windows\System32\wintrust.dll
0xFD450000 \Windows\System32\crypt32.dll
0xFD410000 \Windows\System32\cfgmgr32.dll
0xFD3F0000 \Windows\System32\devobj.dll
0xFD380000 \Windows\System32\KernelBase.dll
0xFD370000 \Windows\System32\msasn1.dll
0x75950000 \Windows\SysWOW64\normaliz.dll

Processes (total 87):
0 System Idle Process
4 System
384 C:\Windows\System32\smss.exe
512 csrss.exe
600 C:\Windows\System32\wininit.exe
620 csrss.exe
656 C:\Windows\System32\services.exe
676 C:\Windows\System32\lsass.exe
684 C:\Windows\System32\lsm.exe
796 C:\Windows\System32\svchost.exe
916 C:\Windows\System32\svchost.exe
976 C:\Windows\System32\atiesrxx.exe
140 C:\Windows\System32\winlogon.exe
400 C:\Windows\System32\svchost.exe
532 C:\Windows\System32\svchost.exe
812 C:\Windows\System32\svchost.exe
1172 C:\Windows\System32\svchost.exe
1264 C:\Windows\System32\atieclxx.exe
1280 C:\Windows\System32\wisptis.exe
1324 C:\Windows\System32\svchost.exe
1516 C:\Windows\System32\spoolsv.exe
1544 C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
1588 C:\Windows\System32\svchost.exe
1700 C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
1732 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1756 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1792 C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
1900 C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
1940 C:\Program Files\NDAS\System\ndassvc.exe
1988 C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
1996 C:\Windows\System32\conhost.exe
2040 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
2056 C:\Windows\System32\taskhost.exe
2188 C:\Windows\System32\wisptis.exe
2196 C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
2208 C:\Windows\System32\dwm.exe
2272 C:\Windows\explorer.exe
2344 C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe
2708 C:\Windows\System32\svchost.exe
2732 C:\Windows\System32\Tablet.exe
2836 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2868 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2680 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
3088 C:\Windows\System32\WTablet\TabUserW.exe
3124 C:\Windows\System32\Tablet.exe
3232 unsecapp.exe
3308 WmiPrvSE.exe
3456 C:\Windows\System32\SearchIndexer.exe
3580 C:\Windows\System32\svchost.exe
3628 WUDFHost.exe
3700 C:\Windows\System32\svchost.exe
4036 C:\Windows\WindowsMobile\wmdc.exe
4064 C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
4072 C:\Windows\System32\svchost.exe
3096 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
2160 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3936 C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe
2596 C:\Program Files\NDAS\System\ndasmgmt.exe
4112 C:\Windows\System32\svchost.exe
4148 C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
4276 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
4316 C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
4368 C:\Program Files (x86)\ATI Technologies\HydraVision\Grid64.exe
4476 C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
4552 C:\Program Files (x86)\PowerGuard Smart\PowerGuard Smart.exe
4700 C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
4732 C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
4916 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
4964 C:\Program Files (x86)\iTunes\iTunesHelper.exe
3888 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4588 C:\Program Files\iPod\bin\iPodService.exe
3068 C:\Program Files\Windows Media Player\wmpnetwk.exe
1040 C:\Windows\System32\svchost.exe
5352 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
6112 C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
5792 C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
2852 C:\Windows\System32\svchost.exe
3780 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
3820 C:\Windows\System32\audiodg.exe
1360 C:\Windows\System32\taskhost.exe
1740 C:\Windows\splwow64.exe
3448 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
1052 C:\Windows\SysWOW64\SearchProtocolHost.exe
5516 C:\Windows\System32\SearchProtocolHost.exe
3648 C:\Users\Richard\Desktop\MBRCheck.exe
5284 C:\Windows\System32\conhost.exe
2564 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: bø€ÿÿà0ø€ÿÿ
PhysicalDrive1 Model Number: WDCWD2500KS-00MJB0, Rev: 02.01C03

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
232 GB \\.\PhysicalDrive1 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
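For readers wondering what the "MBR code detected" lines in the report above actually mean: MBRCheck reads the first sector of each physical disk, hashes the boot-code region and compares the digest against a list of known loaders, and also walks the partition table (which is where the "\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000" line comes from). The Python below is an added illustration of that check, not MBRCheck's code and not data from this machine; the MBR image, the disk signature and the "known good" table are constructed here, and the assumption that the hashed region is the 440 bytes before the disk signature is the author's, so treat the exact region as something to confirm against whichever tool you use.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # assumed hashed region: everything before the disk signature
DISK_SIG_OFF = 0x1B8       # 32-bit NT disk signature
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
PART_ENTRY_LEN = 16
MBR_MAGIC = b"\x55\xAA"
PART_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code, a disk signature and up to four
    (bootable, type, lba_start, sector_count) tuples. Constructed test data."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for bootable, ptype, lba, count in partitions:
        # CHS fields are left zero; modern loaders use the LBA fields only.
        table += struct.pack(PART_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                             ptype, b"\0\0\0", lba, count)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + table + MBR_MAGIC


def parse_mbr(sector: bytes) -> dict:
    """Validate the 0x55AA signature, hash the boot code and decode the
    partition table. Byte offsets are lba_start * 512, the form MBRCheck prints."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_MAGIC:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:            # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "offset_bytes": lba * SECTOR})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def classify_mbr(sector: bytes, known: dict) -> str:
    """Label the boot code by hash. Anything not in the allow-list is reported
    as unknown so a human looks at it rather than silently passing it."""
    return known.get(parse_mbr(sector)["boot_code_sha1"], "Unknown MBR code")


# Constructed stand-in for clean loader code (not real boot code): a JMP and padding.
CLEAN_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 20
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, [
    (True, 0x07, 2048, 204800),          # 100 MB "System Reserved" NTFS partition
    (False, 0x07, 206848, 1953000000),   # C: at LBA 206848 = byte 0x06500000, like the report
])
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha1"]: "Constructed baseline MBR code"}


def tampered_copy(mbr: bytes) -> bytes:
    """Flip one byte inside the boot-code region and leave the partition table
    untouched: the disk still boots and mounts, only the hash changes."""
    buf = bytearray(mbr)
    buf[10] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", tampered_copy(CLEAN_MBR))):
        info = parse_mbr(image)
        print(f"{name}: {classify_mbr(image, KNOWN_GOOD)}  SHA1 {info['boot_code_sha1']}")
        for p in info["partitions"]:
            print(f"  partition {p['index']} type 0x{p['type']:02X} at offset 0x{p['offset_bytes']:08X}")
```

The point of keeping a hash allow-list rather than pattern-matching is the same one the report relies on: a loader that has been altered by even one byte falls out of the "detected" set and surfaces as unknown, while the partition table, which the operating system keeps using, stays valid.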
 
OK, that looks clean.
Which browser is affected?

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Using FF 3.6.8

OTL.txt & Extras.txt attached.

Thanks again
 

Attachments

  • OTL.Txt
    109.7 KB · Views: 8
  • Extras.Txt
    66.8 KB · Views: 5
While I'm checking your logs, can you check if the same redirection happens in IE?
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O4 - HKLM..\Run: [] File not found
    O4 - HKCU..\Run: [AdobeBridge] File not found
    O18:64bit: - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
    O18:64bit: - Protocol\Handler\qbwc {FC598A64-626C-4447-85B8-53150405FD57} - Reg Error: Key error. File not found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    [2010/07/20 11:03:56 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}
    [2010/07/20 11:01:14 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\qoaxloyak
    [2010/07/20 11:03:58 | 000,000,000 | ---- | M] () -- C:\Users\Richard\AppData\Local\Ltovagayusaqi.bin
    [2010/07/20 11:03:57 | 000,000,120 | ---- | M] () -- C:\Users\Richard\AppData\Local\Wjuwafa.dat
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Reboot log:

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\intu-help-qb3\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4}\ not found.
File {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ not found.
File {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\qbwc\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC598A64-626C-4447-85B8-53150405FD57}\ not found.
File {FC598A64-626C-4447-85B8-53150405FD57} - Reg Error: Key error. File not found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}\chrome\content folder moved successfully.
C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}\chrome folder moved successfully.
C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43} folder moved successfully.
C:\Users\Richard\AppData\Local\qoaxloyak folder moved successfully.
C:\Users\Richard\AppData\Local\Ltovagayusaqi.bin moved successfully.
C:\Users\Richard\AppData\Local\Wjuwafa.dat moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Default
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Richard
->Temp folder emptied: 367149 bytes
->Temporary Internet Files folder emptied: 13933649 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 91971494 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 1450 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5446 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 44718 bytes

Total Files Cleaned = 101.00 mb


[EMPTYFLASH]

User: Default

User: Public

User: Richard
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08022010_221710

Files\Folders moved on Reboot...
File\Folder C:\Users\Richard\AppData\Local\Temp\~DF35D23C13E632BE4B.TMP not found!
File\Folder C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WJQ6OAML\search[4].htm not found!
File\Folder C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5G5FGOCV\search[2].htm not found!

Registry entries deleted on Reboot...
 

Attachments

  • OTL.Txt
    107.3 KB · Views: 1
Super :)

Yeah, I've noticed some bad files which got onto your computer on 2010/07/20 around 11 AM.

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
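The observation at the top of this reply, that the bad files all landed on 2010/07/20 around 11 AM, is how the four entries in the fix script were picked out of a 100 KB OTL log: the creation and modification timestamps clustered within a couple of minutes of each other under one user's AppData\Local. The Python below is an added example of that triage step, not part of the thread and not OTL's own code; it parses OTL-style file entries and groups them into time bursts. The four log lines are the ones quoted in the fix above; the other sample lines are constructed benign entries added here for contrast.

```python
import re
from datetime import datetime, timedelta

# One OTL file/folder entry, e.g.
# [2010/07/20 11:03:57 | 000,000,120 | ---- | M] () -- C:\Users\Richard\AppData\Local\Wjuwafa.dat
# The "(...)" company field is present for files and absent for directories.
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-\w]{4}) \| (?P<kind>[CM])\] "
    r"(?:\([^)]*\) )?-- (?P<path>.+?)\s*$"
)


def parse_otl_entries(lines):
    """Turn OTL log lines into dicts sorted by timestamp; non-entry lines are skipped."""
    entries = []
    for line in lines:
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "is_dir": "D" in m["attrs"],
            "kind": "created" if m["kind"] == "C" else "modified",
            "path": m["path"],
        })
    return sorted(entries, key=lambda e: e["time"])


def cluster_by_time(entries, window=timedelta(minutes=5)):
    """Group time-sorted entries: a new cluster starts whenever the gap to the
    previous entry exceeds the window."""
    clusters = []
    for e in entries:
        if clusters and e["time"] - clusters[-1][-1]["time"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def suspicious_bursts(entries, window=timedelta(minutes=5), min_entries=3):
    """Clusters with at least min_entries are bursts worth a closer look:
    a legitimate install usually explains them, a drive-by drop does not."""
    return [c for c in cluster_by_time(entries, window) if len(c) >= min_entries]


def describe_burst(cluster):
    """Compact summary: first and last timestamp plus the paths involved."""
    return {
        "start": cluster[0]["time"].isoformat(sep=" "),
        "end": cluster[-1]["time"].isoformat(sep=" "),
        "paths": [e["path"] for e in cluster],
    }


SAMPLE_OTL_LINES = [
    # The four entries quoted in the OTL fix script above
    r"[2010/07/20 11:03:56 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\{E01C3029-5983-4E8E-8E84-BF687425BA43}",
    r"[2010/07/20 11:01:14 | 000,000,000 | ---D | C] -- C:\Users\Richard\AppData\Local\qoaxloyak",
    r"[2010/07/20 11:03:58 | 000,000,000 | ---- | M] () -- C:\Users\Richard\AppData\Local\Ltovagayusaqi.bin",
    r"[2010/07/20 11:03:57 | 000,000,120 | ---- | M] () -- C:\Users\Richard\AppData\Local\Wjuwafa.dat",
    # Constructed benign entries on other days (not from the thread)
    r"[2010/07/15 09:12:30 | 000,245,760 | ---- | M] (Example Vendor) -- C:\Program Files (x86)\ExampleApp\example.dll",
    r"[2010/07/28 18:40:02 | 000,000,000 | ---D | C] -- C:\Users\Richard\Documents\Holiday photos",
    "========== Files - No Company Name ==========",   # section header, ignored
]

if __name__ == "__main__":
    for burst in suspicious_bursts(parse_otl_entries(SAMPLE_OTL_LINES)):
        summary = describe_burst(burst)
        print(f"{summary['start']} .. {summary['end']}: {len(summary['paths'])} entries")
        for p in summary["paths"]:
            print("   ", p)
```

A five-minute window is a starting point, not a rule; widen it when an installer is known to have run, and read the burst together with the location (random-looking names directly under AppData\Local, as here, versus a vendor folder under Program Files) before deciding anything.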
 
Checkup.txt:

Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.1.53.64
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````


Cleaned files. Will let Kaspersky run overnight.

Thanks again for the great tech support!
 
Yes. All looks good at this point. Several days with no redirects. Got rid of that last folder, and Kaspersky did not find anything. Calling it solved.

Thanks again for your help. Great job.
 
Cool, but you still need to perform last steps...

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=======================================================================

Your computer is clean


1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI). The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. Run defrag at your convenience.

11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html
 