Inactive: Using Firefox or IE, if I open Google, I get redirected to Google.com.br

Status
Not open for further replies.
Let me know what you want to do, or continue with the instructions, including the Eset scan.
 
New virus... or attack?
The recommended (products) files do not apply.
My machine is wobbly; my laptop is very unstable.
Appreciate your hard work.
Where do we go from here?
 
New virus or DNS attack, the reason malware programs are not able to remove it.
Laptop is getting redirects when on Firefox; home page is Google as well, and it will redirect to different websites.

PC still the same. Google.com is replaced with Google.com.br.

Yahoo shows my location in different cities.

Craigslist shows different cities almost every time I bring it up.

Noticed that when disconnected from the satellite/router on the laptop and using the Sprint wireless modem, the problem disappears on the laptop... no redirect.

Originally did ipconfig /flush on the PC, but no luck.
You have helped out tremendously; just wondering if this is not a virus but some kind of firmware error on the router.
Placed a call to Skycasters, satellite internet; they will call Monday.
Any thoughts?
 
Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • List content of Hosts
  • List IP configuration
Click Go and post the result.
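Added example (editor's code, not part of the thread and not from MiniToolBox's author): a Python script that reads the three MiniToolBox sections requested above and pulls out what a helper checks first on a redirect complaint: a proxy that has been switched on, HOSTS entries that override real sites, and DNS servers other than the gateway the router handed out by DHCP. The sample report is constructed (documentation address ranges) and, unlike the clean report in this thread, carries one of each finding; the exact wording of the "Proxy Server:" line is an assumption.

```python
import re
from typing import Dict, List, Tuple

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample in the MiniToolBox layout (addresses are documentation ranges).
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================

Proxy is enabled.
Proxy Server: 127.0.0.1:8118

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright (c) 1993-2006 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
203.0.113.7 www.google.com google.com

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

Ethernet adapter Local Area Connection:

Default Gateway . . . . . . . . . : 192.0.2.1
DHCP Server . . . . . . . . . . . : 192.0.2.1
DNS Servers . . . . . . . . . . . : 192.0.2.1
198.51.100.53
NetBIOS over Tcpip. . . . . . . . : Enabled

================= End of IP Configuration =================================
"""


def section(report: str, start: str, end: str) -> str:
    """Text between the banner line containing `start` and the later banner containing `end`."""
    lines = report.splitlines()
    try:
        i = next(n for n, l in enumerate(lines) if start in l)
        j = next(n for n, l in enumerate(lines) if n > i and end in l)
    except StopIteration:
        return ""
    return "\n".join(lines[i + 1:j])


def parse_proxy(report: str) -> Dict[str, object]:
    """"Proxy is enabled." plus a "Proxy Server: host:port" line (line format assumed)."""
    text = section(report, "IE Proxy Settings:", "End of IE Proxy Settings")
    m = re.search(r"Proxy\s*Server:\s*(\S+)", text)
    return {"enabled": "Proxy is enabled" in text, "server": m.group(1) if m else None}


def parse_hosts(report: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs from the HOSTS dump, comments and blank lines dropped."""
    entries = []
    for line in section(report, "Hosts content:", "End of Hosts").splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and re.fullmatch(IP_RE, parts[0]):
            entries.extend((parts[0], host.lower()) for host in parts[1:])
    return entries


def parse_field(report: str, label: str) -> List[str]:
    """IPv4 values of every `label . . . : x` line, including the bare-IP
    continuation lines ipconfig prints under it when there are several DNS servers."""
    found, collecting = [], False
    for line in section(report, "IP Configuration:", "End of IP Configuration").splitlines():
        s = line.strip()
        if s.startswith(label):
            collecting = True
            m = re.search(r":\s*(" + IP_RE + r")\s*$", s)
            if m:
                found.append(m.group(1))
            continue
        if collecting and re.fullmatch(IP_RE, s):
            found.append(s)
        else:
            collecting = False
    return list(dict.fromkeys(found))  # de-duplicate across adapters, keep order


def find_indicators(report: str) -> List[str]:
    """Findings worth a second look; an off-gateway resolver is something to
    verify with the ISP, not proof of tampering by itself."""
    flags = []
    proxy = parse_proxy(report)
    if proxy["enabled"]:
        flags.append(f"proxy enabled: {proxy['server']}")
    for ip, host in parse_hosts(report):
        if host != "localhost":
            flags.append(f"hosts override: {host} -> {ip}")
    gateways = set(parse_field(report, "Default Gateway"))
    for dns in parse_field(report, "DNS Servers"):
        if dns not in gateways:
            flags.append(f"off-gateway resolver: {dns}")
    return flags


if __name__ == "__main__":
    for flag in find_indicators(SAMPLE_REPORT):
        print(flag)
```

Run against a real MiniToolBox result by reading the file into `find_indicators`; on the report posted in this thread it returns only the second DNS server, which the user would then confirm belongs to the satellite provider.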
 
MiniToolBox by Farbar
Ran by admin at 2011-03-06 12:32:20
Windows (TM) Vista Home Premium Service Pack 2 (X64)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : admin-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82567LF-2 Gigabit Network Connection
Physical Address. . . . . . . . . : 00-24-E8-14-4A-6B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a148:c14f:c95e:e31d%11(Preferred)
IPv4 Address. . . . . . . . . . . : 76.239.149.90(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Lease Obtained. . . . . . . . . . : Sunday, March 06, 2011 12:15:49 PM
Lease Expires . . . . . . . . . . : Monday, March 07, 2011 12:15:49 AM
Default Gateway . . . . . . . . . : 76.239.149.89
DHCP Server . . . . . . . . . . . : 76.239.149.89
DHCPv6 IAID . . . . . . . . . . . : 251667688
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-77-00-3A-00-24-E8-14-4A-6B
DNS Servers . . . . . . . . . . . : 76.239.149.89
75.7.64.62
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{61601A34-0C30-467E-95F8-A432826500A0}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3449:114a:b310:6aa5(Preferred)
Link-local IPv6 Address . . . . . : fe80::3449:114a:b310:6aa5%10(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:4cef:955a::4cef:955a(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : 76.239.149.89
75.7.64.62
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: UnKnown
Address: 76.239.149.89

Name: google.com
Addresses: 74.125.47.99
74.125.47.103
74.125.47.104
74.125.47.105
74.125.47.147
74.125.47.106



Pinging google.com [74.125.47.99] with 32 bytes of data:

Reply from 74.125.47.99: bytes=32 time=607ms TTL=47

Reply from 74.125.47.99: bytes=32 time=567ms TTL=47



Ping statistics for 74.125.47.99:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 567ms, Maximum = 607ms, Average = 587ms

Server: UnKnown
Address: 76.239.149.89

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=555ms TTL=46

Reply from 209.191.122.70: bytes=32 time=573ms TTL=46



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 555ms, Maximum = 573ms, Average = 564ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
11 ...00 24 e8 14 4a 6b ...... Intel(R) 82567LF-2 Gigabit Network Connection
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{61601A34-0C30-467E-95F8-A432826500A0}
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
13 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 76.239.149.89 76.239.149.90 20
76.239.149.88 255.255.255.252 On-link 76.239.149.90 276
76.239.149.90 255.255.255.255 On-link 76.239.149.90 276
76.239.149.91 255.255.255.255 On-link 76.239.149.90 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 76.239.149.90 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 76.239.149.90 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
13 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
10 18 2001::/32 On-link
10 266 2001:0:4137:9e76:3449:114a:b310:6aa5/128
On-link
13 1025 2002::/16 On-link
13 281 2002:4cef:955a::4cef:955a/128
On-link
11 276 fe80::/64 On-link
10 266 fe80::/64 On-link
10 266 fe80::3449:114a:b310:6aa5/128
On-link
11 276 fe80::a148:c14f:c95e:e31d/128
On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================
 
Looks normal.

Possibly you got reinfected.

Update Malwarebytes, run it and give me a new log.
 
Malwarebytes will not respond; rebooted, turned off Avast, still will not respond.
Still getting redirect.
Removed Linksys router and now am directly on the satellite modem.
 
Malwarebytes will run now, but will not allow me to update; it becomes "not responding".

Here is log.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5976

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

3/6/2011 3:32:28 PM
mbam-log-2011-03-06 (15-32-28).txt

Scan type: Quick scan
Objects scanned: 164952
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Are you still getting redirected, when connected straight to the modem?

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Yes, still getting Google.com.br,
and now IE will not connect to the internet.
So it is not an error with the Linksys; may be something with the ISP.

Do I need to delete the ComboFix I already have?

Rkill did not load the last go around, but will try again.
 
Here is the message I get when trying to download Rkill.com, .scr or .exe:

Virus Download Blocked

Download of the virus has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.

File name: download.bleepingcomputer.com
 
This is a false positive warning. Disregard it.

Yes, you need to delete your Combofix file.

What country are you located in?
 
Used a different computer, my laptop with a Sprint modem, and downloaded Rkill to a jump stick.
Now in the first 8 steps Rkill and DDS would not let me download.
I will also download DDS to the jump stick.

Let me know if I should delete the existing ComboFix first before I download it again.
Thanks.
 
Here is the new ComboFix file:

ComboFix 11-03-06.01 - admin 03/06/2011 18:45:42.3.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8182.6315 [GMT -6:00]
Running from: c:\users\admin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 00:52 . 2011-03-07 00:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-06 17:02 . 2011-03-03 18:16 25048 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browserdirprovider.dll
2011-03-06 17:02 . 2011-03-03 18:16 140248 ----a-w- c:\program files (x86)\Mozilla Firefox\components\brwsrcmp.dll
2011-03-06 04:07 . 2011-03-06 04:07 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-03-06 03:59 . 2011-03-06 03:59 -------- d-----w- c:\windows\SysWow64\wbem\Logs
2011-03-06 01:06 . 2011-03-06 01:06 -------- d-----w- C:\_OTL
2011-03-06 00:59 . 2011-02-03 03:40 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-06 00:59 . 2011-02-03 03:40 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-03-06 00:58 . 2011-03-06 00:58 -------- d-----w- c:\programdata\McAfee
2011-03-05 01:53 . 2011-03-05 01:54 -------- d-----w- c:\program files (x86)\FileBulldog Toolbar
2011-03-05 01:53 . 2011-03-05 01:53 -------- d-----w- c:\program files (x86)\Temp File Cleaner
2011-03-04 21:33 . 2011-02-11 07:30 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{64085234-D7AC-4F4E-9D03-52AB13065D9F}\mpengine.dll
2011-03-03 05:22 . 2011-03-03 05:22 -------- d-----w- c:\program files (x86)\ESET
2011-03-01 13:33 . 2011-03-01 13:33 -------- d-----w- c:\program files (x86)\Common Files\Skype
2011-03-01 04:52 . 2011-02-23 14:57 505176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-24 02:50 . 2011-02-24 02:50 -------- d-----w- c:\program files\iPod
2011-02-24 02:50 . 2011-02-24 02:50 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-02-24 02:50 . 2011-02-24 02:50 -------- d-----w- c:\program files\iTunes
2011-02-24 02:42 . 2011-02-24 02:42 -------- d-----w- c:\program files\Bonjour
2011-02-24 02:42 . 2011-02-24 02:42 -------- d-----w- c:\program files (x86)\Bonjour
2011-02-21 23:42 . 2011-02-21 23:42 -------- d-----w- c:\users\admin\AppData\Local\Yahoo!
2011-02-10 03:36 . 2011-01-20 16:46 900480 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-02-10 03:35 . 2010-10-15 14:02 4699024 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-10 03:35 . 2010-10-15 13:43 1168512 ----a-w- c:\windows\SysWow64\ntdll.dll
2011-02-10 03:35 . 2010-10-15 13:43 1585168 ----a-w- c:\windows\system32\ntdll.dll
2011-02-10 03:35 . 2011-01-08 09:03 48128 ----a-w- c:\windows\system32\atmlib.dll
2011-02-10 03:35 . 2011-01-08 08:47 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-02-10 03:35 . 2011-01-08 06:45 367104 ----a-w- c:\windows\system32\atmfd.dll
2011-02-10 03:35 . 2011-01-08 06:28 292352 ----a-w- c:\windows\SysWow64\atmfd.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-07-10 19:29 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 15:04 . 2010-05-15 15:06 190016 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-02-23 15:04 . 2011-01-22 16:22 238968 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 14:57 . 2010-05-15 15:06 280408 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-05-15 15:06 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-05-15 15:06 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:55 . 2010-05-15 15:06 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-02-23 14:54 . 2010-05-15 15:06 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-02 23:11 . 2010-08-22 18:32 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-23 00:51 . 2011-01-23 00:51 53248 ----a-r- c:\users\admin\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-12-28 16:08 . 2011-01-12 09:34 466944 ----a-w- c:\windows\system32\odbc32.dll
2010-12-28 15:55 . 2011-01-12 09:34 413696 ----a-w- c:\windows\SysWow64\odbc32.dll
2010-12-21 00:09 . 2009-05-18 03:30 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2009-10-03 22:58 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 16:15 . 2011-01-12 09:34 1251840 ----a-w- c:\windows\system32\sdclt.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-03-06_18.17.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-03-06 18:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-03-07 00:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-03-06 18:16 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-03-07 00:54 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-03-06 18:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-03-07 00:54 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-03-07 00:56 61168 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2011-03-07 00:56 79516 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-05-17 18:48 . 2011-03-07 00:56 12298 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3792922179-2174670505-3486552871-1000_UserData.bin
- 2009-05-17 18:45 . 2011-03-06 17:28 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-17 18:45 . 2011-03-06 22:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-17 18:45 . 2011-03-06 22:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-17 18:45 . 2011-03-06 17:28 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-05-17 18:45 . 2011-03-06 17:28 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-17 18:45 . 2011-03-06 22:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-26 21:14 . 2011-03-04 14:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-26 21:14 . 2011-03-06 23:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-26 21:14 . 2011-03-04 14:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-26 21:14 . 2011-03-06 23:05 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-26 21:14 . 2011-03-04 14:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-26 21:14 . 2011-03-06 23:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-26 21:14 . 2011-03-07 00:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-26 21:14 . 2011-03-06 17:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-26 21:14 . 2011-03-06 17:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-26 21:14 . 2011-03-07 00:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-07 00:53 . 2011-03-07 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-03-06 18:15 . 2011-03-06 18:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-03-07 00:53 . 2011-03-07 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-03-06 18:15 . 2011-03-06 18:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 12:46 . 2011-03-06 17:42 604264 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-03-06 23:31 604264 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2011-03-06 17:42 103964 c:\windows\system32\perfc009.dat
+ 2006-11-02 12:46 . 2011-03-06 23:31 103964 c:\windows\system32\perfc009.dat
- 2010-04-30 05:55 . 2011-03-06 18:14 328912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-04-30 05:55 . 2011-03-07 00:52 328912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-05-01 04:13 . 2011-03-07 00:52 957760 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3792922179-2174670505-3486552871-1000-8192.dat
- 2010-05-01 04:13 . 2011-03-06 18:14 957760 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3792922179-2174670505-3486552871-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"Steam"="c:\program files (x86)\steam\steam.exe" [2010-11-18 1242448]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"Logitech Vid"="c:\program files (x86)\Logitech\Vid\vid.exe" [2010-05-11 6061400]
"Logitech Vid HD"="c:\program files (x86)\Logitech\Vid\vid.exe" [2010-05-11 6061400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2009-08-29 49152]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2007-11-14 53488]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2008-12-22 88576]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-25 202752]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 64344]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
S2 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-08 197976]
S2 WinFLdrv;WinFLdrv;SysWOW64\WinFLdrv.sys [x]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [2010-11-10 24032]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [2008-09-28 316544]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-08 30304]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2010-11-10 341856]
S3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-11-10 4162784]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~2\SMARTD~1\Messages\SDNotify.exe [2011-01-19 17:29]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-12-22 6931488]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.bing.com/?pc=Z045&form=ZGAPHP
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\caulprq5.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z045&form=ZGAADF&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Zemanta: firefox@zemanta.com - %profile%\extensions\firefox@zemanta.com
FF - Ext: KGen: kgen@elitwork.com - %profile%\extensions\kgen@elitwork.com
FF - Ext: TACO with Abine: optout@dubfire.net - %profile%\extensions\optout@dubfire.net
FF - Ext: SeoQuake Plugin - Seolinx: seoquake-plugin-seolinx@seoquake.com - %profile%\extensions\seoquake-plugin-seolinx@seoquake.com
FF - Ext: SeoQuake: {317B5128-0B0B-49b2-B2DB-1E7560E16C74} - %profile%\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
FF - Ext: SEOpen: {ff6bdc07-eed6-4815-ad95-d7938b673ab5} - %profile%\extensions\{ff6bdc07-eed6-4815-ad95-d7938b673ab5}
FF - user.js: yahoo.homepage.dontask - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3792922179-2174670505-3486552871-1000\Software\SecuROM\License information*]
"datasecu"=hex:5d,7a,11,54,95,f3,ed,78,68,27,50,c9,80,1c,b0,4d,56,c3,a4,bc,f8,
4e,78,92,67,65,1d,08,5f,90,a3,cc,14,61,cb,39,d7,d1,3f,7d,5e,f3,93,38,05,c3,\
"rkeysecu"=hex:44,08,c1,7a,cf,c3,bf,2d,ef,f6,ad,12,77,f9,0e,ed
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SysWOW64\java.exe
c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-03-06 19:04:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-07 01:04
ComboFix2.txt 2011-03-06 18:26
ComboFix3.txt 2011-03-05 22:57
.
Pre-Run: 377,477,726,208 bytes free
Post-Run: 377,322,381,312 bytes free
.
- - End Of File - - EE07911224A9679D12F70E3B7B4BCD9E
 
Broni,

USA.
Here is the RKill file:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/06/2011 at 19:14:36.
Operating System: Windows (TM) Vista Home Premium


Processes terminated by Rkill or while it was running:

C:\Program Files\Alwil Software\Avast5\defs\11030601\Sf.bin


Rkill completed on 03/06/2011 at 19:14:56.
 
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and Windows 7, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing the pinhole, using a pencil or a paperclip, until all lights briefly go off and on.
NOTE. Simply disconnecting the router from a power source will NOT do.
Restart computer and check for redirections.

NOTE. You may need to re-check your router security settings, as described HERE
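Added example (editor's code, not part of the thread): the flush/renew/restart sequence above clears the local DNS cache, but it cannot show whether the resolver the router hands out returns the same answer for google.com as an independent resolver would. The script below sends a plain A query over UDP/53 to a resolver you name (standard library only, no dnspython), parses the answer, and classifies the two answer sets as consistent or divergent. A divergent answer from the router or ISP resolver points at DNS substitution at that hop; a consistent answer with the redirect still happening points past DNS, for example to how the site geolocates the public address. The resolver addresses are taken from the command line and are assumptions; the response packet used for testing is constructed with `build_response`.

```python
import random
import socket
import struct
import sys
from typing import List, Set


def build_query(name: str, txid: int) -> bytes:
    """Recursive A/IN query: RFC 1035 header (RD set), QNAME labels, QTYPE=1, QCLASS=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, offset: int) -> int:
    """Step over a domain name, plain labels or a two-byte compression pointer."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_a_records(msg: bytes, txid: int) -> Set[str]:
    """A records in the answer section; rejects a foreign transaction id or an error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):
        offset = _skip_name(msg, offset) + 4          # QTYPE + QCLASS
    answers = set()
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return answers


def resolve(server: str, name: str, timeout: float = 3.0) -> Set[str]:
    """Ask one specific resolver directly, bypassing the Windows DNS client cache."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def classify(local: Set[str], reference: Set[str]) -> str:
    """Large sites rotate addresses, so any overlap counts as agreement."""
    if not local:
        return "no-answer"
    return "consistent" if local & reference else "divergent"


def build_response(txid: int, name: str, addrs: List[str]) -> bytes:
    """Constructed test vector: question echoed, one A record per address, answer
    names as a compression pointer to offset 12 as real resolvers send them."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = build_query(name, txid)[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + body


if __name__ == "__main__":
    # usage: python dnscheck.py <router-or-isp-resolver> <independent-resolver> [name]
    router, reference = sys.argv[1], sys.argv[2]
    name = sys.argv[3] if len(sys.argv) > 3 else "google.com"
    local_set, ref_set = resolve(router, name), resolve(reference, name)
    print(name, "via", router, sorted(local_set))
    print(name, "via", reference, sorted(ref_set))
    print("verdict:", classify(local_set, ref_set))
```

Run it once on the router's resolver and once straight off the satellite modem, as the thread does by swapping connections; if both verdicts are "consistent" the redirect is not being produced by a substituted DNS answer on either path.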
 
Created new user, still redirect to google.com.br.
Pretty sure this is an issue with the ISP; I have to have one of the cleanest PCs around.
Problem disappears when using the wireless modem from Sprint: no redirect, just good old Google.
So in a nutshell, Google has decided my IP is in Brazil, while Yahoo and MSN know my IP is USA based.
Thank you for all your help.
I will work with my ISP, and if no luck, submit a request to Google to redirect my IP to a USA standing.
Thanks again.
Will let you know how it works out.
 