Jump to content

Google redirect


Recommended Posts

Working on my sons Dell Studio laptop running Windows 7. I originally started with fixing a Smart HDD issue with Malwarebytes that seemed to be cleared up easily. Then as I started trying to install a regular Anti Virus program like Avast or AVG, ran into other problems...like it tries to remove what it has found on a scan and then wants to restart, but when I restart it gives me a message that it can't restart and it will do a start up repair and restore to a previous point. Which it seems to do. Any internet search still winds up redirected to strange unrelated websites. Thanks for any advice you can give. I have tried a bunch of things (ie. virus scans from Trend Micro, Avast, AVG) but I think I need to just start over and get more experienced advice. Thanks!!!

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Kyle at 11:35:59 on 2012-04-21

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3031.1215 [GMT -7:00]

.

AV: McAfee VirusScan *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_73e1f0dede412369\STacSV64.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_73e1f0dede412369\AESTSr64.exe

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k iissvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\System32\WLTRYSVC.EXE

C:\Windows\System32\bcmwltry.exe

C:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe

C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Windows\System32\WLTRAY.EXE

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe

C:\Program Files\Dell\DellDock\DellDock.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe

C:\Users\Kyle\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Kyle\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\SysWOW64\ping.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\ping.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\ping.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uWindow Title = Internet Explorer provided by Dell

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized

uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

uRun: [Google Update] "C:\Users\Kyle\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [Adobe Reader Speed Launcher] "c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRunOnce: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe

dRun: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

StartupFolder: C:\Users\Kyle\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1F4D235C-0DCD-409F-B0EE-043D225DC666} : DhcpNameServer = 192.168.15.1

TCP: Interfaces\{56467FCC-C224-483F-9B7D-7C862B1D7945} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{56467FCC-C224-483F-9B7D-7C862B1D7945}\46C696E6B6 : DhcpNameServer = 192.168.0.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

Notify: kpewatq - C:\Windows\system32\config\systemprofile\AppData\Local\kpewatq.dll

SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun-x64: [Adobe Reader Speed Launcher] "c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume

mRun-x64: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRunOnce-x64: [Launcher] C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe

Hosts: 94.63.147.16 www.google.com

Hosts: 94.63.147.17 www.bing.com

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_73e1f0dede412369\AESTSr64.exe [2009-9-9 89600]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]

R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-9-9 705856]

R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]

R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA001Ufd.sys --> C:\Windows\system32\DRIVERS\OA001Ufd.sys [?]

R3 OA001Vid;Creative Camera OA001 Function Driver;C:\Windows\system32\DRIVERS\OA001Vid.sys --> C:\Windows\system32\DRIVERS\OA001Vid.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-30 135664]

S2 McMPFSvc;McAfee Personal Firewall;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc --> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [?]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-1-30 135664]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe --> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2012-04-21 17:15:27 -------- d-----w- C:\Users\Kyle\AppData\Local\{8A992053-FB72-42A8-9068-E5AD8CBC979B}

2012-04-21 17:15:15 -------- d-----w- C:\Users\Kyle\AppData\Local\{24420736-49F6-456B-BD4C-D80E1E50953B}

2012-04-21 15:30:21 -------- d-----w- C:\Users\Kyle\AppData\Local\{B7DBC661-D275-46AC-AC0F-B2E0B1378CBC}

2012-04-21 15:30:09 -------- d-----w- C:\Users\Kyle\AppData\Local\{6369E90B-CA4F-4115-942A-DE27D916DFE2}

2012-04-21 05:21:47 -------- d--h--w- C:\ProgramData\Common Files

2012-04-21 05:21:35 -------- d-----w- C:\Windows\SysWow64\drivers\AVG

2012-04-21 05:21:05 -------- d--h--w- C:\$AVG

2012-04-21 05:21:04 -------- d-----w- C:\ProgramData\AVG2012

2012-04-21 05:19:49 -------- d-----w- C:\Program Files (x86)\AVG

2012-04-21 05:16:26 -------- d-----w- C:\ProgramData\MFAData

2012-04-21 01:21:13 -------- d-----w- C:\ProgramData\AVAST Software

2012-04-21 01:21:13 -------- d-----w- C:\Program Files\AVAST Software

2012-04-21 00:38:05 -------- d-----w- C:\Windows\SysWow64\BestPractices

2012-04-21 00:38:04 -------- d-----w- C:\Windows\System32\BestPractices

2012-04-21 00:38:04 -------- d-----w- C:\inetpub

2012-04-20 22:12:25 -------- d-----w- C:\Users\Kyle\AppData\Local\{52E5ACA4-1C40-4BAC-A475-AF53A4DD50D8}

2012-04-20 22:12:13 -------- d-----w- C:\Users\Kyle\AppData\Local\{E29F7C50-712A-406E-A193-B4646C1EA76B}

2012-04-20 04:40:37 -------- d-----w- C:\Users\Kyle\AppData\Local\{DCD9B624-B2F4-49C0-8E96-C4EB477C600C}

2012-04-20 04:40:19 -------- d-----w- C:\Users\Kyle\AppData\Local\{765104BA-1CBE-401B-812E-AB972530204E}

2012-04-20 04:37:59 -------- d-----w- C:\Windows\en

2012-04-20 04:30:52 -------- d-----w- C:\Windows\PCHEALTH

2012-04-20 04:25:47 -------- d-----w- C:\Users\Kyle\AppData\Local\{EB9B97A8-2672-4B06-B7A5-E1E00B14511E}

2012-04-20 04:25:34 -------- d-----w- C:\Users\Kyle\AppData\Local\{73F4908D-C8C1-4028-856C-94E89DDA941D}

2012-04-20 04:17:34 48488 ----a-w- C:\Windows\System32\drivers\fssfltr.sys

2012-04-20 04:10:03 -------- d-----w- C:\Users\Kyle\AppData\Local\{A3288CEB-D7E5-4A45-B33C-A52786AA1AA7}

2012-04-20 04:09:18 -------- d-----w- C:\Users\Kyle\AppData\Local\{7F2E7918-70F7-4B19-BFC9-F79F291D8955}

2012-04-20 04:09:06 -------- d-----w- C:\Users\Kyle\AppData\Local\{30A20F8B-917C-4547-9F05-481F27A12587}

2012-04-20 00:44:33 -------- d-----w- C:\Users\Kyle\AppData\Local\{89592B6B-E83C-41A6-BA03-42AD9E10EC0A}

2012-04-20 00:44:21 -------- d-----w- C:\Users\Kyle\AppData\Local\{1DAF6771-1041-4242-BADC-222CAB192470}

2012-04-20 00:29:39 19352 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-04-20 00:25:54 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\25ebb4091cd1e8c02\MeshBetaRemover.exe

2012-04-20 00:25:53 89944 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\255a80181cd1e8c01\DSETUP.dll

2012-04-20 00:25:53 537432 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\255a80181cd1e8c01\DXSETUP.exe

2012-04-20 00:25:53 1801048 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\255a80181cd1e8c01\dsetup32.dll

2012-04-20 00:24:36 -------- d-----w- C:\Users\Kyle\AppData\Local\{AEE4A84B-9882-4A27-A48B-F8374A24B805}

2012-04-20 00:24:21 -------- d-----w- C:\Users\Kyle\AppData\Local\{2EF8EB09-CEFE-4C61-89CB-E59FD8E28E47}

2012-04-20 00:21:00 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-20 00:09:49 -------- d-----w- C:\Users\Kyle\AppData\Local\{B659158B-D6C0-4FDA-B3F8-0CC17F7F2877}

2012-04-20 00:09:34 -------- d-----w- C:\Users\Kyle\AppData\Local\{6AEC70AC-B203-492A-BE00-ABCDFB988E24}

2012-04-20 00:09:32 20480 ----a-w- C:\Windows\svchost.exe

2012-04-19 22:41:24 -------- d-----w- C:\Users\Kyle\AppData\Local\{9DCDB9CA-BCE4-4688-AD5A-D001F5DF0469}

2012-04-19 22:41:08 -------- d-----w- C:\Users\Kyle\AppData\Local\{467B2AD9-ADC8-4EA4-ACEF-D5FD0B9D4BA0}

2012-04-19 22:23:01 -------- d-----w- C:\Users\Kyle\AppData\Local\{D00C36C0-02F7-40FC-82E6-81AEA4AB642D}

2012-04-19 22:22:45 -------- d-----w- C:\Users\Kyle\AppData\Local\{3CF78D9F-7F76-4141-9B8E-B541F8D309B4}

2012-04-19 04:31:21 -------- d-----w- C:\Users\Kyle\AppData\Local\{CCA91F3A-A682-470F-82A4-39BDEA7C8CDE}

2012-04-19 04:31:18 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd

2012-04-19 04:31:10 -------- d-----w- C:\Users\Kyle\AppData\Local\{5FA9D679-6B57-474E-8365-B87523CCBDFC}

2012-04-19 04:17:24 -------- d-----w- C:\Users\Kyle\AppData\Local\{B2151183-2B6E-4AF6-A17F-8D786B29ABAB}

2012-04-19 04:08:06 -------- d-----w- C:\Users\Kyle\AppData\Roaming\Malwarebytes

2012-04-19 04:06:48 -------- d-----w- C:\ProgramData\Malwarebytes

2012-04-19 04:06:47 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-04-19 04:06:47 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware

2012-04-19 03:58:59 -------- d-----w- C:\Users\Kyle\AppData\Local\{3454C9AC-2DA5-4F87-A9EB-F229776353A9}

2012-04-19 03:40:42 -------- d-----w- C:\Users\Kyle\AppData\Local\{0D76BFF7-C115-4866-BDCC-88B15E0E9F65}

2012-04-15 05:39:00 -------- d-----w- C:\Users\Kyle\AppData\Local\{A2C2C5AC-5CCF-419B-9DCA-0DF187F98F38}

2012-04-15 05:30:03 -------- d-----w- C:\Users\Kyle\AppData\Local\{DE7CFF9E-2ACE-437C-A1ED-9534C1F20701}

2012-04-15 04:21:58 -------- d-----w- C:\Users\Kyle\AppData\Local\{294F9304-842D-413C-9B74-2318C0A9EC3F}

2012-04-15 04:12:35 -------- d-----w- C:\Users\Kyle\AppData\Local\{895F3F91-EA79-48F5-8189-DA5BA8A6AA8C}

2012-04-15 03:58:07 -------- d-----we C:\Windows\system64

2012-04-14 08:19:55 -------- d-----w- C:\Users\Kyle\AppData\Local\{A6B41745-5551-4A15-AB5F-4D480B6718EE}

2012-04-14 03:46:25 -------- d-----w- C:\Users\Kyle\AppData\Local\{830966E2-C4E0-4FD9-8AFD-6D91DC7D7FD9}

2012-04-13 06:48:41 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-04-13 06:48:40 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-04-13 06:48:40 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-04-13 06:42:40 81408 ----a-w- C:\Windows\System32\imagehlp.dll

2012-04-13 06:42:40 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys

2012-04-13 06:42:40 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll

2012-04-13 06:42:39 5120 ----a-w- C:\Windows\SysWow64\wmi.dll

2012-04-13 06:42:39 5120 ----a-w- C:\Windows\System32\wmi.dll

2012-04-13 06:42:39 220672 ----a-w- C:\Windows\System32\wintrust.dll

2012-04-13 06:42:39 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-04-10 05:03:58 -------- d-----w- C:\Users\Kyle\AppData\Local\{22C56681-D407-433F-A698-BACE67D40A11}

2012-04-07 05:24:51 -------- d-----w- C:\Users\Kyle\AppData\Local\{0936EE37-CEDD-4BE1-A769-26BACB8F20FE}

2012-04-06 06:01:34 -------- d-----w- C:\Users\Kyle\AppData\Local\{EA12FB84-7B62-4C1D-A051-70D45B984FC4}

2012-04-04 01:34:07 3145728 ----a-w- C:\Windows\System32\win32k.sys

2012-04-04 01:34:04 1544192 ----a-w- C:\Windows\System32\DWrite.dll

2012-04-04 01:34:04 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll

2012-04-04 01:33:29 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe

2012-04-04 01:33:29 77312 ----a-w- C:\Windows\System32\rdpwsx.dll

2012-04-04 01:33:29 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll

2012-04-04 01:33:28 1031680 ----a-w- C:\Windows\System32\rdpcore.dll

2012-04-04 01:33:27 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll

2012-04-04 01:33:27 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys

2012-04-04 01:33:27 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys

.

==================== Find3M ====================

.

2012-04-21 00:33:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-03-09 01:50:28 49016 ----a-w- C:\Windows\SysWow64\sirenacm.dll

2012-03-09 01:37:20 302448 ----a-w- C:\Windows\WLXPGSS.SCR

2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll

2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll

2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

============= FINISH: 11:36:23.37 ===============

Attach.txt

DDS.txt

Link to post
Share on other sites

Welcome to the forum.

Looks like you're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options)

Post back the report.

MrC

Link to post
Share on other sites

Thanks so much!

Here is the RogueKiller report:

RogueKiller V7.3.3 [04/22/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User: Kyle [Admin rights]

Mode: Scan -- Date: 04/22/2012 08:00:28

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 8 ¤¤¤

[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

[ZeroAccess] sys32\consrv.dll present!

¤¤¤ HOSTS File: ¤¤¤

94.63.147.16 www.google.com

94.63.147.17 www.bing.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS ATA Device +++++

--- User ---

[MBR] 253ba310102c76a5e6702297238b8848

[bSP] 33e870195992370a52af789e14cb7fe0 : Windows 7 MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 78 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 161792 | Size: 15360 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31619072 | Size: 223035 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt

Link to post
Share on other sites

¤¤¤ Infection : ZeroAccess ¤¤¤

[ZeroAccess] sys32\consrv.dll present!

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

  • There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
  • There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
  • I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

-------------------------------------------

Please make sure system restore is running and create a new restore point before continuing.

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose delete.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.