Redirect virus

Not sure what this is, but I read somewhere DWM.exe could be a disguised file for it. Not every time, but a lot of times I get redirected to a different page when I search in a search engine. Help?

I ran DDS and got this. If I need to run HijackThis as well, let me know.

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.6.2

Run by clint at 20:47:55 on 2012-12-13

.

============== Running Processes ================

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\SLsvc.exe

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\atashost.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Zune\ZuneNss.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\System32\wpcumi.exe

C:\Program Files\Steam\steam.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\clint\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Steam\SteamService.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Windows\System32\mobsync.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Microsoft Security Client\MpCmdRun.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k WindowsMobile

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig/dell

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: {81fae9c9-cfbd-4cb3-8322-412e72f55f65} - <orphaned>

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -

uRun: [steam] "c:\program files\steam\Steam.exe" -silent

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [spotify Web Helper] "c:\users\clint\appdata\roaming\spotify\data\SpotifyWebHelper.exe"

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: HideSCAHealth = dword:1

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

Trusted Zone: hp.com

Trusted Zone: hp.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{DD0571B8-8BD8-4722-91BF-26FB404685C0} : DHCPNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: HPDCS - {ba135f49-a12c-4e26-a2c4-6ea945999072} - c:\program files\common files\hewlett-packard\hp device communication services\app\hpdcsapp.dll

Handler: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll

Handler: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll

Handler: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - c:\program files\hewlett-packard\hp easy printer care\HPPCtrls.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs= c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\clint\appdata\roaming\mozilla\firefox\profiles\0su737fw.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - component: c:\programdata\norton\{78ca3bf0-9c3b-40e1-b46d-38c877ef059a}\nsm_2.1.0.37\cofffw\components\coFFFw.dll

FF - component: c:\users\clint\appdata\roaming\mozilla\firefox\profiles\0su737fw.default\extensions\appbar@alot.com\components\AlotXpcom.dll

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\progra~1\palm\packag~1\NPInstal.dll

FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll

FF - plugin: c:\users\clint\appdata\local\roblox\versions\version-7f608c9e01fb44d4\NPRobloxProxy.dll

FF - plugin: c:\users\clint\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\users\clint\appdata\roaming\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\users\clint\appdata\roaming\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R? AngelUsb;Angel USB MPEG Device

R? APL531;OVT Scanner

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? EITUACService;EITUACService

R? EzEITService;EzEITService

R? ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver

R? rockusb;Driver for rockusb Device

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? atashost;WebEx Service Host for Support Center

S? ATMhelpr;ATMhelpr

S? AV88BASE;Cx2388x Base Driver

S? FontCache;Windows Font Cache Service

S? MBAMProtector;MBAMProtector

S? MBAMScheduler;MBAMScheduler

S? MBAMService;MBAMService

S? MpFilter;Microsoft Malware Protection Driver

S? NisDrv;Microsoft Network Inspection System

S? NisSrv;Microsoft Network Inspection

S? RosettaStoneDaemon;RosettaStoneDaemon

S? Stereo Service;NVIDIA Stereoscopic 3D Driver Service

S? VST_DPV;VST_DPV

S? VSTHWBS2;VSTHWBS2

.

=============== File Associations ===============

.

ShellExec: BlazeDVD.exe: open=".\BlazePhotoUI.exe" "%1"

.

=============== Created Last 30 ================

.

2012-12-14 02:45:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-12-14 02:09:28 -------- d-----w- c:\program files\CCleaner

2012-12-13 18:12:33 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9f3049f2-0627-49d6-a80f-9ec3bb8796e1}\mpengine.dll

2012-12-12 09:06:33 9728 ----a-w- c:\windows\system32\Wdfres.dll

2012-12-12 09:06:26 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys

2012-12-12 09:06:26 16896 ----a-w- c:\windows\system32\winusb.dll

2012-12-12 09:06:26 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys

2012-12-12 09:06:25 73216 ----a-w- c:\windows\system32\WUDFSvc.dll

2012-12-12 09:06:25 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll

2012-12-12 09:06:24 526952 ----a-w- c:\windows\system32\drivers\Wdf01000.sys

2012-12-12 09:06:24 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys

2012-12-12 09:06:23 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll

2012-12-12 09:06:23 34944 ----a-w- c:\windows\system32\drivers\winusb.sys

2012-12-12 09:06:23 196608 ----a-w- c:\windows\system32\WUDFHost.exe

2012-12-12 09:06:22 613888 ----a-w- c:\windows\system32\WUDFx.dll

2012-12-11 23:43:03 6812136 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-12-11 19:10:37 2048000 ----a-w- c:\windows\system32\win32k.sys

2012-12-11 19:10:35 376320 ----a-w- c:\windows\system32\dpnet.dll

2012-12-11 19:10:35 23040 ----a-w- c:\windows\system32\dpnsvr.exe

2012-12-11 19:10:32 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys

2012-12-11 19:10:30 34304 ----a-w- c:\windows\system32\atmlib.dll

2012-12-11 19:10:30 293376 ----a-w- c:\windows\system32\atmfd.dll

2012-12-11 19:10:16 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-10 03:46:23 -------- d-----w- c:\users\clint\appdata\local\Roblox

2012-12-05 14:11:44 58848 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2012-12-05 14:11:44 472544 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2012-12-05 14:11:44 115168 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe

2012-12-05 14:11:43 916960 ----a-w- c:\program files\mozilla firefox\firefox.exe

2012-12-05 14:11:43 4220896 ----a-w- c:\program files\mozilla firefox\gkmedias.dll

2012-12-05 14:11:43 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2012-12-05 14:11:43 258528 ----a-w- c:\program files\mozilla firefox\freebl3.dll

2012-12-05 14:11:43 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2012-12-05 14:11:43 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2012-12-05 14:11:43 116192 ----a-w- c:\program files\mozilla firefox\crashreporter.exe

2012-12-05 14:11:42 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll

2012-12-05 14:11:42 18912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll

2012-11-28 15:29:37 740840 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8c2895f5-4977-4780-8670-01a542622995}\gapaengine.dll

2012-11-26 02:55:22 -------- d-----w- c:\users\clint\appdata\roaming\0ad

2012-11-26 02:55:22 -------- d-----w- c:\users\clint\appdata\local\0ad

2012-11-26 02:46:41 -------- d-----w- c:\users\clint\appdata\local\0 A.D. alpha

2012-11-24 04:11:35 -------- d-----w- c:\program files\Cisco Systems

2012-11-24 04:03:46 -------- d-----w- c:\programdata\Cisco Systems

2012-11-20 09:17:10 740784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll

2012-11-18 00:49:16 -------- d-----w- c:\program files\Microsoft Security Client

2012-11-14 15:48:10 75776 ----a-w- c:\windows\system32\synceng.dll

.

==================== Find3M ====================

.

2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-10-11 03:15:04 1867112 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-10-11 03:15:00 2574696 ----a-w- c:\windows\system32\nvcuvid.dll

2012-10-11 03:14:50 888168 ----a-w- c:\windows\system32\nvdispgenco32.dll

2012-10-11 03:14:50 12501352 ----a-w- c:\windows\system32\nvwgf2um.dll

2012-10-11 03:14:46 17559912 ----a-w- c:\windows\system32\nvcompiler.dll

2012-10-11 03:14:44 2428776 ----a-w- c:\windows\system32\nvapi.dll

2012-10-11 03:14:42 7697768 ----a-w- c:\windows\system32\nvcuda.dll

2012-10-11 03:14:28 10837352 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2012-10-11 03:14:22 19906920 ----a-w- c:\windows\system32\nvoglv32.dll

2012-10-11 03:14:22 1009512 ----a-w- c:\windows\system32\nvdispco32.dll

2012-10-11 03:14:16 6127464 ----a-w- c:\windows\system32\nvopencl.dll

2012-10-11 03:14:16 15309160 ----a-w- c:\windows\system32\nvd3dum.dll

2012-10-02 19:29:42 645992 ----a-w- c:\windows\system32\nvvsvc.exe

2012-10-02 19:29:41 62312 ----a-w- c:\windows\system32\nvshext.dll

2012-10-02 19:29:41 2557288 ----a-w- c:\windows\system32\nvsvcr.dll

2012-10-02 19:29:41 108392 ----a-w- c:\windows\system32\nvmctray.dll

2012-10-02 19:29:22 2853224 ----a-w- c:\windows\system32\nvsvc.dll

2012-10-02 19:28:53 3965288 ----a-w- c:\windows\system32\nvcpl.dll

2012-10-02 19:15:52 430952 ----a-w- c:\windows\system32\nvStreaming.exe

2012-09-30 01:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2008-03-25 18:44:16 1943040 ----a-w- c:\program files\rcfiles.exe

2006-01-14 18:06:02 2558976 ----a-w- c:\program files\robinson.exe

.

============= FINISH: 20:51:27.23 ===============

and attach.txt

.

==== Installed Programs ======================

.

.

==== End Of File ===========================

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
