
Google results redirect; GMER crashes


I've been trying for the past few days to figure out this problem... whenever I do a Google search for anything related to viruses, malware removal, etc., the results page looks okay but clicking on the links redirects to various ad pages. Sometimes they will appear out of nowhere as well, while the browser is running. This happens in both IE and Firefox. While trying to follow the instructions on this forum, I was unsuccessful at saving any GMER log files--the GMER program would lock up, and lsass.exe or winlogon.exe would start eating up to 50% of my CPU after I clicked the "save" button for the log. The first time I tried to run a scan the GMER program simply crashed and quit immediately. Here is my DDS log, and attached is the Attach.txt document. MBAM and Norton AV both scanned clean. Any help you could offer would be appreciated...

DDS (Ver_09-12-01.01) - NTFSx86

Run by Administrator at 16:10:55.51 on Sun 01/24/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.293 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe

C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie_rsearch.html

uDefault_Page_URL = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie_rsearch.html

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [D-Link RangeBooster G WUA-2340] c:\program files\d-link\rangebooster g wua-2340\AirPlusCFG.exe

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe

mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [CTStartup] "c:\program files\creative\splash screen\CTEaxSpl.EXE" /run

mRun: [CTHelper] CTHELPER.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [iJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRunOnce: [setDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

uPolicies-explorer: NoInternetIcon = 1 (0x1)

uPolicies-explorer: NoSMHelp = 1 (0x1)

uPolicies-explorer: NoResolveTrack = 1 (0x1)

uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

uPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

mPolicies-explorer: StartMenuFavorites = 0 (0x0)

mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)

mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)

mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)

mPolicies-explorer: Start_ShowRun = 1 (0x1)

mPolicies-explorer: Start_ShowSearch = 0 (0x0)

mPolicies-system: DisableCAD = 1 (0x1)

dPolicies-explorer: NoInternetIcon = 1 (0x1)

dPolicies-explorer: NoSMHelp = 1 (0x1)

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

dPolicies-explorer: NoResolveTrack = 1 (0x1)

dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

dPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office10\EXCEL.EXE/3000

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\administrator\start menu\programs\imvu\Run IMVU.lnk

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SecurityProviders: schannel.dll, digest.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\96fl69b1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-7-28 22168]

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2008-12-14 377920]

R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2002-12-30 12160]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-6 102448]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-12-14 57376]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100123.003\naveng.sys [2010-1-23 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100123.003\navex15.sys [2010-1-23 1323568]

S2 BT848;KWorld TV878 Video Capture;c:\windows\system32\drivers\cxvcap.sys [2008-12-14 63232]

S2 BTXBAR;KWorld TV878 Crossbar;c:\windows\system32\drivers\cxxbar.sys [2008-12-14 9472]

S2 CXTUNER;KWorld TV878 Tuner;c:\windows\system32\drivers\cxtuner.sys [2008-12-14 30080]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [2008-12-14 352338]

S3 VYTIAJHFZAWTAH;VYTIAJHFZAWTAH;c:\docume~1\admini~1\locals~1\temp\VYTIAJHFZAWTAH.exe [2010-1-23 531328]

=============== Created Last 30 ================

2010-01-24 21:51:43 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-01-24 20:09:30 0 d-----w- C:\VundoFix Backups

2010-01-24 08:15:26 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-01-24 08:15:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-12-27 00:47:54 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2009-12-27 00:47:54 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-12-27 00:46:13 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-12-27 00:46:13 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-12-27 00:46:13 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-12-27 00:45:41 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-12-27 00:45:06 354816 ------w- c:\windows\system32\dllcache\winhttp.dll

2009-12-27 00:44:24 0 d-----w- c:\program files\MSXML 4.0

2009-12-27 00:41:59 58880 ------w- c:\windows\system32\dllcache\msasn1.dll

2009-12-27 00:41:31 126976 ------w- c:\windows\system32\dllcache\ftpsvc2.dll

2009-12-27 00:37:57 1435648 ------w- c:\windows\system32\dllcache\query.dll

2009-12-27 00:37:30 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-12-27 00:35:43 135168 ------w- c:\windows\system32\dllcache\shsvcs.dll

2009-12-27 00:35:15 81920 ------w- c:\windows\system32\dllcache\fontsub.dll

2009-12-27 00:35:15 119808 ------w- c:\windows\system32\dllcache\t2embed.dll

2009-12-27 00:34:46 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-12-27 00:34:19 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx

2009-12-27 00:33:50 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-12-27 00:33:25 58880 ------w- c:\windows\system32\dllcache\atl.dll

2009-12-27 00:33:01 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-12-27 00:32:36 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll

2009-12-27 00:32:10 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys

2009-12-27 00:32:10 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

2009-12-27 00:32:09 54272 ------w- c:\windows\system32\dllcache\wdigest.dll

2009-12-27 00:32:09 301568 ------w- c:\windows\system32\dllcache\kerberos.dll

2009-12-27 00:32:09 147456 ------w- c:\windows\system32\dllcache\schannel.dll

2009-12-27 00:31:44 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe

2009-12-27 00:31:44 76288 ------w- c:\windows\system32\dllcache\telnet.exe

2009-12-27 00:30:54 345600 ------w- c:\windows\system32\dllcache\localspl.dll

2009-12-27 00:30:31 268288 ------w- c:\windows\system32\dllcache\httpext.dll

2009-12-27 00:30:08 585216 ------w- c:\windows\system32\dllcache\rpcrt4.dll

2009-12-27 00:28:45 2560 ------w- c:\windows\system32\xpsp4res.dll

2009-12-27 00:28:45 1203922 ------w- c:\windows\system32\dllcache\sysmain.sdb

2009-12-27 00:28:44 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

2009-12-27 00:28:21 91648 ------w- c:\windows\system32\dllcache\mtxoci.dll

2009-12-27 00:28:20 956928 ------w- c:\windows\system32\dllcache\msdtctm.dll

2009-12-27 00:28:20 66560 ------w- c:\windows\system32\dllcache\mtxclu.dll

2009-12-27 00:28:20 58880 ------w- c:\windows\system32\dllcache\msdtclog.dll

2009-12-27 00:28:20 161792 ------w- c:\windows\system32\dllcache\msdtcuiu.dll

2009-12-27 00:26:33 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll

2009-12-27 00:26:32 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-12-27 00:26:31 268288 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-12-27 00:26:29 63488 ------w- c:\windows\system32\dllcache\icardie.dll

2009-12-27 00:26:29 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-12-27 00:26:28 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll

2009-12-27 00:26:24 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat

2009-12-27 00:26:23 991232 ------w- c:\windows\system32\dllcache\ieframe.dll.mui

2009-12-27 00:26:20 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll

==================== Find3M ====================

2010-01-24 21:54:39 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-01-24 21:54:36 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-29 19:16:58 3598336 ------w- c:\windows\system32\dllcache\mshtml.dll

2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe

2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2008-12-20 02:23:57 604 ---ha-w- c:\program files\STLL Notifier

2009-09-02 20:40:17 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2009-09-02 20:40:17 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009090220090903\index.dat

2009-09-02 20:40:16 32768 --sha-w- c:\windows\temp\cookies\index.dat

2009-09-02 20:40:16 49152 --sha-w- c:\windows\temp\history\history.ie5\index.dat

2009-09-02 20:40:16 180224 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:12:44.26 ===============

Attach.txt


Okay, after reading some of the other posts on this forum, I decided to run ComboFix, and it seemed to detect some rootkit activity. It claims to have found and disinfected atapi.sys, and restored a copy from "Kitty ate it :D".

I'm not sure where "Kitty ate it :)" is, but so far things appear to be back to normal. Hopefully that will continue. Is there anything else I should do to make sure I don't have any more problems from this?

ComboFix log attached. Thanks!!

ComboFix.txt

