
google redirection problem



Thank you in advance for your time.

I started getting redirection from google search links about 60 hours ago.

I have had McAfee on the system for more than 1 year, updated automatically.

I did a full scan with McAfee without finding a problem (before trying other things)

I attempted a few searches for the remedy and tried using the following programs:

each claimed (if I recall properly) that it found & removed a rootkit virus (in various places)

At this time, only McAfee and Malwarebytes are still installed.

Malwarebytes' Anti-Malware: the first program I tried. I have lost the original log; below is the most recent run.

Hitman Pro

spybotsd162

tdsskiller Kaspersky

asc-setup --->Advanced System Care didn't seem to find problem

CCleaner --- used a little, I only erased areas I knew to be junk/unimportant, I realized it wasn't finding the 'problem'

the following link led me to this forum http://forums.malwarebytes.org/index.php?showtopic=9573

I did not try to install Avira AntiVir Personal, since I already have McAfee :frown:

In the attachment are attach.txt and ark.txt; the latter is from only about 30 seconds of scanning.

When I leave GMER running longer than that, GMER and the system locks up and I get no results :P

Below are Malwarebytes & DDS files.

Leef_me

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4103

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

5/17/2010 12:30:34 PM

mbam-log-2010-05-17 (12-30-34).txt

Scan type: Quick scan

Objects scanned: 131613

Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lee at 9:10:33.51 on Mon 05/17/2010

Internet Explorer: 7.0.6001.18000

Microsoft

attach.zip


Hello and welcome!

I'm Extremeboy and I will help you out here.

The partial GMER log you posted already helps. Let's get another scan using OTL please so I can take a look.

We need to create an OTL Report

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check".
  6. Copy and paste the following code into the custom scan textbox. Do not include the word "Code":

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
CREATERESTOREPOINT

  7. Push the Run Scan button.
  8. Two reports will open; copy and paste them in a reply here:
     • OTListIt.txt <-- Will be opened
     • Extra.txt <-- Will be minimized


Thank you Extremeboy.

Btw, steps 8 & 9 seem to conflict. One says 1 report the other says 2 reports. Just FYI, maybe it will help the next poor victim. Here are the reports.

OTL Extras logfile created on: 5/17/2010 7:16:25 PM - Run 1

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Lee\Desktop

Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6001.18000)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 49.00% Memory free

6.00 Gb Paging File | 4.00 Gb Available in Paging File | 73.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 69.77 Gb Total Space | 27.54 Gb Free Space | 39.47% Space Free | Partition Type: NTFS

Drive D: | 69.52 Gb Total Space | 69.42 Gb Free Space | 99.86% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LEE-PC

Current User Name: Lee

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 0

"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{2DB0D4CD-B2DF-4B8D-A799-713AA609B8DE}" = dir=in | app=c:\program files\acer arcade deluxe\dvdivine\dvdivine.exe |

"{339AC5CC-2C75-4CD4-9E53-772721457D43}" = dir=in | app=c:\program files\acer arcade deluxe\play movie\playmovie.exe |

"{6428063C-9F11-45BB-B17A-305674F09A43}" = dir=in | app=c:\program files\acer arcade deluxe\play movie\pmvservice.exe |

"{7560C95E-C2C8-4610-B5FA-BDB963B81A99}" = protocol=17 | dir=in | app=c:\program files\ivt corporation\bluesoleil\bluesoleil.exe |

"{7BE445BA-44E1-4DBC-9EE3-016A94466077}" = dir=in | app=c:\program files\acer arcade deluxe\videomagician\videomagician.exe |

"{99C07B8D-A8BE-4488-B577-82DB2EA0CAA7}" = protocol=6 | dir=in | app=c:\program files\ivt corporation\bluesoleil\bluesoleil.exe |

"{AC846853-A17D-4956-A17B-9D3EF71083FD}" = dir=in | app=c:\program files\acer arcade deluxe\dv wizard\dv wizard.exe |

"{BAD1F110-300F-4425-9FD7-E502C0334440}" = dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\acer arcade deluxe.exe |

"{DCC10654-4776-4FC6-BAA0-239FE924642C}" = dir=in | app=c:\program files\acer arcade deluxe\homemedia\homemedia.exe |

"{DEAF1ACB-D8D1-48B1-9FB6-41D9B9ACAA91}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator

"{03D1988F-469F-4843-8E6E-E5FE9D17889D}" = WIDCOMM Bluetooth Software 6.0.1.4900

"{09D5DA72-5232-41F5-AB97-939FE65C3FF4}" = National Audio Selection Guide

"{0E30336A-B8BC-11D5-B96C-000103E0A7B3}" = Transmogrifier

"{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In

"{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2413" = CanoScan LiDE 100 Scanner Driver

"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker

"{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime

"{23970E31-948B-466E-8376-1224D32FDF0C}" = Convert

"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 18

"{284A25AA-96B4-449D-BBA0-D0C97A5E213E}" = PCB Artist Version 1.3.2

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{44564479-0533-4542-8D5A-4937EA4BFBAC}" = MPLAB Tools v8.30

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{51B6E32D-5FE8-4A07-AD54-43B5A383883E}_is1" = V1.3.1

"{57265292-228A-41FA-9AEC-4620CBCC2739}" = Acer eAudio Management

"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management

"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{67AFAFB8-93A4-427B-BCF2-A08DE3583408}" = ViewMate 11.0

"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6b06f1b7-74f9-4d41-95f3-c9551420ab5f}" = PicoScope 6

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{7243C38C-D318-4AE2-A4A4-8DF9E920CC0E}" = ViewMate 10.4

"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver

"{8122EA8B-C921-11D3-8512-004005429C32}" = WinBoard PCB

"{81C5AD1D-C7C6-48AC-AC85-8F04293B1780}" = USB Display Device (Trigger 1+) 9.10.0526.0159

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110113233}" = Bookworm Deluxe

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11029123}" = Bricks of Egypt

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110322783}" = Big Kahuna Reef

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110411970}" = Chuzzle

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111118433}" = Mystery Case Files - Huntsville

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750}" = Cake Mania

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111252743}" = Mahjong Escape Ancient China

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111324990}" = Kick N Rush

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111543617}" = Backspin Billiards

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111692950}" = Mahjongg Artifacts

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}" = Jewel Quest Solitaire

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111796363}" = Mystery Solitaire - Secret Island

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111872660}" = Diner Dash Flo on the Go

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112310577}" = Flip Words 2

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112531267}" = Chicken Invaders 3

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112615863}" = Agatha Christie Death on the Nile

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112920767}" = Alice Greenfingers

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113009953}" = Turbo Pizza

"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113080210}" = Azada

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5

"{8F85CC2C-4B26-4CF6-B835-DC59BCEDD287}" = Bluesoleil2.7.0.13 VoIP Release 071227

"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007

"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007

"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003

"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007

"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver

"{A3723EB8-255B-4A2D-9831-0752C0D06FF6}_is1" = EssentialFax

"{A5633652-3795-4829-BB0B-644F0279E279}" = Acer eDataSecurity Management

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology

"{AC1ACE88-C471-494E-B5FA-0B7C21F22E4F}" = Orion

"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0

"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer

"{B8EF780F-126C-4CF0-AAB2-1B68BF06BA1C}" = Motorola Driver Installation 3.7.0

"{BF839132-BD43-4056-ACBF-4377F4A88E2A}" = Acer ePresentation Management

"{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management

"{C9FAA69F-A990-44CF-B34D-86F74533A35A}" = SundayPlus

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1

"{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management

"{E209F988-EF49-4B3D-84A6-3CBB67F058AC}" = Google SketchUp 7

"{EA528B2C-DF8F-45BB-BFDB-B588536992EB}" = SolidWorks eDrawings 2009

"{EE4DFEC2-B8AB-11D3-84F7-004005429C32}" = WinDraft Schematics

"{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}" = Acer Arcade Deluxe

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0

"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth

"2B92EA9865777B996CE7FFF8BD7A40F883C18BE0" = Windows Driver Package - Das (Siudi-Stick) USB (02/13/2009 1.1.0)

"3A66BC15DC4D478459742138077230185DB7DAEB" = Windows Driver Package - Das (Siudi) USB (02/13/2009 1.5.1)

"7-Zip" = 7-Zip 4.65

"Acer Assist" = Acer Assist

"Acer GameZone Console_is1" = Acer GameZone Console 2.0.1.1

"Acer Registration" = Acer Registration

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"AnalogX SayIt" = AnalogX SayIt

"Audacity_is1" = Audacity 1.2.6

"AutoHotkey" = AutoHotkey 1.0.48.05

"BtcMaestro" = HP Wireless Multimedia Keyboard and Mouse Driver V1.3

"Canon CanoScan LiDE 100 User Registration" = Canon CanoScan LiDE 100 User Registration

"CanonSolutionMenu" = Canon Utilities Solution Menu

"CCS C Compiler Plug-In for MPLAB" = CCS C Compiler Plug-In for MPLAB

"CCSLOAD" = CCSLOAD

"CD Audio Reader Filter" = CD Audio Reader Filter (remove only)

"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118" = HDAUDIO Soft Data Fax Modem with SmartCP

"D3D6DC2FA20B3DC5B824649028CE6BF9E945A776" = Windows Driver Package - Das (Stick) USB (10/30/2008 1.0.0)

"DC-Bass Source" = DC-Bass Source 1.1.1

"DirectVobSub" = DirectVobSub (remove only)

"doPDF 6 printer_is1" = doPDF 6.2 printer

"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)

"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders

"Elation Compu 2006_is1" = Elation Compu 2006

"ENTERPRISER" = Microsoft Office Enterprise 2007

"eSpeak_is1" = eSpeak version 1.42.04

"Everything" = Everything 1.2.1.371

"F1907F08F174D3035B56EE70B8C23FC2F86EBADD" = Windows Driver Package - Das (Siudi) USB (05/30/2008 1.4.0)

"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]

"foobar2000" = foobar2000 v0.9.6.9

"Free RAR Extract Frog 1.00" = Free RAR Extract Frog 1.00

"Frhed" = Frhed 1.6.0

"FTDICOMM" = FTDI USB Serial Converter Drivers

"GOM Player" = GOM Player

"GridVista" = Acer GridVista

"HaaliMkx" = Haali Media Splitter

"Hexagon 2.5" = Hexagon

"Hexplorer" = ICY Hexplorer (remove only)

"IconsExtract" = IconsExtract

"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker

"InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7

"InstallShield_{44564479-0533-4542-8D5A-4937EA4BFBAC}" = MPLAB Tools v8.30

"KONICA MINOLTA magicolor 1600W" = KONICA MINOLTA magicolor 1600W

"LManager" = Launch Manager

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"MediaCoder Audio Edition" = MediaCoder Audio Edition 0.7.2.4540

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package

"MONOGRAM AMR Splitter/Decoder" = MONOGRAM AMR Splitter/Decoder (remove only)

"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0

"MSC" = McAfee SecurityCenter

"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)

"Network Stumbler" = Network Stumbler 0.4.0 (remove only)

"NTFS Undelete_is1" = NTFS Undelete v0.94

"NVIDIA Drivers" = NVIDIA Drivers

"OpenSource DTS/AC3/DD+ Source Filter" = OpenSource DTS/AC3/DD+ Source Filter (remove only)

"OpenSource Flash Video Splitter" = OpenSource Flash Video Splitter (remove only)

"PCW" = PCW

"PCWH" = PCWH

"PDF4Free_is1" = PDF4Free 2.0

"Pdf995" = Pdf995

"pdfsam" = pdfsam

"PUSBCOMM&10C4&803B" = Pololu USB-to-serial adapter driver (Driver Removal)

"RarZilla Free Unrar 2.53" = RarZilla Free Unrar 2.53

"RealMedia" = RealMedia (remove only)

"SMPlayer" = SMPlayer 0.6.8

"SpeedBit Video Downloader" = SpeedBit Video Downloader

"ST6UNST #1" = JumpKeys Pro

"SUPER


Btw, Extremeboy, I have a number of Windows updates pending and have been getting the following error every few hours.

"[Window Title] Microsoft Windows

[Main Instruction] Host Process for Windows Services has stopped working

[Content] Windows is checking for a solution to the problem...

[Cancel] "


>>Btw, steps 8 & 9 seem to conflict. One says 1 report the other says 2 reports. Just FYI, maybe it will help the next poor victim. Here are the reports.

Yes, thanks for noticing that. It has been changed and updated to reflect that.

There are actually a few things still on your machine that require removal. We are going to start off with Combofix and continue from there.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


Hi Extremeboy,

I did some google searches (on topics I knew) and clicked on some of the links.

Of about 10 attempts, I did not get any redirects. :)

I wait to hear from you on the "all clear" .

BTW, can the thread here be removed? I'm feeling a little uncertain of the info lingering.

I don't know whether this is related or not, but I wonder if the "infection" might account for 2 other problems I've had.

1. using Google maps, when I grab the little person icon and drop them on a street this browser page does not display streetview.

2. at random times my system will report that a USB port is no longer working. I have been able to track down the port to a particular connector on the laptop itself and it isn't one I typically have been using.

Sorry if these questions are beyond the 'malware' umbrella.


Hello.

That's good. It seems Combofix dealt with it successfully. :)

Sorry for the delay, for some reason I didn't see your reply yet. Let's keep going here.

>>BTW, can the thread here be removed? I'm feeling a little uncertain of the info lingering.

Logs can be edited if you feel the need due to your own privacy situation.

>>Sorry if these questions are beyond the 'malware' umbrella.

Doesn't seem malware related, as you said too; more likely something hardware or device related. We can take a look into it near the end.

Update and Scan with MalwareBytes Anti-Malware

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy


>>Sorry for the delay, for some reason I didn't see you reply yet. Let's keep going here.

I've seen this advisory in your posts and I was so hoping to PM/gripe at you (NOT!) but you still had ~ 5 hours :)

>>If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Here are the logs

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4121

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

5/20/2010 4:25:38 PM

mbam-log-2010-05-20 (16-25-38).txt

Scan type: Quick scan

Objects scanned: 134351

Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lee at 16:27:16.06 on Thu 05/20/2010

Internet Explorer: 7.0.6001.18000

Microsoft

Attach__2_.zip


>>I've seen this advisory in your posts and I was so hoping to PM/gripe at you (NOT!) but you still had ~ 5 hours

Yup, feel free to PM me if I haven't replied within 48 hours. Usually we should get at least 1 reply per day, more if applicable, during the weekends.

Your logs are looking good now. Let's perform an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Scan Now button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Accept button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Settings... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Save button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,

Extremeboy


KASPERSKY found some more problem locations, but I have not attempted to fix.

>>Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply.

>>Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

You asked about "running" in your last message and I failed to answer.

I have lost the 'redirection' symptom, so that is good. I hadn't noticed any other problems besides that.

I've had some problems that I believe are noise related, with a USB hub or wires & an electrical fan that may be electrically noisy when switched between speeds. The problem I noticed was coincident with switching the fan and has not been repeated.

Other than that things seem to be ok.

Here are the logs.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, May 22, 2010

Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, May 22, 2010 19:55:54

Records in database: 4163735

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

Scan statistics:

Objects scanned: 172849

Threats found: 4

Infected objects found: 6

Suspicious objects found: 0

Scan duration: 04:42:29

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

C:\Users\Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\5c0c5955-52d95d4d Infected: Trojan-Downloader.Java.Agent.bk 2

C:\Users\Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\5c0c5955-52d95d4d Infected: Exploit.Java.Agent.f 1

C:\Users\Lee\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\5c0c5955-52d95d4d Infected: Exploit.Java.Agent.a 1

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lee at 21:35:42.14 on Sat 05/22/2010

Internet Explorer: 7.0.6001.18000

Microsoft

05222010aAttach.zip


That's good to hear. :blink:

Most of what Kaspersky detected were just infected java cache which can be removed easily. However, there's a system file that we need to deal with first.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    netbt.sys


  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Can you then upload the following file to me through the Submission Channel?

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys <= This file

Thanks.


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 19:49 on 23/05/2010 by Lee (Administrator - Elevation successful)

========== filefind ==========

Searching for "netbt.sys"

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys --a--- 185856 bytes [00:09 17/09/2009] [04:45 11/04/2009] ECD64230A59CBD93C85F1CD1CAB9F3F6

C:\Windows\System32\drivers\netbt.sys --a--- 184320 bytes [02:24 21/01/2008] [02:24 21/01/2008] 7C5FEE5B1C5728507CD96FB4A13E7A02

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys --a--- 184320 bytes [02:24 21/01/2008] [02:24 21/01/2008] ED880884714C70D1087F81A5235A6916

-=End Of File=-

>>Malware Submission

>>Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

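The comparison the helper makes by eye in the filefind log above (same file name, same byte size, different MD5 between the live driver and its component-store copy) can be automated. This is an added example, not part of the thread and not SystemLook's own code; the sample log is constructed from the three result lines posted above, and the line layout the regex assumes is taken from that log.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One SystemLook ":filefind" result line, as laid out in the log above:
# <path> <attribute flags> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Constructed sample: the three result lines from the first SystemLook log in this thread.
SAMPLE_LOG = r"""
========== filefind ==========
Searching for "netbt.sys"
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys --a--- 185856 bytes [00:09 17/09/2009] [04:45 11/04/2009] ECD64230A59CBD93C85F1CD1CAB9F3F6
C:\Windows\System32\drivers\netbt.sys --a--- 184320 bytes [02:24 21/01/2008] [02:24 21/01/2008] 7C5FEE5B1C5728507CD96FB4A13E7A02
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys --a--- 184320 bytes [02:24 21/01/2008] [02:24 21/01/2008] ED880884714C70D1087F81A5235A6916
-=End Of File=-
"""

def parse_filefind(text):
    """Return one dict per result line; header, footer and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            hits.append(d)
    return hits

def find_mismatches(hits):
    """Pair copies of the same file name that have equal size but differing MD5.
    A driver patched in place (the TDSS case in this thread) keeps its size, so a
    hash that differs from a same-size copy elsewhere is worth a manual check
    (e.g. against the Windows Update copy or a signature check); the log alone
    cannot say which copy is the bad one."""
    by_name = defaultdict(list)
    for h in hits:
        by_name[PureWindowsPath(h["path"]).name.lower()].append(h)
    out = []
    for name, copies in by_name.items():
        for i, a in enumerate(copies):
            for b in copies[i + 1:]:
                if a["size"] == b["size"] and a["md5"] != b["md5"]:
                    out.append((name, a["path"], b["path"]))
    return out

if __name__ == "__main__":
    for name, p1, p2 in find_mismatches(parse_filefind(SAMPLE_LOG)):
        print(f"{name}: same size, different MD5:\n  {p1}\n  {p2}")
```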

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    FCopy::
    C:\Windows\System32\drivers\netbt.sys | C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture CFScriptB-4.gif, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Run SystemLook again once Combofix is done.

Thanks.


>>Run SystemLook again once Combofix is done

previously you wanted this script run

:filefind

netbt.sys

After combofix, I tried to run Systemlook

but could not because it gave this message.

"Illegal access to a system key marked for deletion."

And when I tried to run I.E. the same message was displayed.

I rebooted the computer, and things work again.

I missed reading about dragging the CF script to ComboFix, so I did that part again. Below are both logs.

Also, the log for systemlook

ComboFix 10-05-24.03 - Lee 05/24/2010 13:23:48.2.2 - x86


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 20:41 on 25/05/2010 by Lee (Administrator - Elevation successful)

========== filefind ==========

Searching for "netbt.sys"

C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys --a--- 185856 bytes [00:09 17/09/2009] [04:45 11/04/2009] ECD64230A59CBD93C85F1CD1CAB9F3F6

C:\Windows\System32\drivers\netbt.sys ------ 184320 bytes [02:24 21/01/2008] [02:24 21/01/2008] 7C5FEE5B1C5728507CD96FB4A13E7A02

-=End Of File=-


Hello.

Good, that's done.

Please follow/read the steps below to remove the tools we used and for some more information. :)

Uninstall ComboFix

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big CleanUp button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Congratulations! You now appear clean! :welcome:

Now that you are clean, please follow and read some of the prevention tips >over here<. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.

If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,

Extremeboy


Hi Extremeboy,

I started to do the operations as instructed and I noticed that Combofix was missing.

I had downloaded file to my desk and it was not there anymore, the win-R could not find it.

I didn't find it in the start->Programs-> ????

So I downloaded & installed it and then I did the Uninstall ComboFix .

Then I performed "download and Run OTC" , other than reboot, the results were anticlimactic.

Somewhere in all the actions I had to uninstall & reinstall a USB hub, that was acting kinda strange.

"Strange" in that items plugged in downstream were reporting the hub as non-2.0

All appears well now.

I don't know which, but some piece of software thinks "hide extension for known file types" should be checked.

I believe that would be combofix or OTC.

I have confirmed again that google redirection appears corrected.

I have saved a copy of this thread and a Mhtml so I can review as needed, especially the other links you provided.

I have reviewed the data posted in the thread and realize it shows I have a few special programs installed but

otherwise no big deal.

the thread is not a potential problem for me. Therefore no need to remove it.

>>If you have no more questions, comments or problems please tell us, so we can close off the topic.

I still wish I knew what I did to disable google street views. My guess was it happened some time before the virus.

For me, I guess the thread/topic can be closed.


Glad all worked out.

Please note that what we did here may not work for every situation you are in and definitely, Combofix is not a tool to be used on a daily basis or be used as a scanning tool. It is a very powerful tool.

---

Since the problem appears to be resolved, this topic is now Closed. Glad we can help. :welcome:

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,

Extremeboy
