
Inactive have google redirect bug plus fake security warning

Discussion in 'Malware and Virus Removal Archive' started by Charles Herold, 2010/03/31.

  1. 2010/03/31 - Charles Herold (Thread Starter)

    I have a bunch of issues that are probably related (they all happened while I was on vacation, so I suspect my cat sitter downloaded something she shouldn't have).

    1) When I run a search via google.com, I see my results in google for just a fraction of a second and then the page redirects. This happens in Firefox but it has not, so far, happened in Google Chrome (Internet Explorer started crashing on startup a month ago but I haven't looked into why yet). Sometimes google does work properly, but that is rare.

    2) Sometimes when I click a link on a web page a new page opens up for results.google-analytics.com, which almost immediately opens into some spammy website. (I have only seen this in Firefox, but that's the only browser I use extensively.)

    3) Periodically I get a pop-up telling me there's a security problem. The text reads, in part, "your browser is under the threat of infection." (Of course, now that I would like it to pop up so I can get a screenshot, it's not happening.)

    So far I have run Malwarebytes Anti-Malware and SuperAntiSpyware. Malwarebytes found some registry issues and fixed them (see below). I ran SuperAntiSpyware afterwards and it didn't find anything more. My anti-virus is Avira AntiVir Personal, which doesn't seem to have caught it.

    Below are my two DDS reports followed by my Anti-Malware log. Thank you for your help.


    =============== DDS.txt =========

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Charles Herold at 13:55:37.59 on Wed 03/31/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2815.1479 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\IDrive\IDriveE Service.exe
    C:\Program Files\IDrive\IDriveWebM.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Meebo\Meebo Notifier\MeeboNotifier.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\Program Files\Memento\Memento.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\DateInTray\DateInTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\IDrive\IDriveETray.exe
    C:\Program Files\IDrive\IDriveEBackground.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\HijackThis (PC analysis)\HijackThis.exe
    C:\Documents and Settings\Charles Herold\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\PROGRA~1\NFODIZ~1.0\nfodiz.exe
    C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\mozOpenDownload\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://search.myheritage.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - :c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000048.dll
    TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000048.dll
    EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration301000049.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [IDriveE Startup] "c:\program files\idrive\IDrvieEStartup.exe" Hide
    uRun: [WeatherWatcher] "c:\program files\weather watcher\ww.exe "
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [Google Update] "c:\documents and settings\charles herold\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [SpybotSD TeaTimer] :c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Meebo Notifier] "c:\documents and settings\charles herold\local settings\application data\meebo\meebo notifier\MeeboNotifier.exe" /startup
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe "
    StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\clear_~1.lnk - c:\program files\utilities\clear_recent_docs.bat
    StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\datein~1.lnk - c:\program files\dateintray\DateInTray.exe
    StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\idrive~1.lnk - c:\program files\idrive\IDriveEReg2ini.exe
    StartupFolder: c:\docume~1\charle~1\startm~1\programs\startup\superf~1.lnk - c:\program files\superfinder (search for files)\SuperFinder.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\memento.lnk - c:\program files\memento\Memento.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\~disab~1\miniey~1.lnk - c:\program files\eyeq (speed reading)\ARLaunch.exe
    uPolicies-explorer: NoNetworkConnections = 01000000
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237433210546
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237436168953
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: NameServer = 93.188.164.226,93.188.161.83
    TCP: {A1631753-E5F1-4854-B673-F4B81CE503CE} = 93.188.164.226,93.188.161.83
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\charle~1\applic~1\mozilla\firefox\profiles\jenl2cru.default\
    FF - prefs.js: browser.search.selectedEngine - YouTube
    FF - prefs.js: browser.startup.homepage - hxxp://www.skip-search.com/?cfg=2-82-0-rwaX\n
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
    FF - component: c:\documents and settings\charles herold\application data\mozilla\firefox\profiles\jenl2cru.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
    FF - component: c:\documents and settings\charles herold\application data\mozilla\firefox\profiles\jenl2cru.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
    FF - component: c:\documents and settings\charles herold\application data\mozilla\firefox\profiles\jenl2cru.default\extensions\{dd43485f-44cc-4452-a6c6-69356a7e33da}\platform\winnt_x86-msvc\components\ahWinUtils_32.dll
    FF - component: c:\documents and settings\charles herold\application data\mozilla\firefox\profiles\jenl2cru.default\extensions\refractor@developer.mozilla.org\components\prism.dll
    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
    FF - plugin: c:\documents and settings\charles herold\application data\mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\charles herold\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\charles herold\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.131.11\npGoogleOneClick5.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-18 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-18 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-18 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-6 56816]
    R2 IDriveE Service;IDriveE Service;c:\program files\idrive\IDriveE Service.exe [2009-10-17 143360]
    R2 IDriveWebM;IDrive WebManager;c:\program files\idrive\IDriveWebM.exe [2009-10-17 118784]
    R2 VfSfilter;VfSfilter;c:\windows\system32\drivers\VfSfilter.sys [2009-10-15 36752]
    S2 gupdate1ca122f970d360e;Google Update Service (gupdate1ca122f970d360e);c:\program files\google\update\GoogleUpdate.exe [2009-7-31 133104]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-11-23 30192]
    S3 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2009-10-17 3013632]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

    =============== Created Last 30 ================

    2010-03-31 17:42:48 0 d-----w- c:\program files\HijackThis (PC analysis)
    2010-03-28 22:01:29 0 d-----w- c:\windows\system32\NtmsData
    2010-03-27 19:31:53 0 d-----w- c:\program files\Remove Empty Directories
    2010-03-27 07:05:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-27 07:05:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-27 07:05:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-01 21:35:28 0 d-----w- c:\docume~1\charle~1\applic~1\Metacafe
    2010-03-01 21:34:54 0 d-----w- c:\program files\common files\Akamai
    2010-03-01 21:34:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Metacafe
    2010-03-01 21:34:34 0 d-----w- c:\program files\Metacafe
    2010-03-01 19:49:42 2322 ----a-w- c:\temp\find.reg

    ==================== Find3M ====================

    2010-03-31 11:43:32 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-03-31 11:43:28 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
    2010-03-27 17:29:25 3532 ----a-w- C:\drmHeader.bin
    2010-01-10 00:17:02 22464 ---ha-w- c:\windows\system32\mlfcache.dat
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

    ============= FINISH: 13:56:18.75 ===============

    =================Attach.txt=================

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/18/2009 10:22:11 PM
    System Uptime: 3/31/2010 7:43:09 AM (6 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5N32-SLI-Deluxe
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | LGA 775 | 3000/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 2.118 GiB free.
    D: is FIXED (NTFS) - 56 GiB total, 0.157 GiB free.
    E: is Removable
    G: is CDROM ()
    H: is CDROM ()
    I: is FIXED (NTFS) - 233 GiB total, 1.804 GiB free.
    Z: is FIXED (NTFS) - 149 GiB total, 2.118 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
    Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_532111AB&REV_22\4&2145A711&0&0038
    Manufacturer: Marvell
    Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
    PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_532111AB&REV_22\4&2145A711&0&0038
    Service: yukonwxp

    Class GUID:
    Description: Mobility CF/SM Adapter
    Device ID: USB\VID_1342&PID_0305\6&399D8B9C&0&6
    Manufacturer:
    Name: Mobility CF/SM Adapter
    PNP Device ID: USB\VID_1342&PID_0305\6&399D8B9C&0&6
    Service:

    ==== System Restore Points ===================

    RP412: 3/28/2010 5:28:33 AM - System Checkpoint
    RP413: 3/30/2010 5:00:57 PM - System Checkpoint
    RP414: 3/31/2010 7:46:33 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    µTorrent
    AAC Decoder
    AccessCrawler (BETA)
    ACDSee Photo Manager 2009
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    AI RoboForm (All Users)
    All Star Strip Poker: Girls Next Door
    Antispyware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Application Mover
    AsusUpdate
    Audacity 1.2.6
    AutoUpdate
    Avidemux 2.5
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    BrainWave Generator
    CCleaner
    Celebrity Toolbar
    ClipName
    CmdHere Powertoy For Windows XP
    CombiMovie version 2
    Compatibility Pack for the 2007 Office system
    CoView
    Crayon Physics Deluxe - release 51
    Critical Update for Windows Media Player 11 (KB959772)
    D-Fend Reloaded 0.8.1 (deinstall)
    DateInTray 1.5
    dBpoweramp Music Converter
    Diskeeper 2008 Pro Premier
    DivX Codec
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Dr. DivX 2.0 OSS
    EasyCleaner
    EasyMPEG MX
    EVEREST Home Edition v2.20
    EVGA Display Driver
    eyeQ
    ffdshow [rev 610] [2006-12-01]
    Foxit PDF Editor
    Foxit PDF IFilter
    Foxit Reader
    Foxit Toolbar
    FreeRIP v3.2
    FTDI USB Serial Converter Drivers
    GMail Drive Shell Extension
    Gnucleus(remove only)
    GOM Player
    Google Chrome
    Google Desktop
    Google Earth
    Google Talk (remove only)
    Google Update Helper
    Google Updater
    GSpot Codec Information Appliance
    H.264 Decoder
    Hercules Uploader 0.95 beta
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    IDrive version 3.3.1 October 14, 2009
    Image Resizer Powertoy for Windows XP
    iTunes
    IZArc 3.81
    Java(TM) 6 Update 17
    K-Lite Mega Codec Pack 4.7.0
    L&H TTS3000 British English
    LAME v3.98.2 for Audacity
    Launchy 2.1.2
    Logitech Updater
    Logitech Vid
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    Malwarebytes' Anti-Malware
    Marvell Miniport Driver
    MediaMonkey 3.1
    Medieval CUE Splitter
    Meebo Notifier
    Memento 1.12
    Metacafe
    MGTEK dopisp
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Bootvis
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MKV Splitter
    MMaster
    Moyea FLV Editor Pro Version: 3.1.13.0
    Mozilla Firefox (3.6.2)
    Mozilla Thunderbird (3.0.3)
    MozyHome Remote Backup
    NfoDiz 6.0 Setup
    NirSoft OpenedFilesView
    NirSoft ShellExView
    Now Playing: A Windows Media Player Plugin
    nrg2iso
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    Oxin's Style! 3D Sexvilla 2.055.001
    Oxin's Style! Hentai3D 2.056.001
    PlayOn
    Quick Zip 4.60.019
    QuickTime
    Realtek AC'97 Audio
    Remove Empty Directories 2.1
    Riva FLV Encoder 2.0
    RocketReader Version 8.00
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Silent Hill
    Spybot - Search & Destroy
    StartupRun
    Steam
    SUPER © Version 2009.bld.36 (June 10, 2009)
    SUPERAntiSpyware Free Edition
    t@b ZS4 Video Editor v0.958-686
    Tales of Monkey Island - The Trial and Execution of Guybrush Threepwood
    The Path
    TreeSize Professional 5.2.2
    Turbo Lister 2
    Tweak UI
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VideoPad Video Editor
    VideoReDo TVSuite Version 3.1.5.564
    ViOrb
    Virtual Folder 1.05
    VirtualCloneDrive
    ViStart
    VuePrint
    Weather Watcher
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Winwonk OpenTarget (remove only)
    ZEN V Series Media Explorer

    ==== Event Viewer Messages From Past Week ========

    3/31/2010 7:54:46 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 2.0 Service Pack 2 Security Update for Windows 2000, Windows Server 2003, and Windows XP (KB974417).
    3/30/2010 6:31:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
    3/28/2010 1:41:10 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'DCBC2A71-7 .. EA3FDF.ini' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/27/2010 6:18:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'change.log' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/25/2010 8:58:15 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the IDriveE Service service.

    ==== End Of File ===========================


    ============MalwareBytes log================

    Malwarebytes' Anti-Malware 1.37
    Database version: 2268
    Windows 5.1.2600 Service Pack 3

    6/12/2009 5:14:04 PM
    mbam-log-2009-06-12 (17-14-04).txt

    Scan type: Quick Scan
    Objects scanned: 91212
    Time elapsed: 7 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{44b71ad2-4f42-4312-bff3-9b68a41de078} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\e20d6ec50a67ec04083b1251f2935d09 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{44b71ad2-4f42-4312-bff3-9b68a41de078} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\10cd00a0c66d64141805e4416afb7576 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\77b12cd46424a9b459aed6602d99c187 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\856d81ed094ec834f8e9b0200b2661db (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\f3cb2b9f6374b3f4fa195696edbc71c1 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\f93664c5193d3144e99dc1ac7da0c6a6 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. 2010/03/31
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software (Azureus, LimeWire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     

  4. 2010/03/31
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Try updating MBA-M as yours is months out of date.
    Once you have done that, run a quick scan, remove what is found and reboot.
    Post the MBA-M log back here please.
     
  5. 2010/04/01
    Charles Herold

    Charles Herold Inactive Thread Starter

    Joined:
    2010/03/31
    Messages:
    5
    Likes Received:
    0
    Turns out I can't update it, nor can I access the Malwarebytes website, or a lot of other security websites. Avira AntiVir seems to update just fine, but a complete scan from it didn't find anything.

    When I realized I couldn't access security sites I googled for that and found a suggestion to try GMER, but it didn't find anything either.
     
  6. 2010/04/01
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    Are you getting an error message from MBA-M when you attempt to update it?
    Try this direct link for the download: http://www.malwarebytes.org/mbam/database/mbam-rules.exe I am uncertain if it is the very latest, but it should be close.
    If you managed that ok, run MBA-M again and post the log.

    ==

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
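The /md5start … /md5stop section of the custom scan above asks OTL to fingerprint those drivers and DLLs, the system files that rootkits of the period patched in place, so their hashes can be compared against known-good copies. As an added Python illustration of that check (not OTL's or the poster's code), the block below parses that section, hashes each listed file under a directory and reports baseline entries that are missing or differ; the temporary directory, file contents and baseline hash are constructed, and on a real machine the baseline would come from a clean copy of the same Windows build.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed: a trimmed copy of the custom scan text posted above.
OTL_SCRIPT = """netsvcs
/md5start
eventlog.dll
scecli.dll
atapi.sys
nvstor.sys
/md5stop
"""

def parse_md5_list(script):
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for line in (raw.strip() for raw in script.splitlines()):
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names

def md5_of(path):
    """MD5 hex digest of a Path, or None when absent (not every box has every driver)."""
    if not path.is_file():
        return None
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_files(names, root):
    # root would be system32 on a real box; here it is a constructed directory
    return {n: md5_of(Path(root, n)) for n in names}

def diff_baseline(observed, baseline):
    """Baseline entries whose observed hash is missing or different."""
    return sorted(n for n, good in baseline.items() if observed.get(n) != good)

def demo():
    # Constructed system32 stand-in: two files match, atapi.sys altered, nvstor.sys absent.
    root = tempfile.mkdtemp()
    for name, data in (("eventlog.dll", b"abc"), ("scecli.dll", b"abc"), ("atapi.sys", b"patched")):
        Path(root, name).write_bytes(data)
    good = "900150983cd24fb0d6963f7d28e17f72"  # MD5(b"abc"), constructed baseline
    baseline = {"eventlog.dll": good, "scecli.dll": good, "atapi.sys": good}
    return diff_baseline(hash_files(parse_md5_list(OTL_SCRIPT), root), baseline)
```

A file that is absent is reported only when the baseline expects it, so a driver the machine never had does not show up as a false alarm.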
     
