
Active first google redirected, weird audio now crashed

Discussion in 'Malware and Virus Removal Archive' started by rmlaw0482, 2009/02/12.

  1. 2009/02/12
    rmlaw0482

    [Active] first google redirected, weird audio now crashed

    Hello,
    My first problem was that I heard this audio from an advertisement being played on my computer without any program appearing to be running. Then I noticed that in my IE7 Google kept redirecting my search results in new windows to different sites.
    This morning I turned on my computer and the mouse works but I can not open anything, nor can I use the keyboard to open anything. I can only get the computer to work properly in safe mode.
    I can not get Trend Micro Internet Security to install updates either.

    Unfortunately I can not get my laptop connected to the internet so I can't post a HijackThis log. There is a file called xaudioservice when I run the HijackThis log. Should I remove this? Any other suggestions? It's getting desperate.
    I am using my other laptop at the moment.

    The infected computer runs Vista, and is a Compaq Presario.
    Thank you
     
  2. 2009/02/13
    noahdfear

    Welcome to WindowsBBS rmlaw0482 :)

    Please see this post, then post the DDS logs here.
     

  4. 2009/02/13
    rmlaw0482

    Log

    Okay, here it is.
    Since the last post I grew impatient and ran a HijackThis log, and saw a file named xaudio.exe. I deleted this, and now I haven't had the same problems with my computer crashing and can access the internet again. However, there is still the issue of Google redirecting and general strange things happening.


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Rob at 18:09:45.45 on Fri 13/02/2009
    Internet Explorer: 7.0.6000.16764
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.61.1033.18.1013.165 [GMT 11:00]

    AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
    FW: Trend Micro Personal Firewall *disabled*

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\BlazeVideo\BlazeDTV 2.5a\MediaDetector.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Users\Rob\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehsched.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Windows\system32\taskeng.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\ctfmon.exe
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Users\Rob\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Rob\AppData\Local\Temp\perce.jpg.exe
    C:\Users\Rob\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Rob\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.unimelb.edu.au/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
    uInternet Settings,ProxyServer = 172.16.1.35:80
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
    BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [BlazeServoTool] "c:\program files\blazevideo\blazedtv 2.5a\MediaDetector.exe "
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    uRun: [Cognac] c:\users\rob\appdata\local\temp\perce.jpg.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Google Update] "c:\users\rob\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe "
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe "
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0 "
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe "
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe "
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: NameServer = 85.255.112.39,85.255.112.40
    TCP: {792E47A1-6130-4FEB-9AFF-5B8F5CA6B9BB} = 85.255.112.39,85.255.112.40
    TCP: {FD0787C6-9F34-4B97-BDA3-C73891D494F8} = 85.255.112.39,85.255.112.40
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2007-12-17 141840]
    R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-12-17 36368]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2007-12-17 234512]
    S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-5-21 52240]
    S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-8-5 29184016]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-10-24 18432]
    S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-5-4 488768]
    S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-5-4 648456]

    =============== Created Last 30 ================

    2009-02-12 12:28 <DIR> --d----- C:\fixwareout
    2009-02-11 13:39 211,642,788 a------- c:\windows\MEMORY.DMP
    2009-02-11 11:37 924,432 a------- c:\windows\system32\temp.007
    2009-02-11 11:37 326,656 a------- c:\windows\system32\temp.006
    2009-02-11 11:35 924,432 a------- c:\windows\system32\temp.005
    2009-02-11 11:35 326,656 a------- c:\windows\system32\temp.004
    2009-02-11 11:33 <DIR> --d----- c:\program files\Palisade
    2009-02-08 14:37 268 ---shr-- C:\autorun.inf
    2009-01-29 14:05 401 a------- c:\windows\system32\Graph.lic
    2009-01-29 14:00 <DIR> --d----- c:\programdata\LocalCache
    2009-01-29 14:00 <DIR> --d----- c:\progra~2\LocalCache
    2009-01-23 16:18 <DIR> --d----- c:\programdata\Google

    ==================== Find3M ====================

    2009-01-06 09:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
    2009-01-05 16:07 51,200 a------- c:\windows\inf\infpub.dat
    2009-01-05 16:07 86,016 a------- c:\windows\inf\infstrng.dat
    2009-01-05 16:07 86,016 a------- c:\windows\inf\infstor.dat
    2008-12-19 21:50 174 a--sh--- c:\program files\desktop.ini
    2008-12-16 14:14 290,304 a------- c:\windows\system32\drivers\srv.sys
    2008-06-25 23:20 665,600 a------- c:\windows\inf\drvindex.dat
    2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 18:10:50.31 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/04/2008 1:44:17 AM
    System Uptime: 13/02/2009 3:47:50 PM (3 hours ago)

    Motherboard: Hewlett-Packard | | 30D9
    Processor: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz | CPU | 1733/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 86.857 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 1.085 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.0
    Adobe Shockwave Player
    AIM 6
    Ask Toolbar
    Atheros Driver Installation Program
    BlazeDTV 2.5a
    Business Contact Manager for Outlook 2007 SP1
    Canon RAW Codec
    Cards_Calendar_OrderGift_DoMorePlugout
    Conexant HD Audio
    Crystal Reports for ESRI
    CyberLink YouCam
    DVD Suite
    ESU for Microsoft Vista
    GDR 3073 for SQL Server Database Services 2005 ENU (KB954606)
    Google Chrome
    Google SketchUp 7
    Google Toolbar for Internet Explorer
    HDAUDIO Soft Data Fax Modem with SmartCP
    Hewlett-Packard Active Check
    Hewlett-Packard Asset Agent for Health Check
    HijackThis 2.0.2
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.6
    HP Easy Setup - Frontend
    HP Help and Support
    HP Photosmart Essential 2.5
    HP Quick Launch Buttons 6.30 E2
    HP Update
    HP User Guides 0093
    HP Wireless Assistant
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabel_Tattoo
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotoSmartPhotobookHolidayPack1
    HPPhotoSmartPhotobookModernPack1
    HPPhotoSmartPhotobookPlayfulPack1
    HPPhotoSmartPhotobookScrapbookPack1
    HPPhotoSmartPhotobookWebPack1
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Matrix Storage Manager
    Intel(R) TV Wizard
    Java(TM) 6 Update 2
    LabelPrint
    MediaRing Talk
    Microsoft Office 2003 Web Components
    Microsoft Office Professional Edition 2003
    Microsoft Office Small Business Connectivity Components
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 Redistributable
    MSCU for Microsoft Vista
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    muvee autoProducer 6.1
    My HP Games
    National Carbon Accounting System: Data Viewer 2.1
    National Carbon Accounting Toolbox v1.0
    NetWaiting
    Picasa 3
    Power2Go
    PowerDirector
    PSSWCORE
    Python 2.1
    Python 2.1 combined Win32 extensions
    QuickPlay SlingPlayer 0.4.4
    Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
    Realtek USB 2.0 Card Reader
    SoulSeek Client 156c
    Steinberg Cubase LE 4
    Switch Sound File Converter
    Syncrosoft License Control
    Touch Pad Driver
    Trend Micro Internet Security
    VideoToolkit01
    Viewpoint Media Player
    WAV MP3 Converter 2.9 build 889
    WavePad Sound Editor
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant

    ==== End Of File ===========================
     
  5. 2009/02/14
    noahdfear

    You have some other infections present, including a DNS hijack. First download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, close it for now.

    Please visit the following webpage for instructions for downloading and running ComboFix:

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.

    If you are connected to a router you will need to stay disconnected until completing all instructions. If there are other computers connected to the router, they will also need to have MBAM updated, then disconnected from the router as well.

    If it is a wireless router with wireless connections, you will likely need to reconfigure the router when done using a wired connection. If you do not know how to access and configure the router, post the make and model prior to beginning the following steps.


    Disconnect from the router (all computers) then on this computer, disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Close it for now.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Now open MBAM and do a complete system scan.
    • Make sure that everything found is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Now run MBAM the same way on all other computers.

    Next, you will need to reset the router to factory defaults. You will need something small, such as a pencil lead, to press and hold the recessed reset button located on the back of the router for at least 10 seconds.

    Once the router has been reset and all computers disinfected, reconnect to the router and log in to its control panel.
    Change the default password and if able to, the login username.


    Now post the contents of the MBAM log and the C:\ComboFix.txt log here.

    I would also recommend posting DDS logs and MBAM reports from all other computers connected.
     
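As an added example (not from this thread, DDS, MBAM or ComboFix): a small triage script that scans the Pseudo HJT section of a DDS log like the one posted above for the indicators noahdfear's reply points to. It reports NameServer entries that are not the owner's expected resolvers (the DNS hijack), autorun entries launching from a temp folder or carrying a double extension such as perce.jpg.exe, and any configured proxy. The sample log lines and the expected-resolver address are constructed assumptions for the example.

```python
import re

# Constructed excerpt modelled on the "Pseudo HJT Report" section of the DDS log
# above (a handful of lines, not the full log).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.unimelb.edu.au/
uInternet Settings,ProxyServer = 172.16.1.35:80
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Cognac] c:\users\rob\appdata\local\temp\perce.jpg.exe
uRun: [Google Update] "c:\users\rob\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {792E47A1-6130-4FEB-9AFF-5B8F5CA6B9BB} = 85.255.112.39,85.255.112.40
"""

# Resolvers this machine is expected to use (assumed value for the example;
# in practice the router's or ISP's addresses). Anything else is reported.
EXPECTED_DNS = {"192.168.1.1"}

# Autorun entries launching from user-writable temp/profile folders deserve a look.
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\roaming\\")
# A "document" extension in front of .exe is a common disguise.
DOUBLE_EXT_RE = re.compile(r"\.(jpg|jpeg|gif|png|txt|pdf|doc)\.exe$")

RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\]\s+"?(?P<path>.+?\.exe)', re.I)
DNS_RE = re.compile(r"^TCP: (?:NameServer|\{[0-9A-F-]+\}) = (?P<servers>[\d.,]+)", re.I)
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)", re.I)


def triage(dds_text, expected_dns=EXPECTED_DNS):
    """Return (kind, item, detail) tuples for log lines worth reviewing."""
    findings = []
    for line in dds_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            # Both the global NameServer and per-interface {GUID} entries are checked.
            unexpected = [s for s in m["servers"].split(",") if s not in expected_dns]
            if unexpected:
                findings.append(("dns", line.split(" = ")[0], unexpected))
            continue
        m = RUN_RE.match(line)
        if m:
            path = m["path"].lower()
            if DOUBLE_EXT_RE.search(path) or any(d in path for d in SUSPECT_DIRS):
                findings.append(("autorun", m["name"], m["path"]))
            continue
        m = PROXY_RE.search(line)
        if m:
            # A proxy is not malicious by itself, but the owner should recognise it.
            findings.append(("proxy", "ProxyServer", m["proxy"]))
    return findings


if __name__ == "__main__":
    for kind, item, detail in triage(SAMPLE_DDS):
        print(f"{kind:8} {item}: {detail}")
```

Paste the Pseudo HJT section of a real DDS log in place of SAMPLE_DDS and set EXPECTED_DNS to the resolvers the router or ISP actually hands out.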
