Inactive Facebook & Google redirect virus

Discussion in 'Malware and Virus Removal Archive' started by gng2, 2009/12/25.

  1. 2009/12/25
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    [Inactive] Facebook & Google redirect virus

    I got the Google redirect virus about 24 hours ago. But I think I got it first from Facebook, it started redirecting me when I clicked on Facebook links. Then I noticed it starting to happen when I clicked on Google links, and now, 24 hours later I think it's spread because it started redirecting me to "netshoppers" when I clicked some links in this forum.

    Also, I have tried Combofix.exe...but it told me that it was only compatible with Windows XP or 2000, I am using Vista.

    Here are my DDS.txt and Attach.txt...I don't know if or think I have any script disabling programs so I didn't disable anything

    DDS.txt

    DDS (Ver_09-12-01.01) - NTFSX64
    Run by Owner at 1:24:40.87 on Fri 12/25/2009
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_16
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4085.2279 [GMT -5:00]

    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: Webroot Spy Sweeper *enabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
    SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\sttray64.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\dllhost.exe
    C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\system32\lxdncoms.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\SysWOW64\PSIService.exe
    C:\Program Files (x86)\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\Wacom_Tablet.exe
    C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WTablet\Wacom_TabletUser.exe
    C:\Windows\system32\Wacom_Tablet.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Creative\ZEN Media Explorer\CTCheck.exe
    C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\Lexmark 2600 Series\lxdnMsdMon.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files (x86)\AIM6\aim6.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files (x86)\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files (x86)\Winamp\winampa.exe
    C:\Program Files\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files (x86)\AIM6\aolsoftware.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files (x86)\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
    C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Windows\splwow64.exe
    C:\Windows\system32\wuauclt.exe
    C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Program Files\uTorrent.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Users\Owner\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6866
    uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6866
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6866
    mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6866
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6866
    uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files (x86)\asksbar\srchastt\1.bin\A2SRCHAS.DLL
    mWinlogon: Userinit=userinit.exe
    BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files (x86)\asksbar\srchastt\1.bin\A2SRCHAS.DLL
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files (x86)\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~2\common~1\symant~1\ids\IPSBHO.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files (x86)\asksbar\bar\1.bin\ASKSBAR.DLL
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files (x86)\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
    TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files (x86)\asksbar\bar\1.bin\ASKSBAR.DLL
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files (x86)\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe "
    uRun: [ehTray.exe] "c:\windows\ehome\ehTray.exe "
    uRun: [Aim6] "c:\program files (x86)\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
    uRun: [CTSyncU.exe] "c:\program files (x86)\creative\sync manager unicode\CTSyncU.exe "
    uRun: [AdobeBridge]
    uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
    uRun: [notepad] rundll32.exe c:\users\owner\ntload.dll,_IWMPEvents@0
    mRun: [ccApp] "c:\program files (x86)\common files\symantec shared\ccApp.exe "
    mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
    mRun: [WinampAgent] "c:\program files (x86)\winamp\winampa.exe "
    mRun: [VirtualCloneDrive] "c:\program files\virtualclonedrive\VCDDaemon.exe" /s
    mRun: [Acrobat Assistant 8.0] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrotray.exe "
    mRun: [<NO NAME>]
    mRun: [AdobeCS4ServiceManager] "c:\program files (x86)\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe "
    mRun: [Adobe_ID0ENQBO] "c:\progra~2\common~1\adobe\adobe version cue cs4\server\bin\VersionCueCS4Tray.exe "
    mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe "
    mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe "
    mRun: [FaxCenterServer] "c:\program files (x86)\lexmark fax solutions\fm3032.exe" /s
    mRun: [SpySweeper] "c:\program files (x86)\webroot\spy sweeper\SpySweeperUI.exe" /startintray
    StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\openoffice.org 3.1.lnk - c:\program files (x86)\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\users\owner\appdata\roaming\microsoft\windows\start menu\programs\startup\scandisk.dll
    StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
    StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append Link Target to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\microsoft office\office12\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\microsoft office\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files (x86)\microsoft office\office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
    TB-X64: Show Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -
    TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    TB-X64: {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - No File
    mRun-x64: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun-x64: [IgfxTray] "c:\windows\system32\igfxtray.exe "
    mRun-x64: [HotKeysCmds] "c:\windows\system32\hkcmd.exe "
    mRun-x64: [Persistence] "c:\windows\system32\igfxpers.exe "
    mRun-x64: [IAAnotif] "c:\program files (x86)\intel\intel matrix storage manager\Iaanotif.exe "
    mRun-x64: [SigmatelSysTrayApp] "c:\windows\sttray64.exe "
    mRun-x64: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe "
    mRun-x64: [CTCheck] "c:\program files\creative\zen media explorer\CTCheck.exe "
    mRun-x64: [lxdnmon.exe] "c:\program files (x86)\lexmark 2600 series\lxdnmon.exe "
    mRun-x64: [lxdnamon] "c:\program files (x86)\lexmark 2600 series\lxdnamon.exe "
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\7x0oo5r7.default\
    FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com/
    FF - component: c:\program files (x86)\mozilla firefox\components\coFFPlgn.dll
    FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files (x86)\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\program files\divx\divx player\npDivxPlayerPlugin.dll
    FF - plugin: c:\program files\divx\divx web player\npdivx32.dll
    FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\7x0oo5r7.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - Creative ZENcast v2.00.13
    ============= SERVICES / DRIVERS ===============

    R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2008-5-23 54480]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 36976]
    R1 IDSvia64;Symantec Intrusion Prevention Driver;c:\progra~3\symantec\definitions\symcdata\ipsdefs\20090811.004\IDSvia64.sys [2009-8-11 370224]
    R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files (x86)\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
    R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-1-7 3580712]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files (x86)\viewpoint\common\ViewpointService.exe [2008-8-25 24652]
    R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files (x86)\webroot\spy sweeper\SpySweeper.exe [2008-8-9 3585384]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-19 131632]
    R3 NETw4v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw4v64.sys [2008-4-8 3146752]
    R3 Symantec Core LC;Symantec Core LC;c:\progra~2\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-19 1245064]
    R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 47664]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-1-7 18216]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
    S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60a.sys [2008-1-20 214016]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-8-26 93184]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-8-19 25424]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\common files\macrovision shared\flexnet publisher\FNPLicensingService64.exe [2009-3-26 1038088]
    S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]

    =============== Created Last 30 ================

    2009-12-23 23:00:28 0 d-----w- c:\windows\system32\drivers\NSSx64
    2009-12-23 23:00:28 0 d-----w- c:\program files (x86)\Norton Security Scan
    2009-12-11 07:06:51 32768 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-11 07:06:51 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
    2009-12-11 07:06:29 610304 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-11 07:06:26 33792 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-11 07:06:21 31232 ----a-w- c:\windows\syswow64\httpapi.dll
    2009-12-09 04:28:33 295936 ----a-w- c:\windows\system32\raschap.dll
    2009-12-09 04:28:33 280576 ----a-w- c:\windows\system32\rastls.dll
    2009-12-09 04:28:33 244224 ----a-w- c:\windows\syswow64\rastls.dll
    2009-12-09 04:28:32 281600 ----a-w- c:\windows\syswow64\raschap.dll
    2009-11-30 08:12:20 2048 ----a-w- c:\windows\syswow64\tzres.dll
    2009-11-30 08:12:20 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-29 02:38:42 1875456 ----a-w- c:\windows\system32\msxml3.dll
    2009-11-29 02:38:42 1794560 ----a-w- c:\windows\system32\msxml6.dll
    2009-11-29 02:38:41 1399296 ----a-w- c:\windows\syswow64\msxml6.dll
    2009-11-29 02:38:40 1257472 ----a-w- c:\windows\syswow64\msxml3.dll
    2009-11-29 02:38:31 880640 ----a-w- c:\windows\system32\timedate.cpl
    2009-11-29 02:38:31 714240 ----a-w- c:\windows\syswow64\timedate.cpl

    ==================== Find3M ====================

    2009-10-27 13:45:07 1032704 ----a-w- c:\windows\system32\wininet.dll
    2009-10-27 13:41:03 86528 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-27 13:20:19 833024 ----a-w- c:\windows\syswow64\wininet.dll
    2009-10-27 13:20:05 1174528 ----a-w- c:\windows\syswow64\urlmon.dll
    2009-10-27 13:18:49 146432 ----a-w- c:\windows\syswow64\occache.dll
    2009-10-27 13:17:35 671232 ----a-w- c:\windows\syswow64\mstime.dll
    2009-10-27 13:17:21 3584000 ----a-w- c:\windows\syswow64\mshtml.dll
    2009-10-27 13:17:19 458240 ----a-w- c:\windows\syswow64\msfeeds.dll
    2009-10-27 13:16:43 28160 ----a-w- c:\windows\syswow64\jsproxy.dll
    2009-10-27 13:16:30 6069248 ----a-w- c:\windows\syswow64\ieframe.dll
    2009-10-27 13:16:30 270848 ----a-w- c:\windows\syswow64\iertutil.dll
    2009-10-27 13:16:28 78336 ----a-w- c:\windows\syswow64\ieencode.dll
    2009-10-27 13:16:28 389120 ----a-w- c:\windows\syswow64\iedkcs32.dll
    2009-10-27 13:16:28 380928 ----a-w- c:\windows\syswow64\ieapfltr.dll
    2009-10-27 13:16:27 230400 ----a-w- c:\windows\syswow64\ieaksie.dll
    2009-10-27 11:20:07 32768 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-10-27 10:55:39 26624 ----a-w- c:\windows\syswow64\ieUnatt.exe
    2009-09-19 16:32:33 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-09-19 16:32:33 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-09-19 16:32:08 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-08-20 08:15:08 135630545 ----a-w- c:\program files (x86)\openofficeorg1.cab
    2009-08-20 08:13:26 9815040 ----a-w- c:\program files (x86)\openofficeorg31.msi
    2009-08-19 08:31:00 336 ----a-w- c:\program files (x86)\setup.ini
    2009-03-26 10:36:32 451928 ----a-w- c:\program files (x86)\setup.exe
    2009-02-10 07:37:45 270128 ----a-w- c:\program files\uTorrent.exe
    2008-08-20 21:40:19 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
    2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
    2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2002-03-11 09:06:30 1822520 ----a-w- c:\program files (x86)\instmsiw.exe
    2002-03-11 08:45:04 1708856 ----a-w- c:\program files (x86)\instmsia.exe
    2009-01-07 10:30:01 8 --sh--r- c:\windows\syswow64\B449A04F3B.sys
    2009-01-07 10:44:05 1056 --sha-w- c:\windows\syswow64\KGyGaAvL.sys

    ============= FINISH: 1:38:30.80 ===============


    Attach.txt


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/23/2008 5:45:43 AM
    System Uptime: 12/24/2009 2:54:18 AM (23 hours ago)

    Motherboard: Gateway | |
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | U2E1 | 2000/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 282 GiB total, 107.492 GiB free.
    D: is FIXED (NTFS) - 16 GiB total, 8.015 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 233 GiB total, 144.016 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: HID\WACOMVIRTUALHID&COL03\1&2D595CA7&0&0002
    Manufacturer:
    Name:
    PNP Device ID: HID\WACOMVIRTUALHID&COL03\1&2D595CA7&0&0002
    Service:

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    µTorrent
    ABBYY FineReader 6.0 Sprint
    Acrobat.com
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe After Effects CS4
    Adobe After Effects CS4 Presets
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Asset Services CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles AE CS4
    Adobe Color Video Profiles CS CS4
    Adobe Creative Suite 4 Master Collection
    Adobe CS4 American English Speech Analysis Models
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Fireworks CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player 9 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Additional Exporter
    Adobe Media Encoder CS4 Dolby
    Adobe MotionPicture Color Files CS4
    Adobe OnLocation CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4
    Adobe Premiere Pro CS4 Functional Content
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe Shockwave Player 11.5
    Adobe SING CS4
    Adobe Soundbooth CS4
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe Version Cue CS4 Server
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Compatibility Pack for the 2007 Office system
    Connect
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    InterActual Player
    Java(TM) 6 Update 16
    kuler
    Lexmark Tools for Office
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Works
    Mozilla Firefox (3.0.16)
    Norton Security Scan
    OpenOffice.org 3.1
    PDF Settings CS4
    Photoshop Camera Raw
    Pixel Bender Toolkit
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB973704)
    Security Update for Microsoft Office Excel 2007 (KB973593)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB969693)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Suite Shared Configuration CS4
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 (KB974561)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb976884)
    VLC media player 0.9.8a

    ==== End Of File ===========================

    Please help! It's getting worse!
    Thanks in advance!
     
    Last edited: 2009/12/25
    gng2,
    #1
  2. 2009/12/25
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software (Azureus, Limewire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     

  4. 2009/12/25
    gng2

    gng2 Inactive Thread Starter

    thanks, have uninstalled it
     
    gng2,
    #3
  5. 2009/12/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix works fine on Vista....

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  6. 2009/12/26
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    gng2,
    #5
  7. 2009/12/26
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    I just did a Google search for Combofix Vista and turns out many people are having trouble using Combofix with Vista, any idea why this might be and how to fix it? I can't click any of the links so I can't find out, but I did try to disable my User Account Control and run Combofix as administrator, that didn't work.
     
    gng2,
    #6
  8. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Oh, I see now, my fault. You have 64-bit Vista. Combofix won't run there.
    You can delete Combofix file.

    Which browser is getting redirected?
     
  9. 2009/12/26
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    I use Firefox. When I first got the virus 2 days ago, it was only affecting facebook and google, now it's affecting all the websites I go to, including this one.
     
    gng2,
    #8
  10. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
     
  11. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, run Gooredfix.
     
  12. 2009/12/26
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    sorry, with the virus, there's incredible lag and I keep getting redirected, I'm trying to right now, hold on
     
  13. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok....
     
  14. 2009/12/26
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    Sorry, it keeps redirecting this website and is getting worse. Took me forever but here it is:

    GooredFix by jpshortstuff (06.12.09.1)
    Log created at 21:58 on 26/12/2009 (Owner)
    Firefox version 3.0.16 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files (x86)\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [00:59 24/08/2008]
    {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [02:17 10/09/2009]

    C:\Users\Owner\Application Data\Mozilla\Firefox\Profiles\7x0oo5r7.default\extensions\
    moveplayer@movenetworks.com [05:21 16/05/2009]
    {20a82645-c095-46ed-80e3-08825760534b} [18:28 30/08/2009]
    {AE93811A-5C9A-4d34-8462-F7B864FC4696} [04:39 23/09/2009]
    {c45c406e-ab73-11d8-be73-000a95be3b12} [02:50 11/07/2009]
    {FFA36170-80B1-4535-B0E3-A4569E497DD0} [16:39 29/10/2008]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [06:39 26/08/2009]

    -=E.O.F=-
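
Added example, not part of the original post and not GooredFix's own code: a small parser for the log layout shown above. It lists each Firefox extension entry with its location and timestamp, then answers two triage questions: which entries are dated shortly before the log was made, and which extensions are registered through the registry. The function names and the 7-day window are assumptions made for illustration; the sample is the log from the post with blank lines dropped and quote spacing normalised.

```python
import re
from datetime import datetime, timedelta

# GooredFix log from the post above, blank lines dropped.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (06.12.09.1)
Log created at 21:58 on 26/12/2009 (Owner)
========== GooredLog ==========
C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:59 24/08/2008]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [02:17 10/09/2009]
C:\Users\Owner\Application Data\Mozilla\Firefox\Profiles\7x0oo5r7.default\extensions\
moveplayer@movenetworks.com [05:21 16/05/2009]
{20a82645-c095-46ed-80e3-08825760534b} [18:28 30/08/2009]
{AE93811A-5C9A-4d34-8462-F7B864FC4696} [04:39 23/09/2009]
{c45c406e-ab73-11d8-be73-000a95be3b12} [02:50 11/07/2009]
{FFA36170-80B1-4535-B0E3-A4569E497DD0} [16:39 29/10/2008]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [06:39 26/08/2009]
-=E.O.F=-
"""

FMT = "%H:%M %d/%m/%Y"  # day/month/year, as "26/12/2009" in this log shows
STAMP = r" \[(\d\d:\d\d \d\d/\d\d/\d{4})\]$"
FILE_ENTRY = re.compile(r"^(\S+)" + STAMP)
REG_ENTRY = re.compile(r'^"([^"]+?)\s*"\s*=\s*"(.*)"' + STAMP)

def parse(log):
    """Return (log_time, entries); entry = (location, ext_id, stamp, reg_path)."""
    when = re.search(r"Log created at (\d\d:\d\d) on (\d\d/\d\d/\d{4})", log)
    log_time = datetime.strptime(" ".join(when.groups()), FMT)
    entries, location = [], None
    for line in map(str.strip, log.splitlines()):
        if line.endswith("\\") or line.startswith("[HKEY"):
            location = line  # folder or registry key the next entries belong to
        elif m := REG_ENTRY.match(line):
            entries.append((location, m[1], datetime.strptime(m[3], FMT), m[2]))
        elif location and (m := FILE_ENTRY.match(line)):
            entries.append((location, m[1], datetime.strptime(m[2], FMT), None))
    return log_time, entries

def recent(log, days=7):
    """Entries whose timestamp falls within `days` before the log was created."""
    log_time, entries = parse(log)
    return [e for e in entries if log_time - e[2] <= timedelta(days=days)]

def registry_loaded(log):
    """(id, path) pairs for extensions registered under a registry Extensions key."""
    return [(e[1], e[3]) for e in parse(log)[1] if e[3] is not None]
```

On this log, `recent(SAMPLE_LOG)` returns an empty list: no entry is dated within a week of the scan.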
     
  15. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Nothing there...
    Delete GooredFix and the GooredFix Backups folder from the Desktop.

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2009/12/26
    gng2

    gng2 Inactive Thread Starter

    Joined:
    2009/12/25
    Messages:
    8
    Likes Received:
    0
    I wasn't able to click on the download links because I kept getting redirected, but I did a system restore on my computer and restored it to 5 days ago, before I got the virus. Everything works fine now! Thanks for your help!
     
  17. 2009/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I strongly recommend you still run those scans.
    Something may be hiding in the background.
    System restore rarely cures an infection.
     
