
Google Redirect Problem: Please Help



#1 pianoplayer07 (Member, 48 posts)
Hello all!

A newbie to Geeks to Go here.

So today I was browsing some links in Google and when I click on some of them they redirect to a completely different website than what I want. Other than that I haven't noticed any other problems, other than a very slightly decreased performance speed in my browser. I scanned my computer with Microsoft Security Essentials, which is my anti-virus program (I've found it to be much better and more reliable in real time than AVG). It detected several infected files, but even after fixing the issues it detected, I am still having the redirect problem. Also, I did a scan with Malwarebytes; however, it didn't detect anything. I've also run tdsskiller, and it didn't show anything either. Like I said, after doing all of this, cleaning my computer with CCleaner and all, I'm still having this problem. I've downloaded HijackThis and run a scan. The results are as follows:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:28:41 PM, on 9/12/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\SysWOW64\IoctlSvc.exe
C:\Program Files (x86)\DELL\DELL Webcam Manager\DellWMgr.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Windows\OEM02Mon.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DELL Webcam Manager] "C:\Program Files (x86)\DELL\DELL Webcam Manager\DellWMgr.exe" /s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBOA.EXE /FU "C:\Windows\TEMP\E_S6854.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\SysWOW64\IoctlSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9864 bytes

Please, any help in ridding my computer of this nasty bug would be greatly appreciated. I always use safe browsing methods and don't really know how this got onto my machine, but it seems like websites these days contain so many malicious popups and things that it's an inevitable situation. :)

Thank you guys and looking forward to a quick response!

-Marcus

Edited by pianoplayer07, 12 September 2010 - 05:38 PM.

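Reading a HijackThis log like the one above is the first job in a thread like this. As an added example (my own code, not from the thread, from Trend Micro or from Geeks to Go), here is a Python pass over a constructed excerpt of that log: it flags AppInit_DLLs and browser add-ons for review, marks autorun entries outside the usual install directories as suspicious, and labels the "(file missing)" System32 services as the artefact of a 32-bit scanner running on 64-bit Windows. The rules, the Finding type and the single autorun line tagged CONSTRUCTED are assumptions of the example, not anything found on the poster's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above, plus ONE
# made-up O4 entry (tagged CONSTRUCTED) so the autorun-path rule has something to flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CONSTRUCTED] "C:\Users\someone\AppData\Local\Temp\updater.exe" /s
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section code: R0/R1, F2, O2 ... O23.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Service body: "... - <owner> - C:\path\to\binary.exe [(file missing)]"
SVC_RE = re.compile(r"- ([A-Za-z]:\\.*?)\s*(\(file missing\))?$")
# Where autorun entries of a stock Windows/OEM install normally live (assumption of this example).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "c:\\programdata\\",
                    "%programfiles%", "%systemroot%")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "suspicious", "review" or "info"
    reason: str
    raw: str


def exe_path(body: str) -> str:
    """Extract the executable from an O4 body: '[Name] "C:\\x.exe" -flag' or '[Name] C:\\x.exe /flag'."""
    after = body.split("]", 1)[1].strip() if "]" in body else body
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]
    # Unquoted path: stop at the first " /flag", " -flag" or " (User ...)" trailer.
    return re.split(r"\s+[/(-]", after, maxsplit=1)[0]


def is_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the entries a reviewer should look at, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3"):
            # BHOs and toolbars run inside the browser; confirm the CLSID and the DLL's vendor.
            findings.append(Finding(sec, "review", "browser add-on: confirm the DLL's vendor", body))
        elif sec == "O4":
            path = exe_path(body)
            if not is_trusted_dir(path):
                findings.append(Finding(sec, "suspicious",
                                        f"autorun outside Windows/Program Files: {path}", body))
        elif sec == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding(sec, "review", "AppInit_DLLs entry: identify the DLL's owner", body))
        elif sec == "O23":
            svc = SVC_RE.search(body)
            if svc and svc.group(2):
                if svc.group(1).lower().startswith("c:\\windows\\system32"):
                    # A 32-bit HijackThis on 64-bit Windows is redirected to SysWOW64, so genuine
                    # System32 binaries are reported as "(file missing)".
                    findings.append(Finding(sec, "info",
                                            "System32 'file missing' is the WOW64 redirection "
                                            "artefact; confirm with a 64-bit-aware scan", body))
                else:
                    findings.append(Finding(sec, "review", "service binary reported missing", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.reason}")
```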

#2 NeonFx (Malware Removal Dude, Expert, 3,797 posts)
Hello there :) Welcome to the GeeksToGo forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Make sure Include 64bit Scans is checked.
  • Under Basic Scans please change the radio button under Registry from Safe List to All.
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. To do so click on the blue "Add Reply" button and click on the "Browse.." button under "Manage Current Attachments"

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:


  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.


#3 pianoplayer07 (Topic Starter, Member, 48 posts)
Here is the OTS file from step one...

Attached file: OTS.Txt (158.05 KB)


#4 pianoplayer07 (Topic Starter, Member, 48 posts)
And here are the results from the MBRCheck:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Inspiron 1720
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 172):

Processes (total 61):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`0bb00000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-75ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

Edited by pianoplayer07, 12 September 2010 - 08:39 PM.


#5 NeonFx (Malware Removal Dude, Expert, 3,797 posts)
A couple of questions:

Do you have any other computers connected to the same network and are they experiencing the same symptoms?

What is the make and model of your router?

Do you notice the symptoms in both Internet Explorer and Firefox?


Please update MalwareBytes and run a full scan. Attach the results here for me.


Is there any way you could get me the results of the MSE scan that found some stuff earlier?

#6 pianoplayer07 (Topic Starter, Member, 48 posts)
I do have a desktop computer connected as well; however, it is an older Dell Dimension 2400 that we rarely use anymore because it is just so outdated performance-wise. An interesting note to make here is that the only time I am experiencing the redirect is just on a few links in Google. Everything else seems to link fine, although like I said I've noticed just a very slight decrease in browsing performance. These symptoms are occurring on both computers and browsers. That's why I am confused about whether there really is anything still lurking on my computer.

The model of the router is an actiontec gt724wgr.

I've attached the MSE report history. It includes all of the things detected since this began happening. Note that I ran a scan yesterday (Sept. 12) and it found 2 new files, but since then I haven't run a new scan and no alerts have come up.

I will run both an MSE scan and a Malwarebytes scan with the latest updates right now, and when those are completed I'll post the results.

Thanks for all your help so far.

Attached image: MSE Report.PNG


#7 NeonFx (Malware Removal Dude, Expert, 3,797 posts)
Alright, that confirms my suspicion. The infection probably lies on the router itself.

Along with the results of those two scans, please try resetting the router to its factory defaults:

"To reset a 'GT' Series Router, Gateway or Wireless Access Point, begin with the unit powered up and with a solid Green Power light. Then using a small tool depress and hold the Reset button on the back of the device just until you see the color of the Power light change from Green to Amber. Be sure to release the Reset button before the Power light turns Red.
The length of time that the Reset button must be held to accomplish the reset varies from model to model, but as long as the Reset button is released while the power light is Amber the Reset will be successful."

http://www.actiontec...ails.php?pid=73

Please note that this will reset any configurations on the device, such as wireless settings and passwords as well as the administrator password and any port forwarding rules you may have set. These will need to be reset manually. Let me know if you need any help with that. You can also use the support page I linked you to as it has manuals and other resources for your device.

#8 pianoplayer07 (Topic Starter, Member, 48 posts)
Okay, I ran both scans and no threats were detected. The results of the MalwareBytes scan are:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4607

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/13/2010 11:49:31 AM
mbam-log-2010-09-13 (11-49-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 270426
Time elapsed: 1 hour(s), 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I reset the router as well. From what I can tell all seems to be working correctly. Therefore I'm assuming the threats that were detected via MSE are all gone from my computer as well? It always worries me because sometimes I'll think they are gone but the thought that there may still be something I don't know about always lingers. Darn these little boogers that send this crap out! haha

Edited by pianoplayer07, 13 September 2010 - 01:45 PM.


#9 NeonFx (Malware Removal Dude, Expert, 3,797 posts)
You shouldn't worry too much about what MSE found. They're all basically half infections, droppers that never got the chance to truly infect your system. There are very few viruses that work on 64-bit machines, which is why I thought your router was most likely the device that got infected instead of this system.


STEP 1

Run OTS

  • Under the Paste Fix Here box on the right, paste in the contents of the following code box

[Kill All Processes]
[Unregister Dlls]
[Empty Temp Folders]
[EmptyFlash]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


STEP 2

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.



2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.


The program will then begin downloading and installing and will also update the database.


Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

  • 0

#10
pianoplayer07

pianoplayer07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Here are the contents of step 1:

All Processes Killed
[Empty Temp Folders]


User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Marcus
->Temp folder emptied: 712771 bytes
->Temporary Internet Files folder emptied: 764204 bytes
->Java cache emptied: 140492 bytes
->FireFox cache emptied: 117189836 bytes
->Flash cache emptied: 38956 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 257578 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 114.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Marcus
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.37.0 fix logfile created on 09132010_211301

Files\Folders moved on Reboot...
C:\Users\Marcus\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Marcus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RJ20B692\31[1].png moved successfully.

Registry entries deleted on Reboot...


I'm working on step 2 right now, results in a bit.
  • 0

#11
pianoplayer07

pianoplayer07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
And attached is the Kaspersky report. No threats were found.

Attached Files


  • 0

#12
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,797 posts
I'm glad to hear it. Make sure you set an administrator password on your router, as keeping it at its default could have been the reason it got infected this time.


Ready for my cleanup instructions?
  • 0

#13
pianoplayer07

pianoplayer07

    Member

  • Topic Starter
  • Member
  • PipPip
  • 48 posts
Ready Freddy. :)
  • 0

#14
NeonFx

NeonFx

    Malware Removal Dude

  • Expert
  • 3,797 posts
Excellent. Let's clean up.


STEP 1

To clean up OldTimer's tools, along with a few others, do the following:

  • Run OTS.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"

STEP 2

Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)

You might want to keep MalwareBytes AntiMalware though and that's fine :) Make sure you update it before you run the scans in the future.

All Clean

Congratulations, your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to (Start) > (All) Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates


Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

Read further information HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.



Let me know if there's anything else I can do for you.
  • 0
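Two of the follow-up items above (Automatic Updates being configured, and the router being the suspected source of the redirects) can be checked from the PC itself. The script below is an added example for this thread and is not code from NeonFx, OTS, Malwarebytes or any other tool mentioned; it targets the Windows 7 era, so it uses the Windows Update Agent COM object and WMI rather than newer cmdlets. The LAN address prefixes in $ExpectedDnsPrefixes are an assumption about a typical home network and should be edited to match your own router's address.

```powershell
# Added example (not from the thread): post-cleanup checks for a Windows 7-era PC.
#  1. Is Automatic Updates set to install on a schedule? (Microsoft.Update.AutoUpdate COM API)
#  2. Which DNS servers does each adapter use? After changing the router password,
#     compare these with the addresses the router's status page shows; a server that
#     is neither your router nor your ISP's is worth investigating.

# Assumption: the router sits on a private LAN. Edit to match your network.
# Note: '172.16.' only covers 172.16.x.x, not the whole 172.16-31 private range.
$ExpectedDnsPrefixes = @('192.168.', '10.', '172.16.')

function Get-AutoUpdateStatus {
    # NotificationLevel values documented for IAutomaticUpdatesSettings:
    # 0 = not configured, 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled install
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $levels = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Notify before install'
        4 = 'Scheduled install (recommended)'
    }
    $level = [int]$settings.NotificationLevel
    [PSCustomObject]@{
        NotificationLevel = $level
        Description       = $levels[$level]
        Ok                = ($level -eq 4)
    }
}

function Get-DnsCheck {
    # Win32_NetworkAdapterConfiguration is available on Windows 7 without the DnsClient module.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            $adapter = $_
            foreach ($dns in @($adapter.DNSServerSearchOrder)) {
                if (-not $dns) { continue }
                $onLan = $false
                foreach ($prefix in $ExpectedDnsPrefixes) {
                    if ($dns.StartsWith($prefix)) { $onLan = $true }
                }
                [PSCustomObject]@{
                    Adapter   = $adapter.Description
                    DnsServer = $dns
                    # $true when the server is on the LAN (normally the router itself);
                    # $false means a remote resolver, which should match your ISP's addresses
                    OnLan     = $onLan
                }
            }
        }
}

Get-AutoUpdateStatus
Get-DnsCheck | Format-Table -AutoSize
```

Run it from a normal PowerShell prompt; neither check needs elevation. A NotificationLevel other than 4 means the "Setting up Automatic Updates" step above is still outstanding, and any DnsServer with OnLan set to $false should appear in the router's own DNS or WAN settings, otherwise the machine is resolving names through a server nobody configured.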
