Old 06-18-2009, 08:45 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Google redirect virus

I seem to be infected by a virus which is similar to or the same as the "google redirect virus" that others have had. It doesn't happen every time, but often when I search on Google and click on one of the results, I get redirected to an alternative webpage (often an advertising page).

I am running Kaspersky Antivirus, which hasn't been able to find the virus. Also, I downloaded SuperAntiSpyware, which found some issues but didn't resolve this redirect problem.

Per the "new instructions" page for posting to this forum, I tried to download DDS and GMER. However, I was unable to run either one. The DDS script just produces a DOS-style pop-up box (see attached image file). The GMER program failed 3 times on me. The first and third times I got a "this program has closed unexpectedly" error. The second time gave me the blue screen of death. (I am running Vista).

Any help would be appreciated.

Okay, so I realize now my ignorance! Just have to let that pop-up box run for a while.

Here are the two DDS reports:

DDS.txt:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Chris Ruddell at 22:07:45.09 on Thu 06/18/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.875 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: MalwareRemovalBot *disabled* (Updated) {1A84E498-2492-4031-A358-94BEA4AD0BE2}
SP: Kaspersky Anti-Virus *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\System32\rundll32.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Chris Ruddell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Pando Media Booster] "c:\program files\pando networks\media booster\PMB.exe"
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpW3CSemanticInterpretationClass] regsvr32 /s /u "c:\users\chris ruddell\appdata\local\spw3csemanticinterpretation\SpW3CSemanticInterpretationClass.dll"
uRun: [DeploymentToolkit] regsvr32 /s /u "c:\users\chris ruddell\appdata\local\deployment\DeploymentToolkit.dll"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CognizanceTS] rundll32.exe c:\progra~1\bioscr~1\verisoft\bin\ASTSVCC.dll,RegisterModule
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chrisr~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\getright.lnk - c:\program files\getright\GetRight.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - c:\program files\drmremoval\YouTubeRipper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: APSHook.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\users\chrisr~1\appdata\roaming\mozilla\firefox\profiles\jo36sxs1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\users\chris ruddell\appdata\roaming\mozilla\firefox\profiles\jo36sxs1.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\users\chris ruddell\appdata\roaming\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-3-26 20496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2009-2-4 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2009-2-4 21504]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-6-11 23096]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-6-11 245760]

=============== Created Last 30 ================

2009-06-18 21:01 <DIR> --d----- c:\program files\Trend Micro
2009-06-18 19:08 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-18 19:08 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-18 19:07 <DIR> --d----- c:\program files\iPod
2009-06-18 19:07 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 19:07 <DIR> --d----- c:\program files\iTunes
2009-06-18 19:07 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 19:05 <DIR> --d----- c:\programdata\Apple Computer
2009-06-17 17:05 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-17 14:15 <DIR> --d----- c:\programdata\NOS
2009-06-17 11:20 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-17 11:20 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-17 11:19 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\SUPERAntiSpyware.com
2009-06-17 11:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-17 11:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-15 13:45 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\Malwarebytes
2009-06-15 13:45 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 13:45 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-15 13:45 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-15 13:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 13:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 13:28 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\MalwareRemovalBot
2009-06-14 14:23 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 14:23 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 14:23 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 14:23 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 14:23 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-11 12:51 <DIR> --d----- C:\Converted
2009-06-11 12:51 <DIR> --d----- C:\Big Whiskey and the GrooGrux King
2009-06-11 12:16 245,760 a------- c:\windows\system32\snmvtsvc.exe
2009-06-11 12:16 23,096 a------- c:\windows\system32\DrmRAudio.sys
2009-06-11 12:16 23,096 a------- c:\windows\system32\drivers\DrmRAudio.sys
2009-06-11 12:16 19,099 a------- c:\windows\system32\DrmRAudio.inf
2009-06-11 12:16 10,936 a------- c:\windows\system32\DrmRVideo.dll
2009-06-11 12:16 3,768 a------- c:\windows\system32\DrmRVideo.sys
2009-06-11 12:16 2,577 a------- c:\windows\system32\DrmRVideo.inf
2009-06-11 12:16 2,539 a------- c:\windows\system32\DrmRVideo.cat
2009-06-11 12:16 2,100 a------- c:\windows\system32\DrmRAudio.cat
2009-06-11 12:16 <DIR> --d----- c:\program files\DrmRemoval
2009-06-10 00:03 2,033,152 a------- c:\windows\system32\win32k.sys
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-21 16:46 815,104 a------- c:\windows\system32\xvidcore.dll
2009-05-21 16:46 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-05-21 16:46 77,824 a------- c:\windows\system32\xvid.ax
2009-05-21 16:46 <DIR> --d----- c:\program files\Xvid
2009-05-21 15:14 <DIR> --d----- c:\program files\SourceTec
2009-05-21 15:11 <DIR> --d----- c:\program files\common files\SourceTec
2009-05-20 13:05 329,752 a------- c:\windows\system32\drivers\iaStor.sys

==================== Find3M ====================

2009-06-18 21:15 4,244 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-18 21:14 5,884,960 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-18 21:11 49,152 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-18 21:09 925,728 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-18 19:03 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-18 19:03 86,016 a------- c:\windows\inf\infstor.dat
2009-06-18 19:03 51,200 a------- c:\windows\inf\infpub.dat
2009-06-04 10:07 13,401 a------- c:\users\chrisr~1\appdata\roaming\nvModes.dat
2009-05-20 12:55 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 12:55 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-14 10:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-09 00:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 00:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-03-31 15:35 17,160 a------- c:\windows\help\oem\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-30 17:30 17,160 a------- c:\windows\help\oem\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-07 19:32 174 a--sh--- c:\program files\desktop.ini
2009-03-07 19:23 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 22:08:44.33 ===============


Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 11/23/2007 11:03:16 PM
System Uptime: 6/18/2009 9:29:22 PM (1 hours ago)

Motherboard: Wistron | | 30CE
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | U2E1 | 2001/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 103 GiB total, 27.572 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 0.752 GiB free.
E: is FIXED (NTFS) - 1 GiB total, 0.911 GiB free.
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================


µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Able2Extract Professional v6.0
Ace DivX Player v2.1
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.1.2
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.7 (Unicode)
AuthenTec Fingerprint Sensor Minimum Install
Bible Data Type System Files
Bonjour
Bullzip PDF Printer 6.0.0.744
Common System Files
Conexant HD Audio
DrmRemoval 3.8.5
e-Sword
ESU for Microsoft Vista
FileZilla Client 3.2.4.1
GetRight
Google Toolbar for Internet Explorer
Google Video Uploader
GPL Ghostscript Lite 8.63
Graphical Query Editor
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.2
HP Total Care Advisor
HP Update
HP User Guides 0060
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
IDM Flash 4.4.0.459
ImgBurn
Intel® Matrix Storage Manager
ISO Recorder
iTunes
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6
Kaspersky Anti-Virus 2009
LAME v3.98.2 for Audacity
Libronix Digital Library System
Libronix DLS Application
LibronixUpdate
LightScribe 1.4.136.1
LLS Resource Driver
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIRC
Mozilla Firefox (3.0.11)
Mp3tag v2.42
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
My HP Games
NBC Direct
NetWaiting
NVIDIA Drivers
OEB Resource Driver
Paint.NET v3.36
Pando Media Booster
PDF Resource Driver
Playlist Creator 3
Print Artist 2003
PSSWCORE
QuickTime
Rhapsody Player Engine
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Sentence Diagramming
SierraAddressBook 3.0
Sothink FLV Player
Sprint media manager
SUPER © Version 2009.bld.35 (Jan 5, 2009)
SUPERAntiSpyware Free Edition
TomTom HOME 2.5.2.60
Touch Pad Driver
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmoiper
TurboTax 2008 wrapper
Ultra QuickTime Converter 3.2.0104
UnPacker 1,5,0,1909
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC_MergeModuleToMSI
VeriSoft Access Manager
Walmart Digital Photo Manager
win:viftool2 (remove only)
Windows Media Player Firefox Plugin
Xvid 1.2.1 final uninstall

==== End Of File ===========================
Attached Images
File Type: jpg dds popup.jpg (103.5 KB, 4 views)
cruddell001 is offline  

Old 06-22-2009, 09:45 AM   #2 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

*bump*
cruddell001 is offline  
Old 06-25-2009, 07:46 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

*bump**bump* (please help, somebody!)
cruddell001 is offline  
Old 06-25-2009, 12:34 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

Hello -

I'd like to try to get a GMER scan in.

Let's try this version of GMER.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Devices
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


If it still fails to run, try running the scan in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-25-2009, 01:11 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Okay - seemed to work that time. Strange. Attached is the ark.txt file.
Attached Files
File Type: txt ark.txt (860 Bytes, 3 views)
cruddell001 is offline  
Old 06-25-2009, 01:19 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

Well, that didn't help as much as I'd have liked it to.

Are the redirects in Firefox only? Do they happen in Internet Explorer also?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-25-2009, 01:29 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Well, I don't generally use Internet Explorer, but from what I can tell the problem seems limited to Firefox. Also, it primarily seems to happen when I search using the Google search bar on the top-right of Firefox, rather than going to google.com directly.
cruddell001 is offline  
Old 06-25-2009, 02:18 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

Let's see if this sheds any light on it.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 06-26-2009, 08:41 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Okay - that was a really quick scan, but it didn't give much. Here are the contents of the log it created:

GooredFix v1.92 by jpshortstuff
Log created at 09:41 on 26/06/2009 running Option #1 (Chris Ruddell)
Firefox version 3.0.11 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"flashplugin@idm"="C:\Users\Chris Ruddell\AppData\Roaming\IDM\bin\flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
cruddell001 is offline  
Old 06-26-2009, 09:19 AM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

I see you have HijackThis installed.


Copy Hosts File
  • Open HiJackThis
  • Click on the button " Open the Misc Tools section"
  • Click on the Box that says "Open hosts File Manager"
  • Click on the button "Open in Notepad"
  • Copy and paste the List from the notepad file into your post
  • If it's a large file, save it somewhere you can find it, and attach it in reply.

Also....please delete your existing copy of DDS, and download it again from one of the links below, run a new scan, and post the logs.

Download DDS from here or here.
tetonbob is offline  
Old 06-26-2009, 10:13 AM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Okay. Here is the HijackThis hosts log:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost


-------------------------------------------------------------

Here is the new dds.txt:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Chris Ruddell at 11:10:12.18 on Fri 06/26/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1114 [GMT -5:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: MalwareRemovalBot *disabled* (Updated) {1A84E498-2492-4031-A358-94BEA4AD0BE2}
SP: Kaspersky Anti-Virus *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\msfeedssync.exe
C:\Users\Chris Ruddell\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: VeriSoft Access Manager: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\bioscrypt\verisoft\bin\ItIEAddIn.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [SpW3CSemanticInterpretationClass] regsvr32 /s /u "c:\users\chris ruddell\appdata\local\spw3csemanticinterpretation\SpW3CSemanticInterpretationClass.dll"
uRun: [DeploymentToolkit] regsvr32 /s /u "c:\users\chris ruddell\appdata\local\deployment\DeploymentToolkit.dll"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CognizanceTS] rundll32.exe c:\progra~1\bioscr~1\verisoft\bin\ASTSVCC.dll,RegisterModule
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chrisr~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\sprint~1.lnk - c:\windows\RM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\getright.lnk - c:\program files\getright\GetRight.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - c:\program files\drmremoval\YouTubeRipper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: APSHook.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\users\chrisr~1\appdata\roaming\mozilla\firefox\profiles\jo36sxs1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\users\chris ruddell\appdata\roaming\mozilla\firefox\profiles\jo36sxs1.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\users\chris ruddell\appdata\roaming\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-3-26 20496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2009-2-4 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2009-2-4 21504]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2009-6-11 23096]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2009-6-11 245760]

=============== Created Last 30 ================

2009-06-19 14:54 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-06-19 14:54 <DIR> --d----- c:\program files\FileMaker
2009-06-19 13:42 <DIR> --d----- C:\backup filemaker pro
2009-06-19 13:36 <DIR> --d----- c:\programdata\FLEXnet
2009-06-18 21:01 <DIR> --d----- c:\program files\Trend Micro
2009-06-18 19:08 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-18 19:08 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-18 19:07 <DIR> --d----- c:\program files\iPod
2009-06-18 19:07 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 19:07 <DIR> --d----- c:\program files\iTunes
2009-06-18 19:07 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 19:05 <DIR> --d----- c:\programdata\Apple Computer
2009-06-17 17:05 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-17 14:15 <DIR> --d----- c:\programdata\NOS
2009-06-17 11:20 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-06-17 11:20 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-06-17 11:19 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\SUPERAntiSpyware.com
2009-06-17 11:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-17 11:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-15 13:45 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\Malwarebytes
2009-06-15 13:45 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 13:45 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-15 13:45 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-15 13:45 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 13:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 13:28 <DIR> --d----- c:\users\chrisr~1\appdata\roaming\MalwareRemovalBot
2009-06-14 14:23 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 14:23 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 14:23 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 14:23 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 14:23 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-11 12:51 <DIR> --d----- C:\Converted
2009-06-11 12:51 <DIR> --d----- C:\Big Whiskey and the GrooGrux King
2009-06-11 12:16 245,760 a------- c:\windows\system32\snmvtsvc.exe
2009-06-11 12:16 23,096 a------- c:\windows\system32\DrmRAudio.sys
2009-06-11 12:16 23,096 a------- c:\windows\system32\drivers\DrmRAudio.sys
2009-06-11 12:16 19,099 a------- c:\windows\system32\DrmRAudio.inf
2009-06-11 12:16 10,936 a------- c:\windows\system32\DrmRVideo.dll
2009-06-11 12:16 3,768 a------- c:\windows\system32\DrmRVideo.sys
2009-06-11 12:16 2,577 a------- c:\windows\system32\DrmRVideo.inf
2009-06-11 12:16 2,539 a------- c:\windows\system32\DrmRVideo.cat
2009-06-11 12:16 2,100 a------- c:\windows\system32\DrmRAudio.cat
2009-06-11 12:16 <DIR> --d----- c:\program files\DrmRemoval
2009-06-10 00:03 2,033,152 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-06-25 15:00 5,974,560 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-25 14:35 49,852 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-25 10:26 950,304 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-25 10:25 4,328 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-24 14:37 13,401 a------- c:\users\chrisr~1\appdata\roaming\nvModes.dat
2009-06-18 19:03 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-18 19:03 86,016 a------- c:\windows\inf\infstor.dat
2009-06-18 19:03 51,200 a------- c:\windows\inf\infpub.dat
2009-05-20 12:55 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-05-20 12:55 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-05-14 10:27 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-09 00:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 00:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-03-31 15:35 17,160 a------- c:\windows\help\oem\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-30 17:30 17,160 a------- c:\windows\help\oem\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-07 19:32 174 a--sh--- c:\program files\desktop.ini
2009-03-07 19:23 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 11:12:08.31 ===============


----------------------------------------------------------------------

And here is the new attach.txt:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 11/23/2007 11:03:16 PM
System Uptime: 6/26/2009 11:02:42 AM (0 hours ago)

Motherboard: Wistron | | 30CE
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | U2E1 | 2001/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 103 GiB total, 24.203 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 0.752 GiB free.
E: is FIXED (NTFS) - 1 GiB total, 0.911 GiB free.
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================


µTorrent
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Able2Extract Professional v6.0
Ace DivX Player v2.1
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 9.1.2
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.7 (Unicode)
AuthenTec Fingerprint Sensor Minimum Install
Bible Data Type System Files
Bonjour
Bullzip PDF Printer 6.0.0.744
Common System Files
Conexant HD Audio
DrmRemoval 3.8.5
e-Sword
ESU for Microsoft Vista
FileMaker Pro 9
FileZilla Client 3.2.4.1
GetRight
Google Toolbar for Internet Explorer
Google Video Uploader
GPL Ghostscript Lite 8.63
Graphical Query Editor
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.2
HP Total Care Advisor
HP Update
HP User Guides 0060
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
IDM Flash 4.4.0.459
ImgBurn
Intel® Matrix Storage Manager
ISO Recorder
iTunes
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6
Kaspersky Anti-Virus 2009
LAME v3.98.2 for Audacity
Libronix Digital Library System
Libronix DLS Application
LibronixUpdate
LightScribe 1.4.136.1
LLS Resource Driver
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIRC
Mozilla Firefox (3.0.11)
Mp3tag v2.42
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
My HP Games
NBC Direct
NetWaiting
NVIDIA Drivers
OEB Resource Driver
Paint.NET v3.36
Pando Media Booster
PDF Resource Driver
Playlist Creator 3
Print Artist 2003
PSSWCORE
QuickTime
Rhapsody Player Engine
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Sentence Diagramming
SierraAddressBook 3.0
Sothink FLV Player
Sprint media manager
SUPER © Version 2009.bld.35 (Jan 5, 2009)
SUPERAntiSpyware Free Edition
TomTom HOME 2.5.2.60
Touch Pad Driver
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wmoiper
TurboTax 2008 wrapper
Ultra QuickTime Converter 3.2.0104
UnPacker 1,5,0,1909
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC_MergeModuleToMSI
VeriSoft Access Manager
Walmart Digital Photo Manager
win:viftool2 (remove only)
Windows Media Player Firefox Plugin
Xvid 1.2.1 final uninstall

==== End Of File ===========================
cruddell001 is offline  
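The hosts file quoted in the post above is clean, but the reason a helper asks for it is that redirect malware often edits exactly this file. As an added example (not part of the thread and not the helper's tool), here is a Python checker for the HOSTS format described in that file's own header comments: it parses each mapping line and flags names pinned to loopback or pointed at a real address. The sample file is constructed: its first lines mirror the post, the two lines after the marker are made-up tampering; the watch list and classification rules are my own assumptions.

```python
"""Added example, not from the thread: a checker for the Windows HOSTS file
format quoted in the post above. Flagging rules are my own assumptions."""
import ipaddress

# A clean Windows HOSTS file maps names only to loopback/unspecified addresses.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Name fragments worth a second look when they appear at all, because
# redirect/blocker malware commonly pins search, update and AV sites
# to loopback or to an address of its own choosing (assumed list).
WATCH = ("google.", "bing.", "kaspersky", "superantispyware",
         "malwarebytes", "microsoft.", "windowsupdate")

# Constructed sample: the first lines mirror the clean file in the post,
# the two lines after the marker are made-up tampering for the demo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
::1 localhost
# --- constructed tampered lines, not from the thread ---
127.0.0.1 www.kaspersky.com  # update checks now fail silently
192.0.2.10 www.google.com    # searches land on someone else's server
"""


def parse_hosts(text):
    """Return (lineno, ip, hostnames) per mapping line, following the
    rules in the file's own header: IP first, names after, '#' starts a
    comment anywhere on the line. ip is None when the first column does
    not parse as an address (the whole line is then kept as the names)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            ip = None
        entries.append((lineno, ip, parts[1:] if ip else parts))
    return entries


def find_suspicious(text):
    """Classify each mapping: 'malformed', 'redirect' (a name pointed at a
    real address) or 'blocked' (a watched site pinned to loopback)."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "malformed", " ".join(names)))
            continue
        for name in names:
            lname = name.lower()
            if lname == "localhost" or lname.endswith(".localdomain"):
                continue
            if ip not in LOOPBACK:
                findings.append((lineno, "redirect", f"{name} -> {ip}"))
            elif any(w in lname for w in WATCH):
                findings.append((lineno, "blocked", f"{name} -> {ip}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in find_suspicious(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {detail}")
```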
Old 06-26-2009, 10:31 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

I see you have Malwarebytes' AntiMalware installed.

Please update its definitions, and run a new Quick Scan.
  • Launch Malwarebytes' Antimalware
  • On the updates tab, click on Check for Updates
  • If an update is found, it will begin. Once the update is complete..
  • Click on the Scanner tab. Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

===================================

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\users\chris ruddell\appdata\local\spw3csemanticinterpretation\SpW3CSemanticInterpretationClass.dll

  • Then click the "Send File " button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.

  • Please visit this site:

    http://www.bleepingcomputer.com/subm...php?channel=28

  • In the Link to topic where this file was requested: area, copy and paste this


    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/386868-google-redirect-virus.html#post2209404

  • In the Browse to the file you want to submit: area, copy and paste this

    c:\users\chris ruddell\appdata\local\spw3csemanticinterpretation\SpW3CSemanticInterpretationClass.dll

  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and let me know.
tetonbob is offline  
Old 06-26-2009, 01:45 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Okay. Attached are the two Malwarebytes logs (one before I clicked 'remove selected' and one after it removed the items).

Also, I've attached the output from the VirusTotal page. The formatting was screwy when I tried to copy and paste, so I just printed the results page to a PDF and attached that file.

Also, I've submitted the file to Bleeping Computer.

Thanks

---

Okay, it looks like I'll have to attach the VirusTotal pdf in the next reply, since I can only upload a max of 2 files at a time.
Attached Files
File Type: txt mbam-log-2009-06-26 (11-41-58).txt (2.1 KB, 1 views)
File Type: txt mbam-log-2009-06-26 (11-42-59).txt (2.3 KB, 1 views)
cruddell001 is offline  
Old 06-26-2009, 01:48 PM   #14 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Here is the other report.
cruddell001 is offline  
Old 06-26-2009, 02:19 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

I'm not having much success identifying this registry entry and file:

uRun: [SpW3CSemanticInterpretationClass] regsvr32 /s /u "c:\users\chris ruddell\appdata\local\spw3csemanticinterpretation\SpW3CSemanticInterpretationClass.dll"

There appears to be no version info available to tell me what company it's from.

I see you have some language and library applications installed. Could it be part of one of those?

Are you still being redirected? What if you don't use the Search Engines window in the upper right of Firefox, but just the main Google search in a new tab?

Can you capture a screenshot of a redirect as it occurs, please?
tetonbob is offline  
Old 06-26-2009, 03:01 PM   #16 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Okay. I tried a few things and learned a few things.

1) The problem is not limited to the Google toolbar search, but also occurs from the normal Google search page.

2) The file you are asking about is not something I'm familiar with. But, it's the only file in that folder, and the folder and file were both created on 6/11/09. I don't remember installing any significant software then, but that's probably about how long the Google redirect problem has been going on.

3) I captured the Google redirect problem in action. Since the toolbar causes the problem more frequently, I was able to get the capture using that method. I tried the normal Google search a few times first, but it seemed to be working fine those times. (Although before I started the capture I saw the redirect occur through the normal iGoogle homepage.) Unfortunately, the video capture I created is nearly 18 MB, so it's too big to upload to this thread. So, I opened an account at a free file-sharing website, and you should be able to get to the file at this link:

http://www.4shared.com/file/11433062..._15_42_14.html

If that doesn't work, let me know and I'll try something else. I did try zipping it, but the zip file was still 8 MB, double the size limit allowed on this forum.
cruddell001 is offline  
Old 06-26-2009, 03:41 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Update: I also just completed a full file search of C:\ for "spw3c*.*". The only two things that came up were the dll file and the folder containing it.
cruddell001 is offline  
Old 06-26-2009, 03:47 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

Unfortunately, the video is very blurry, and I can't see enough detail. What would be good to know are the URLs showing in the Status bar on the lower left.

I'd like a simple screen grab if possible.

Since you don't know what created that startup, it seems to have arrived at the same time your troubles started, and it's flagged as suspicious by a couple scanners, I'd like to remove it.

As you have HijackThis on the machine already, we'll use it, so it can create a backup. First.....

Open HijackThis (right click on HijackThis.exe and select "Run as an Administrator") and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
tetonbob is offline  
Old 06-26-2009, 04:05 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 22
OS: Vista


Re: Google redirect virus

Weird. The avi file looks clean on my computer. Did you try downloading it or just viewing it on the website's video viewer? Anyway, I went as close to frame-by-frame as I could in Windows Media Player, and found the following displayed in the lower-left of Firefox while the redirect was happening. The first entry I believe was simply when the mouse was over the link, and the 2nd entry was when I clicked on the link.


--------------------------------------------------

The hijackthis logfile is attached.
Attached Images
File Type: jpg screen capture.jpg (483.0 KB, 3 views)
Attached Files
File Type: txt hijackthis.txt (10.2 KB, 1 views)

Last edited by tetonbob; 06-26-2009 at 04:09 PM. Reason: removed URLs
cruddell001 is offline  
Old 06-26-2009, 04:14 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,564
OS: 2000 Pro; XP Pro; XP Home


Re: Google redirect virus

Ah, yes...I was using the site's player. Much better viewed locally. I've saved and edited out the URLs you posted. Thanks.

Please upload this file to the same site as before

C:\Users\Chris Ruddell\AppData\Local\Deployment\DeploymentToolkit.dll

http://www.bleepingcomputer.com/subm...php?channel=28


================================

Open HijackThis by right clicking on it, and selecting Run As Administrator.

Click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O4 - HKCU\..\Run: [SpW3CSemanticInterpretationClass] regsvr32 /s /u "C:\Users\Chris Ruddell\AppData\Local\SpW3CSemanticInterpretation\SpW3CSemanticInterpretationClass.dll"
O4 - HKCU\..\Run: [DeploymentToolkit] regsvr32 /s /u "C:\Users\Chris Ruddell\AppData\Local\Deployment\DeploymentToolkit.dll"


Close HijackThis now.

---------------------------------------------------------------------------------------------


Please now rename, do not delete, these files.

C:\Users\Chris Ruddell\AppData\Local\SpW3CSemanticInterpretation\SpW3CSemanticInterpretationClass.dll
C:\Users\Chris Ruddell\AppData\Local\Deployment\DeploymentToolkit.dll

Add a .old extension to them. It should render them inert, and allow us to see if that has the desired effect.

Open HijackThis (right click on HijackThis.exe and select "Run as an Administrator") and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
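A way to triage O4 lines like the two above automatically, as an added example that is not from this thread, from HijackThis or from the forum's helpers: it parses HijackThis O4 entries, flags any that launch regsvr32 from a Run key, and notes when the DLL sits in a user-writable directory or is loaded with /u. The sample log holds the two O4 lines from this post plus one constructed benign entry; the list of user-writable directories is an assumption.

```python
import re
from dataclasses import dataclass, field

# HijackThis O4 line format: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# regsvr32, optional switches, then a quoted or bare path ending in .dll
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+(?P<switches>(?:/\w+\s+)*)"?(?P<dll>[^"]+?\.dll)"?\s*$', re.I)
# Assumed list of directories an ordinary user can write to (not from the thread)
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\', '\\downloads\\')

# Sample log: the two O4 lines from this post plus one constructed benign entry
SAMPLE_LOG = [
    'O4 - HKCU\\..\\Run: [SpW3CSemanticInterpretationClass] regsvr32 /s /u '
    '"C:\\Users\\Chris Ruddell\\AppData\\Local\\SpW3CSemanticInterpretation\\SpW3CSemanticInterpretationClass.dll"',
    'O4 - HKCU\\..\\Run: [DeploymentToolkit] regsvr32 /s /u '
    '"C:\\Users\\Chris Ruddell\\AppData\\Local\\Deployment\\DeploymentToolkit.dll"',
    'O4 - HKLM\\..\\Run: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide',  # constructed
]

@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)

def parse_o4(line):
    """Return an O4Entry for a HijackThis O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return O4Entry(m['hive'], m['key'], m['name'], m['cmd']) if m else None

def assess(entry):
    """Attach a reason for every suspicious trait found in a regsvr32 autorun."""
    m = REGSVR_RE.search(entry.command)
    if not m:
        return entry
    switches = m['switches'].lower().split()
    dll = m['dll']
    entry.reasons.append('regsvr32 is launched from a %s\\%s key' % (entry.hive, entry.key))
    if any(d in dll.lower() for d in USER_WRITABLE):
        entry.reasons.append('DLL lives in a user-writable directory: ' + dll)
    if '/u' in switches:
        # /u makes regsvr32 call DllUnregisterServer, so the DLL's code still runs at each logon
        entry.reasons.append('/u switch: DllUnregisterServer executes at every logon')
    return entry

def triage(log_lines):
    """Return the O4 entries that collected at least one reason."""
    return [e for e in map(parse_o4, log_lines) if e and assess(e).reasons]
```

Running `triage` over a full HijackThis log gives the short list of autoruns worth the kind of look tetonbob is taking here; entries with no reasons are left out.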
Copyright 2001 - 2009, Tech Support Forum