Browser gets redirected to another web site

[tobias2000]

My Firefox and IE browsers get redirected intermittently to a different website other than the intended link I click on in a Google search results page. I also am unable to perform any windows updates from the microsoft website.

Can you help me?


DDS (Ver_09-09-29.01) - NTFSx86
Run by Toby Choy at 16:10:47.10 on 10/08/09
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.834 [GMT -7:00]

AV: avast! antivirus 4.8.1229 [VPS 091008-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Vinade\Reminder\Reminder.exe
C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\GridVista\GridVistaU.exe
C:\Program Files\SyncBack\SyncBack.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird 3 Beta 1\thunderbird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Siber Systems\AI RoboForm\Passcards.exe
C:\Documents and Settings\Toby Choy\My Documents\Downloads\dds(5).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ebay.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {7C7A8947-5935-4430-AC0E-E7D04697414E} - No File
BHO: {9aa2f14f-e956-44b8-8694-a5b615cdf341} - NOW!Imaging
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: metaspinner GmbH: {cd9b7762-dfbc-42b1-bb30-02a78287b456} - c:\progra~1\pricep~1\pricep~1\IEBUTT~2.DLL
BHO: metaspinner GmbH: {e9e027bf-c3f3-4022-8f6b-8f6d39a59684} - c:\progra~1\pricep~1\pricep~1\IEBUTT~1.DLL
TB: NVRIEbar.IEbar: {bcbf738c-4891-4b9a-959a-c6bf7f608c3a} - c:\program files\naturalsoft\naturalreader\NVRIEBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {D79559E8-9991-41C5-AA2B-A96EC766F43F} - No File
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {335F0F8C-A84A-4A83-8F7D-F98462C32492} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [pdfSaver3] "c:\program files\pdf\pdfsaver\pdfSaver3.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Vinade Reminder] c:\program files\vinade\reminder\Reminder.exe
uRun: [WinMem] c:\program files\wincleaner memory optimizer\WinMemOpt.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Ink Monitor] c:\program files\epson\ink monitor\InkMonitor.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Dgesijegohew] rundll32.exe "c:\windows\efisodamape.dll",Startup
mRun: [ZoneAlarm Client] "c:\program files\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\tobych~1\startm~1\programs\startup\gridvi~1.lnk - c:\program files\gridvista\GridVistaU.exe
StartupFolder: c:\docume~1\tobych~1\startm~1\programs\startup\syncback.lnk - c:\program files\syncback\SyncBack.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iomega~1.lnk - c:\program files\iomega quiksync 3\quiksync3.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech Desktop Messenger.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Logitech SetPoint.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE:
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar3.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
IE: Add to AMV Converter... - c:\program files\diablotek mp3 player utilities 4.09\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\diablotek mp3 player utilities 4.09\mediamanager\grab.html
IE: Backward Links - c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar3.dll/cmcache.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: eBay - Home Page - c:\program files\pricepirates\pricepirates\SearchEbay.htm
IE: eBay - My eBay - c:\program files\pricepirates\pricepirates\SearchEbaymein.htm
IE: eBay - Powersearch - c:\program files\pricepirates\pricepirates\SearchEbaypower.htm
IE: eBay - Start Search - c:\program files\pricepirates\pricepirates\SearchEbay.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google - Search - c:\program files\pricepirates\pricepirates\SearchGoogle.htm
IE: Google - Start Search - c:\program files\pricepirates\pricepirates\SearchGoogle.htm
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Similar Pages - c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar3.dll/cmtrans.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {350F4DA2-3886-4BB8-A1A8-D7F57B56DFFF} - c:\program files\pricepirates\pricepirates\preispiraten3ie.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68}
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.7204861111
DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tobych~1\applic~1\mozilla\firefox\profiles\bolkzr6u.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_03050024.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows

presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25} - c:\documents and settings\toby choy\local settings\application

data\{FF49E9A1-1B43-4089-B5E9-0F0CAC39FE25}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-10 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-12 78416]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-2-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2006-6-9 74480]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-15 353672]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-9-25 464264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-5-12 147640]
R2 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]
R2 MSSQL$AUCTIONI;SQL Server (AUCTIONI);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-5-12 348344]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-5-12 250040]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-09-25 11:30 <DIR> --d----- c:\program files\AskBarDis
2009-09-23 19:20 120 a------- c:\windows\Wnuqanerulatoqez.dat
2009-09-23 19:20 0 a------- c:\windows\Xmaledes.bin
2009-09-18 10:06 <DIR> --ds---- C:\ComboFix
2009-09-18 09:16 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-18 08:59 <DIR> --d----- c:\windows\ERUNT
2009-09-17 20:38 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-16 16:20 <DIR> --d-h--- C:\RD4B335D2AF9F44185AFC417F8D8D4B473DR
2009-09-16 01:59 <DIR> a-dshr-- C:\cmdcons
2009-09-16 01:57 389,120 a------- c:\windows\system32\CF13744.exe
2009-09-10 23:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-09-10 17:11 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-10 17:09 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-09 03:36 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-08 15:13 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-10-08 15:13 56,680 a------- c:\windows\system32\rpcnet.dll
2009-10-08 15:13 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-10-08 15:13 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-10-06 09:25 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-09-25 11:29 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-04 09:21 81,208 a------- c:\docume~1\tobych~1\applic~1\GDIPFONTCACHEV1.DAT
1758-07-03 19:09 4,263 ---sh--- c:\windows\windllreg1c.sys
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 16:14:21.18 ===============

[tetonbob]

Hello -

It appears as though you've run ComboFix.

A Reminder....

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'

Quote:

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix

If ComboFix ran to completion, it should have produced a log, located at C:\ComboFix.txt Please post it.

[tobias2000]

Hello, this issue has been resolved. You may now close or remove the case. Thank you for your response.

[tetonbob]

Thanks for letting me know.

I see you were able to get this resolved on another forum. That's fine, but you've known for a few days you were receiving help elsewhere. The courteous thing to do would have been to return immediately upon receiving help elsewhere to let us know, so I could help someone else here. I take a limited number of topics at a time. Malware removal assistance is a time consuming and difficult process.

From our pre-posting topic, which you should have read in it's entirety:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.

Since this issue appears to be resolved, this topic will now be closed.