
advice please - malware

  • 11-09-2010 11:01pm
    #1
    Registered Users, Registered Users 2 Posts: 101 ✭✭


    Hi
    Can anyone advise how to get rid of this virus/malware? I keep getting directed to crappy ad sites (gomeo/blinx) any time I search from Google. Ran all the checks listed in the sticky (Malwarebytes, SUPERAntiSpyware etc.), found 7/8 trojans and deleted them, but I'm still getting hijacked in Google. Any help appreciated as I'm not very PC techy. Will post logs below (sorry if they are not the correct ones).

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 4584
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18943
    09/09/2010 23:52:25
    mbam-log-2010-09-09 (23-52-25).txt
    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 288781
    Time elapsed: 1 hour(s), 6 minute(s), 49 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 4
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 6
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\Users\john\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\YXE7DXCQ37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metropolis (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxe7dxcq37 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Users\john\AppData\Local\Temp\aermswoxcn.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Users\john\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
    C:\Users\john\Templates\memory.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Users\john\AppData\Local\Temp\Ufn.exe (Trojan.FakeAlert) -> Delete on reboot.

    DDS (Ver_10-03-17.01)
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 25/03/2008 10:58:06
    System Uptime: 09/11/2010 23:35:36 (-1416 hours ago)
    Motherboard: FOXCONN | | Irvine
    Processor: Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz | Socket 775 | 2400/200mhz
    ==== Disk Partitions =========================
    C: is FIXED (NTFS) - 455 GiB total, 204.412 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 1.394 GiB free.
    E: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is FIXED (NTFS) - 149 GiB total, 134.588 GiB free.
    ==== Disabled Device Manager Items =============
    ==== System Restore Points ===================
    RP1357: 06/09/2010 18:54:12 - Scheduled Checkpoint
    RP1359: 09/09/2010 20:17:17 - Scheduled Checkpoint
    RP1361: 10/09/2010 21:28:45 - Scheduled Checkpoint
    RP1363: 11/09/2010 17:03:49 - Scheduled Checkpoint
    RP1364: 11/09/2010 23:31:49 - Automatic Restore Point
    ==== Installed Programs ======================

    AAC Decoder
    AC3Filter (remove only)
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    AVG Free 9.0
    Bonjour
    Canon Easy-WebPrint EX
    Canon MP Navigator EX 3.0
    Canon MP270 series MP Drivers
    DS (Ver_10-03-17.01) - NTFSx86
    Run by john at 23:43:15.77 on 11/09/2010
    Internet Explorer: 8.0.6001.18943
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3325.2118 [GMT 1:00]
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    ============== Running Processes ===============
    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe


Comments

  • Registered Users, Registered Users 2 Posts: 17,974 ✭✭✭✭Gavin "shels"




  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    gsp119 wrote: »
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
    FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

    It looks like you also have a few different antivirus products installed? I'd remove them all and install just MSE (Microsoft Security Essentials) for now.


  • Registered Users, Registered Users 2 Posts: 101 ✭✭gsp119


    Tried the TDSSKiller program; nothing found. But there's still something there, I keep getting redirected from Google. Normally I only have AVG running on the PC; however I tried Malwarebytes and SUPERAntiSpyware since the infection.

    Anyone any suggestions please?


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    It could be a DNS-related issue so check the DNS settings for whichever connection (e.g. Wireless or Local Area Connection) you're using and verify that they're not manually set.
    • Go to the Windows Vista Control Panel from the Start menu.
    • Click “Network and Internet” and then “Network and Sharing Center.”
    • Click “Manage network connections.”
    • Choose whichever network connection you're using. Right click on it and select “Properties.”
    • Click the “Networking” tab.
    • Choose Internet Protocol Version 4 (TCP/IPv4).
    • Make sure that “Obtain DNS Server Address Automatically” is enabled.


    Then check your hosts file to make sure it hasn't been messed with. It's in the Windows\System32\drivers\etc folder.


  • Registered Users, Registered Users 2 Posts: 101 ✭✭gsp119


    Checked DNS settings, all fine, and the hosts file too.


  • Registered Users, Registered Users 2 Posts: 1,340 ✭✭✭bhickey


    gsp119 wrote: »
    Checked DNS settings, all fine, and the hosts file too.

    Did you remove all the various anti-virus programs? The DDS data that you posted should have had a list of running processes but I don't see it. DDS generates 2 files (DDS.txt and Attach.txt) so could you run it again and attach the DDS.txt info?


  • Registered Users, Registered Users 2 Posts: 953 ✭✭✭hearny


    Download HijackThis, install it, run a scan and upload the log:

    http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html


  • Registered Users, Registered Users 2 Posts: 377 ✭✭kodak


    Hi, I have the same problem on a friend's laptop.
    This is the log from Trend Micro HijackThis.
    Thanks for any help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:13:59, on 23/09/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18943)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\O2\O2 Broadband USB Modem\O2 Broadband\O2 Broadband.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -s
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [Metropolis] rundll32.exe C:\Users\SHELLY~1\AppData\Local\Temp\sshnas21.dll,GetHandle
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - User Startup: winhelp.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285182746401
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4631C60D-B289-4A08-856B-C845099E1A11}: NameServer = 62.231.32.10,62.231.32.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EBCFB4E-788E-4C1E-8C26-D1B5CA78FE1B}: NameServer = 62.40.32.33 8.8.8.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    --


  • Registered Users, Registered Users 2 Posts: 953 ✭✭✭hearny


    The following entries should be deleted:
    Restart the PC in safe mode (best chance of removing infections) and run HijackThis.

    Check the following options then click remove.
    Rescan to see if the entries come back.
    Restart and see how you get on.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKCU\..\Run: [Metropolis] rundll32.exe C:\Users\SHELLY~1\AppData\Local\Temp\sshnas21.dll,GetHandle
    O4 - User Startup: winhelp.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4631C60D-B289-4A08-856B-C845099E1A11}: NameServer = 62.231.32.10,62.231.32.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EBCFB4E-788E-4C1E-8C26-D1B5CA78FE1B}: NameServer = 62.40.32.33 8.8.8.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
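
An added example, not code from the thread or from Trend Micro's HijackThis: it applies the same kind of triage hearny did by eye to a log in this format (orphaned BHO/toolbar CLSIDs, autoruns loading from a Temp directory, bare-filename startup items, missing Winlogon DLLs) and also pulls out the O17 resolver addresses that bhickey's DNS check is about, so they can be compared with what the ISP or router should be handing out. The log excerpt is constructed from the entries kodak posted, and the severity rules are my own assumptions, not HijackThis verdicts.

```python
"""Triage a HijackThis (v2.0.x) log for the entry types flagged in this thread.
Added example, not HijackThis code; the excerpt is constructed from kodak's log
and the rules are this reviewer's heuristics, not HijackThis's own verdicts."""
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis log format (one entry per line).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKCU\..\Run: [Metropolis] rundll32.exe C:\Users\SHELLY~1\AppData\Local\Temp\sshnas21.dll,GetHandle
O4 - User Startup: winhelp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EBCFB4E-788E-4C1E-8C26-D1B5CA78FE1B}: NameServer = 62.40.32.33 8.8.8.8
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A path component named Temp: a user-writable drop location, and legitimate
# autoruns almost never live there.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

def triage_line(line):
    """Return a Finding for one log line, or None if it looks benign."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    section, body = match.groups()
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(section, "medium", "orphaned BHO/toolbar CLSID, no DLL on disk", line)
    if section == "O4":
        if TEMP_DIR_RE.search(body):
            return Finding(section, "high", "autorun loads code from a Temp directory", line)
        if body.startswith("User Startup:") and "\\" not in body:
            return Finding(section, "high", "startup item is a bare filename with no path", line)
    if section == "O17":
        ns = NAMESERVER_RE.search(body)
        if ns:
            return Finding(section, "review", "DNS servers fixed in the registry: " + ns.group(1), line)
    if section == "O20" and body.endswith("(file missing)"):
        return Finding(section, "medium", "Winlogon Notify DLL missing on disk", line)
    return None

def triage_log(text):
    """All findings for a whole log, highest severity first (log order within a level)."""
    rank = {"high": 0, "medium": 1, "review": 2}
    found = [f for f in map(triage_line, text.splitlines()) if f is not None]
    return sorted(found, key=lambda f: rank[f.severity])

def dns_servers(text):
    """Distinct resolver addresses across all O17 entries; HijackThis separates
    them with spaces or commas, so both are accepted."""
    servers = set()
    for line in text.splitlines():
        ns = NAMESERVER_RE.search(line)
        if ns:
            servers.update(re.split(r"[,\s]+", ns.group(1).strip()))
    return sorted(servers)

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print("resolvers to verify against the ISP/router:", dns_servers(SAMPLE_LOG))
```

The "review" findings are not verdicts: registry-set resolvers are often just the ISP's, so the addresses need checking against the router or ISP before anything is changed.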


  • Registered Users, Registered Users 2 Posts: 3,410 ✭✭✭old_aussie


    Hi,

    Run the Free Eset Online Antivirus scan.

    http://www.eset.com/online-scanner


  • Registered Users, Registered Users 2 Posts: 377 ✭✭kodak


    hearny wrote: »
    The following entries should be deleted:
    Restart the PC in safe mode (best chance of removing infections) and run HijackThis.

    Check the following options then click remove.
    Rescan to see if the entries come back.
    Restart and see how you get on.

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O4 - HKCU\..\Run: [Metropolis] rundll32.exe C:\Users\SHELLY~1\AppData\Local\Temp\sshnas21.dll,GetHandle
    O4 - User Startup: winhelp.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4631C60D-B289-4A08-856B-C845099E1A11}: NameServer = 62.231.32.10,62.231.32.11
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7EBCFB4E-788E-4C1E-8C26-D1B5CA78FE1B}: NameServer = 62.40.32.33 8.8.8.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1EBA9973-EE2E-4B65-92E4-C1D403494F96}: NameServer = 212.129.64.220 212.129.64.221
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (file missing)


    Did as you say and so far so good

    Thank you so much


  • Registered Users, Registered Users 2 Posts: 953 ✭✭✭hearny


    Can you run the scan again and post the results?

    Then restart the PC in safe mode with networking and see if browsing works as it should.
    While in safe mode, rescan with HijackThis and post the log file too.


  • Registered Users, Registered Users 2 Posts: 953 ✭✭✭hearny


    Try the following too:

    Click on Start button.
    Type Cmd in the Start Search text box.
    Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow elevation request.
    Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.
    Type netsh int ip reset in the Command Prompt shell, and then press the Enter key.
    Restart the computer.


  • Registered Users, Registered Users 2 Posts: 9,560 ✭✭✭DublinWriter


    OP - had the same and fixed it yesterday, was being redirected to the gomeo and blinkx sites - see my "I think the MBR on one of my PCs is borked" thread.

