google redirect virus/adware/whatever -.-


nerdboyxxx

I have it, and it won't go away. Don't tell me to download ComboFix, it isn't available for download and the publisher said it was unstable.

 

Here is a log I did with HijackThis, if it's any help:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:58 PM, on 16/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\rhys\Desktop\AceHideFree.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\conime.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\msa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\rhys\Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=84&bd=Pavilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.exe
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: FrostWire On Startup.lnk = C:\Program Files\FrostWire\FrostWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-AU\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.98,85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.98,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.98,85.255.112.137
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\iEvony\Skype4COM.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files\Tunngle\TnglCtrl.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9597 bytes

 

I have tried many programs, and none of them are working for crap. If anyone can tell me a program that they know ACTUALLY works or knows how to manually remove it, please let me know. It's bogging down my internet like crazy; just getting onto tif was a pain in the [wagon].

 

Thanks for any help.

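The posted log already holds the strongest lead. The three O17 lines show the TCP/IP NameServer value in every control set (CCS, CS1, CS2) pointing at 85.255.112.98 and 85.255.112.137 instead of whatever the router or ISP hands out over DHCP. A resolver the attacker controls can answer for any name it likes, which is exactly how a search-result redirect is produced without touching the browser, and it also explains why the browser-side cleaners the poster tried made no difference. The `O1 - Hosts: ::1 localhost` line is the stock IPv6 loopback entry on Vista and is benign. What follows is an added example, not code from the thread: it pulls the O17 resolvers out of a HijackThis log, compares them against the resolvers the network is supposed to use, and lists running executables in places where installed software does not normally live. `EXPECTED_RESOLVERS` and `WINDOWS_ROOT_OK` are assumptions standing in for what `ipconfig /all` shows on a known-clean machine on the same network; `KNOWN_ROGUE_RANGES` is reference data from the public DNSChanger advisories, not from the post. The embedded log excerpt is trimmed from the one above, with the forum's `[Caution: Executable File]` marker put back to `.exe`.

```python
"""Flag DNS-hijack indicators in a HijackThis log.

Added example for this thread, not code from the original post.  The log
excerpt is trimmed from the one posted above.  EXPECTED_RESOLVERS and
WINDOWS_ROOT_OK are assumptions; edit them for the network at hand.
"""
import ipaddress
import re
import sys

# Excerpt of the posted log, trimmed to the lines the checks look at.
HJT_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.exe
C:\Users\rhys\Desktop\AceHideFree.exe
C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\msa.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O1 - Hosts: ::1 localhost
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.98,85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.98,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.98,85.255.112.137
"""

# ASSUMPTION: the resolvers this network should be using (a home router
# and the ISP's server).  Take the real values from `ipconfig /all` on a
# machine that is known to be clean.
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}

# Reference data, not from the post: resolver ranges listed in the public
# DNSChanger advisories.  A hit here is a strong signal on its own.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# ASSUMPTION: the few binaries that legitimately run from C:\Windows itself.
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>[\d.,]+)")
EXE_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_nameservers(log):
    """Map each O17 registry key to the comma-separated resolver list it carries."""
    found = {}
    for line in log.splitlines():
        m = O17_RE.match(line)
        if m:
            found[m.group("key")] = m.group("servers").split(",")
    return found


def classify_resolver(ip):
    """'expected', 'known-rogue' or 'unexpected' for one resolver address."""
    if ip in EXPECTED_RESOLVERS:
        return "expected"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in KNOWN_ROGUE_RANGES):
        return "known-rogue"
    return "unexpected"


def dns_findings(log):
    """(registry key, resolver, verdict) for every resolver that is not expected."""
    findings = []
    for key, servers in parse_nameservers(log).items():
        for ip in servers:
            verdict = classify_resolver(ip)
            if verdict != "expected":
                findings.append((key, ip, verdict))
    return findings


def unexpected_processes(log):
    """Running executables in user-writable or otherwise odd locations.

    Heuristic only: an entry here deserves a second look, not a verdict.
    """
    findings = []
    for line in log.splitlines():
        path = line.strip()
        if not EXE_RE.match(path):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if USER_PROFILE_RE.match(path):
            findings.append((path, "runs from a user profile directory"))
        elif WINDOWS_ROOT_RE.match(path) and name not in WINDOWS_ROOT_OK:
            findings.append((path, "loose in the Windows root, not system32"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log = fh.read()
    else:
        log = HJT_LOG
    for key, ip, verdict in dns_findings(log):
        print(f"DNS  {verdict:12} {ip:16} {key}")
    for path, why in unexpected_processes(log):
        print(f"PROC {why}: {path}")
```

Run it against a full saved log with `python check_hjt.py hijackthis.log`, or with no argument to see the result on the excerpt above. On the posted excerpt every one of the six resolver entries comes back `known-rogue`, and the process check lists `C:\Users\rhys\Desktop\AceHideFree.exe` and `C:\Windows\msa.exe` as worth explaining. Note that the value lives in all three control sets, so the fix has to cover CS1 and CS2 as well as CurrentControlSet, or a reboot into "Last Known Good" simply brings the rogue resolvers back; and on a home network the router's own DHCP-supplied DNS setting should be checked too, since the same operation is documented as changing it.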

Okay, I opened the file in Notepad and this is what came up:

 

# Copyright © 1993-2006 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

::1 localhost

 

If you meant something else please let me know.

 

Thanks for all the help so far :)

 

EDIT: I also have a file called lmhosts.sam; in case you needed it, here are the contents.

 

# Copyright © 1993-1999 Microsoft Corp.

#

# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to computernames

# (NetBIOS) names. Each entry should be kept on an individual line.

# The IP address should be placed in the first column followed by the

# corresponding computername. The address and the computername

# should be separated by at least one space or tab. The "#" character

# is generally used to denote the start of a comment (see the exceptions

# below).

#

# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts

# files and offers the following extensions:

#

# #PRE

# #DOM:<domain>

# #INCLUDE <filename>

# #BEGIN_ALTERNATE

# #END_ALTERNATE

# \0xnn (non-printing character support)

#

# Following any entry in the file with the characters "#PRE" will cause

# the entry to be preloaded into the name cache. By default, entries are

# not preloaded, but are parsed only after dynamic name resolution fails.

#

# Following an entry with the "#DOM:<domain>" tag will associate the

# entry with the domain specified by <domain>. This affects how the

# browser and logon services behave in TCP/IP environments. To preload

# the host name associated with #DOM entry, it is necessary to also add a

# #PRE to the line. The <domain> is always preloaded although it will not

# be shown when the name cache is viewed.

#

# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)

# software to seek the specified <filename> and parse it as if it were

# local. <filename> is generally a UNC-based name, allowing a

# centralized lmhosts file to be maintained on a server.

# It is ALWAYS necessary to provide a mapping for the IP address of the

# server prior to the #INCLUDE. This mapping must use the #PRE directive.

# In addtion the share "public" in the example below must be in the

# LanManServer list of "NullSessionShares" in order for client machines to

# be able to read the lmhosts file successfully. This key is under

# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares

# in the registry. Simply add "public" to the list found there.

#

# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE

# statements to be grouped together. Any single successful include

# will cause the group to succeed.

#

# Finally, non-printing characters can be embedded in mappings by

# first surrounding the NetBIOS name in quotations, then using the

# \0xnn notation to specify a hex value for a non-printing character.

#

# The following example illustrates all of these extensions:

#

# 102.54.94.97 rhino #PRE #DOM:networking #net group's DC

# 102.54.94.102 "appname \0x14" #special app server

# 102.54.94.123 popular #PRE #source server

# 102.54.94.117 localsrv #PRE #needed for the include

#

# #BEGIN_ALTERNATE

# #INCLUDE \\localsrv\public\lmhosts

# #INCLUDE \\rhino\public\lmhosts

# #END_ALTERNATE

#

# In the above example, the "appname" server contains a special

# character in its name, the "popular" and "localsrv" server names are

# preloaded, and the "rhino" server name is specified so it can be used

# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"

# system is unavailable.

#

# Note that the whole file is parsed including comments on each lookup,

# so keeping the number of comments to a minimum will improve performance.

# Therefore it is not advisable to simply add lmhosts file entries onto the

# end of this file.

 

Thanks again :)

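The hosts file posted above is the stock Vista one: only the two localhost lines, and everything else is Microsoft's comment header. So on this machine the hosts file is not where the redirect comes from; the NameServer values in the first post are. (lmhosts.sam is only NetBIOS name sample data and is never consulted unless it is renamed to `lmhosts`.) Still, a hosts check belongs in the same sweep, because a hijacked hosts file produces the same symptom and is the other place a "Google redirect" is typically planted. The example below is added here and is not code from the thread: it parses a hosts file the way Windows reads it (first column address, remaining columns names, `#` starts a comment) and reports every mapping the stock file does not contain. The first sample is the posted file with its comment header abridged; the second is a constructed illustration of a hijacked file, using documentation addresses in place of an attacker's.

```python
"""Check a Windows hosts file for hijacked mappings.

Added example for this thread, not code from the original post.  POSTED_HOSTS
is the file from the post above (comment header abridged); HIJACKED_HOSTS is
constructed to show what a tampered file looks like.
"""
import ipaddress

POSTED_HOSTS = r"""
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
"""

# Constructed, not from the post: search engines redirected to a host the
# attacker controls, and a vendor site blackholed so its tools cannot update.
HIJACKED_HOSTS = r"""
127.0.0.1 localhost
::1 localhost
203.0.113.10 www.google.com google.com   # several names on one line
203.0.113.10 www.bing.com
127.0.0.1 securityresponse.symantec.com
"""

# The only name the stock Windows file maps to loopback.  Anything else sent
# to loopback, or to an outside address, needs an explanation.
STOCK_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (address, name) pairs, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an address
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def hosts_findings(text):
    """(name, address, reason) for every mapping a stock hosts file lacks."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            if name not in STOCK_LOOPBACK_NAMES:
                findings.append((name, str(addr), "sinkholed to loopback"))
        else:
            findings.append((name, str(addr), "redirected to an outside address"))
    return findings


if __name__ == "__main__":
    for label, sample in (("posted", POSTED_HOSTS), ("constructed", HIJACKED_HOSTS)):
        print(f"{label}: {hosts_findings(sample) or 'clean'}")
```

The live file is `%SystemRoot%\System32\drivers\etc\hosts`; on Vista it is only writable from an elevated editor, so a hijacked copy also means something ran with administrator rights. A home machine can legitimately carry a few LAN names, so treat a finding as a question to answer rather than a verdict, but a mapping for a search engine or a security vendor has no innocent explanation.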

I'd get rid of all those toolbars for a start; they tend to be evil on their own.

Then run Malwarebytes Anti-Malware, SUPERAntiSpyware and your AV (if it's older than version 360, get rid of it, as it's a horrible resource hog).

