Google redirects, cmd.exe and regedit don't work, can n
by rd25
10 months ago

Hi,
I cannot run cmd.exe and regedit.exe and cannot update my antispyware software. Additionally, earlier I could not stop the rasman.dll service. This is the remote connection service. Now I have blocked it using firewall software. When I search (Google or Yahoo) in the browser window and click on the results, I am redirected to some other site.
Here is the Firefox history showing how the Google redirect works.
The first line is the Google query:
http://209.85.171.80/x/?i=g0ccb403911eed1705a572468ddae0503eZm9ydW1zLnNweWJvdC5pbmZvL3Nob3d0aHJlYWQucGhwP3Q9MzE3Ng==

http://c.incomeppc.com/?d=rAbyIZzhtmtD_PPxM4lkfD9mFO5WFAuWJP8w9w3jfeORsCkRzxhK1SIqsnddAjtyFqltVXWAo86P_fiQws_u0s9Q4UaTLltXPWRiRDeUq9Vm_dkpLSYiz8F3l7G37cUiwAaha382xtzSXRPXpctaXZxbYQWr-SdxTpctDs_StxQFGOWFyhFvkXvRZxojq5RjRJIL2uQM4WLoL9pquqgsH9eIESJCl1naogj-SgMosFw4nl3iQ-eBKBGhCO_er76JLObZf6hyI5EyrGXAksDn1IbENj5ZzWywoe7I4QSaURwLnt6AyTSkPovPDgsKs03hV7memu3AcxfCj8JY4tHH-mGqnp7rcyQ_UUaidp7gQpEUm1mlcuLzp182SQ7ZlezJ1joZ4Lb-3hI9bcI6-dm5Nfyjtb5qq9c7i3pfqAeubQXN7cbBsI6D40QeMx3NkqNArghPZ7rHsrSUc_zrutl-rAAgiaNMs7feA89yTi9S9lL9BM2COG2u5FC-f5hYBHrb5jAUUXVHxSryyIx0Ie9JTBh0sGaBGvGkNso718SXmdz5SxAoaJQqp45d7DIue_w20xzM7FjtdtXtsrDcpl1rJ_1Uv-QUVcRS5tMmJIxDbZYQXw-C0DqlvpN6PH4wC5vtL74Yya7dGHBMo_dB2U39gjMiGb5UbjaaH8CHIuaqp-0OLmsuud6uHG00JvoTBmikhFMuhbA8H-wwICZkvN97ftiGZYHjCXdazGh2tJMjhfGKnc5SiwlV9Se5GmOanofePWXBIUbqTvuc12fklP4bOkaKRxdw21Zfl_XEBDJ3OtWabGErU5MY-zhinRKsC86tyhBejfz288WeiBXGuKGl6gM6lchWXy6aCYe6Ajqez7CPKgugy7VLNvx3x1f4ayQugXGIzdph7cXEGeZ3TK0kMABGah5FqIRVA96aqD3Npjm7KZfTkxKAL3FCdhBJGmUXinAqJw1hNGmVTUgejXyTRHlYuqs0XOk8VKfAe3nheNQPRYDspWa48O20owL8etQ0BDCSF1ahGIEblGh1MJbQ8kb11vrc81gO4bl-CFdSURTR2SCj53O6NdIuLpn7dDDpCUBiVic9jaXr0YoryJhD9cKevTUBso8cYsZw8CgRexOi1ddOaykUlobOSPhJi97RfI-zK3Riwqx63HhXFICpM2P44I2P0CVaWx1JStoEWYzUQ-pIS3N-C4MH0eHyel02_g2iHGDfqM4e4VJ5o0vTzSiy4ZegY-Arnyklp5gwldznYFYKIl36ZE0zUv47Jr3DmWLC1zLGtAI7jBJzfXI6SL-wE8wvG7k8qCgfYY_9WZRsvAtCMCjC5Bz2HscQ8D9QC9YTo5hjsIfXno23cw1ob74Ggq6LRig7vNa56dyNXpMsXo-umIPZYtjhGnj4L6eb7jEq7ygZJPUzTH8cakVE8EXPATrfXUXJWcwU_jRoSfYA-=-=-AmLhBF4kAv4kAGpiLl5jnUN/p3jlZwLjsQI8ZwDkZUkwLJ5ho3DtpaIhVTAgMPOlMJqyMTy0sQRjZGL3AKj1sQO8ATRjL2HmZwW8AGt1AGIxZQq8ZUj1ZJMwLmquA3j0AmuvLzH2L3j0p2IupzAbqTyjpl5ipzp=-=-=-2b00cdb7a76d

http://76.9.16.157/c.php?s=eNolVMmugzgQ_CCkZ4yxsQ9zSB5JSNhJWC8j9j3wsrBEfPxEmkuX1FVdfaqqNwglSdygIKJNb86C_svDjf_h0f9D4HnGYygKCJEvEQrHd9Iz_qxcYFLvm8S3y7T37pHvjNnun382kgmFKECKcpgnKMkoLDJe-FqkGcpgQf_FgkDSTBJSluSixKiEMkbwd5EwEWVY2hDZ4JYbY9cdhdtfU9rVRFWPy1anbtw-FtZbfSj4ay3vD-rOXOTuPB_re76WYBoMs6ulV5RleTKNxfQa1VoRAw5MmJljbr7V4DFnHEjYag6NlGFxCbiCQtfXf03uI7zrzh3NpksPw8WL4gUU-zTdac7eplD_HHnvqc7tDcRHz1zyphYmc182FD7MyrmW1wbM4Yo-3uV9opV6-qz5Aslwgo5dd9p7v3csdNrhoDKA7poOfV6Q40DrZk3AxdANetuCM7eUfeFHp_mehgy-eNNtvnAZf7srN89lGv9F9yY9OZ2PBT2h5SP-s5uLOUeo5wNHHKIUkFellVk0Vr9WGOu0fTnOTiTxAfb718FKzqm5FkNbnWDdc45q7QVhr_j20kmZ7SwgqgKgfeQpcy1eW_1Hi-DHIpEF5gZzWVkQoMLDKj-P0QdyicA6CU4jP5igY74Lln7qTUOZb_qO2H39twZvTo5HownnU8PUVhndc-0BYzfhhq6hUT00WibGOzvxuSZhuoN8U-jjVPMxiA97sgvTMLUwPKqnmTu2gWZwusTXap5FvjyI9Fr5TzBnabsrCJKOVHodGihp12sxyC4oBxnXEkqj21Msy_KROQW3BgJnoTReH5ZL-muvaEXfP86gluOrwsm288JrvOKThXTy6tZ6ypuJKl6nPLr6Nwdrm7PCXthtl7IYAik3k1s4nlDhtKTVmqcu7pKRTrM3GX0xZNOTnu5SdVEIN96ndQ3Acwz7XMsGxkXNY3SPquOWTzHKvaNdWj1uATzIGHtrwKlGEUyLhdf0KBx8IXsNr3aurADCELQfcJn48B20bjY8rgD0OQPFS1nuTVRoyTu1ZWoD8xo11iep81tB4oy-PSqFHEGE2FPw53B6AqVhYca7qQQcPHOvIvp9wnKe0LbelWuQ9pXriGHOfb8pLfMj8PtErkBv1qqBnlxHyboBFCuWv97EsV-mX3Evjdk63UuKSVPcZ2C44V2C0PInJk1WFgbRJLmHD-cVF3A-P4ZU0rUlry02_t2vUTQsdZ4r4IW5b0iGmFvl4MrtL-Nealxyc5tjyqmaLSLXVy36MR0mHi47We3QzJYP1mYTgNV7wOWmsKV6FY-jR8jiT7x8dPtsLL_9JMEfiNgPZPwP5Om2UfpD8Q9DP9LGb5uwfVsKab23pj1bo74Ttd6YEvt7iAn56qlAKcZfKb-hzVCMLgwuTaw4Y6ro7wRd7ltMWCHmGU8pnxIR8RKCNGesKHKWJpjH_wEbFsLN

http://76.9.16.157/c.php?re=1&r=eNolVMmugzgQ_CCkZ4yxsQ9zSB5JSNhJWC8j9j3wsrBEfPxEmkuX1FVdfaqqNwglSdygIKJNb86C_svDjf_h0f9D4HnGYygKCJEvEQrHd9Iz_qxcYFLvm8S3y7T37pHvjNnun382kgmFKECKcpgnKMkoLDJe-FqkGcpgQf_FgkDSTBJSluSixKiEMkbwd5EwEWVY2hDZ4JYbY9cdhdtfU9rVRFWPy1anbtw-FtZbfSj4ay3vD-rOXOTuPB_re76WYBoMs6ulV5RleTKNxfQa1VoRAw5MmJljbr7V4DFnHEjYag6NlGFxCbiCQtfXf03uI7zrzh3NpksPw8WL4gUU-zTdac7eplD_HHnvqc7tDcRHz1zyphYmc182FD7MyrmW1wbM4Yo-3uV9opV6-qz5Aslwgo5dd9p7v3csdNrhoDKA7poOfV6Q40DrZk3AxdANetuCM7eUfeFHp_mehgy-eNNtvnAZf7srN89lGv9F9yY9OZ2PBT2h5SP-s5uLOUeo5wNHHKIUkFellVk0Vr9WGOu0fTnOTiTxAfb718FKzqm5FkNbnWDdc45q7QVhr_j20kmZ7SwgqgKgfeQpcy1eW_1Hi-DHIpEF5gZzWVkQoMLDKj-P0QdyicA6CU4jP5igY74Lln7qTUOZb_qO2H39twZvTo5HownnU8PUVhndc-0BYzfhhq6hUT00WibGOzvxuSZhuoN8U-jjVPMxiA97sgvTMLUwPKqnmTu2gWZwusTXap5FvjyI9Fr5TzBnabsrCJKOVHodGihp12sxyC4oBxnXEkqj21Msy_KROQW3BgJnoTReH5ZL-muvaEXfP86gluOrwsm288JrvOKThXTy6tZ6ypuJKl6nPLr6Nwdrm7PCXthtl7IYAik3k1s4nlDhtKTVmqcu7pKRTrM3GX0xZNOTnu5SdVEIN96ndQ3Acwz7XMsGxkXNY3SPquOWTzHKvaNdWj1uATzIGHtrwKlGEUyLhdf0KBx8IXsNr3aurADCELQfcJn48B20bjY8rgD0OQPFS1nuTVRoyTu1ZWoD8xo11iep81tB4oy-PSqFHEGE2FPw53B6AqVhYca7qQQcPHOvIvp9wnKe0LbelWuQ9pXriGHOfb8pLfMj8PtErkBv1qqBnlxHyboBFCuWv97EsV-mX3Evjdk63UuKSVPcZ2C44V2C0PInJk1WFgbRJLmHD-cVF3A-P4ZU0rUlry02_t2vUTQsdZ4r4IW5b0iGmFvl4MrtL-Nealxyc5tjyqmaLSLXVy36MR0mHi47We3QzJYP1mYTgNV7wOWmsKV6FY-jR8jiT7x8dPtsLL_9JMEfiNgPZPwP5Om2UfpD8Q9DP9LGb5uwfVsKab23pj1bo74Ttd6YEvt7iAn56qlAKcZfKb-hzVCMLgwuTaw4Y6ro7wRd7ltMWCHmGU8pnxIR8RKCNGesKHKWJpjH_wEbFsLN&u=d5e57906e0f435e3b0d5ecf5af1de699&cid=84c592afd3501ba2948b3ab3d1f34f3a&rc=0&pa=&ref1=&ref2=

http://feed.ndot.com/clickn.php?fb=aSlAXz5iW2g%20bWcxRGJDaDBQUztpUGR6RG1bej5tdXE%20YltoPm1nMURqMC0wJGQmOEJDWkRtW2g%20bXUxRG1EWT5gJTFHaEBZOGBDWWkkMGpSVkQjOGhAQj5ZRF8lbWk6diksWT5gJTFHaEBZbk4taFJ4Py8wVkQjOGhAaCVtQFlpQmRqPiksID4kZG1pKURGPil4ajApRDZHKXpqR2hhRjApYTolbVI7PkklWT5gJTE%20SUBZaUJGL2lCWyZRJGFZPmAlMSVoRDFEbWRqaW1hXyVtdUIwKWloJW1hOiVJUi0wJGQtaW1hXyVJLDowJCxgMEk4aERtW2g%20bTsxRGpGLzhgZCZSTi1bMEpEIzhoQEY%20KUBZJW1%20Oj5KWjpHSlpGR1Z%20XyVoQGhHbUA6JVZEIzhoQGg%20WVM2OGo6WT5gJTFHbSwxRGp6WlInfjF2Xz9GUiR4IlEkUy8wViAtOGJTalFQZ0VRTj86dmpHIlEkR2VpanhFUV8gRTBQYUxYYGQvMEk2PmR1OEZhJGFGZENTSlM7LXVYKXVGR2g4WkRtW2g%20bWExRGpbOjhOO1k%20YCUxR21AWT5JRHE%20SSw2RG1baD5tRDFEai07RG1baD5tLDFEbSxCR21%20cURtW2g%20bTgxRGpbLXJQUkw4amFZPmAlMSVtRDFEakd6bmogTFJWMl9SJHFnaUI2O0QnUy0wQkM7UVBhWT5gJTElbUBZUVB%20WT5gJTElKWExRG04RnZtdWg%20SnFGPil%20RSUpfnFEbVtoPm11Xz5ZU21uYENFUidTIFBCR0wwTixZPmAlMSVtQFlDQyVZPmAlMSVoQFlpJDBqRG1baD5tLDFEbXVGR2g4WkRtW2g%20bWkxRGJHNmlqeGowWUQjOGhAWj5ZREYlbWFoRG1baD5tJTFEalMvMFZEIzhoQEY%20WUQ6RG1baD5tODFEajZ6cng/bThOJVk%20YCUxJSlAWSVWRCM4aEAgPllTalFQei0weD9tOE4lWT5gJTFHSUBZJVZxOiVfRCM4aEBCPllTbWkkR0AwJGFZPkI7MSVJW2g%20bXVoPllTejAnMC04YmQvOEJDX1BCLTtEbVtoPm1hMURtdV9HKTtZPmA2aD5tJTFEajY7R0pEIzhoQGglbUBZPil%20Rj5JQ1lHJFNtR0JpOj4kYWhpbWQtPiR1X2kpflpHSUdtJUJkOyUpOFk%20YFp9&b=MC4wMw==&p=MA==

http://qualibid.errfix.hop.clickbank.net/?tid=NDG1Ad1ERR&ID=11774&fb=aSlAXz5iW2g%2BbWcxRGJDaDBQUztpUGR6RG1bej5tJTFyYCUxJW1AWVEkYVk%2BYCUxPklAWUdJYXFHbThxJWg4WT5gJTElKUQxRGp4O1JqQ19STi1oMEM%2FLzBWRCM4aEA2PllENkdtaTo%2BVkQjOGhAWj5ZU2U4JzIvRG1baD5taTFEbWdfPklnNkdKRCMmUCUxJWhAWW4kYTZEbVtoPm0lXz5ZRDpHQnVaR0lnOiUkYWBpaGR6JSl%2BOiUpaUYlaHo7MCl1YEdoYSBpbTBtaV9EIyZhfX0%3D

http://qualibid.errfix.hop.clickbank.net/hop/?CBRehoppp2=http%3A%2F%2Fwww.errorfix.com%2Flp1.php%3Fhop%3Dqualibid&vend=errfix&code=000000000000000&affi=qualibid.ndg1ad1err&hfid=&parms=ID%3D11774%26fb%3DaSlAXz5iW2g%252BbWcxRGJDaDBQUztpUGR6RG1bej5tJTFyYCUxJW1AWVEkYVk%252BYCUxPklAWUdJYXFHbThxJWg4WT5gJTElKUQxRGp4O1JqQ19STi1oMEM%252FLzBWRCM4aEA2PllENkdtaTo%252BVkQjOGhAWj5ZU2U4JzIvRG1baD5taTFEbWdfPklnNkdKRCMmUCUxJWhAWW4kYTZEbVtoPm0lXz5ZRDpHQnVaR0lnOiUkYWBpaGR6JSl%252BOiUpaUYlaHo7MCl1YEdoYSBpbTBtaV9EIyZhfX0%253D&key=7F6D878E311685F123DE014AD148F329

It redirected me to errorfix.com.

I have found some of the IP addresses from above and who they belong to.
76.9.16.157 belongs to ISPrime, Inc.
Address: 300 Boulevard East Suite 100
City: Weehawken NJ

c.incomeppc.com is 88.85.93.34
OrgName: RIPE Network Coordination Centre
Address: P.O. Box 10096
City: Amsterdam
PostalCode: 1001EB
Country: NL

qualibid.errfix.hop.clickbank.net belongs to via.net
ViaNet Communications VIANETCO
IP addresses 209.81.0.0 – 209.81.63.255
Address: Palo Alto CA

Now I have the NoScript add-on for Firefox with XSS disabled even for google.com.

Thank you.
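To make the history above easier to read, here is an added example (not part of rd25's post) that walks the captured redirect chain the way a responder would: it lists the hosts involved, looks for Base64 blobs appended to opaque parameters (the first hop carries the clicked-on destination that way), and pulls out any URL that is carried URL-encoded inside another link (the final ClickBank "hop" link carries the landing page). The sample list is constructed from the URLs in the post, with the very long opaque tokens trimmed; the decoding logic is generic.

```python
"""Walk a captured browser redirect chain and report what it reveals.

Added example, not code from the original post. HISTORY is constructed
from the URLs rd25 posted, with the long opaque tokens shortened.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

HISTORY = [
    # first hop: opaque id followed by a Base64 blob in the i= parameter
    "http://209.85.171.80/x/?i=g0ccb403911eed1705a572468ddae0503e"
    "Zm9ydW1zLnNweWJvdC5pbmZvL3Nob3d0aHJlYWQucGhwP3Q9MzE3Ng==",
    "http://c.incomeppc.com/?d=rAbyIZzhtmtD_PPxM4lkfD9mFO5WFAuWJP8w9w3jfeOR",
    "http://76.9.16.157/c.php?s=eNolVMmugzgQ_CCkZ4yxsQ9zSB5JSNhJWC8j9j3w",
    "http://76.9.16.157/c.php?re=1&r=eNolVMmugzgQ&u=d5e57906e0f435e3b0d5ecf5af1de699&rc=0",
    "http://feed.ndot.com/clickn.php?fb=aSlAXz5iW2g%20bWcxRGJD&b=MC4wMw==&p=MA==",
    "http://qualibid.errfix.hop.clickbank.net/?tid=NDG1Ad1ERR&ID=11774",
    # last hop: the landing page is carried URL-encoded in CBRehoppp2=
    "http://qualibid.errfix.hop.clickbank.net/hop/?CBRehoppp2="
    "http%3A%2F%2Fwww.errorfix.com%2Flp1.php%3Fhop%3Dqualibid&vend=errfix",
]

PRINTABLE_MIN = 16  # ignore short decodes: random bytes are rarely all printable


def unique_hosts(urls):
    """Hosts in the chain, in order of first appearance (deduplicated)."""
    seen = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def decode_base64_tail(value, min_len=PRINTABLE_MIN):
    """Return the printable text hidden in a Base64 tail of value, or None.

    Redirectors often glue a Base64 blob onto an opaque id (see the i=
    parameter of the first hop), so every 4-aligned start offset is tried
    and the leftmost one that yields printable ASCII of min_len+ bytes wins.
    """
    for start in range(len(value)):
        tail = value[start:]
        if len(tail) % 4:
            continue
        try:
            raw = base64.b64decode(tail, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(raw) >= min_len and all(32 <= b < 127 for b in raw):
            return raw.decode("ascii")
    return None


def embedded_urls(value):
    """URLs carried (possibly URL-encoded) inside a single parameter value."""
    return re.findall(r"https?://[^\s&]+", unquote(value))


def analyse(urls):
    """Per-hop report: host, decoded Base64 parameters, embedded URLs."""
    report = []
    for url in urls:
        parts = urlsplit(url)
        entry = {"host": parts.hostname, "decoded": {}, "urls": []}
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                text = decode_base64_tail(value)
                if text:
                    entry["decoded"][name] = text
                entry["urls"].extend(embedded_urls(value))
        report.append(entry)
    return report


def landing_page(report):
    """The last URL embedded anywhere in the chain: where the victim ends up."""
    for entry in reversed(report):
        if entry["urls"]:
            return entry["urls"][-1]
    return None


if __name__ == "__main__":
    rep = analyse(HISTORY)
    print("hosts:", ", ".join(unique_hosts(HISTORY)))
    for hop in rep:
        for name, text in hop["decoded"].items():
            print(f"{hop['host']}: {name}= decodes to {text!r}")
    print("landing page:", landing_page(rep))
```

Run on the constructed list, the first hop's i= parameter decodes to the page rd25 actually clicked (a forums.spybot.info thread), and the chain ends at the errorfix.com landing page, which matches what the post reports. The same three functions work on any exported history as long as the URLs are passed in order.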

by Kaleh
10 months ago

Can you get to any of the following to try scanning your system with several of them?

MS Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

Windows Live OneCare
http://onecare.live.com/site/en-us/default.htm

Malwarebytes’ Anti-Malware
http://www.malwarebytes.org/mbam.php

Spybot Search & Destroy
http://www.safer-networking.org/en/download/index.html

LavaSoft Ad-Aware
http://www.lavasoft.com/products/ad-aware_se_personal.php

SuperAntiSpyware
http://www.superantispyware.com/

by rd25
10 months ago

Thank you for the reply. I have Windows Defender, Lavasoft Ad-Aware and Malwarebytes, but they show no traces of the malware. Also, I cannot update Malwarebytes. Looks like I am a victim of a cross-scripting attack.
BTW: how do I modify the tags for the post? They look messed up.

by Kaleh
10 months ago

It is a trial and error process to find a product that will detect and remove any specific problem. It is also possible that if you could get Malwarebytes updated, it would be able to find the problem.

However, in the event that you can’t find this with a variety of products, you may want to go to a malware removal forum where they specialize in customized assistance.

As far as I know, you can’t modify your tags once you’ve posted, but I did that for you.

by Cometcom1
10 months ago

You’re not the only one seeing this behavior. I’ve had reports of this for a couple of weeks locally here in my country/town.

I suggest you try this little gem from Symantec, which is a registry fix as an .inf file. This should reset your file execution parameters and allow access to registry tools and more. – The tool is made for Windows XP and earlier, and I have no clue if it will actually work or even install on Vista systems.

http://securityresponse.symantec.com/avcenter/UnHookExec.inf

Download and save, then right click and select install.

Not sure if this fixes the problem, but you should be able to execute files/programs and perform registry functions after installation.

by rd25
10 months ago

Thank you. I will try it. Meanwhile I have renamed both regedit and cmd.exe and they are working.
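Cometcom1's UnHookExec.inf works by resetting the registry associations through which Windows launches executables, and rd25's observation that renamed copies of regedit.exe and cmd.exe run fine points at a block keyed by file name. Here is an added example (not the page's code and not Symantec's) that only reads the registry locations usually involved in that symptom and reports anything non-default: the shell\open\command associations for .exe/.com/.bat files, the per-program Image File Execution Options (IFEO) "Debugger" values, and the DisableRegistryTools / DisableCMD policies. It assumes an IFEO Debugger entry keyed by file name is one common reason renaming the tool makes it work again; that is a general observation, not something established for rd25's machine. It runs as-is on Windows; the assess() helper is pure so it can be tested anywhere.

```python
"""Report non-default registry settings behind "cmd.exe/regedit.exe won't run".

Added example, not the page's or Symantec's code. It reads only; it changes
nothing. WATCHED_EXES and the placeholder values in the tests are constructed.
"""
try:
    import winreg  # Windows only; assess() below works without it
except ImportError:
    winreg = None

# Stock shell\open\command values for the classes an executable launch goes through.
DEFAULT_OPEN_COMMANDS = {
    r"exefile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"batfile\shell\open\command": '"%1" %*',
}
# IFEO: a "Debugger" value under <image name> makes Windows start that program instead.
IFEO_BASE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WATCHED_EXES = ["cmd.exe", "regedit.exe", "taskmgr.exe", "msconfig.exe"]
# Policies that disable the tools legitimately (value 1) - malware sets them too.
TOOL_POLICIES = {
    "DisableRegistryTools": r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
    "DisableCMD": r"Software\Policies\Microsoft\Windows\System",
}


def _read_value(root, path, name=""):
    """Return a registry value (the key's default value when name is "") or None."""
    try:
        with winreg.OpenKey(root, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None


def collect():
    """Gather the live values from this machine (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: this collection step runs on Windows only")
    open_commands = {k: _read_value(winreg.HKEY_CLASSES_ROOT, k) for k in DEFAULT_OPEN_COMMANDS}
    ifeo = {exe: _read_value(winreg.HKEY_LOCAL_MACHINE, IFEO_BASE + "\\" + exe, "Debugger")
            for exe in WATCHED_EXES}
    policies = {}
    for name, path in TOOL_POLICIES.items():
        policies[name] = 0
        for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
            value = _read_value(hive, path, name)
            if value:
                policies[name] = value
    return open_commands, ifeo, policies


def assess(open_commands, ifeo_debuggers, policies):
    """Compare collected values with the defaults; return a list of findings (strings)."""
    findings = []
    for key, expected in DEFAULT_OPEN_COMMANDS.items():
        actual = open_commands.get(key)
        if actual is not None and actual.strip().lower() != expected.lower():
            findings.append(f"{key} = {actual!r}, expected {expected!r}: "
                            "every executable is launched through something else")
    for exe, debugger in ifeo_debuggers.items():
        if debugger:
            findings.append(f"IFEO Debugger for {exe} = {debugger!r}: "
                            f"Windows runs this instead of {exe} (renaming {exe} sidesteps it)")
    for name, value in policies.items():
        if value:
            findings.append(f"policy {name} = {value}: the tool is disabled by policy "
                            "(set by an administrator, or by malware)")
    return findings


if __name__ == "__main__":
    for line in assess(*collect()) or ["no deviations from the defaults found"]:
        print(line)
```

A clean machine produces no findings; a hijacked exefile association or an IFEO Debugger entry for regedit.exe shows up as one line each, which tells you what a fix such as UnHookExec.inf (exefile/comfile/batfile associations) would and would not cover.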

by rd25
10 months ago

My antivirus software (McAfee) doesn’t like Spybot. SuperAntiSpyware detected a few cookies. I tried the Symantec patch too. The problem is still there, so I am doing a backup and system restore. I have my OS on a partitioned drive, so I hope it works with minimal data loss. Thank you for helping me.

by Cometcom1
10 months ago

A couple of explanations:

RIPE is the European registry and address assignment organization.

88.85.93.34 points to Incomeproject B.V. Netherlands

This looks like a click-for-money scheme that has gone crazy. At least the domains/IPs suggest that.

Try to get to some or all of the scanners Kaleh suggested and run these to clean up the PC.