Welcome to MalwareRemoval.com,
Google Redirect Virus

Post by mapas01 » May 15th, 2009, 1:58 pm

I have had this virus for a few months now. I've tried everything; I've installed and used many programs to remove it, to no avail. Every time it seems like it worked, a few days later it's back. My results do not always get redirected, only sometimes. I have tried installing the Opera browser and it has never redirected my Google results. It seems to be only occurring in Firefox. Please help!

Here are my results of HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:40 PM, on 5/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\AbiSuite2\AbiWord\bin\AbiWord.exe
E:\NIGGA DRIVE\Programs\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Security Update] C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4408092250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4412566890
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D0385D-1B08-4F93-BFA6-73E93762C25B}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {b9f70fba-ba57-4764-a4b1-a32fb95662b7} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wayumabe.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6443 bytes
mapas01
Active Member
 
Posts: 5
Joined: May 15th, 2009, 1:52 pm
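A defender's first triage pass over a log like the one above, added here as an example; it is not part of the thread and not code from HijackThis. It parses the entry format (`O4 - ...`, `O17 - ...`, `O20 - ...`) and flags what a helper looks at first: autoruns started from a user profile, an autorun named like a Windows component that runs from outside the Windows directory, orphaned `(no file)` hooks, name servers outside private ranges, and any AppInit_DLLs value. The sample lines are copied from the log in the first post; the heuristics, severities and the "eight lowercase letters" name check are this example's own assumptions, not HijackThis rules.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sample input: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Security Update] C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D0385D-1B08-4F93-BFA6-73E93762C25B}: NameServer = 192.168.0.1
O18 - Filter hijack: text/html - {b9f70fba-ba57-4764-a4b1-a32fb95662b7} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wayumabe.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

# "R0 - ...", "O4 - ...": section code, then the entry body.
HJT_ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Body of an O4 Run entry: HKxx\..\Run: [display name] "optional quotes"path.exe args
RUN_ENTRY = re.compile(r'^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]*?\.exe)', re.I)


@dataclass
class Finding:
    code: str
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    entry: str


def parse_entries(log_text):
    """Yield (code, body) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = HJT_ENTRY.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def is_private_resolver(ip_text):
    """True for RFC 1918 / loopback / link-local addresses, e.g. a home router at 192.168.0.1."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable value: treat as not private so it gets flagged
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage_entry(code, body):
    """Apply the review heuristics to one entry and return the findings for it."""
    findings = []
    if "(no file)" in body:
        findings.append(Finding(code, "medium", "hook points at a file that no longer exists", body))
    if code == "O4":
        m = RUN_ENTRY.match(body)
        if m:
            name, path = m.group("name"), m.group("path").lower()
            if "\\documents and settings\\" in path or "\\users\\" in path:
                findings.append(Finding(code, "low", "autorun starts from a user profile directory", body))
            # Legitimate Windows components start from %windir%, not from a user's documents.
            if re.search(r"windows.*(update|security)", name, re.I) and not path.startswith("c:\\windows"):
                findings.append(Finding(code, "high",
                                        "autorun named like a Windows component runs from outside the Windows directory", body))
    elif code == "O17" and "NameServer =" in body:
        servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
        bad = [s for s in servers if not is_private_resolver(s)]
        if bad:
            findings.append(Finding(code, "high", "DNS resolver set to non-private address(es): " + ", ".join(bad), body))
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # any non-empty AppInit_DLLs value deserves a look
            reason = "AppInit_DLLs loads this DLL into every process that uses user32.dll"
            if re.fullmatch(r"[a-z]{8}\.dll", value.rsplit("\\", 1)[-1]):
                reason += "; filename looks machine-generated"
            findings.append(Finding(code, "high", reason, body))
    return findings


def triage_log(log_text):
    """Run every entry through the heuristics and return the combined list of findings."""
    return [f for code, body in parse_entries(log_text) for f in triage_entry(code, body)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.code}: {f.reason}\n         {f.entry}")
```

Running it on the sample lines reports the profile-path autoruns, the orphaned text/html filter and the AppInit_DLLs entry, while the AVG entries and the private 192.168.0.1 resolver pass quietly.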

Re: Google Redirect Virus

Post by Blade81 » May 18th, 2009, 10:48 am

Hi mapas01


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


After that, please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Google Redirect Virus

Post by mapas01 » May 18th, 2009, 12:26 pm

Here are all my logs, thanks again!

ComboFix 09-05-17.08 - Administrator 05/18/2009 12:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1604 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Internet Security 3-pack *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bitipote.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-14 01:51 . 2009-05-14 01:51 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-05-07 02:44 . 2009-05-07 02:44 48 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-07 02:43 . 2009-05-09 02:49 -------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-05-07 02:40 . 2009-05-09 03:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-05-07 02:39 . 2009-05-07 02:39 -------- d-----w c:\program files\Common Files\Skype
2009-05-07 02:39 . 2009-05-07 02:39 -------- d-----r c:\program files\Skype
2009-05-07 02:39 . 2009-05-07 02:39 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-04-30 01:22 . 2009-04-30 01:22 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2009-04-30 01:22 . 2009-04-30 01:22 -------- d-----w c:\program files\Opera
2009-04-28 00:42 . 2009-05-10 21:05 -------- d--h--w C:\$AVG8.VAULT$
2009-04-27 04:03 . 2009-04-27 04:03 -------- d-sh--w c:\documents and settings\Administrator\Local Settings\Application Data\.#
2009-04-27 02:23 . 2009-04-27 02:23 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-27 02:23 . 2009-04-27 02:23 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 02:23 . 2009-04-27 02:23 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-04-27 02:23 . 2009-04-27 02:23 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-27 02:23 . 2009-04-27 02:23 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 02:23 . 2009-05-18 16:29 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-27 02:23 . 2009-04-28 02:16 -------- d-----w c:\documents and settings\Administrator\Application Data\AVGTOOLBAR
2009-04-27 01:55 . 2009-04-27 02:21 29208 ----a-w c:\windows\system32\drivers\avgfwdx.sys
2009-04-27 01:55 . 2009-04-27 02:21 50968 ----a-w c:\windows\system32\avgfwdx.dll
2009-04-23 13:35 . 2009-04-27 01:12 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-23 13:25 . 2009-04-23 13:25 -------- d-----w C:\VundoFix Backups
2009-04-23 00:10 . 2009-04-23 00:10 -------- d-----w c:\windows\F07AE5AB516C4CEBA0AAAD083B9182C6.TMP
2009-04-22 23:44 . 2009-04-23 13:17 -------- d-----w c:\program files\VideoLAN
2009-04-22 23:29 . 2009-04-22 23:29 -------- d-----w c:\program files\Haali
2009-04-21 18:28 . 2009-04-21 18:29 -------- d-----w c:\program files\BurnAware Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-17 04:22 . 2009-02-09 01:51 -------- d-----w c:\program files\Starcraft
2009-05-17 03:21 . 2009-02-09 01:52 34602 ----a-w c:\windows\scunin.dat
2009-05-17 03:21 . 2009-02-09 01:52 967 ----a-w c:\windows\ScUnin.pif
2009-05-17 03:21 . 2009-02-09 01:52 94208 ----a-w c:\windows\ScUnin.exe
2009-05-17 01:03 . 2008-01-29 01:08 -------- d-----w c:\program files\Steam
2009-05-07 15:42 . 2009-01-29 00:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 00:39 . 2009-04-10 04:57 -------- d-----w c:\program files\Burn4Free Toolbar
2009-04-27 00:37 . 2009-04-14 21:57 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-27 00:37 . 2008-02-01 22:13 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-27 00:36 . 2009-02-16 22:43 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-24 04:21 . 2009-04-24 04:20 14082048 ---ha-w c:\documents and settings\Administrator\ntuser.tmp
2009-04-24 03:08 . 2008-11-23 16:39 -------- d-----w c:\program files\PokerStars
2009-04-21 18:29 . 2008-10-22 00:08 21072 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 21:35 . 2008-12-23 06:10 -------- d-----w c:\program files\Warcraft III
2009-04-06 20:32 . 2009-01-29 00:55 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-01-29 00:55 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 23:31 . 2009-04-02 12:09 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-02 14:59 . 2009-04-02 14:59 -------- d-----w c:\program files\MSXML 4.0
2009-04-02 14:41 . 2009-04-02 14:41 -------- d-----w c:\program files\AVG
2009-04-02 14:05 . 2008-01-29 01:10 -------- d-----w c:\program files\Guild Wars
2009-04-02 13:59 . 2009-04-02 05:03 -------- d-----w c:\program files\McAfee
2009-04-02 06:21 . 2009-04-02 06:21 -------- d-----w c:\program files\MultiScreen
2009-04-02 06:21 . 2008-01-29 00:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 06:15 . 2009-04-02 06:15 -------- d-----w c:\program files\SEC
2009-04-02 05:03 . 2009-04-02 05:03 -------- d-----w c:\program files\Common Files\Cisco Systems
2009-03-31 01:59 . 2009-03-31 00:36 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-27 13:22 . 2009-03-12 01:22 -------- d-----w c:\program files\IZArc
2009-03-27 12:42 . 2009-03-27 12:42 -------- d-----w c:\program files\WinSCP
2009-03-16 05:09 . 2008-10-31 16:39 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-16 05:09 . 2008-10-22 00:09 1748 ----a-w c:\windows\system32\d3d8caps.dat
2009-03-06 14:22 . 2002-08-29 03:41 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-26 17:46 . 2009-02-26 17:46 74760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 17:46 . 2009-02-26 17:46 25608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-20 08:10 . 2002-08-29 03:41 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2009-04-02 14:30 81920 ------w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"Windows Security Update"="c:\documents and settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe" [2009-04-10 426713]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2006-05-25 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2006-05-25 126976]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-08-12 86016]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-12 7630848]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1947928]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-12 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-4-2 49220]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 02:23 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"FileZilla Server"=3 (0x3)
"Messenger"=2 (0x2)
"NMSAccessU"=2 (0x2)
"ThreatFire"=3 (0x3)
"sdCoreService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\mapas001\\counter-strike\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/26/2009 9:23 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/26/2009 9:23 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/26/2009 9:23 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/26/2009 9:22 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/26/2009 9:22 PM 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/26/2009 9:22 PM 1366904]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/28/2009 7:55 PM 179856]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [4/26/2009 8:55 PM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/28/2009 7:55 PM 15504]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [1/14/2009 3:34 PM 120472]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [4/26/2009 8:55 PM 29208]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1606980848-682003330-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 00:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: {C5D0385D-1B08-4F93-BFA6-73E93762C25B} = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5nw0u927.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?account_id ... .com#inbox
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 12:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-1606980848-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:39,4a,ea,d6,0a,a8,12,93,9f,a4,9a,46,24,11,5d,a8,ed,d5,90,11,5c,
38,fa,01,f0,dc,be,e6,88,78,0f,c3,59,98,32,8f,8d,90,f0,eb,05,d9,22,0e,a8,c4,\
"rkeysecu"=hex:12,54,3c,6a,5e,78,f6,06,6a,f5,db,83,b0,2e,52,fb
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-18 12:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-18 17:23

Pre-Run: 7,128,768,512 bytes free
Post-Run: 7,520,555,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noguiboot /NoExecute=OptIn

219 --- E O F --- 2009-05-13 17:46


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:06 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Security Update] C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4408092250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4412566890
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D0385D-1B08-4F93-BFA6-73E93762C25B}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6358 bytes

GooredFix v1.92 by jpshortstuff
Log created at 12:24 on 18/05/2009 running Option #1 (Administrator)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{F1D5AEEA-75CA-471C-846E-AE39991F15C1}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
mapas01
Active Member
 
Posts: 5
Joined: May 15th, 2009, 1:52 pm

Re: Google Redirect Virus

Post by Blade81 » May 18th, 2009, 4:24 pm

Hi

Upload the following file to VirusTotal and post back the results:
c:\documents and settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe


Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Read the requirements and privacy statement then click on the Accept button.

  • The program will launch and start to download the latest definition files.

  • You will be prompted to install an application from Kaspersky. Click Run

  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives

  • Click on My Computer under Scan.

  • Once the scan is complete, it will display the results. Click on View Scan Report.

  • Click on Save Report As....

  • Change the Files of type to Text file (.txt) before clicking on the Save button.

  • Save this report to a convenient place.

  • Copy and paste that information into your topic. Also post a fresh HJT log and the above-mentioned GooredFix report. How's the system running?

  • The scan will take a while, so be patient and let it run. As it scans your machine very deeply, it could take hours to complete; Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Google Redirect Virus

Post by mapas01 » May 18th, 2009, 8:58 pm

File Windows_Key_Generator.exe received on 05.09.2009 22:45:28 (CET)
Antivirus Version Last Update Result
a-squared - - Win32.SuspectCrc!IK
AhnLab-V3 - - -
AntiVir - - TR/Drop.Angel.ER
Antiy-AVL - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - Win32.Banker
eTrust-Vet - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Win32.SuspectCrc
Jiangmin - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
McAfee+Artemis - - Artemis!B8E5368DF85D
McAfee-GW-Edition - - Trojan.Drop.Angel.ER
Microsoft - - -
NOD32 - - -
Norman - - -
nProtect - - -
Panda - - -
PCTools - - -
Prevx - - High Risk Worm
Rising - - Trojan.Win32.Autoit.dwq
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - -
VirusBuster - - -
Additional information
MD5: b8e5368df85d92cc8ae57f47cabae58e
SHA1: 85080f11a02acae164c029cfe589c9960f2ca9a4
SHA256: 91f16e51fb147b9cb8dafa4aeadde5790f8e1ba6b41d1393535c6ccecc14e4a4
SHA512: 8d5e399bd68ba11e28c2711e441b0532505ce2b35d57ab85944f1e89646bac0eeac986ed58670d737771d604bf49dc670d40d66220bcc949a199442414900163

GooredFix v1.92 by jpshortstuff
Log created at 16:52 on 18/05/2009 running Option #2 (Administrator)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{F1D5AEEA-75CA-471C-846E-AE39991F15C1}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 18, 2009 20:28:01
Records in database: 2191809
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 49670
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 03:07:42


File name / Threat name / Threats count

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:09 PM, on 5/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\AbiSuite2\AbiWord\bin\AbiWord.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Security Update] C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
O4 - Global Startup: NCProTray.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4408092250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4412566890
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D0385D-1B08-4F93-BFA6-73E93762C25B}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6878 bytes

I'm not sure how the system is running; I have not performed any Google searches yet, since I want to do all the steps needed to try to fix it first. :|
mapas01
Active Member
 
Posts: 5
Joined: May 15th, 2009, 1:52 pm

Re: Google Redirect Virus

Post by Blade81 » May 19th, 2009, 4:14 am

Hi

Did you upload the correct file? If it was scanned before, please let the scanners do a re-scan. Post back the updated results.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Google Redirect Virus

Post by mapas01 » May 19th, 2009, 10:09 am

That is the correct file. For some reason, after uploading it the results display the file name as "Windows_Key_Generator" as opposed to the original name of "Windows_security_update_3475_36_d.exe".

http://www.virustotal.com/analisis/964d ... 6da31a65ef
mapas01
Active Member
 
Posts: 5
Joined: May 15th, 2009, 1:52 pm

Re: Google Redirect Virus

Post by Blade81 » May 19th, 2009, 12:21 pm

Hi

When you uploaded the file, did you see a question saying that the file had already been scanned and asking if you wanted it re-scanned? You should choose yes to that. As you can see, bolded below is a date that is earlier than the one you uploaded the file on.

File Windows_Key_Generator.exe received on 05.09.2009 22:45:28 (CET)
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Google Redirect Virus

Post by mapas01 » May 19th, 2009, 12:39 pm

Oops, sorry about that. I didn't understand what you meant until I saw the date thing and realized what the website does unless you select "Reanalyze file". Here are the results:

http://www.virustotal.com/analisis/46c5 ... de17ece08d

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.19 Win32.SuspectCrc!IK
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 TR/Drop.Angel.ER
Antiy-AVL 2.0.3.1 2009.05.19 -
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.18 -
AVG 8.5.0.336 2009.05.19 -
BitDefender 7.2 2009.05.19 -
CAT-QuickHeal 10.00 2009.05.19 -
ClamAV 0.94.1 2009.05.19 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.19 -
eSafe 7.0.17.0 2009.05.19 Win32.Banker
eTrust-Vet 31.6.6511 2009.05.19 -
F-Prot 4.4.4.56 2009.05.18 -
F-Secure 8.0.14470.0 2009.05.19 -
Fortinet 3.117.0.0 2009.05.19 -
GData 19 2009.05.19 -
Ikarus T3.1.1.49.0 2009.05.19 Win32.SuspectCrc
K7AntiVirus 7.10.739 2009.05.19 -
Kaspersky 7.0.0.125 2009.05.19 -
McAfee 5620 2009.05.19 -
McAfee+Artemis 5619 2009.05.18 Artemis!B8E5368DF85D
McAfee-GW-Edition 6.7.6 2009.05.19 Trojan.Drop.Angel.ER
Microsoft 1.4602 2009.05.19 -
NOD32 4087 2009.05.19 -
Norman 6.01.05 2009.05.18 -
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.18 Suspicious file
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.19 High Risk Worm
Rising 21.30.14.00 2009.05.19 Trojan.Win32.Autoit.dwq
Sophos 4.41.0 2009.05.19 -
Sunbelt 3.2.1858.2 2009.05.18 -
Symantec 1.4.4.12 2009.05.19 -
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
VBA32 3.12.10.5 2009.05.19 -
ViRobot 2009.5.19.1740 2009.05.19 -
Additional information
File size: 426713 bytes
MD5...: b8e5368df85d92cc8ae57f47cabae58e
SHA1..: 85080f11a02acae164c029cfe589c9960f2ca9a4
SHA256: 91f16e51fb147b9cb8dafa4aeadde5790f8e1ba6b41d1393535c6ccecc14e4a4
SHA512: 8d5e399bd68ba11e28c2711e441b0532505ce2b35d57ab85944f1e89646bac0e
eac986ed58670d737771d604bf49dc670d40d66220bcc949a199442414900163
ssdeep: 6144:8lZ/zUMu4pDSxsCMRzf7x3SfS1JAzXBtL76lMLawqc1uEIVrx/9dmYQp6Lb
I:8HLUMuiv9RgfSjAzRtyMLAWClP/s
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (43.8%)
Win32 EXE Yoda's Crypter (38.1%)
Win32 Executable Generic (12.2%)
Generic Win/DOS Executable (2.8%)
DOS Executable Generic (2.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xab1d0
timedatestamp.....: 0x4951fa17 (Wed Dec 24 09:00:07 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x6b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x6c000 0x40000 0x3f400 7.93 a5f4fb3e4432cd1e1aa40a6202ebdbed
.rsrc 0xac000 0x4000 0x3800 4.99 772f9e1c4ab0400b4dd2b32b967ca13d

( 16 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: AddAce
> COMCTL32.dll: ImageList_Remove
> COMDLG32.dll: GetSaveFileNameW
> GDI32.dll: BitBlt
> MPR.dll: WNetGetConnectionW
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> PSAPI.DLL: EnumProcesses
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> USERENV.dll: LoadUserProfileW
> VERSION.dll: VerQueryValueW
> WININET.dll: FtpOpenFileW
> WINMM.dll: timeGetTime
> WSOCK32.dll: -

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=b8e5368df85d92cc8ae57f47cabae58e
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=b8e5368df85d92cc8ae57f47cabae58e
packers (F-Prot): UPX
http://info.prevx.com/aboutprogramtext.asp?PX5=E613BBFAD9B8885482A806E23F7C7A00D8583B5C
mapas01
Active Member
 
Posts: 5
Joined: May 15th, 2009, 1:52 pm

Re: Google Redirect Virus

Post by Blade81 » May 19th, 2009, 12:55 pm

Hi again,

I recommend changing all your online passwords using a system other than the one we're now cleaning. It's possible you have a password stealer there.


Open notepad and copy/paste the text in the quotebox below into it:

http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=42847&p=438523#p438523

Collect::
C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe

DirLook::
C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Security Update"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

(Image: CFScript being dragged onto ComboFix.exe)

Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe. You'll be asked to submit some samples. Follow the instructions given to carry out the submission successfully.
Then post the resultant log, reboot and post a fresh HJT log. How's the system running?
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
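An added example, not part of this thread or of HijackThis, ComboFix or GooredFix: a small Python triage script that parses the O4 autostart lines of a HijackThis log like the one posted above and scores each entry with the signals a helper looks at (binary under a user profile, unquoted path with spaces, bare file name, a Windows-sounding value name whose binary sits outside the system roots). The sample lines are copied from the log in this thread; the scoring weights and the path markers are my own assumptions, and the entry this flags is the "Windows Security Update" Run value that the CFScript above removes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 (autostart) lines copied from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe',
    r'O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKCU\..\Run: [Windows Security Update] C:\Documents and Settings\Administrator\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe',
]

# HijackThis O4 line shape: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Directories where a legitimate autostart binary is rarely installed (heuristic, my assumption).
USER_PROFILE_MARKERS = ('\\documents and settings\\', '\\users\\', '\\my documents\\',
                        '\\local settings\\', '\\application data\\', '\\temp\\')
# Roots where genuine Windows and vendor components live.
SYSTEM_ROOT_RE = re.compile(r'^[a-z]:\\(windows|winnt|program files|progra~1)\\', re.IGNORECASE)

@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def verdict(self):
        return 'ok' if self.score == 0 else ('review' if self.score == 1 else 'suspicious')

def image_path(cmd):
    """Executable from a Run value: the quoted path, else everything up to the first '.exe' token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_o4(line):
    m = O4_RE.match(line.strip())
    return Autorun(m['hive'], m['key'], m['name'], m['cmd'], image_path(m['cmd'])) if m else None

def assess(entry):
    """Add one point per weak signal, two for a Windows-sounding name outside the system roots."""
    img = entry.image.lower()
    if any(marker in img for marker in USER_PROFILE_MARKERS):
        entry.score += 1
        entry.reasons.append('binary lives under a user profile path')
    if ' ' in entry.image and not entry.command.strip().startswith('"'):
        entry.score += 1
        entry.reasons.append('unquoted path containing spaces')
    if '\\' not in entry.image:
        entry.score += 1
        entry.reasons.append('bare file name, resolved through the search path')
    if entry.name.lower().startswith(('windows', 'microsoft')) and not SYSTEM_ROOT_RE.match(img):
        entry.score += 2
        entry.reasons.append('name imitates a Windows component but binary sits outside Windows/Program Files')
    return entry

def triage(lines):
    """Parse every O4 line, score it and return the entries most suspicious first."""
    entries = [assess(e) for e in map(parse_o4, lines) if e is not None]
    return sorted(entries, key=lambda e: e.score, reverse=True)
```

A "review" verdict (Google Update's per-user installer, the bare "nwiz.exe") is a prompt to check the vendor, not a finding; only the disguised Run value scores high on several signals at once.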

Re: Google Redirect Virus

Post by NonSuch » May 24th, 2009, 4:43 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California