Google searches redirected, cannot change hosts file

Post by nigel08 » December 12th, 2009, 11:32 pm

I recently accidentally ran a suspicious program that I found on the Internet and it gave me a ton of problems, including redirecting my searches when I use Google. After cleaning up with Malwarebytes' Anti-Malware, my anti-virus program, and Spybot there is still a lingering issue where my hosts file located in C:\WINDOWS\System32\drivers\etc\hosts is filled with a whole bunch of stuff besides the normal 'localhost' entry. Spybot cannot access this file and I can't save over it myself; trying to delete or rename it from the command prompt results in "The system cannot find the file specified".

My situation seems to be exactly the same as a previous user in this thread: http://forums.spybot.info/showthread.php?p=351278

Same messages from HijackThis as the previous user reported. I followed the same instructions, including running ComboFix with no issues, but I will post the logs here. Hopefully someone can help me get rid of the search redirecting! I think that's the only virus/malware that's left...

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:37:45, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
E:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Nigel Menger\Application Data\SystemProc\lsass.exe
C:\Documents and Settings\Nigel Menger\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 95.211.99.112 google.ae
O1 - Hosts: 95.211.99.112 google.as
O1 - Hosts: 95.211.99.112 google.at
O1 - Hosts: 95.211.99.112 google.az
O1 - Hosts: 95.211.99.112 google.ba
O1 - Hosts: 95.211.99.112 google.be
O1 - Hosts: 95.211.99.112 google.bg
O1 - Hosts: 95.211.99.112 google.bs
O1 - Hosts: 95.211.99.112 google.ca
O1 - Hosts: 95.211.99.112 google.cd
O1 - Hosts: 95.211.99.112 google.com.gh
O1 - Hosts: 95.211.99.112 google.com.hk
O1 - Hosts: 95.211.99.112 google.com.jm
O1 - Hosts: 95.211.99.112 google.com.mx
O1 - Hosts: 95.211.99.112 google.com.my
O1 - Hosts: 95.211.99.112 google.com.na
O1 - Hosts: 95.211.99.112 google.com.nf
O1 - Hosts: 95.211.99.112 google.com.ng
O1 - Hosts: 95.211.99.112 google.ch
O1 - Hosts: 95.211.99.112 google.com.np
O1 - Hosts: 95.211.99.112 google.com.pr
O1 - Hosts: 95.211.99.112 google.com.qa
O1 - Hosts: 95.211.99.112 google.com.sg
O1 - Hosts: 95.211.99.112 google.com.tj
O1 - Hosts: 95.211.99.112 google.com.tw
O1 - Hosts: 95.211.99.112 google.dj
O1 - Hosts: 95.211.99.112 google.de
O1 - Hosts: 95.211.99.112 google.dk
O1 - Hosts: 95.211.99.112 google.dm
O1 - Hosts: 95.211.99.112 google.ee
O1 - Hosts: 95.211.99.112 google.fi
O1 - Hosts: 95.211.99.112 google.fm
O1 - Hosts: 95.211.99.112 google.fr
O1 - Hosts: 95.211.99.112 google.ge
O1 - Hosts: 95.211.99.112 google.gg
O1 - Hosts: 95.211.99.112 google.gm
O1 - Hosts: 95.211.99.112 google.gr
O1 - Hosts: 95.211.99.112 google.ht
O1 - Hosts: 95.211.99.112 google.ie
O1 - Hosts: 95.211.99.112 google.im
O1 - Hosts: 95.211.99.112 google.in
O1 - Hosts: 95.211.99.112 google.it
O1 - Hosts: 95.211.99.112 google.ki
O1 - Hosts: 95.211.99.112 google.la
O1 - Hosts: 95.211.99.112 google.li
O1 - Hosts: 95.211.99.112 google.lv
O1 - Hosts: 95.211.99.112 google.ma
O1 - Hosts: 95.211.99.112 google.ms
O1 - Hosts: 95.211.99.112 google.mu
O1 - Hosts: 95.211.99.112 google.mw
O1 - Hosts: 95.211.99.112 google.nl
O1 - Hosts: 95.211.99.112 google.no
O1 - Hosts: 95.211.99.112 google.nr
O1 - Hosts: 95.211.99.112 google.nu
O1 - Hosts: 95.211.99.112 google.pl
O1 - Hosts: 95.211.99.112 google.pn
O1 - Hosts: 95.211.99.112 google.pt
O1 - Hosts: 95.211.99.112 google.ro
O1 - Hosts: 95.211.99.112 google.ru
O1 - Hosts: 95.211.99.112 google.rw
O1 - Hosts: 95.211.99.112 google.sc
O1 - Hosts: 95.211.99.112 google.se
O1 - Hosts: 95.211.99.112 google.sh
O1 - Hosts: 95.211.99.112 google.si
O1 - Hosts: 95.211.99.112 google.sm
O1 - Hosts: 95.211.99.112 google.sn
O1 - Hosts: 95.211.99.112 google.st
O1 - Hosts: 95.211.99.112 google.tl
O1 - Hosts: 95.211.99.112 google.tm
O1 - Hosts: 95.211.99.112 google.tt
O1 - Hosts: 95.211.99.112 google.us
O1 - Hosts: 95.211.99.112 google.vu
O1 - Hosts: 95.211.99.112 google.ws
O1 - Hosts: 95.211.99.112 google.co.ck
O1 - Hosts: 95.211.99.112 google.co.id
O1 - Hosts: 95.211.99.112 google.co.il
O1 - Hosts: 95.211.99.112 google.co.in
O1 - Hosts: 95.211.99.112 google.co.jp
O1 - Hosts: 95.211.99.112 google.co.kr
O1 - Hosts: 95.211.99.112 google.co.ls
O1 - Hosts: 95.211.99.112 google.co.ma
O1 - Hosts: 95.211.99.112 google.co.nz
O1 - Hosts: 95.211.99.112 google.co.tz
O1 - Hosts: 95.211.99.112 google.co.ug
O1 - Hosts: 95.211.99.112 google.co.uk
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: gwprimawega - {f2c1cbd0-20b1-4ff3-e092-48cbab0e8486} - C:\WINDOWS\system32\X_J-y2ICkx.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [System Defender] "C:\Documents and Settings\All Users\Application Data\239710a\WS2397.exe" /s /d
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nigel Menger\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Nigel Menger\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1454471165-1292428093-725345543-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-U ... E_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c9a8e9f3bc8738) (gupdate1c9a8e9f3bc8738) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

--
End of file - 12269 bytes

ComboFix log:

ComboFix 09-12-11.05 - Nigel Menger 12/12/2009 21:48:31.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1705 [GMT -5:00]
Running from: c:\documents and settings\Nigel Menger\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Nigel Menger\Application Data\System Defender
c:\documents and settings\Nigel Menger\Application Data\System Defender\cookies.sqlite
c:\documents and settings\Nigel Menger\Application Data\System Defender\Instructions.ini
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\system32\9PhmWpCKLSMr-Q.exe
c:\windows\system32\net.net
c:\windows\system32\tmp.reg
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-13 00:58 . 2009-12-13 00:58 -------- d-----w- c:\program files\Trend Micro
2009-12-12 22:47 . 2009-12-12 22:47 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSUUHRRJD_APDM
2009-12-12 22:47 . 2009-12-12 22:47 -------- d-sh--w- c:\documents and settings\Nigel Menger\Application Data\SystemProc
2009-12-12 22:47 . 2009-12-12 22:47 58880 --sh--w- c:\documents and settings\Nigel Menger\Application Data\SystemProc\lsass.exe
2009-11-26 23:16 . 2009-12-12 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-26 23:16 . 2009-11-26 23:16 -------- d-----w- c:\documents and settings\Nigel Menger\Application Data\Yahoo!
2009-11-26 23:16 . 2009-11-26 23:16 -------- d-----w- c:\program files\Yahoo!
2009-11-26 23:16 . 2009-11-26 23:16 -------- d-----w- c:\program files\CCleaner
2009-11-26 23:15 . 2009-12-13 00:26 -------- d-----w- c:\program files\DivX
2009-11-26 23:15 . 2009-11-26 23:15 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-22 19:08 . 2009-11-22 19:08 -------- d-----w- C:\extension
2009-11-19 11:49 . 2009-11-19 11:49 1183744 ----a-w- c:\windows\system32\X_J-y2ICkx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 22:51 . 2008-08-30 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-12 21:52 . 2008-12-17 19:10 -------- d-----w- c:\program files\Full Tilt Poker
2009-12-12 21:51 . 2008-08-30 12:26 -------- d-----w- c:\program files\PokerStars
2009-12-12 12:30 . 2009-03-19 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-03 00:14 . 2009-03-19 23:24 -------- d-----w- c:\program files\Google
2009-11-16 23:57 . 2008-10-05 20:00 -------- d-----w- c:\documents and settings\Nigel Menger\Application Data\uTorrent
2009-11-09 04:12 . 2008-08-31 13:56 -------- d-----w- c:\program files\Java
2009-11-09 04:12 . 2009-11-09 04:12 152576 ----a-w- c:\documents and settings\Nigel Menger\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 21:12 . 2008-08-30 13:00 -------- d-----w- c:\documents and settings\Nigel Menger\Application Data\Apple Computer
2009-10-27 20:49 . 2009-10-27 20:48 -------- d-----w- c:\program files\iTunes
2009-10-27 20:49 . 2009-10-27 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-27 20:48 . 2009-10-27 20:48 -------- d-----w- c:\program files\iPod
2009-10-27 20:48 . 2008-08-30 12:58 -------- d-----w- c:\program files\Common Files\Apple
2009-10-27 20:47 . 2009-10-27 20:47 -------- d-----w- c:\program files\Bonjour
2009-10-27 20:47 . 2009-10-27 20:46 -------- d-----w- c:\program files\QuickTime
2009-10-27 20:44 . 2009-10-27 20:44 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-24 17:49 . 2008-10-12 15:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 23:11 . 2008-08-30 14:32 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-15 22:32 . 2009-04-05 17:42 -------- d-----w- c:\program files\Microsoft
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2008-11-10 09:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-19 11:49 . 2009-12-12 22:47 1261568 ----a-w- c:\program files\mozilla firefox\components\v68XHj_6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f2c1cbd0-20b1-4ff3-e092-48cbab0e8486}]
2009-11-19 11:49 1183744 ----a-w- c:\windows\system32\X_J-y2ICkx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="e:\spybot - search & destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-19 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Nigel Menger\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-11 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Nigel Menger\Application Data\SystemProc\lsass.exe" [2009-12-12 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-01-20 07:09 200704 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Nigel Menger\\Desktop\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Maple 13\\jre\\bin\\maple.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Games\\Magic\\Manalink.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

S2 gupdate1c9a8e9f3bc8738;Google Update Service (gupdate1c9a8e9f3bc8738);c:\program files\Google\Update\GoogleUpdate.exe [19/03/2009 6:25 PM 133104]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [19/09/2008 2:03 AM 65536]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nigel Menger\Application Data\Mozilla\Firefox\Profiles\anqe58ll.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\Mozilla Firefox\components\v68XHj_6.dll
FF - plugin: c:\documents and settings\Nigel Menger\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-System Defender - c:\documents and settings\All Users\Application Data\239710a\WS2397.exe
AddRemove-9PhmWpCKLSMr-Q - c:\windows\system32\9PhmWpCKLSMr-Q.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-12 21:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Nigel Menger\Application Data\SystemProc\lsass.exe???????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-12 21:52:58
ComboFix-quarantined-files.txt 2009-12-13 02:52

Pre-Run: 60,701,515,776 bytes free
Post-Run: 60,680,269,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1B028F70C1C278F15FC81130A434332C


Thanks for your help and Merry Christmas!
Nigel
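The O1 lines in the HijackThis log above are the signature of a hosts-file hijack: dozens of Google country domains pinned to one public address, and a second cluster of payment, Safe Browsing and Microsoft update hostnames pinned to another, which is exactly what turns "my searches are redirected" into a persistent problem that survives an anti-malware scan. As an added example, not part of the original post and not code from HijackThis, ComboFix or any other tool named in the thread, the Python below parses either raw hosts-file lines or HijackThis "O1 - Hosts:" lines, groups hostnames by the address they are pinned to, and reports every public-address group that either hijacks a watched domain or pins several names to one address. The sample lines are constructed to mirror the log; the watch-list of name fragments is an assumption made for the example, not an authoritative list.

```python
"""Audit hosts-file entries for the redirection pattern seen in the log above.

Added example (not from the original post or any tool it names). Accepts raw
hosts-file lines or HijackThis "O1 - Hosts:" lines, groups hostnames by target
address, and reports clusters and hijacks of watched domains.
"""
import ipaddress
import re
from collections import defaultdict

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")

# Assumed watch-list for the example: name fragments that should never resolve
# to a public address via the hosts file (search, update and AV vendors).
WATCH = ("google", "microsoft", "safebrowsing", "symantec", "mcafee",
         "kaspersky", "avast", "malwarebytes", "spybot")

# Constructed sample mirroring the O1 entries in the HijackThis log above.
SAMPLE_LOG = """\
# constructed sample; one hijack cluster per public address
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 67.215.245.21 www.google-analytics.com
O1 - Hosts: 95.211.99.112 google.ca
O1 - Hosts: 95.211.99.112 google.de
O1 - Hosts: 95.211.99.112 google.co.uk
127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # ad-block sinkhole, benign
"""


def parse_hosts_line(line):
    """Return (ip_address, [hostnames]) or None for blank, comment or junk lines."""
    body = O1_PREFIX.sub("", line.strip()).split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    try:
        target = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    return target, [h.lower() for h in fields[1:]]


def is_benign_target(target):
    """Loopback and 0.0.0.0 are the only addresses a hosts file should normally pin names to."""
    return target.is_loopback or target.is_unspecified


def audit_hosts(lines, cluster_threshold=3):
    """Group hostnames by target address and return suspicious groups, largest first.

    A group is reported when it pins a watched domain to a public address, or
    when it pins at least `cluster_threshold` names to one public address.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        target, hosts = parsed
        by_ip[target].extend(hosts)

    findings = []
    for target, hosts in by_ip.items():
        if is_benign_target(target):
            continue
        names = sorted(set(hosts))
        watched = [h for h in names if any(w in h for w in WATCH)]
        reasons = []
        if len(names) >= cluster_threshold:
            reasons.append(f"{len(names)} hostnames pinned to one public address")
        if watched:
            reasons.append("hijacks " + ", ".join(watched[:3]))
        if reasons:
            findings.append({"ip": str(target), "hostnames": names, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["hostnames"]))


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']:>15}  {'; '.join(f['reasons'])}")
```

Run it against a pasted HijackThis log or against the hosts file itself; both line shapes parse, and loopback or 0.0.0.0 sinkhole entries (normal for ad blockers) are skipped. One caveat that matters for this particular thread: the audit is only as trustworthy as the view of the file system it runs on. The poster cannot rename a file that the log plainly shows exists, and ComboFix reports an infected atapi.sys, so the running system's view of C:\WINDOWS\System32\drivers\etc\hosts cannot be taken at face value; read the file from a clean boot environment before deciding it is fixed.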

Re: Google searches redirected, cannot change hosts file

Post by MWR 3 day Mod » December 17th, 2009, 1:34 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Google searches redirected, cannot change hosts file

Post by NonSuch » December 21st, 2009, 10:40 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.