Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Redirect


Re: Google Redirect

Post by deltalima » September 6th, 2010, 1:59 pm

Hi SDub2032,

I am seeking further advice as to how to proceed with this and will get back to you soon.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by SDub2032 » September 6th, 2010, 2:05 pm

Thanks deltalima,
I was wondering, is this quite a major problem? And is there any way to know where it came from or what caused it, so I know what to avoid in future?
SDub2032
Regular Member
Posts: 17
Joined: September 3rd, 2010, 7:14 pm

Re: Google Redirect

Post by deltalima » September 6th, 2010, 2:30 pm

SDub2032 wrote: I was wondering, is this quite a major problem? And is there any way to know where it came from or what caused it?

It needs to be fixed; if we can't fix it, then I would recommend a reformat of the computer. It is difficult to say where it came from, but those infected downloaded music files are a likely source.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by deltalima » September 6th, 2010, 3:08 pm

Hi SDub2032,

Please go here and click Download to download the Windows XP Service Pack 2 Network Installation Package, and save the file. I will get back to you later with further instructions.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by deltalima » September 6th, 2010, 3:45 pm

Hi SDub2032,

If any of these instructions are unclear please ask before continuing.

  • Now use Windows Explorer to create a folder called sp2 in the root of drive C:
  • Move the service pack install file into that folder
  • Open a command prompt window (Start – Run – cmd)
  • At the command prompt:
  • Type C: and press Enter
  • Type cd \sp2 and press Enter
  • Type WindowsXP-KB835935-SP2-ENU.exe -x:c:\sp2 and press Enter
  • This should now extract the service pack files into that folder; if it tries to do anything else, cancel and let me know.
  • Type cd i386 and press Enter
  • Type expand winlogon.ex_ winlogon.exe and press Enter
  • Type exit and press Enter to close the command console

Now use Windows Explorer to navigate to the folder c:\sp2\i386 and locate the file winlogon.exe. Right click and select Copy.

Now navigate to the folder c:\windows\system32\dllcache and paste in the file you copied.

Next run Combofix again and post the log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by SDub2032 » September 6th, 2010, 4:36 pm

Hi, I did everything you said in the instructions. The scan finished on ComboFix, then it restarted the computer. It took me to the log-in screen, I put my password in on the username, and then it came up with a big blue screen saying something about a Fatal Error (the same as last time). I turned it off and on again and it worked and opened up the log:

ComboFix 10-09-06.02 - Owner 09/06/2010 15:16:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.639 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-09-06 20:08 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-09-06 19:58 . 2010-09-06 20:03 -------- d-----w- C:\sp2
2010-09-06 15:26 . 2010-09-06 15:26 -------- d-----w- C:\_OTL
2010-09-06 11:44 . 2010-09-06 11:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-06 11:44 . 2010-09-06 11:44 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\msvcp71.dll
2010-09-06 11:44 . 2010-09-06 11:44 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\jmc.dll
2010-09-06 11:44 . 2010-09-06 11:44 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\msvcr71.dll
2010-09-06 11:44 . 2010-09-06 11:44 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3660a6f6-n\decora-sse.dll
2010-09-06 11:44 . 2010-09-06 11:44 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3660a6f6-n\decora-d3d.dll
2010-09-06 11:44 . 2010-09-06 11:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:08 . 2010-09-03 23:08 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-03 23:08 . 2010-09-03 23:08 -------- d-----w- c:\program files\Trend Micro
2010-09-03 21:23 . 2004-08-04 05:56 23552 -c--a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-09-03 21:23 . 2004-08-04 05:56 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-09-03 21:16 . 2010-09-03 21:16 -------- d-----w- C:\_OTM
2010-09-01 14:37 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-09-01 14:37 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-09-01 14:37 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-09-01 14:37 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-09-01 14:37 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-09-01 14:37 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-08-28 22:40 . 2010-08-28 22:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-28 20:06 . 2009-11-11 12:26 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-08-28 20:06 . 2009-11-11 12:26 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-08-28 20:03 . 2010-08-28 20:03 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-28 20:03 . 2010-08-28 20:03 84480 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-08-28 20:03 . 2010-08-28 20:03 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2010-08-20 19:34 . 2010-08-20 19:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-08-19 21:31 . 2010-08-19 21:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-12 15:59 . 2010-09-06 10:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 15:59 . 2010-09-06 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-10 21:40 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 21:40 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 21:20 . 2010-08-10 21:20 -------- d-----w- C:\39a3b5f57eeccf5fabfa
2010-08-10 21:18 . 2010-08-10 21:18 -------- d-----w- C:\0c2e2e01440008a243ceb5adf9
2010-08-10 20:05 . 2010-08-10 22:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-10 19:12 . 2010-08-25 21:05 120 ----a-w- c:\windows\Khebirewapanuvaz.dat
2010-08-10 19:12 . 2010-08-25 12:07 0 ----a-w- c:\windows\Ymigobel.bin
2010-08-10 18:49 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\iiahuxpfn
2010-08-10 18:49 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\xgjjttnaa
2010-08-10 18:48 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Application Data\1EB04BB0A0261C3CCE50398692309223
2010-08-10 17:45 . 2010-08-10 17:45 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 11:43 . 2006-05-09 04:48 -------- d-----w- c:\program files\Java
2010-09-06 10:21 . 2005-06-22 12:07 40320 ----a-w- c:\windows\system32\drivers\ql1080.sys
2010-09-04 10:45 . 2006-05-09 04:45 -------- d-----w- c:\program files\Google
2010-09-03 23:10 . 2006-07-25 08:09 36816 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-31 13:48 . 2009-08-24 17:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-24 17:01 . 2005-10-28 02:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Isyvq
2010-08-24 08:47 . 2009-05-22 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-19 21:35 . 2005-08-14 10:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sydu
2010-08-19 21:35 . 2010-08-19 21:35 8 ----a-w- c:\windows\system32\config\systemprofile\Application Data\pnmfzy.dat
2010-08-17 21:42 . 2007-10-10 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-08-12 16:12 . 2009-02-03 19:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Kyuh
2010-08-11 17:58 . 2010-07-12 08:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Pyku
2010-08-02 21:38 . 2009-03-01 12:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-07-09 16:47 . 2009-03-01 12:08 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-06-25 07:37 . 2010-06-25 07:37 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-06-14 14:30 . 2005-06-22 10:29 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 . 496903C2892759B902EE0DC7C56B805F . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 6B7DA0EBB2C439AEB4AD21D87F774A2C . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 . C59C3671DE1D07F89429D7B2848C94FF . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2008-10-01 07:40 192960 ------w- c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-30 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-10-31 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-10-31 54576]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 05:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-29 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2004-10-15 18:27 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snippet]
2005-02-25 20:20 68296 ----a-w- c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-05 14:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-05 14:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
2004-08-04 12:00 16384 ----a-w- c:\windows\Help\splshwrp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2009 5:34 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2009 5:34 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 10:20 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 10:20 AM 297752]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [5/8/2006 11:40 PM 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [5/8/2006 11:40 PM 9600]
S0 psffw;psffw; [x]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 10:25 PM 69692]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [8/5/2006 12:37 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [8/5/2006 12:37 PM 44928]
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} - hxxp://download.signgate.com/download/c ... taller.cab
DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g3letwqi.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 15:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\npkcmsvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\tabbtnu.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-06 15:31:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 20:31
ComboFix2.txt 2010-09-06 16:57

Pre-Run: 50,412,916,736 bytes free
Post-Run: 50,399,309,824 bytes free

- - End Of File - - 56FB67E93D0AFA788E327E5C19E605E4
SDub2032
Regular Member
Posts: 17
Joined: September 3rd, 2010, 7:14 pm
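The Sigcheck section of the log above is what the rest of this thread's repair plan rests on. ComboFix lists, for every copy of winlogon.exe and explorer.exe it can find, the MD5, size and version. The system32 copy of winlogon.exe and the dllcache copy have the same version (5.1.2600.2180) and the same size (502272 bytes); only the MD5 differs. The same holds for c:\windows\explorer.exe against the c:\windows\$hf_mig$\KB938828\SP2QFE copy. A size or version check alone would not have caught either file. The following Python script is an added example, not code from the thread or from ComboFix: it parses those exact Sigcheck lines, groups entries by file name and version, and flags any copy in a live location whose hash does not match a same-version copy held in a backup store. Which directories count as backup stores (dllcache, $hf_mig$, $NtUninstall*, SoftwareDistribution\Download) is my assumption, and the leading [-]/[7] marker is carried through without being interpreted.

```python
import re
from collections import defaultdict, namedtuple

# Sigcheck lines copied verbatim from the first ComboFix log posted in this thread.
SIGCHECK_LOG = r"""
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 . 496903C2892759B902EE0DC7C56B805F . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 6B7DA0EBB2C439AEB4AD21D87F774A2C . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 . C59C3671DE1D07F89429D7B2848C94FF . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
"""

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

Entry = namedtuple("Entry", "flag date md5 size version path")
Finding = namedtuple(
    "Finding", "name version live_path live_md5 reference_path reference_md5"
)

# Assumption: these directories hold pristine copies Windows keeps for repair,
# so a live copy is compared against them rather than the other way round.
BACKUP_STORE_MARKERS = (
    "\\dllcache\\",
    "\\$hf_mig$\\",
    "\\$ntuninstall",
    "\\softwaredistribution\\download\\",
)


def is_backup_store(path):
    """True when the path lies in one of the assumed known-good stores."""
    lowered = path.lower()
    return any(marker in lowered for marker in BACKUP_STORE_MARKERS)


def basename(path):
    """Last component of a Windows path, lower-cased for grouping."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text):
    """Turn the Sigcheck block into Entry records; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(Entry(match["flag"], match["date"], match["md5"].upper(),
                                 int(match["size"]), match["version"], match["path"]))
    return entries


def find_mismatches(entries):
    """Flag live copies whose MD5 matches no backup-store copy of the same version.

    Grouping by (name, version) keeps the SP3 copies under SoftwareDistribution
    (version x.5512) from being compared against the installed SP2 binaries.
    """
    groups = defaultdict(list)
    for entry in entries:
        groups[(basename(entry.path), entry.version)].append(entry)

    findings = []
    for (name, version), group in groups.items():
        references = [e for e in group if is_backup_store(e.path)]
        live = [e for e in group if not is_backup_store(e.path)]
        if not references or not live:
            continue  # nothing to compare against
        reference_hashes = {e.md5 for e in references}
        for entry in live:
            if entry.md5 not in reference_hashes:
                ref = references[0]
                findings.append(Finding(name, version, entry.path, entry.md5,
                                        ref.path, ref.md5))
    return findings


def report(text):
    """Human-readable lines, one per mismatch, for pasting back into a reply."""
    return [
        "%s [%s]: %s (%s) differs from backup copy %s (%s)"
        % (f.name, f.version, f.live_path, f.live_md5, f.reference_path, f.reference_md5)
        for f in find_mismatches(parse_sigcheck(text))
    ]


if __name__ == "__main__":
    for line in report(SIGCHECK_LOG):
        print(line)
```

Run against the log above this flags exactly the two files ComboFix complained about: winlogon.exe in system32 and explorer.exe in c:\windows. A mismatch only says the two copies are not byte-identical; it is the cue to replace the live file from a source you trust, which is why the thread rebuilds dllcache\winlogon.exe from the downloaded SP2 package rather than trusting whatever dllcache held before. MD5 is adequate here because you are comparing your own candidate against a copy you just obtained, not defending against an adversary crafting collisions.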

Re: Google Redirect

Post by deltalima » September 6th, 2010, 5:05 pm

Hi SDub2032,

Still being advised as to the next step, will be back as soon as possible.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by deltalima » September 7th, 2010, 4:23 am

Hi SDub2032,

Process Explorer
Please download Process Explorer by Mark Russinovich.
Save it to your desktop.
  1. Right click on ProcessExplorer.zip and select "Extract All"....
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  3. Click on the Browse...button, then click on Desktop, then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Double click procexp.exe to run Process Explorer.
  6. In the top window... find the Process (below) in the list of Processes:
    Winlogon.exe
  7. Right click on the identified process... choose Suspend.

Now open a command prompt window - (start – run – cmd)

Type move c:\windows\system32\winlogon.exe C:\Winlogon.bad and press enter
Type copy c:\windows\system32\dllcache\winlogon.exe c:\windows\system32\winlogon.exe and press enter

Use Windows Explorer to navigate to the file c:\windows\explorer.exe

Right click on the file and select copy

Paste a copy into the root folder of drive C:

Use Windows Explorer to navigate to the file c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

Right click on the file and select copy

Paste a copy into the folder c:\windows

Now you will need to reboot by removing power from the computer (remove the battery if a laptop).

Reboot and run a new scan with Combofix and post the log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by SDub2032 » September 7th, 2010, 6:11 am

deltalima wrote: Hi SDub2032,

Process Explorer

Right click on the file and select copy

Paste a copy into the root folder of drive C:

Use Windows Explorer to navigate to the file c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

Right click on the file and select copy

Paste a copy into the folder c:\windows


Hi, I have a question about this step. I have done everything that you have said up to this and it worked, but then maybe I am doing something wrong. I pasted the copy into the root folder of drive C: (I assume that means paste it in C:, which I did). I then found the explorer.exe file in the $hf... folder (which is written in light blue for some reason) and copied it, but when I pasted it into the Windows folder it said there is already one there (the one from earlier, I assume). I had the option to either overwrite or cancel; I tried overwrite but it said I can't as it's in use. Did I do something wrong?
SDub2032
Regular Member
Posts: 17
Joined: September 3rd, 2010, 7:14 pm

Re: Google Redirect

Post by deltalima » September 7th, 2010, 6:22 am

Let me check.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by deltalima » September 7th, 2010, 6:54 am

Hi SDub2032,

Amended instructions:

Use Windows Explorer to navigate to the file c:\windows\explorer.exe

Click on explorer.exe then drag it and drop it into the root folder of drive C:

Use Windows Explorer to navigate to the file c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

Right click on the file and select copy

Paste a copy into the folder c:\windows

Now you will need to reboot by removing power from the computer (remove the battery if a laptop).

Reboot and run a new scan with Combofix and post the log in your next reply.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Google Redirect

Post by SDub2032 » September 7th, 2010, 8:45 am

Hi deltalima, I think I did everything okay. Here is the log:
ComboFix 10-09-06.04 - Owner 09/07/2010 7:29.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.558 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 12:14 . 2007-06-13 11:26 1033216 ----a-w- c:\windows\explorer.exe
2010-09-07 10:01 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32.winlogon.exe
2010-09-06 20:08 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-09-06 19:58 . 2010-09-06 20:03 -------- d-----w- C:\sp2
2010-09-06 15:26 . 2010-09-06 15:26 -------- d-----w- C:\_OTL
2010-09-06 11:44 . 2010-09-06 11:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-06 11:44 . 2010-09-06 11:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:08 . 2010-09-03 23:08 -------- d-----w- c:\program files\Trend Micro
2010-09-03 21:23 . 2004-08-04 05:56 23552 -c--a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-09-03 21:23 . 2004-08-04 05:56 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-09-03 21:16 . 2010-09-03 21:16 -------- d-----w- C:\_OTM
2010-09-01 14:37 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-09-01 14:37 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-09-01 14:37 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-09-01 14:37 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-09-01 14:37 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-09-01 14:37 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-08-28 22:40 . 2010-08-28 22:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-28 20:06 . 2009-11-11 12:26 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-08-28 20:06 . 2009-11-11 12:26 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-08-28 20:03 . 2010-08-28 20:03 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-28 20:03 . 2010-08-28 20:03 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2010-08-20 19:34 . 2010-08-20 19:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-08-19 21:31 . 2010-08-19 21:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-12 15:59 . 2010-09-06 10:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 15:59 . 2010-09-06 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-10 21:40 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 21:40 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 21:20 . 2010-08-10 21:20 -------- d-----w- C:\39a3b5f57eeccf5fabfa
2010-08-10 21:18 . 2010-08-10 21:18 -------- d-----w- C:\0c2e2e01440008a243ceb5adf9
2010-08-10 20:05 . 2010-08-10 22:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-10 19:12 . 2010-08-25 21:05 120 ----a-w- c:\windows\Khebirewapanuvaz.dat
2010-08-10 19:12 . 2010-08-25 12:07 0 ----a-w- c:\windows\Ymigobel.bin
2010-08-10 18:49 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\iiahuxpfn
2010-08-10 18:49 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\xgjjttnaa
2010-08-10 18:48 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Application Data\1EB04BB0A0261C3CCE50398692309223
2010-08-10 17:45 . 2010-08-10 17:45 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 11:44 . 2010-09-06 11:44 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\msvcp71.dll
2010-09-06 11:44 . 2010-09-06 11:44 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\jmc.dll
2010-09-06 11:44 . 2010-09-06 11:44 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\msvcr71.dll
2010-09-06 11:44 . 2010-09-06 11:44 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3660a6f6-n\decora-sse.dll
2010-09-06 11:44 . 2010-09-06 11:44 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3660a6f6-n\decora-d3d.dll
2010-09-06 11:43 . 2006-05-09 04:48 -------- d-----w- c:\program files\Java
2010-09-06 10:21 . 2005-06-22 12:07 40320 ----a-w- c:\windows\system32\drivers\ql1080.sys
2010-09-04 10:45 . 2006-05-09 04:45 -------- d-----w- c:\program files\Google
2010-09-03 23:10 . 2006-07-25 08:09 36816 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-03 23:08 . 2010-09-03 23:08 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-31 13:48 . 2009-08-24 17:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-28 20:03 . 2010-08-28 20:03 84480 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-08-24 17:01 . 2005-10-28 02:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Isyvq
2010-08-24 08:47 . 2009-05-22 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-19 21:35 . 2005-08-14 10:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sydu
2010-08-19 21:35 . 2010-08-19 21:35 8 ----a-w- c:\windows\system32\config\systemprofile\Application Data\pnmfzy.dat
2010-08-17 21:42 . 2007-10-10 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-08-12 16:12 . 2009-02-03 19:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Kyuh
2010-08-11 17:58 . 2010-07-12 08:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Pyku
2010-08-02 21:38 . 2009-03-01 12:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-07-09 16:47 . 2009-03-01 12:08 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-06-25 07:37 . 2010-06-25 07:37 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-06-14 14:30 . 2005-06-22 10:29 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 . 496903C2892759B902EE0DC7C56B805F . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 6B7DA0EBB2C439AEB4AD21D87F774A2C . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 . C59C3671DE1D07F89429D7B2848C94FF . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2008-10-01 07:40 192960 ------w- c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-30 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-10-31 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-10-31 54576]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 05:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-29 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2004-10-15 18:27 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snippet]
2005-02-25 20:20 68296 ----a-w- c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-05 14:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-05 14:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
2004-08-04 12:00 16384 ----a-w- c:\windows\Help\splshwrp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2009 5:34 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2009 5:34 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 10:20 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 10:20 AM 297752]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [5/8/2006 11:40 PM 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [5/8/2006 11:40 PM 9600]
S0 psffw;psffw; [x]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 10:25 PM 69692]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [8/5/2006 12:37 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [8/5/2006 12:37 PM 44928]
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} - hxxp://download.signgate.com/download/c ... taller.cab
DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g3letwqi.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 07:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\npkcmsvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\tabbtnu.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-07 07:43:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 12:43
ComboFix2.txt 2010-09-06 20:31
ComboFix3.txt 2010-09-06 16:57

Pre-Run: 50,299,850,752 bytes free
Post-Run: 50,286,194,688 bytes free

- - End Of File - - C1CA446F74098700A64000D6444AB27C
SDub2032
Regular Member
 
Posts: 17
Joined: September 3rd, 2010, 7:14 pm

Re: Google Redirect

Unread postby deltalima » September 7th, 2010, 9:19 am

Hi SDub2032,

OK, let's alter those instructions slightly and run again.

Process Explorer

  • Double click procexp.exe to run Process Explorer.
  • In the top window... find the Process (below) in the list of Processes:
    Winlogon.exe
  • Right click on the identified process... choose Suspend.

Now open a command prompt window - (start – run – cmd)

Type move c:\windows\system32\winlogon.exe C:\Winlogon.bad1 and press enter
Type copy c:\sp2\i386\winlogon.exe c:\windows\system32\winlogon.exe and press enter

Use Windows Explorer to navigate to the file c:\windows\explorer.exe

Click on explorer.exe then drag it and drop it into the root folder of drive C:

Use Windows Explorer to navigate to the file c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

Right click on the file and select copy

Paste a copy into the folder c:\windows

Now you will need to reboot by removing power from the computer (remove the battery if a laptop).

Reboot and run a new scan with Combofix and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
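An added example, not code from this thread or from ComboFix, showing the check behind the replace steps above: it parses the Sigcheck block of the ComboFix log posted earlier and flags files whose copies share a version string and byte size but carry different MD5s, the pattern of a system binary patched in place (a real update changes version and size too). The line layout is assumed from the log lines quoted as sample input; the leading [-]/[7] markers are carried through without interpretation.

```python
"""Flag system binaries whose copies disagree in a ComboFix Sigcheck block.

Assumed line format (taken from the log lines in this thread):
    [flag] YYYY-MM-DD . MD5 . size . . [version] . . path
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the Sigcheck lines from the ComboFix log posted
# above, embedded here so the script runs offline.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 . 496903C2892759B902EE0DC7C56B805F . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-04 . 6B7DA0EBB2C439AEB4AD21D87F774A2C . 502272 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 . C59C3671DE1D07F89429D7B2848C94FF . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
"""


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str      # ComboFix's marker ("-" or "7"), kept exactly as printed
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        """File name only, lower-cased, so copies in different folders group together."""
        return self.path.rsplit("\\", 1)[-1].lower()


LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# One finding = all copies of a file that share version and size.
GroupKey = Tuple[str, str, int]
Finding = Dict[str, object]


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Parse every Sigcheck line; blank lines and anything else are skipped."""
    entries: List[SigcheckEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(SigcheckEntry(
            flag=m["flag"], date=m["date"], md5=m["md5"].upper(),
            size=int(m["size"]), version=m["version"], path=m["path"]))
    return entries


def find_patched_binaries(entries: List[SigcheckEntry]) -> Dict[GroupKey, Finding]:
    """Group copies by (name, version, size) and keep groups with more than one MD5.

    Same version and size but a different hash cannot come from an update,
    so one of the copies has been modified in place.
    """
    groups: Dict[GroupKey, List[SigcheckEntry]] = defaultdict(list)
    for e in entries:
        groups[(e.name, e.version, e.size)].append(e)
    findings: Dict[GroupKey, Finding] = {}
    for key, copies in groups.items():
        if len({c.md5 for c in copies}) > 1:
            findings[key] = {
                "version": key[1],
                "size": key[2],
                "copies": [(c.path, c.md5) for c in copies],
            }
    return findings


def report(findings: Dict[GroupKey, Finding]) -> List[str]:
    """Render findings as text lines: one header per file, one line per copy."""
    lines: List[str] = []
    for name, version, size in sorted(findings):
        f = findings[(name, version, size)]
        copies = f["copies"]
        lines.append(f"{name} {version} ({size} bytes): "
                     f"{len(copies)} copies with differing MD5")
        for path, md5 in copies:
            lines.append(f"    {md5}  {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_patched_binaries(parse_sigcheck(SIGCHECK_SAMPLE)))))
```

On the sample it reports exactly the two files the post above replaces, winlogon.exe (system32 copy differs from dllcache) and explorer.exe (c:\windows copy differs from the $hf_mig$ copy).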

Re: Google Redirect

Unread postby SDub2032 » September 7th, 2010, 9:53 am

Hi, for the first time Combofix didn't restart the computer and so it didn't do the blue screen with the 'Fatal Error' message, which is a relief as that scares me every time!

ComboFix 10-09-06.04 - Owner 09/07/2010 8:42.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.440 [GMT -5:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 13:34 . 2007-06-13 11:26 1033216 ----a-w- c:\windows\explorer.exe
2010-09-07 13:32 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32\winlogon.exe
2010-09-07 10:01 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32.winlogon.exe
2010-09-06 20:08 . 2004-08-04 05:56 502272 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-09-06 19:58 . 2010-09-06 20:03 -------- d-----w- C:\sp2
2010-09-06 15:26 . 2010-09-06 15:26 -------- d-----w- C:\_OTL
2010-09-06 11:44 . 2010-09-06 11:44 -------- d-----w- c:\program files\Common Files\Java
2010-09-06 11:44 . 2010-09-06 11:44 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\msvcp71.dll
2010-09-06 11:44 . 2010-09-06 11:44 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\jmc.dll
2010-09-06 11:44 . 2010-09-06 11:44 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2b9c3cad-n\msvcr71.dll
2010-09-06 11:44 . 2010-09-06 11:44 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3660a6f6-n\decora-sse.dll
2010-09-06 11:44 . 2010-09-06 11:44 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3660a6f6-n\decora-d3d.dll
2010-09-06 11:44 . 2010-09-06 11:43 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 23:08 . 2010-09-03 23:08 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-03 23:08 . 2010-09-03 23:08 -------- d-----w- c:\program files\Trend Micro
2010-09-03 21:23 . 2004-08-04 05:56 23552 -c--a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-09-03 21:23 . 2004-08-04 05:56 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-09-03 21:16 . 2010-09-03 21:16 -------- d-----w- C:\_OTM
2010-09-01 14:37 . 2001-08-18 03:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-09-01 14:37 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-09-01 14:37 . 2001-08-18 03:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-09-01 14:37 . 2001-08-18 03:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-09-01 14:37 . 2001-08-17 19:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-09-01 14:37 . 2001-08-17 19:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-09-01 14:37 . 2001-08-17 19:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-08-28 22:40 . 2010-08-28 22:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-08-28 20:06 . 2009-11-11 12:26 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2010-08-28 20:06 . 2009-11-11 12:26 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2010-08-28 20:03 . 2010-08-28 20:03 -------- d-----w- c:\program files\SystemRequirementsLab
2010-08-28 20:03 . 2010-08-28 20:03 84480 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-08-28 20:03 . 2010-08-28 20:03 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2010-08-20 19:34 . 2010-08-20 19:34 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-08-19 21:31 . 2010-08-19 21:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-12 15:59 . 2010-09-06 10:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 15:59 . 2010-09-06 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-08-10 21:40 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 21:40 . 2010-08-10 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-10 21:40 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-10 21:20 . 2010-08-10 21:20 -------- d-----w- C:\39a3b5f57eeccf5fabfa
2010-08-10 21:18 . 2010-08-10 21:18 -------- d-----w- C:\0c2e2e01440008a243ceb5adf9
2010-08-10 20:05 . 2010-08-10 22:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-10 19:12 . 2010-08-25 21:05 120 ----a-w- c:\windows\Khebirewapanuvaz.dat
2010-08-10 19:12 . 2010-08-25 12:07 0 ----a-w- c:\windows\Ymigobel.bin
2010-08-10 18:49 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\iiahuxpfn
2010-08-10 18:49 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\xgjjttnaa
2010-08-10 18:48 . 2010-08-10 22:19 -------- d-----w- c:\documents and settings\Owner\Application Data\1EB04BB0A0261C3CCE50398692309223
2010-08-10 17:45 . 2010-08-10 17:45 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 11:43 . 2006-05-09 04:48 -------- d-----w- c:\program files\Java
2010-09-06 10:21 . 2005-06-22 12:07 40320 ----a-w- c:\windows\system32\drivers\ql1080.sys
2010-09-04 10:45 . 2006-05-09 04:45 -------- d-----w- c:\program files\Google
2010-09-03 23:10 . 2006-07-25 08:09 36816 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-31 13:48 . 2009-08-24 17:18 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-24 17:01 . 2005-10-28 02:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Isyvq
2010-08-24 08:47 . 2009-05-22 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-19 21:35 . 2005-08-14 10:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Sydu
2010-08-19 21:35 . 2010-08-19 21:35 8 ----a-w- c:\windows\system32\config\systemprofile\Application Data\pnmfzy.dat
2010-08-17 21:42 . 2007-10-10 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-08-12 16:12 . 2009-02-03 19:55 -------- d-----w- c:\documents and settings\Owner\Application Data\Kyuh
2010-08-11 17:58 . 2010-07-12 08:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Pyku
2010-08-02 21:38 . 2009-03-01 12:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-07-09 16:47 . 2009-03-01 12:08 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-06-25 07:37 . 2010-06-25 07:37 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe
2010-06-14 14:30 . 2005-06-22 10:29 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2008-10-01 07:40 192960 ------w- c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-30 68856]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-10-31 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-10-31 54576]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 05:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2006-11-01 14:18 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-29 04:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2004-10-15 18:27 385024 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snippet]
2005-02-25 20:20 68296 ----a-w- c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-11-05 14:47 688218 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-11-05 14:47 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TabletWizard]
2004-08-04 12:00 16384 ----a-w- c:\windows\Help\splshwrp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2009 5:34 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2009 5:34 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/25/2009 10:20 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/25/2009 10:20 AM 297752]
R3 FinePnt;FinePoint Innovations HID Driver;c:\windows\system32\drivers\FpHidDrv.sys [5/8/2006 11:40 PM 17280]
R3 MSTabBtn;Tablet PC Buttons HID Driver;c:\windows\system32\drivers\MSTabBtn.sys [5/8/2006 11:40 PM 9600]
S0 psffw;psffw; [x]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/21/2005 10:25 PM 69692]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [8/5/2006 12:37 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [8/5/2006 12:37 PM 44928]
.
Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E} - hxxp://download.signgate.com/download/c ... taller.cab
DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g3letwqi.default\
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 08:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-09-07 08:50:49
ComboFix-quarantined-files.txt 2010-09-07 13:50
ComboFix2.txt 2010-09-07 12:43
ComboFix3.txt 2010-09-06 20:31
ComboFix4.txt 2010-09-06 16:57

Pre-Run: 50,288,099,328 bytes free
Post-Run: 50,272,997,376 bytes free

- - End Of File - - 9B815E1A9EF33F60F381875161FFC2CB
SDub2032
Regular Member
 
Posts: 17
Joined: September 3rd, 2010, 7:14 pm

Re: Google Redirect

Post by deltalima » September 7th, 2010, 10:06 am

Hi SDub2032,

Excellent! That looks good.

Please run another scan with Kaspersky and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK