Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Redirect

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Google Redirect

Unread postby melboy » July 24th, 2011, 4:17 am

Hi darius_dax1

darius_dax1 wrote:I tried a few times (before) and have not had re-direct issues.

Great! Not long to go now. Well done so far.


SystemLook

You should still have this on your desktop.

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :file
    C:\WINDOWS\system32\termsw32.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



TFC

You should still have this on your desktop.

  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes , and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Click on scan now
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.




In your next reply:
  1. SystemLook.txt
  2. ESET log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

Re: Google Redirect

Unread postby darius_dax1 » July 24th, 2011, 10:29 am

SYSTEMLOOK


SystemLook 04.09.10 by jpshortstuff
Log created at 07:58 on 24/07/2011 by David
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\system32\termsw32.dll - Unable to find/read file.

-= EOF =-

---------------------------------------------------------------------------
ESET


C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir Win32/Adware.Yontoo application
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\Qoobox\Quarantine\C\WINDOWS\system32\6to4ex.dll.vir a variant of Win32/Routmo.N trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP461\A0126153.dll Win32/Adware.Yontoo application
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP461\A0126158.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP461\A0126163.dll a variant of Win32/Routmo.N trojan
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby melboy » July 25th, 2011, 7:54 am

Hi

Good - Let me know how things are running after following the instructions below. Only run combofix after you have uninstalled the programs if they still exist.

We should be just about done after this if you've no more problems.


Uninstall Programs

  • click on start
  • Click on control panel
  • Double click the icon add/remove programs
  • click on the first program in the list and click Remove
  • Continue through the list below (one at a time) until all programs have been removed.
  • If something isn't found, please continue with the next entry in the list.
Setup Support for ShopToWin 1.0
Yontoo Layers Client 1.10.01




COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not for everyday use.

If combofix prompts you that an update is available, please allow it to update.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Folder::
    c:\program files\Setup Support for ShopToWin
    c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
    c:\program files\yontoo layers client
    
    Driver:: 
    TermServices
    
    Registry:: 
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "termsvc"=-
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect

Unread postby darius_dax1 » July 25th, 2011, 11:52 am

ComboFix 11-07-25.02 - David 07/25/2011 10:40:06.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2337 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml
c:\program files\yontoo layers client
c:\windows\system32\searchindexer.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TERMSERVICES
-------\Service_TermServices
-------\Legacy_WSearch
-------\Service_WSearch
.
.
((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))
.
.
2011-07-24 13:05 . 2011-07-24 13:05 -------- d-----w- c:\program files\ESET
2011-07-24 12:59 . 2011-07-24 12:59 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Stardock_Corporation
2011-07-23 16:50 . 2011-07-23 16:52 -------- d-----w- c:\documents and settings\David\Application Data\Apple Computer
2011-07-23 16:50 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-23 16:50 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-07-23 16:49 . 2011-07-23 16:49 -------- d-----w- c:\program files\iPod
2011-07-23 16:49 . 2011-07-23 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-07-23 16:49 . 2011-07-23 16:50 -------- d-----w- c:\program files\iTunes
2011-07-23 16:49 . 2011-07-23 16:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-07-23 16:49 . 2011-07-23 16:49 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-07-23 16:47 . 2011-07-23 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2011-07-23 16:47 . 2011-07-23 16:50 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Apple Computer
2011-07-22 19:11 . 2011-07-22 19:11 664 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-07-22 18:02 . 2011-07-22 18:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities
2011-07-22 13:25 . 2011-07-22 13:25 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-07-22 13:25 . 2011-07-22 13:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Windows Search
2011-07-22 13:23 . 2011-07-23 16:49 -------- d-----w- c:\program files\QuickTime
2011-07-12 16:20 . 2011-07-12 16:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 16:20 . 2011-07-12 16:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 16:20 . 2011-07-12 16:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 16:20 . 2011-07-12 16:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-01 12:22 . 2011-07-01 12:22 -------- d-----w- c:\program files\Common Files\Java
2011-07-01 12:21 . 2011-07-01 12:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-01 12:21 . 2011-07-01 12:21 -------- d-----w- c:\program files\Java
2011-06-28 16:41 . 2011-06-28 16:41 -------- d-----w- c:\documents and settings\David\Application Data\vmntemplate
2011-06-27 14:02 . 2011-06-27 14:02 398760 ----a-r- c:\windows\cpnprt2.cid
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-07 00:52 . 2010-10-19 04:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2010-10-19 04:33 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 12:21 . 2011-05-22 05:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-27 14:02 . 2010-09-21 21:26 398760 ------w- c:\windows\system32\cpnprt2.cid
2011-06-03 13:09 . 2011-06-03 13:09 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:07 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-25 16:16 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-23_22.27.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-25 15:46 . 2011-07-25 15:46 16384 c:\windows\Temp\Perflib_Perfdata_178.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-05-30 16:33 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-13 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-04 18084864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-04 150040]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"USSShReg"="c:\progra~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe" [1997-11-23 20992]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"CamserviceDeluxe2"="c:\program files\Hercules\Deluxe Optical Glass\Camservice.exe" [2007-08-10 81920]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-22 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
.
c:\documents and settings\David\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2011-6-28 2068832]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Hercules\\Deluxe Optical Glass\\Station2.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56880:TCP"= 56880:TCP:Pando Media Booster
"56880:UDP"= 56880:UDP:Pando Media Booster
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 2:05 PM 155648]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [1/6/2010 12:57 PM 94720]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 12:52 PM 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 8:52 AM 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 12:52 PM 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 17:52]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 17:52]
.
2011-07-14 c:\windows\Tasks\Norton Security Scan for Kristy.job
- c:\program files\Norton Security Scan\Engine\3.0.1.8\Nss.exe [2011-01-15 14:06]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://access.wisconsin.gov/access/DynamicWebTWAIN.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-25 10:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(168)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files\Common Files\Apple\Mobile Device Support\SyncServer.exe
.
**************************************************************************
.
Completion time: 2011-07-25 10:51:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-25 15:51
ComboFix2.txt 2011-07-23 22:31
.
Pre-Run: 440,854,245,376 bytes free
Post-Run: 440,925,429,760 bytes free
.
- - End Of File - - 7D0EAA827A4FDFF17E9C1E8A69FBF006
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby darius_dax1 » July 25th, 2011, 11:53 am

Things were running fantastically before this step. I have not noticed an improvement yet..but I just finished the scan.
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby melboy » July 25th, 2011, 1:09 pm

Hi

Looks good :thumbleft:

A couple of registry alterations and we're done.


Backup the Registry:

Modifying the Registry can create unforseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.(System registry & Current user registry)
  • Click on OK
  • When the Question pop-up appears click on Yes to create the folder.
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.



OTM

Download OTM by Old Timer and save it to your Desktop.

  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
    Code: Select all
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [emptytemp]
    [ClearAllRestorePoints]
    [Reboot]
    
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy/paste the contents of that report back here in your next reply.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect

Unread postby darius_dax1 » July 25th, 2011, 2:12 pm

All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\"DisableNotifications"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"AntiVirusOverride"|dword:00000000 /E : value set successfully!
HKEY_LOCAL_MACHINE\software\microsoft\security center\\"FirewallOverride"|dword:00000000 /E : value set successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\David\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\David\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: David
->Temp folder emptied: 1090524 bytes
->Temporary Internet Files folder emptied: 13235822 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 59499 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Kristy
->Temp folder emptied: 790967 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 15.00 mb


Restore points cleared and new OTM Restore Point set!

OTM by OldTimer - Version 3.1.18.0 log created on 07252011_130137

Files moved on Reboot...

Registry entries deleted on Reboot...
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby melboy » July 25th, 2011, 2:35 pm

Your log now appears to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are. If not, please continue with the instructions below!


Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.

  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 9.4.0

    Please visit the Adobe Site & download & install Adobe Reader X (10.1).



Uninstall Combofix

We Need to Remove ComboFix

  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
    Image
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTM by OldTimer

  • Double-click OTM.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


===============================================

Your computer was infected with a ROOTKIT. In particular, the TDL4 rootkit, also known as Win32/Alureon. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

Therefore it may be prudent to:

  1. Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts.
  2. Change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password)

How do I respond to a possible identity theft and how do I prevent it

===============================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install. Even if you do not use Internet Explorer as you Primary/Default browser it is important to keep it updated. Internet Explorer can be utilised by other programs and therefore must be kept updated to avoid exploitable vulnerabilities.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version can be used as an addition to an anti-virus & includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    It's IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges.
    You can now trial the full versions features within the program. Click the Protection Tab to see.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs and other applications & programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect

Unread postby darius_dax1 » July 26th, 2011, 9:07 am

I have read your post and understand. Thank you so much for helping me out of a jam. Hopefully I never have to return to this site except to make a donation. You guys are great! It helps to know that there is a balance to the evil people that create malware and viruses in the first place.
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby darius_dax1 » July 26th, 2011, 9:49 am

One more question for you: Should I remove rootkit unhooker, ASWmbr, erunt, ntregopt, and any of the logs associated with them?
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby melboy » July 26th, 2011, 12:03 pm

You're welcome. :)

With regards to Rootkit Unhooker etc, yes, just right click the files and select delete to remove them.

If you've no other questions I'll have this topic closed :)
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect

Unread postby darius_dax1 » July 26th, 2011, 7:25 pm

No questions. Thanks much again!
darius_dax1
Regular Member
 
Posts: 21
Joined: July 1st, 2011, 9:10 am

Re: Google Redirect

Unread postby Wingman » July 27th, 2011, 7:56 am

As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
User avatar
Wingman
Admin/Teacher
Admin/Teacher
 
Posts: 14347
Joined: July 1st, 2008, 1:34 pm
Location: East Coast, USA
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 282 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware