Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google redirection virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Google redirection virus

Unread postby will122k3 » June 25th, 2009, 2:04 am

No, I definitely do not. I don't create files or folders with names that I would not immediately recognize.
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm
Advertisement
Register to Remove

Re: Google redirection virus

Unread postby Shaba » June 25th, 2009, 2:22 am

So we continue with this:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Folder::
    c:\documents and settings\All Users\Application Data\97300776
    c:\documents and settings\All Users\Application Data\17290784
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby will122k3 » June 28th, 2009, 11:18 am

Here is the log:
ComboFix 09-06-23.01 - root 06/28/2009 10:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1517 [GMT -4:00]
Running from: c:\documents and settings\root.CHANGEME\Desktop\Columbo.exe
Command switches used :: c:\documents and settings\root.CHANGEME\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\17290784
c:\documents and settings\All Users\Application Data\97300776
c:\documents and settings\All Users\Application Data\17290784\17290784.glu
c:\documents and settings\All Users\Application Data\17290784\pc17290784cnf
c:\documents and settings\All Users\Application Data\17290784\pc17290784ins

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-25 01:37 . 2009-06-25 01:37 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-23 04:56 . 2009-06-23 05:16 -------- d-----w- C:\New
2009-06-18 00:45 . 2009-06-18 00:45 -------- d-----w- c:\program files\Trend Micro
2009-06-18 00:33 . 2009-06-18 00:33 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2009-06-18 00:33 . 2009-06-18 00:33 1033728 ----a-w- c:\windows\Explorer.EXE
2009-06-17 21:18 . 2009-06-27 22:52 -------- d-----w- c:\program files\WinClamAVShield
2009-06-17 21:16 . 2009-06-25 16:03 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\Spyware Terminator
2009-06-17 21:16 . 2009-06-17 21:16 6144 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-06-17 21:16 . 2009-06-17 21:16 5632 ----a-w- c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-06-17 21:16 . 2009-06-17 21:16 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-06-17 21:16 . 2009-06-27 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-17 21:16 . 2009-06-25 00:34 -------- d-----w- c:\program files\Spyware Terminator
2009-06-17 21:12 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 21:12 . 2009-06-17 21:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 21:12 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 20:11 . 2009-06-25 02:52 -------- d-----w- c:\program files\a-squared Free
2009-06-17 19:00 . 2009-06-17 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-17 18:50 . 2009-06-17 18:50 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-17 18:50 . 2009-06-17 12:11 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-17 18:50 . 2009-06-17 12:11 27784 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2009-06-17 18:50 . 2009-06-17 12:11 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-06-17 18:50 . 2009-06-17 12:11 1261344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2009-06-17 18:50 . 2009-06-17 12:11 1452312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-17 12:28 . 2009-06-20 16:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-17 12:11 . 2009-06-17 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-17 12:11 . 2009-06-17 12:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-17 12:11 . 2009-06-17 12:11 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-17 12:11 . 2009-06-17 18:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-17 12:11 . 2009-06-24 14:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-17 12:11 . 2009-06-17 12:11 -------- d-----w- c:\program files\AVG
2009-05-31 19:51 . 2009-05-31 19:51 -------- d-----w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 15:10 . 2005-01-29 01:48 66640 -c--a-w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 02:52 . 2005-08-05 18:00 -------- d-----w- c:\documents and settings\hpiccari\Application Data\Lavasoft
2009-06-25 01:04 . 2009-01-07 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-17 19:10 . 2007-07-20 13:20 -------- d-----w- c:\program files\McAfee
2009-06-17 12:08 . 2009-01-21 21:18 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-31 19:45 . 2005-10-25 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-05-31 19:45 . 2005-10-25 17:31 -------- d-----w- c:\program files\Yahoo!
2009-05-31 19:44 . 2009-04-21 14:07 -------- d-----w- c:\program files\LightSpeed
2009-05-29 00:50 . 2004-03-11 17:56 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\AdobeUM
2009-05-24 23:23 . 2009-05-24 23:23 136 ----a-w- c:\documents and settings\root.CHANGEME\Local Settings\Application Data\fusioncache.dat
2009-05-22 01:31 . 2009-05-25 03:16 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUpdater\yupdater.exe
2009-05-19 00:10 . 2009-05-19 00:10 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\InstallShield Installation Information
2009-05-19 00:10 . 2009-05-19 00:10 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\2K Games
2009-05-19 00:08 . 2009-05-19 00:08 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\InstallShield
2009-05-07 20:57 . 2009-05-07 20:57 -------- d-----w- c:\program files\Lexmark X74-X75
2009-04-30 05:01 . 2009-04-30 05:01 -------- d-----w- c:\documents and settings\root.CHANGEME\Application Data\Lavasoft
.

((((((((((((((((((((((((((((( SnapShot@2009-06-25_01.31.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-25 01:37 . 2007-04-17 02:45 53080 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-25 01:37 . 2008-04-14 09:42 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-25 01:37 . 2008-04-14 09:42 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-25 01:37 . 2008-04-14 09:42 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-25 01:37 . 2008-04-14 09:42 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-25 01:37 . 2008-04-14 09:42 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-25 01:37 . 2008-04-14 09:42 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-25 01:37 . 2008-04-14 04:09 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-25 01:37 . 2008-04-14 04:23 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-25 01:37 . 2008-04-14 09:42 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2004-02-20 03:04 . 2009-06-27 22:49 245512 c:\windows\system32\FNTCACHE.DAT
+ 2009-06-25 01:37 . 2008-04-14 09:42 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-25 01:37 . 2008-04-14 09:42 666112 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-25 01:37 . 2008-04-14 09:42 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-25 01:37 . 2008-04-14 09:42 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-25 01:37 . 2008-04-14 04:50 361344 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-25 01:37 . 2008-04-14 09:42 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-25 01:37 . 2008-04-14 04:50 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-25 01:37 . 2008-04-14 09:41 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-25 01:37 . 2008-04-14 09:41 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-25 01:37 . 2008-04-14 09:41 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-25 01:37 . 2008-04-14 09:42 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-25 01:37 . 2008-04-14 04:57 2188928 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-25 01:37 . 2008-04-14 04:01 2065792 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-25 01:37 . 2009-06-18 00:33 1033728 c:\windows\system32\dllcache\cache\Explorer.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-08-01 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-08-01 618496]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 136768]
"TpHotkey"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-01-15 94208]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-20 32881]
"QCWLIcon"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-07-30 53248]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2004-02-05 20480]
"BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-02-05 395264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-02-05 106496]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-06-17 2174464]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2003-09-04 77824]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2003-11-20 57344]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2007-8-15 629248]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
TIBCO Software Inc. VPN Client.lnk - c:\program files\Cisco Systems\VPN 3000 Client\ipsecdialer.exe [2004-4-28 1269836]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-17 12:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1469188156-960889200-926709054-21729\Scripts\Logon\0\0]
"Script"=mcafee.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sp_rssrv"=2 (0x2)
"MDM"=2 (0x2)
"McAfeeFramework"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"a2free"=2 (0x2)
"cisvc"=3 (0x3)
"LexBceS"=2 (0x2)
"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\FSRremoS.EXE"=
"c:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\AcroRd32.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Documents and Settings\\root.CHANGEME\\Application Data\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=
"c:\\WINDOWS\\system32\\TpShocks.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Spyware Terminator\\SpywareTerminatorUpdate.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2/19/2004 6:11 PM 52136]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/17/2009 8:11 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/17/2009 8:11 AM 108552]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [6/17/2009 5:16 PM 142592]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2/19/2004 7:08 PM 15360]
R2 CVPNDRV;TIBCO Software Inc. IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [4/28/2004 6:28 PM 263751]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [8/3/2005 7:10 PM 13824]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2/19/2004 6:11 PM 4225]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [2/23/2004 5:36 PM 46108]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [6/7/2004 12:30 PM 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\pelusblf.sys [6/7/2004 12:30 PM 9216]
S3 WPC11;Instant Wireless Network PC Card V3.0 Driver;c:\windows\system32\drivers\LSWLNDS.sys [8/5/2005 11:18 AM 54083]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/17/2009 8:11 AM 298776]
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-28 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2004-02-19 09:36]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: google.com
Trusted Zone: youtube.com
FF - ProfilePath -
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\CSGina.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\iphlpapi.dll
.
Completion time: 2009-06-28 10:17
ComboFix-quarantined-files.txt 2009-06-28 14:17
ComboFix2.txt 2009-06-25 03:27
ComboFix3.txt 2009-06-25 01:38

Pre-Run: 49,207,021,568 bytes free
Post-Run: 49,196,978,176 bytes free

226 --- E O F --- 2009-06-25 16:02
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 28th, 2009, 12:17 pm

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby will122k3 » June 28th, 2009, 6:26 pm

I have noticed the google redirection has gotten better, but there have been a few times where I was still redirected. Here are the two logs,


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 28, 2009 19:46:54
Records in database: 2399841
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 94675
Threat name: 7
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:34:50


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETudnwqgot.sys.vir Infected: Trojan.Win32.Tdss.ahxq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETgkxbcpmn.dll.vir Infected: Trojan.Win32.Small.bzc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACexgendsxfsajtlg.dll.vir Infected: Trojan.Win32.TDSS.aekg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACjmoxwcnfeahtjdb.dll.vir Infected: Trojan.Win32.TDSS.aegg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACljgxeofbvrmnqun.dll.vir Infected: Trojan.Win32.TDSS.adzx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmlkyguqcvbpvujy.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuocgkcvjdnjetvk.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwuvhejnrcpaxbox.dll.vir Infected: Trojan.Win32.TDSS.adzz 1

The selected area was scanned.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:59 PM, on 6/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GameSpy\Comrade\Comrade.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: TIBCO Software Inc. VPN Client.lnk = C:\Program Files\Cisco Systems\VPN 3000 Client\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.tibco.com
O17 - HKLM\Software\..\Telephony: DomainName = na.tibco.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.tibco.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN 3000 Client\cvpnd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 10064 bytes
will122k3
Active Member
 
Posts: 11
Joined: June 17th, 2009, 9:49 pm

Re: Google redirection virus

Unread postby Shaba » June 28th, 2009, 11:50 pm

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Google redirection virus

Unread postby Shaba » July 3rd, 2009, 5:01 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 304 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware