Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Hijacked!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Google Hijacked!

Unread postby raynorth » July 1st, 2010, 11:57 am

When I go to click on a link from a google search, my browser is redirected to other garbage webpages, some of which trigger a caution from my security software. I can manually enter a website into the browser and get to a page, but the linking from the google website sends me to the wrong places. Can you help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:46 AM, on 7/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\xlsp.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Roboform\RoboTaskBarIcon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.01026390\Light\CAGlobalLight.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn9\ytbb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1361
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: CA Toolbar Helper - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.01026390\Toolbar\CallingIDIE.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\YTSingleInstance.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: CA Toolbar - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.01026390\Toolbar\CallingIDIE.dll
O3 - Toolbar: MP3 Rocket Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [VetStart] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe" -r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Roboform\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Roboform\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Roboform\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Startup: RCA Detective.lnk = RCA Detective\RCADetective.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.allregs.com
O15 - Trusted Zone: http://www.classmates.com
O15 - Trusted Zone: http://*.mortgagemarketguide.com
O16 - DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - http://utilities.pcpitstop.com/pctuneup ... tuneup.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en ... nicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 9797503453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9797489953
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/Fuj ... Client.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install ... stallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloan.com/CAB/PtClickLo ... ckLoan.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: callingid - {086D03BA-57AC-4C8E-A33D-0BAABF742411} - C:\Program Files\CA\CA Internet Security Suite\CA Website Inspector\1.2.1.24.01026390\Toolbar\CallingIDToolbar.dll
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\VPN Client\cvpnd.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: WinSock Extention Manager (WinExtManager) - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: xlsp - Warranty Corporation of America - C:\WINDOWS\xlsp.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 15292 bytes
---------------------------------------------------------------------------------------------------------------------
ACDSee
ACT!
ACT! for Palm OS®
ACT! Standard 9.0
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Reader 8.2.3
Adobe Shockwave Player 11
Adobe SVG Viewer 3.0
AGENTLINK
AI RoboForm (All Users)
AMRT
Apple Software Update
ArcExplorer Java Edition
ArcGIS Explorer
Ask Toolbar
ASX to MP3 Converter 2.7.5.800 2006.11.11
ATT-RemoteControl
Autodesk DWF Viewer
Battleship
BigFix
Broadcom 802.11 Wireless LAN Adapter
Broadcom Wireless Utility
Business PlanMaker Professional
CA Anti-Virus Plus
CA Internet Security Suite
CA Website Inspector
CA Yahoo! Anti-Spy (remove only)
Citrix Presentation Server Client
Comparator
Compatibility Pack for the 2007 Office system
Conexant AC-Link Audio
Corel Graphics Suite 11
Coupon Printer for Windows
COWON Media Center - jetAudio Basic
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.5
DeductionPro 2007
Digital Media Reader
DivX Converter
DivX Player
DivX Web Player
DNAMigrator
Documents To Go
DriverGuide Toolkit
DWG TrueView 2008
Encompass
eNeighborhoods Personal Edition
File Own Guard by Thegrideon Software
FranklinCovey Planning Software
Free CD to WAV MP3 WMA AMR AC3 AAC Ripper 1.1
Free WMA to MP3 Converter 1.08
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
Global Star Software
Google Earth
Google Earth Plug-in
Google Talk (remove only)
Google Update Helper
H&R Block Deluxe + Efile + State 2009
Handy Free Clock 1.5
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Photo Imaging Software
HP Photo Printing Software
HP Share-to-Web
ICS Viewer 6.0
Intel(R) Extreme Graphics 2 Driver
Intellisync® for Yahoo!
iTunes
Java(TM) 6 Update 7
Kaspersky Online Scanner
KONICA MINOLTA PagePro 1400W
LandSafe - Calyx Integration 5.1
Learn2 Player (Uninstall Only)
Lizardtech Express View Browser Plug-in
LoanToolBox
Malwarebytes' Anti-Malware
MeridianLink Site Security Certificate
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Office 2003 Web Components
Microsoft Office Accounting 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office FrontPage 2003
Microsoft Office Live Meeting 2005
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Small Business Connectivity Components
Microsoft Office Visio Professional 2003
Microsoft Office Visio Viewer 2007
Microsoft Picture It! Premium 10
Microsoft SharedView
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Desktop Engine (EMMSDE)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Works
Microsoft WSE 2.0 SP3 Runtime
Monopoly
MortgageCoach
Mozilla Firefox (3.0)
MP3 Rocket
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Musicnotes Player V1.23.2
Napster
Napster Burn Engine
Napster for Windows Media Player
Nero BurnRights
Nero OEM
Palm
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Point
Point 6.2
PowerDVD
QuickTime
RamBooster
RCA Detective 1.0.0.96
RCA easyRip 2.1.7.0
RCA EasyRip™ 1.4.2.0
RealPlayer
Recovery Software Suite Gateway
ScreenPrint Platinum 4.9 Trial
ScrewDrivers Client v4
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Sibelius Scorch (ActiveX Only)
Sibelius Scorch Plugin
Skype™ 4.1
SoftK56 Data Fax
SonicWALL Global VPN Client
Spyware Doctor 6.0
Synaptics Pointing Device Driver
TaxCut Illinois 2007
TaxCut Illinois 2008
TaxCut Premium + State + Efile 2007
TaxCut Premium + State + Efile 2008
The Rosetta Stone 2000
TrueCrypt
TuneRaft 3.0.7
Uniblue RegistryBooster 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VPN Client
WAV to MP3 Encoder
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Software Update
Yahoo! Toolbar
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am
Advertisement
Register to Remove

Re: Google Hijacked!

Unread postby Airscape » July 4th, 2010, 6:16 am

Hello raynorth... welcome to the forum.
My name is Airscape and I'll be helping you with your malware issues.
The logs can take a while to research. Please be patient with me.

Take note of the following before we begin:
  • Post to this thread only and please stick to it until you are given an All Clean. Absence of symptoms does not mean that your computer is clean.
  • The instructions I give are for This computer only and should not be used on any other pc.
  • Do NOT run any tools/scans unless I instruct you to.
  • Try not to install/uninstall any programs while we work. This will add extra time researching your logs.
  • If you have found assistance elsewhere and no longer require our help, please say so, and this topic will be closed.
  • If you have any problems, please stop and ask before proceeding with any fixes.
  • ALL USERS OF THIS FORUM MUST READ THIS FIRST

Note: As I'm still in training here at MRU everything I post must be checked by an expert first. So there may be a slight delay in between posts.

Important:
Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any important files and folders that you don't want to lose before we start.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 4th, 2010, 6:02 pm

Thanks for the reply. I'll wait to hear from you.
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 5th, 2010, 4:16 pm

Hi,

Please tell me, is this pc used for business purposes?

Let me know if the Google redirects still happen after this scan:

TDSSKiller
  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents on your Desktop.
  • Important!: only run this fix once.
  • Double-click the file tdsskiller.exe to run it.
  • If prompted to restart the pc, please do so.
  • a log file should be created at C:\TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The version of HijackThis you have installed is out of date.
Please follow these steps to update it, then post back with the contents of both logs produced:

Random's System Information Tool (RSIT)
  • Please download RSIT by random/random from here and save it to your desktop.
  • Double-click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Note: both logs can be found in the C:\rsit folder if you lose them.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logs/information to post in next reply:
  • TDSSKiller log
  • RSIT logs (log.txt and info.txt)
  • How is the pc running?
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 7th, 2010, 5:39 pm

I tried the TDSSKiller program and it found one program to get rid of. It required a reboot and would clean it on reboot. When I rebooted, my computer locked and kept rebooting. I saved it by restoring to last good config. How should I proceed?

I've attached the log file you requested, but stopped there.
You do not have the required permissions to view the files attached to this post.
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 8th, 2010, 10:50 am

OK, please do this first to avoid any problems:

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: To restore the registry in the event of problems after running any fixes.
Navigate to and click this file (C:\windows\ERDNT\ERDNT.exe) then restart the pc.

--------------------------------------

Then please try running RSIT and post back with both logs (log.txt and info.txt)

Also you forgot to answer my question re if this pc is used for business purposes?
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 8th, 2010, 12:18 pm

This PC is no longer used for business, though in years past when I was self employed I did.

I have not rerun TDSSKiller

I have attached the requested files. Thanks.
You do not have the required permissions to view the files attached to this post.
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 9th, 2010, 9:54 am

Hi again,

Please copy/paste all logs into the reply, don't use attachments. Thanks

Have you had Spybot search and destroy installed recently?

Have you paid for Spywaredoctor?


Uninstall programs
Click Start > Control Panel > Add/Remove Programs
Click on the Programs listed below in red and click Remove etc:

Ask Toolbar

Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Reboot (Restart) the computer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware and click the Update tab >> then Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post this log in your next reply.
  • If prompted to restart the computer, please do so.
If you receive an (Error Loading) error on reboot, please reboot a second time.
It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ESET Online Scanner
Note: Use Internet Explorer for this scan.
  • Go to this link and click on ESET Online scanner.
  • At the EULA screen, accept the terms of use, and click Start.
  • Install the Active X control when prompted.
  • UNcheck Remove found threats. <--- Important. Don't remove anything yet.
  • Click Start and it will download files then run a scan, please be patient.
  • When complete, click the finish button.
  • A log will be created at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Please copy/paste that log into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logs/information to post in next reply:
  • Answers to questions.
  • MBAM log
  • ESET log
  • How is the pc running?
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 9th, 2010, 6:17 pm

I have not installed Spybot recently. I did have it a while back, but uninstalled when prompted to for my security suite.

I have not paid for Spywaredoctor. Just did the scan.

Ask Toolbar was not listed in Add/Remove programs list.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4296

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/9/2010 11:58:30 AM
mbam-log-2010-07-09 (11-58-30).txt

Scan type: Quick scan
Objects scanned: 188817
Time elapsed: 49 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y0NDAQIK\ws[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=528de40e95010044a3aedb1021c0097c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-09 08:04:53
# local_time=2010-07-09 03:04:53 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1536 16777215 100 0 10790967 10790967 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=4864 16777175 100 0 9574797 9574797 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=179647
# found=6
# cleaned=0
# scan_time=10374
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0A4KAG0S\katherine-heigl-wardrobe-malfunction-video-photo-gallery[1].txt HTML/ScrInject.B.Gen virus 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0JKGF13X\178[1].htm JS/Exploit.Agent.NBB trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\N035BCWJ\shutter-reloaded[1].js JS/TrojanDownloader.HackLoad.AA trojan 00000000000000000000000000000000 I
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\V0NOIHR2\katherine-jenkins-wardrobe-malfunction-photos-video[1].txt HTML/ScrInject.B.Gen virus 00000000000000000000000000000000 I
C:\Program Files\WMA to Mp3\free-wma-mp3-converter.exe probably a variant of Win32/PSW.Agent trojan 00000000000000000000000000000000 I
C:\Program Files\WMA to Mp3\Free WMA to MP3 Converter\readmedia.dll probably a variant of Win32/PSW.Agent trojan 00000000000000000000000000000000 I


PC has been running slow. Web pages take a while to load and seems like resources are being used in the background which I cannot see on Windows Task Manager.
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 10th, 2010, 11:42 am

Hi,

OK. You can remove Spywaredoctor via Add/Remove Programs, as it wont remove anything unless you pay.


TFC(Temp File Cleaner)
  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted.
It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Upload a file
Go to VirusTotal or Jotti
Click the browse button next to the white box.
Copy/paste the following file and path into the file name box:

C:\Program Files\WMA to Mp3\free-wma-mp3-converter.exe

Click Open.
Click Send/Submit, and the file will be scanned for malware.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found, and post the results/links in your next reply.

Note: If the file has been scanned before, please reanaylse the file if asked.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe ---- use Internet Explorer for this link -> right click and select "save target as"


**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Note: If you lose connection to the internet after running Combofix, restart the computer and try again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logs/information to post in next reply:
  • Jotti/VirusTotal results
  • C:\ComboFix.txt
  • How is the pc running?
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 11th, 2010, 1:38 am

I have uninstalled SpywareDoctor
I have run the Temp Files clean

Here is the VirusTotal
Antivirus Version Last Update Result
a-squared 5.0.0.31 2010.07.10 -
AhnLab-V3 2010.07.10.00 2010.07.09 -
AntiVir 8.2.4.10 2010.07.09 -
Antiy-AVL 2.0.3.7 2010.07.09 -
Authentium 5.2.0.5 2010.07.10 -
Avast 4.8.1351.0 2010.07.10 -
Avast5 5.0.332.0 2010.07.10 -
AVG 9.0.0.836 2010.07.11 -
BitDefender 7.2 2010.07.11 Trojan.Generic.1644710
CAT-QuickHeal 11.00 2010.07.10 -
ClamAV 0.96.0.3-git 2010.07.11 -
Comodo 5389 2010.07.11 -
DrWeb 5.0.2.03300 2010.07.10 -
eSafe 7.0.17.0 2010.07.08 -
eTrust-Vet 36.1.7696 2010.07.10 -
F-Prot 4.6.1.107 2010.07.10 -
F-Secure 9.0.15370.0 2010.07.11 Trojan.Generic.1644710
Fortinet 4.1.143.0 2010.07.10 -
GData 21 2010.07.11 Trojan.Generic.1644710
Ikarus T3.1.1.84.0 2010.07.10 -
Jiangmin 13.0.900 2010.07.10 -
Kaspersky 7.0.0.125 2010.07.11 -
McAfee 5.400.0.1158 2010.07.11 -
McAfee-GW-Edition 2010.1 2010.07.05 -
Microsoft 1.5902 2010.07.11 -
NOD32 5268 2010.07.11 probably a variant of Win32/PSW.Agent
Norman 6.05.11 2010.07.10 -
nProtect 2010-07-10.01 2010.07.10 -
Panda 10.0.2.7 2010.07.10 Suspicious file
PCTools 7.0.3.5 2010.07.11 Trojan-PWS.OnlineGames.generic.A!ct
Prevx 3.0 2010.07.11 Medium Risk Malware
Rising 22.55.04.04 2010.07.09 -
Sophos 4.55.0 2010.07.11 -
Sunbelt 6566 2010.07.10 -
Symantec 20101.1.0.89 2010.07.11 -
TheHacker 6.5.2.1.311 2010.07.11 -
TrendMicro 9.120.0.1004 2010.07.11 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.11 -
VBA32 3.12.12.6 2010.07.09 -
ViRobot 2010.6.29.3912 2010.07.10 -
VirusBuster 5.0.27.0 2010.07.10 -
Additional information
File size: 946119 bytes
MD5...: 28218493f238d857bdec17e68cd095d8
SHA1..: 3128cd4d35e1154b4e179dee8c1460608076f7ed
SHA256: 31a936cbe38de7bfb2b90f502c241d29b3cb0501c63b3ca0d6cf0a5c6e3ae3c2
ssdeep: 24576:7I39ddqQjzwHFlo9CqTBzzMt7hgebVKo0Ld8:76ddlzwHFETBvMXVbv4e

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x97f0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x8f14 0x9000 6.58 19aec1c1a4ef2fb9fe30b219ab07ddb2
DATA 0xa000 0x248 0x400 2.72 6344b5e22b5b2675be150744885e2671
BSS 0xb000 0xe34 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xc000 0x942 0xa00 4.42 563cb4ae07a81b0403d850851e368293
.tls 0xd000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xe000 0x18 0x200 0.20 d293bf8d4ebe9826d58e1d27c25fe4b6
.reloc 0xf000 0x880 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x10000 0x2800 0x2800 4.34 defdec19a56ead17ff300a0e9312ba56

( 8 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
> kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
> user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
> comctl32.dll: InitCommonControls
> advapi32.dll: AdjustTokenPrivileges

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: Jodix Technologies Ltd.
copyright....:
product......: n/a
description..: Free WMA to MP3 Converter Setup
original name: n/a
internal name: n/a
file version.:
comments.....: This installation was built with Inno Setup: http://www.innosetup.com
signers......: -
signing date.: -
verified.....: Unsigned

<a href='http://info.prevx.com/aboutprogramtext.asp?PX5=8B98308CC79A78216F930E779283AA00B269EDCA' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=8B98308CC79A78216F930E779283AA00B269EDCA</a>


I can't see how to disable my CA Internet Security Suite for ComboFix. I did not see it in the list from the link in your message. Can you help with that?
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 11th, 2010, 1:54 pm

OK this should work:

Right click on the CA AV icon in the task bar. Cursor down to "CA Anti Virus" and then left click on "Snooze Anti Virus Protection".
Set the length of time, you want it to remain inctive, in the menu that pops up and then left click on "Snooze".

I don't use their Firewall, but I imagine it's much the same procedure.


Then continue on with running Combofix.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 11th, 2010, 11:50 pm

I tried to snooze my anti virus and it still did no allow Combofix to run. It still said CA Anti Virus and CA Anti Virus Plus were still active. Since my firewall never would install from my security suite anyway I uninstalled the security suite so I could run ComboFix and reinstall the suite later. After uninstall, I got first a message that said "Incompatible OS. ComboFix only works for workstations with Windows 2000 and XP. I have XP. Then got another error again saying CA Anti Virus was still active (though no the CA Anti Virus Plus). It seems I have a CA problem on my machine that is hampering this malware removal process. How should I proceed?
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am

Re: Google Hijacked!

Unread postby Airscape » July 12th, 2010, 7:42 pm

Hi raynorth.


Backup the Registry:

Please navigate to Start >> All Programs >> ERUNT >> ERUNT.

  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry
    • Current user registry
  • Next click on OK
  • When the Question pop-up appears click on Yes
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.

Note: To restore the registry in the event of problems after running any fixes.
Navigate to and click this file (C:\windows\ERDNT\ERDNT.exe) then restart the pc.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do the following then see if Combofix will run. If you uninstalled CA temporarily it should be ok for now.
If Combofix still doesn't work after doing the below try renaming it to CF.com and try again.

DeFogger
Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
  • Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download/Run Rkill
Please download Rkill from Here, Here,Here, or Here and save to the desktop.
  • Double click on Rkill to run it.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.


Don't restart the pc yet, then run Combofix as described earlier and post the log. Thanks.
User avatar
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Google Hijacked!

Unread postby raynorth » July 12th, 2010, 11:56 pm

I ran the 2 programs and then ComboFix. I again got the CA Anti Virus is still active, but it does not show in the Add/Remove list in control panel, or in the system tray. What exactly should I be renaming to CF.com, CA Anti Virus or ComboFix? If you mean Anti Virus, Where is the file so I can change it's name?

Since I have already uninstalled CA AntiVirus, can I just let ComboFix run? Or should I contact CA and try to completely clear CA off my maching and start fresh?
raynorth
Member+
 
Posts: 15
Joined: July 1st, 2010, 11:34 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 466 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware