Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Redirect Virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Google Redirect Virus

Unread postby jmartin075 » February 2nd, 2010, 9:52 pm

Unfortunately, I have a google ridirct virus. Everytime I do a google search in Internet explorer 8 (not firefox) and click on one of the results I redirected to various advertisement websites. I have windows xp home edition. I have McAffee, Malware Bytes and I downloaded spybot in hopes that it wouldfix the problem but it didn't. None of these antivirus softwares have been effective against this virus. Also, everytime I try to run my computer in safe mode I get a BSOD. That's about it. Any help would be greatly appreciated. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:51 PM, on 2/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\wnJVbmCvz.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\wnJVbmCvz.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Ggumasamoqix] rundll32.exe "C:\WINDOWS\ogekigatek.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-18\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... gctlcm.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1397117859
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/f ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: c:\windows\system32\kiyajeru.dll vuzonida.dll
O21 - SSODL: wakenowow - {8a43992e-ed4b-4d4a-9c95-14f222dae4ba} - c:\windows\system32\kiyajeru.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {8a43992e-ed4b-4d4a-9c95-14f222dae4ba} - c:\windows\system32\kiyajeru.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 10809 bytes



Here's my uninstall list.


Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft MediaConverter 2
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Digital Content Portal
Digital Video
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 18
LimeWire 5.1.4
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.7)
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Qualxserve Service Agreement
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sophos Anti-Rootkit 1.5.0
Spybot - Search & Destroy
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URGE
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
XVID Codec Installation
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm
Advertisement
Register to Remove

Re: Google Redirect Virus

Unread postby melboy » February 6th, 2010, 5:40 pm

Hi and welcome to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please DO NOT run any other tools or scans whilst I am helping you.
  5. It is important that you reply to this thread. Do not start a new topic.
  6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  7. Absence of symptoms does not mean that everything is clear.


Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Backing up: What, how, where



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


With reference to Malware Removal's P2P Programs Policy, please uninstall the following programs before we continue:

LimeWire

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.
We see no purpose in cleaning your machine if you use P2P programmes, as it is pretty much certain that if you continue to use them then you will get infected again.


  • Click on Start > Control Panel and double click on Add/Remove Programs.
  • Locate LimeWire 5.1.4 and click on the Change/Remove button to uninstall it.
  • Close Add/Remove Programs and Control Panel when done.


DDS

Please disable any anti-malware program that will block scripts from running before running DDS.

Please download DDS from one of the links below and save it to your desktop:

Link1
Link2
Link3

Disable any script blocker, and then double click dds.scr to run the tool. A command window will appear, this is normal.

Image
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of :
  • DDS.txt
  • Attach.txt
And post them in your next reply.



Gmer

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Note: Do not run any programs while Gmer is running.

In your next reply:
  1. DDS.txt
  2. Attach.txt
  3. GMER log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby jmartin075 » February 7th, 2010, 2:14 pm

dds.text



DDS (Ver_09-12-01.01) - NTFSx86
Run by John at 10:27:31.12 on Sun 02/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.177 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunes.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] "c:\progra~1\mcafee\mhn\McENUI.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\wnJVbmCvz.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [Ggumasamoqix] rundll32.exe "c:\windows\ogekigatek.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCo ... gctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 1397117859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/f ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kiyajeru.dll vuzonida.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: wakenowow - {8a43992e-ed4b-4d4a-9c95-14f222dae4ba} - c:\windows\system32\kiyajeru.dll
STS: tokatiluy: {8a43992e-ed4b-4d4a-9c95-14f222dae4ba} - c:\windows\system32\kiyajeru.dll
LSA: Notification Packages = scecli krelol.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\e3cqc6jo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - HiddenExtension: XULRunner: {69533912-2A69-4366-99CE-30288553F66E} - c:\documents and settings\john\local settings\application data\{69533912-2A69-4366-99CE-30288553F66E}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-28 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-28 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-28 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-29 135664]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1b.tmp --> c:\windows\system32\1B.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-28 34248]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [2003-11-11 183680]

=============== Created Last 30 ================

2010-02-03 01:41:50 0 d-----w- c:\program files\Trend Micro
2010-02-03 01:18:04 0 ----a-w- c:\windows\Xjahurifucip.bin
2010-02-03 01:17:57 120 ----a-w- c:\windows\Bmovubizebuf.dat
2010-02-03 01:11:22 0 ----a-w- C:\backup.reg
2010-02-03 01:11:13 574 ----a-w- C:\cleanup.bat
2010-02-03 01:11:13 135168 ----a-w- C:\zip.exe
2010-02-03 00:10:41 0 ----a-w- c:\windows\system32\18467.exe
2010-02-02 23:36:20 765952 ----a-w- c:\windows\system32\xvidcore.dll
2010-02-02 23:36:19 77824 ----a-w- c:\windows\system32\xvid.ax
2010-02-02 23:36:19 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-02-02 23:34:12 8192 ----a-w- c:\windows\system32\CoachWrp.dll
2010-02-02 23:34:12 44256 ----a-w- c:\windows\system32\drivers\CoachVc.sys
2010-02-02 23:34:12 41984 ----a-w- c:\windows\system32\CoachWia.dll
2010-02-02 23:34:11 46944 ----a-w- c:\windows\system32\drivers\CoachUsb.sys
2010-02-02 23:34:11 16896 ----a-w- c:\windows\system32\CoachDlg.dll
2010-02-02 23:34:11 0 d-----w- c:\windows\Options
2010-02-02 23:34:11 0 d-----w- c:\program files\Digital Video
2010-02-01 23:27:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 23:27:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 20:20:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 22:55:11 0 d-----w- c:\program files\common files\PC Tools
2010-01-30 16:19:00 3260 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-30 16:19:00 31844 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-30 16:19:00 23584 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-30 16:19:00 2297376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-30 16:18:20 1751 ----a-w- C:\rollback.ini
2010-01-30 15:43:07 0 d-----w- c:\program files\common files\ParetoLogic
2010-01-30 15:43:07 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-01-29 22:16:55 2 --shatr- c:\windows\winstart.bat
2010-01-29 17:59:38 0 d-----w- c:\program files\MSSOAP
2010-01-29 17:31:55 164 ----a-w- c:\windows\install.dat
2010-01-29 17:08:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-29 16:15:27 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-01-29 16:15:27 23552 ----a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-01-22 00:21:26 0 d-sh--w- c:\windows\system32\winsys
2010-01-12 20:47:58 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-06 18:43:50 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-06 18:43:50 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-24 23:28:28 63 ----a-w- c:\documents and settings\john\jagex_runescape_preferences2.dat
2009-11-24 23:28:27 38 ----a-w- c:\documents and settings\john\jagex_runescape_preferences.dat
2008-09-03 01:38:47 56 --sh--r- c:\windows\system32\E1136D42D7.sys
2008-09-03 01:38:50 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-23 21:34:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 10:30:17.54 ===============







attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/5/2006 10:28:00 AM
System Uptime: 2/7/2010 9:44:11 AM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0CF458
Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 53.981 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 1/29/2010 5:01:45 PM - System Checkpoint
RP2: 1/29/2010 5:25:38 PM - RegRun Virus Scan
RP3: 1/30/2010 10:25:21 AM - Removed Skype™ 3.8
RP4: 1/30/2010 10:43:02 AM - Installed ParetoLogic Anti-Virus PLUS.
RP5: 1/30/2010 5:25:23 PM - Removed ParetoLogic Anti-Virus PLUS.
RP6: 2/1/2010 9:05:31 PM - System Checkpoint
RP7: 2/1/2010 11:14:23 PM - Removed Java(TM) SE Runtime Environment 6 Update 1
RP8: 2/1/2010 11:16:31 PM - Removed Java(TM) 6 Update 7
RP9: 2/1/2010 11:17:51 PM - Removed Java(TM) 6 Update 5
RP10: 2/1/2010 11:19:04 PM - Removed Java(TM) 6 Update 3
RP11: 2/1/2010 11:20:15 PM - Removed Java(TM) 6 Update 2
RP12: 2/1/2010 11:26:02 PM - Removed J2SE Runtime Environment 5.0 Update 9
RP13: 2/1/2010 11:27:27 PM - Removed MyWay Search Assistant
RP14: 2/1/2010 11:28:21 PM - Removed J2SE Runtime Environment 5.0 Update 6
RP15: 2/1/2010 11:30:02 PM - Removed J2SE Runtime Environment 5.0 Update 10
RP16: 2/1/2010 11:33:31 PM - Removed Java 2 Runtime Environment, SE v1.4.2_03
RP17: 2/2/2010 6:34:10 PM - Installed Digital Video
RP18: 2/2/2010 6:36:19 PM - Installed XVID Codec Installation
RP19: 2/2/2010 6:36:57 PM - Installed MediaConverter
RP20: 2/3/2010 7:02:28 PM - System Checkpoint
RP21: 2/6/2010 1:47:01 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft MediaConverter 2
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
Dell System Restore
Digital Content Portal
Digital Video
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
J2SE Runtime Environment 5.0 Update 11
Java Auto Updater
Java(TM) 6 Update 18
Malwarebytes' Anti-Malware
McAfee SecurityCenter
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.7)
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Qualxserve Service Agreement
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URGE
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
XVID Codec Installation

==== Event Viewer Messages From Past Week ========

2/2/2010 7:24:07 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952506
2/2/2010 7:24:06 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952506 (0x8007277A).
2/2/2010 7:22:22 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
2/2/2010 7:22:22 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/2/2010 5:00:02 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
2/2/2010 5:00:02 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
2/1/2010 11:29:01 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================




rootkit scan


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-07 13:05:05
Windows 5.1.2600 Service Pack 3
Running: ypzrc4kw.exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\fxtdypoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB262878A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB2628821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2628738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB262874C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2628835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2628861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB26288CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB26288B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB26287CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB26288FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB262880D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2628710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2628724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB262879E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2628937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB26288A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB262888D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB262884B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2628923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB262890F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2628776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2628762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB2628877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB26287F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB26288E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB26287E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB26287B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B1157D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82F3C618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

Unread postby melboy » February 7th, 2010, 6:08 pm

Hi


ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    To disable McAfee Security Center and its components temporarily so it will not interfere with ComboFix:
    • Open McAfee Security Center.
    • Click on Home on the left pane.
    • Beside Computer & Files, click on the arrow button.
    • Next, click on the arrow button beside Configure at the middle right (NOT the bottom one).
    • You will come to a new page. Please check (click) Off for all the protections. Remember to scroll down.
    • You will be prompted, select Never and just click OK.
    • Note: Don't forget to re-enable it after running Combofix.

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix..


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



Here is an illustration to assist you:
Image
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby jmartin075 » February 8th, 2010, 12:35 am

Thanks for your help so far. Here's the combofix log.


ComboFix 10-02-07.06 - John 02/07/2010 22:47:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.247 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\temp
c:\program files\temp\CLAud.sim
c:\windows\ogekigatek.dll
c:\windows\system32\18467.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\Tasks\egmeqacp.job
c:\windows\Temp\1493575463.dll
c:\windows\Temp\1493575463.dll.dll
c:\windows\Temp\7738676746.dll

c:\windows\system32\Drivers\atapi.sys . . . is infected!!

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
.

2010-02-08 04:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-02-03 03:48 . 2010-02-03 03:48 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}
2010-02-03 01:41 . 2010-02-03 01:41 -------- d-----w- c:\program files\Trend Micro
2010-02-03 01:18 . 2010-02-07 14:47 0 ----a-w- c:\windows\Xjahurifucip.bin
2010-02-03 01:17 . 2010-02-08 03:28 120 ----a-w- c:\windows\Bmovubizebuf.dat
2010-02-03 01:11 . 2010-02-03 01:11 0 ----a-w- C:\backup.reg
2010-02-03 01:11 . 2010-02-03 01:11 574 ----a-w- C:\cleanup.bat
2010-02-03 01:11 . 2010-02-03 01:11 135168 ----a-w- C:\zip.exe
2010-02-02 23:44 . 2010-02-02 23:44 -------- d-----w- c:\documents and settings\John\Application Data\ArcSoft
2010-02-02 23:37 . 2010-02-02 23:37 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-02 23:36 . 2010-02-02 23:36 -------- d-----w- c:\program files\ArcSoft
2010-02-02 23:36 . 2006-11-01 19:52 765952 ----a-w- c:\windows\system32\xvidcore.dll
2010-02-02 23:36 . 2006-11-01 19:54 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-02-02 23:34 . 2004-02-03 20:09 41984 ----a-w- c:\windows\system32\CoachWia.dll
2010-02-02 23:34 . 2004-01-06 18:10 8192 ----a-w- c:\windows\system32\CoachWrp.dll
2010-02-02 23:34 . 2003-11-03 22:31 44256 ----a-w- c:\windows\system32\drivers\CoachVc.sys
2010-02-02 23:34 . 2010-02-02 23:34 -------- d-----w- c:\windows\Options
2010-02-02 23:34 . 2010-02-02 23:34 -------- d-----w- c:\program files\Digital Video
2010-02-02 23:34 . 2004-01-22 17:41 46944 ----a-w- c:\windows\system32\drivers\CoachUsb.sys
2010-02-02 23:34 . 2003-11-04 22:54 16896 ----a-w- c:\windows\system32\CoachDlg.dll
2010-02-02 23:33 . 2010-02-02 23:33 -------- d-----w- c:\documents and settings\John\Application Data\InstallShield
2010-02-01 23:27 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 23:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 20:20 . 2010-02-01 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 22:55 . 2010-01-30 23:28 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-30 16:19 . 2010-01-30 23:29 23584 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-30 16:19 . 2010-01-30 23:29 2297376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-30 15:43 . 2010-01-30 22:27 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-30 15:43 . 2010-01-30 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-30 15:40 . 2010-01-30 15:40 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Downloaded Installations
2010-01-29 22:16 . 2010-01-29 22:16 2 --shatr- c:\windows\winstart.bat
2010-01-29 18:02 . 2010-01-29 18:02 127 ----a-w- c:\documents and settings\John\Local Settings\Application Data\fusioncache.dat
2010-01-29 17:59 . 2010-01-29 17:59 -------- d-----w- c:\program files\MSSOAP
2010-01-29 17:31 . 2010-01-29 17:32 164 ----a-w- c:\windows\install.dat
2010-01-29 17:08 . 2010-02-03 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-29 16:15 . 2008-04-14 01:12 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-01-29 16:15 . 2008-04-14 01:12 23552 ----a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-01-22 00:21 . 2010-01-23 03:58 -------- d-sh--w- c:\windows\system32\winsys
2010-01-12 20:47 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 00:21 . 2010-01-11 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-11 00:20 . 2010-01-11 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 04:11 . 2007-07-07 01:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\temp
2010-02-08 04:01 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-07 15:18 . 2008-10-06 00:43 -------- d-----w- c:\documents and settings\John\Application Data\LimeWire
2010-02-07 04:19 . 2006-06-02 20:57 -------- d-----w- c:\program files\Google
2010-02-06 16:06 . 2008-06-23 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-02 23:36 . 2005-12-16 05:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-02 04:34 . 2005-12-16 05:31 -------- d-----w- c:\program files\Java
2010-01-30 23:29 . 2010-01-30 16:19 3260 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-30 23:29 . 2010-01-30 16:19 31844 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-30 16:27 . 2010-01-30 16:27 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-30 15:25 . 2009-01-14 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-29 16:35 . 2005-12-16 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-29 16:34 . 2005-12-16 05:36 -------- d-----w- c:\program files\Viewpoint
2010-01-29 16:33 . 2009-03-11 21:39 -------- d-----w- c:\documents and settings\John\Application Data\Move Networks
2010-01-29 16:32 . 2005-12-16 05:43 -------- d-----w- c:\program files\Dell
2010-01-27 20:49 . 2010-01-27 20:49 61440 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77897cf8-n\decora-sse.dll
2010-01-27 20:49 . 2010-01-27 20:49 12800 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77897cf8-n\decora-d3d.dll
2010-01-27 20:49 . 2010-01-27 20:49 503808 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-423ef17a-n\msvcp71.dll
2010-01-27 20:49 . 2010-01-27 20:49 499712 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-423ef17a-n\jmc.dll
2010-01-27 20:49 . 2010-01-27 20:49 348160 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-423ef17a-n\msvcr71.dll
2010-01-27 20:49 . 2005-12-16 05:31 -------- d-----w- c:\program files\Common Files\Java
2009-12-21 19:14 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 15:21 . 2005-12-16 05:46 -------- d-----w- c:\program files\McAfee
2009-12-17 22:14 . 2008-12-19 03:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 03:58 . 2009-12-11 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-12-05 17:01 . 2009-12-05 17:01 152576 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-05 17:01 . 2009-12-05 17:01 79488 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-25 16:19 . 2009-12-09 16:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 23:28 . 2009-11-04 02:30 63 ----a-w- c:\documents and settings\John\jagex_runescape_preferences2.dat
2009-11-24 23:28 . 2009-06-19 16:17 38 ----a-w- c:\documents and settings\John\jagex_runescape_preferences.dat
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 23:38 . 2006-04-18 03:54 48416 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-03 01:38 . 2006-04-18 03:54 56 --sh--r- c:\windows\system32\E1136D42D7.sys
2008-09-03 01:38 . 2006-04-18 03:54 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\wnJVbmCvz.exe" [2010-02-01 1394000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2009 7:05 PM 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2009 12:57 AM 135664]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 10:11 AM 10664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1B.tmp --> c:\windows\system32\1B.tmp [?]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/11/2003 5:20 PM 183680]
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-23 21:01]

2010-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 05:56]

2010-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 05:56]

2006-02-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-09-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-28 16:22]

2009-09-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-28 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\e3cqc6jo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - HiddenExtension: XULRunner: {69533912-2A69-4366-99CE-30288553F66E} - c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-Ggumasamoqix - c:\windows\ogekigatek.dll
SharedTaskScheduler-{8a43992e-ed4b-4d4a-9c95-14f222dae4ba} - c:\windows\system32\kiyajeru.dll
SSODL-wakenowow-{8a43992e-ed4b-4d4a-9c95-14f222dae4ba} - c:\windows\system32\kiyajeru.dll
Notify-AtiExtEvent - (no file)
AddRemove-MSNINST - c:\program files\MSN\MsnInstaller\msninst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 23:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82F32618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86a2f28
\Driver\ACPI -> ACPI.sys @ 0xf8615cb8
\Driver\atapi -> atapi.sys @ 0xf85cd852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf84c6bb0
PacketIndicateHandler -> NDIS.sys @ 0xf84d3a21
SendHandler -> NDIS.sys @ 0xf84b187b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-07 23:26:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-08 04:25

Pre-Run: 57,859,223,552 bytes free
Post-Run: 58,240,233,472 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 39297F6923747282BBC0FF7AE91D3617
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

Unread postby melboy » February 8th, 2010, 5:40 pm

Hi


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    c:\windows\Bmovubizebuf.dat
    c:\windows\Xjahurifucip.bin
    c:\windows\system32\krelol.dll
    c:\windows\system32\vuzonida.dll
    c:\windows\system32\1B.tmp 
    
    Driver:: 
    MEMSWEEP2
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "appinit_dlls"="" 
    
    DDS::
    Trusted Zone: buy-internet-security10.com
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\e3cqc6jo.default\
    FF - HiddenExtension: XULRunner: {69533912-2A69-4366-99CE-30288553F66E} - c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}
    
    MIA::
    c:\windows\system32\Drivers\atapi.sys
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Refer to the previously given instructions for disabling Mcafee.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



SystemLook

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :contents
    C:\cleanup.bat

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



In your next reply:
  1. Combofix.txt
  2. Systemlook.txt
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby jmartin075 » February 9th, 2010, 8:07 pm

Here's the combo fix.


ComboFix 10-02-09.03 - John 02/09/2010 18:26:40.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.232 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Bmovubizebuf.dat"
"c:\windows\system32\1B.tmp"
"c:\windows\system32\krelol.dll"
"c:\windows\system32\vuzonida.dll"
"c:\windows\Xjahurifucip.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}\chrome.manifest
c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}\chrome\content\_cfg.js
c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}\chrome\content\overlay.xul
c:\documents and settings\John\Local Settings\Application Data\{69533912-2A69-4366-99CE-30288553F66E}\install.rdf
c:\windows\Bmovubizebuf.dat
c:\windows\TEMP\2780449174.dll
c:\windows\Xjahurifucip.bin

Infected copy of c:\windows\system32\kernel32.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\kernel32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2010-01-09 to 2010-02-09 )))))))))))))))))))))))))))))))
.

2010-02-08 04:05 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-02-03 01:41 . 2010-02-03 01:41 -------- d-----w- c:\program files\Trend Micro
2010-02-03 01:11 . 2010-02-03 01:11 0 ----a-w- C:\backup.reg
2010-02-03 01:11 . 2010-02-03 01:11 574 ----a-w- C:\cleanup.bat
2010-02-03 01:11 . 2010-02-03 01:11 135168 ----a-w- C:\zip.exe
2010-02-02 23:44 . 2010-02-02 23:44 -------- d-----w- c:\documents and settings\John\Application Data\ArcSoft
2010-02-02 23:37 . 2010-02-02 23:37 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-02 23:36 . 2010-02-02 23:36 -------- d-----w- c:\program files\ArcSoft
2010-02-02 23:36 . 2006-11-01 19:52 765952 ----a-w- c:\windows\system32\xvidcore.dll
2010-02-02 23:36 . 2006-11-01 19:54 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-02-02 23:34 . 2004-02-03 20:09 41984 ----a-w- c:\windows\system32\CoachWia.dll
2010-02-02 23:34 . 2004-01-06 18:10 8192 ----a-w- c:\windows\system32\CoachWrp.dll
2010-02-02 23:34 . 2003-11-03 22:31 44256 ----a-w- c:\windows\system32\drivers\CoachVc.sys
2010-02-02 23:34 . 2010-02-02 23:34 -------- d-----w- c:\windows\Options
2010-02-02 23:34 . 2010-02-02 23:34 -------- d-----w- c:\program files\Digital Video
2010-02-02 23:34 . 2004-01-22 17:41 46944 ----a-w- c:\windows\system32\drivers\CoachUsb.sys
2010-02-02 23:34 . 2003-11-04 22:54 16896 ----a-w- c:\windows\system32\CoachDlg.dll
2010-02-02 23:33 . 2010-02-02 23:33 -------- d-----w- c:\documents and settings\John\Application Data\InstallShield
2010-02-01 23:27 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 23:27 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 20:20 . 2010-02-01 23:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 22:55 . 2010-01-30 23:28 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-30 16:19 . 2010-01-30 23:29 23584 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-30 16:19 . 2010-01-30 23:29 2297376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-30 15:43 . 2010-01-30 22:27 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-30 15:43 . 2010-01-30 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-30 15:40 . 2010-01-30 15:40 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\Downloaded Installations
2010-01-29 22:16 . 2010-01-29 22:16 2 --shatr- c:\windows\winstart.bat
2010-01-29 18:02 . 2010-01-29 18:02 127 ----a-w- c:\documents and settings\John\Local Settings\Application Data\fusioncache.dat
2010-01-29 17:59 . 2010-01-29 17:59 -------- d-----w- c:\program files\MSSOAP
2010-01-29 17:31 . 2010-01-29 17:32 164 ----a-w- c:\windows\install.dat
2010-01-29 17:08 . 2010-02-03 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-29 16:15 . 2008-04-14 01:12 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-01-29 16:15 . 2008-04-14 01:12 23552 ----a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-01-22 00:21 . 2010-01-23 03:58 -------- d-sh--w- c:\windows\system32\winsys
2010-01-12 20:47 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 00:21 . 2010-01-11 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-11 00:20 . 2010-01-11 00:21 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 23:44 . 2007-07-07 01:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\temp
2010-02-09 23:10 . 2008-06-23 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-02-08 04:01 . 2004-08-04 04:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-07 15:18 . 2008-10-06 00:43 -------- d-----w- c:\documents and settings\John\Application Data\LimeWire
2010-02-07 04:19 . 2006-06-02 20:57 -------- d-----w- c:\program files\Google
2010-02-02 23:36 . 2005-12-16 05:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-02 04:34 . 2005-12-16 05:31 -------- d-----w- c:\program files\Java
2010-01-30 23:29 . 2010-01-30 16:19 3260 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-30 23:29 . 2010-01-30 16:19 31844 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-30 16:27 . 2010-01-30 16:27 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-01-30 15:25 . 2009-01-14 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-29 16:35 . 2005-12-16 05:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-01-29 16:34 . 2005-12-16 05:36 -------- d-----w- c:\program files\Viewpoint
2010-01-29 16:33 . 2009-03-11 21:39 -------- d-----w- c:\documents and settings\John\Application Data\Move Networks
2010-01-29 16:32 . 2005-12-16 05:43 -------- d-----w- c:\program files\Dell
2010-01-27 20:49 . 2010-01-27 20:49 61440 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77897cf8-n\decora-sse.dll
2010-01-27 20:49 . 2010-01-27 20:49 12800 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-77897cf8-n\decora-d3d.dll
2010-01-27 20:49 . 2010-01-27 20:49 503808 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-423ef17a-n\msvcp71.dll
2010-01-27 20:49 . 2010-01-27 20:49 499712 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-423ef17a-n\jmc.dll
2010-01-27 20:49 . 2010-01-27 20:49 348160 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-423ef17a-n\msvcr71.dll
2010-01-27 20:49 . 2005-12-16 05:31 -------- d-----w- c:\program files\Common Files\Java
2009-12-21 19:14 . 2004-08-10 18:51 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 15:21 . 2005-12-16 05:46 -------- d-----w- c:\program files\McAfee
2009-12-17 22:14 . 2008-12-19 03:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-05 17:01 . 2009-12-05 17:01 152576 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-05 17:01 . 2009-12-05 17:01 79488 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-25 16:19 . 2009-12-09 16:29 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-24 23:28 . 2009-11-04 02:30 63 ----a-w- c:\documents and settings\John\jagex_runescape_preferences2.dat
2009-11-24 23:28 . 2009-06-19 16:17 38 ----a-w- c:\documents and settings\John\jagex_runescape_preferences.dat
2009-11-21 15:51 . 2004-08-10 18:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-12 23:38 . 2006-04-18 03:54 48416 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-09-03 01:38 . 2006-04-18 03:54 56 --sh--r- c:\windows\system32\E1136D42D7.sys
2008-09-03 01:38 . 2006-04-18 03:54 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\wnJVbmCvz.exe" [2010-02-01 1394000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/28/2009 7:05 PM 93320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2009 12:57 AM 135664]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 10:11 AM 10664]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [11/11/2003 5:20 PM 183680]
.
Contents of the 'Scheduled Tasks' folder

2010-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2010-02-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-23 21:01]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 05:56]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 05:56]

2006-02-05 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-09-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-28 16:22]

2009-09-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-28 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\e3cqc6jo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 18:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82F42618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf867bf28
\Driver\ACPI -> ACPI.sys @ 0xf85eecb8
\Driver\atapi -> atapi.sys @ 0xf85a6852
IoDeviceObjectType -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf849fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf84aca21
SendHandler -> NDIS.sys @ 0xf848a87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-09 18:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-09 23:58
ComboFix2.txt 2010-02-08 04:26

Pre-Run: 58,349,686,784 bytes free
Post-Run: 58,319,659,008 bytes free

- - End Of File - - 0F94DDF9DFBB6C17EF7995DC6DCF88AC





System Look


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:03 on 09/02/2010 by John (Administrator - Elevation successful)

========== contents ==========

C:\cleanup.bat - Opened succesfully.

@ECHO OFF
cd %systemdrive%\
if exist %systemdrive%\avenger\backup.zip move /y %systemdrive%\avenger\backup.zip "%systemdrive%\avenger\backup-%date:/=.%-%time::=.%.zip"
move /y backup.reg %systemdrive%\avenger\
copy /y avenger.txt %systemdrive%\avenger\
for %%a in (c d e f g h i j k l m n o p q r s t u v w x y z) do if exist %%a:\avenger attrib -r -h -s %%a:\avenger\* /S /D & zip -r -S -q -m -! -P infected "%systemdrive%\avenger\backup.zip" %%a:\avenger\* -x %systemdrive%\avenger\backup*.zip & rmdir %%a:\avenger
del zip.exe
del cleanup.exe
del cleanup.bat


-=End Of File=-
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

Unread postby melboy » February 9th, 2010, 8:26 pm

Hi

Hows the computer running - still being re-directed?


Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



Re-run DDS

Please disable any anti-malware program that will block scripts from running before running DDS.
  • Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, Please copy & paste the contents of :
    • DDS.txt
And post it in your next reply.


In your next reply:
  1. MBAM log
  2. DDS.txt
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby jmartin075 » February 9th, 2010, 11:13 pm

Hey thanks for all your help. Thankfully the google redirect is gone. However, after shutting down McAffee and scanning with the last scan you asked me to do, McAffee said it stopped a couple trojans but then my internet explorer was redirected to one of those fake "you are infected" websites and asked me to download something. Immediately after, I scanned with Malwarebytes but nothing came up. Here's dds.txt



DDS (Ver_09-12-01.01) - NTFSx86
Run by John at 22:05:26.65 on Tue 02/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.111 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] "c:\progra~1\mcafee\mhn\McENUI.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\wnJVbmCvz.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Trusted Zone: buy-internetsecurity10.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCo ... gctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/share ... insctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 1397117859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/aut ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/f ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\e3cqc6jo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-28 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-28 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-28 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-28 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-29 135664]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-28 34248]
S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [2003-11-11 183680]

=============== Created Last 30 ================

2010-02-08 04:05:16 50176 ----a-w- c:\windows\system32\proquota.exe
2010-02-08 03:43:39 0 d-sha-r- C:\cmdcons
2010-02-08 03:40:34 98816 ----a-w- c:\windows\sed.exe
2010-02-08 03:40:34 77312 ----a-w- c:\windows\MBR.exe
2010-02-08 03:40:34 261632 ----a-w- c:\windows\PEV.exe
2010-02-08 03:40:34 161792 ----a-w- c:\windows\SWREG.exe
2010-02-03 01:41:50 0 d-----w- c:\program files\Trend Micro
2010-02-03 01:11:22 0 ----a-w- C:\backup.reg
2010-02-03 01:11:13 574 ----a-w- C:\cleanup.bat
2010-02-03 01:11:13 135168 ----a-w- C:\zip.exe
2010-02-02 23:36:20 765952 ----a-w- c:\windows\system32\xvidcore.dll
2010-02-02 23:36:19 77824 ----a-w- c:\windows\system32\xvid.ax
2010-02-02 23:36:19 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-02-02 23:34:12 8192 ----a-w- c:\windows\system32\CoachWrp.dll
2010-02-02 23:34:12 44256 ----a-w- c:\windows\system32\drivers\CoachVc.sys
2010-02-02 23:34:12 41984 ----a-w- c:\windows\system32\CoachWia.dll
2010-02-02 23:34:11 46944 ----a-w- c:\windows\system32\drivers\CoachUsb.sys
2010-02-02 23:34:11 16896 ----a-w- c:\windows\system32\CoachDlg.dll
2010-02-02 23:34:11 0 d-----w- c:\windows\Options
2010-02-02 23:34:11 0 d-----w- c:\program files\Digital Video
2010-02-01 23:27:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 23:27:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 20:20:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-30 22:55:11 0 d-----w- c:\program files\common files\PC Tools
2010-01-30 16:19:00 3260 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-30 16:19:00 31844 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-30 16:19:00 23584 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-30 16:19:00 2297376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-30 16:18:20 1751 ----a-w- C:\rollback.ini
2010-01-30 15:43:07 0 d-----w- c:\program files\common files\ParetoLogic
2010-01-30 15:43:07 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-01-29 22:16:55 2 --shatr- c:\windows\winstart.bat
2010-01-29 17:59:38 0 d-----w- c:\program files\MSSOAP
2010-01-29 17:31:55 164 ----a-w- c:\windows\install.dat
2010-01-29 17:08:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-29 16:15:27 23552 ----a-w- c:\windows\system32\wdmaud.drv
2010-01-29 16:15:27 23552 ----a-w- c:\windows\system32\dllcache\wdmaud.drv
2010-01-22 00:21:26 0 d-sh--w- c:\windows\system32\winsys
2010-01-12 20:47:58 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-08 04:01:48 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 22:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-24 23:28:28 63 ----a-w- c:\documents and settings\john\jagex_runescape_preferences2.dat
2009-11-24 23:28:27 38 ----a-w- c:\documents and settings\john\jagex_runescape_preferences.dat
2008-09-03 01:38:47 56 --sh--r- c:\windows\system32\E1136D42D7.sys
2008-09-03 01:38:50 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-23 21:34:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 22:09:56.46 ===============
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

Unread postby melboy » February 10th, 2010, 9:23 am

Deleted - double post.
Last edited by melboy on February 10th, 2010, 9:26 am, edited 1 time in total.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby melboy » February 10th, 2010, 9:25 am

Hi

I scanned with Malwarebytes but nothing came up.
Could you still post the log for me to see please.

Give me an update on how things are running after completing the folowing insructions.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    C:\zip.exe
    C:\cleanup.bat
    C:\backup.reg
    
    DDS::
    Trusted Zone: buy-internet-security10.com
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes Anti-Malware (reboot)"=-
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Refer to the previously given instructions for disabling Mcafee.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.




In your next reply:
  1. Combofix.txt
  2. MBAM log
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby jmartin075 » February 10th, 2010, 6:09 pm

I'm posting this from another computer. While I was looking at your response from my computer a friend called and I had to run. I tried to put my computer on stand-by but it was taking a while so I left and thought that it would shut down on its own. I came back to my computer twenty minutes later and saw that it just downloaded a windows update and needed to restart. I restarted it and it crashed when Windows started. I tried "last known good configuration" and it crashed. Safe mode crashes it and so does start windows normally. Basically, I can't get on my computer now. Any ideas? Thanks.
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

Unread postby melboy » February 10th, 2010, 6:30 pm

Hi

If I understand correctly from your reply you haven't actually completed the last set of instructions?


At which point when windows is booting does it fail and do you receive any error messages (blue screen etc)?
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

Unread postby jmartin075 » February 10th, 2010, 6:38 pm

Yea, I didn't do the last set of instructions. I get the dell loading screen and then immediately after it finishes it takes me to the screen that says windows didn't start successfully. Then it asks me how I want to start it (safe mode, last known good configuration, etc) and then it crashes. It doesn't even get to the windows loading screen.

Then I get the blue screen and it says:

stop: 0x00000050 (0x80098004, 0x00000001, 0x80515103, 0x00000000)
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

Unread postby jmartin075 » February 10th, 2010, 6:40 pm

It also says:


FAULT_IN_NONPAGED_AREA

There's something before the fault but it's cut off.
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 484 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware