I seem to have the Google redirect virus. I've read previous posts on this and have tried to self-diagnose but to no avail because, well, I have no idea what I'm doing. I hope you can help me get rid of this thing because I use Google every day for work.
I did read about running MBAM and Hijack This, which I just did, and I do have those log files if you would like them.
Hope you can help me!

Here they are:
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

26/09/2008 9:49:59 AM
mbam-log-2008-09-26 (09-49-59).txt

Scan type: Quick Scan
Objects scanned: 66253
Time elapsed: 9 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 16
Registry Data Items Infected: 14
Folders Infected: 13
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcghej0e981 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\x123.x123mgr (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\x123.x123mgr.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\604262 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Application Data\rhcghej0e981\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Tess\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tess\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:30 AM, on 26/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\ICO.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tess\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: 604262 helper - {4F006697-FB04-4B67-86BB-0DCA9C0514B4} - C:\WINDOWS\system32\604262\604262.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4996 bytes
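An added example, not from the post above and not part of MBAM or HijackThis: a small Python script that reads the two logs and pulls out what matters for a redirect complaint. From the MBAM log it collects every "Bad:" URL in the Registry Data Items section and groups the hijacked IE search values by hostname and by hive (HKLM as well as HKCU means the defaults were rewritten for every account on the machine, not just the one that was logged in). From the HijackThis log it lists O2 BHO entries whose DLL is reported "(file missing)", which here is the 604262 helper registration left behind after MBAM quarantined C:\WINDOWS\system32\604262. The sample text is copied from the logs above but shortened to a few lines, and the regexes assume exactly the "Bad: (...) Good: (...)" and "O2 - BHO:" layouts those logs use.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: three "Registry Data Items Infected" lines copied from the
# MBAM log in the thread (the full log has fourteen of them).
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
"""

# Constructed sample: three lines copied from the HijackThis log in the thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 604262 helper - {4F006697-FB04-4B67-86BB-0DCA9C0514B4} - C:\WINDOWS\system32\604262\604262.dll (file missing)
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.exe
"""

# One MBAM "Registry Data Items" line: key (detection) -> Bad: (url) Good: (url) -> ...
DATA_ITEM = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)
# One HijackThis O2 line; the trailing "(file missing)" is optional.
BHO_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def hijacked_values(mbam_log: str) -> list:
    """Every (registry value, bad URL, restored URL) triple in the MBAM log."""
    out = []
    for line in mbam_log.splitlines():
        m = DATA_ITEM.match(line)
        if m:
            out.append((m["key"], m["bad"], m["good"]))
    return out


def hosts_by_hive(mbam_log: str) -> dict:
    """{bad hostname: sorted hives touched}; HKLM plus HKCU means machine-wide defaults."""
    result = {}
    for key, bad, _good in hijacked_values(mbam_log):
        host = urlsplit(bad).hostname or bad
        hive = key.split("\\", 1)[0]
        result.setdefault(host, set()).add(hive)
    return {host: sorted(hives) for host, hives in result.items()}


def orphan_bhos(hjt_log: str) -> list:
    """(CLSID, DLL path) of BHOs still registered although their DLL is gone."""
    found = []
    for line in hjt_log.splitlines():
        m = BHO_LINE.match(line)
        if m and m["missing"]:
            found.append((m["clsid"], m["path"]))
    return found


if __name__ == "__main__":
    for host, hives in hosts_by_hive(MBAM_SAMPLE).items():
        print(f"search settings redirected to {host} in {', '.join(hives)}")
    for clsid, path in orphan_bhos(HJT_SAMPLE):
        print(f"orphaned BHO {{{clsid}}} -> {path}")
```

Run it over the full logs and the same two questions get answered for all fourteen data items: which host the searches went to, and whether the rewrite sat in the machine hive as well as the user hive. An orphaned O2 entry is harmless once the DLL is gone, but it is the kind of leftover a cleanup script is normally asked to remove.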

Please download ComboFix to the desktop from one of the following links:
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your AVG antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.
Remember to re-enable the protection again afterwards before connecting to the Internet.
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Here's the Combofix log:
ComboFix 08-09-26.01 - Tess 2008-09-26 18:58:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.671 [GMT -4:00]
Running from: C:\Documents and Settings\Tess\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.
2008-09-26 09:17 . 2008-09-26 09:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 09:17 . 2008-09-26 09:17 <DIR> d-------- C:\Documents and Settings\Tess\Application Data\Malwarebytes
2008-09-26 09:17 . 2008-09-26 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 09:17 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-26 09:17 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-25 15:41 . 2008-09-25 15:41 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-25 15:41 . 2008-09-25 15:41 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-25 15:41 . 2008-09-25 15:41 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-25 14:53 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-09-25 14:52 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-09-25 14:36 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-25 08:09 . 2008-09-25 08:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-25 08:08 . 2008-09-26 09:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-25 08:08 . 2008-09-25 08:08 <DIR> d-------- C:\Program Files\AVG
2008-09-25 08:08 . 2008-09-25 08:08 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-25 08:08 . 2008-09-25 08:08 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-25 08:08 . 2008-09-25 08:08 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-09-17 13:32 . 2008-09-17 13:32 <DIR> d-------- C:\Documents and Settings\Tess\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 20:09 --------- d-----w C:\Documents and Settings\Tess\Application Data\Skype
2008-09-25 19:58 --------- d-----w C:\Documents and Settings\Tess\Application Data\skypePM
2008-09-25 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-09-05 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-08-18 19:23 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-08-18 19:23 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-08-18 01:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-17 20:12 48,367,896 ----a-w C:\avg_free_stf_en_8_138a1332.exe
2008-07-27 21:15 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 02:08 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:08 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 114,688 2006-12-06 01:49:20 C:\HighCriteria\TotalRecorder\bak\TotRecSched.exe

----a-w 57,344 2003-04-21 05:38:12 C:\Program Files\Lexmark X6100 Series\bak\lxbfbmgr.exe
----a-w 57,344 2003-04-21 05:38:12 C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-07-10 114688]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-25 1235736]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-04-21 57344]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-13 C:\WINDOWS\system32\irprops.cpl]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 C:\WINDOWS\system32\ico.exe]

C:\Documents and Settings\Daria&Evan\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2/5/2008 11:45:11 PM 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll
"aux2"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-08-16 17:45 45056 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2004-09-14 15:16 1212416 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--a------ 2003-09-30 12:05 536576 C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphclhej0e981]
C:\WINDOWS\system32\lphclhej0e981.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcghej0e981]
C:\Program Files\rhcghej0e981\rhcghej0e981.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
--a------ 2003-03-17 18:27 32768 C:\IBMTOOLS\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd Daemon]
SKDAEMON.EXE [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-09-25 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-25 97928]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-25 76040]
R3 TotRec7;Total Recorder WDM audio driver;C:\WINDOWS\system32\drivers\TotRec7.sys [2008-04-17 119448]
R4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-25 231704]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-25 875288]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
S3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\pelps2m.sys [2003-01-21 18048]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 9216]

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.ca/
R0 -: HKCU-Main,SearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R0 -: HKCU-Main,Default_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R0 -: HKLM-Main,Search Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R0 -: HKLM-Main,SearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKLM-Internet Explorer,SearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-26 19:00:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-26 19:02:32
ComboFix-quarantined-files.txt 2008-09-26 23:02:28

Pre-Run: 19,700,736,000 bytes free
Post-Run: 20,252,938,240 bytes free

151

Please download FindAWF from this link:
FindAWF
Save the file to the Desktop
Double-click the FindAWF icon.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.
When done, a text file, Find AWF report, is produced.
Please provide Find AWF report in your reply.

Here's the Find AWF report:
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 27/09/2008
The current time is: 9:04:18.70
bak folders found
~~~~~~~~~~~
Directory of C:\HIGHCR~1\TOTALR~1\BAK

05/12/2006 09:49 PM 114,688 TotRecSched.exe
1 File(s) 114,688 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK
21/04/2003 01:38 AM 57,344 lxbfbmgr.exe
1 File(s) 57,344 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
114688 Dec 5 2006 "C:\HighCriteria\TotalRecorder\bak\TotRecSched.exe"
131736 Apr 17 2008 "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
57344 Apr 21 2003 "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
57344 Apr 21 2003 "C:\Program Files\Lexmark X6100 Series\bak\lxbfbmgr.exe"
end of report
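An added example, not from the thread and not part of ComboFix or FindAWF, covering two checks a reader might want to run by hand on the ComboFix log and the FindAWF report above. First, ComboFix prints several IE search values in its Supplementary Scan as hex (the R0/R1 lines ending in 687474...); decoding them shows whether the keys now hold the http://www.google.com/ default that MBAM reported as "Good:", or something else. Second, FindAWF's "Duplicate files of bak directory contents" lists each bak\ copy beside the live file of the same name; the AWF infection that tool was written for moves the real auto-start executable into a bak subfolder and puts its own binary under the original name, so the comparison to make is the size of the bak copy against the size of the live one. A mismatch is a lead rather than a verdict: the TotalRecorder pair above differs in size but also in date (Dec 2006 against Apr 2008), which is what a legitimate update looks like, while the Lexmark pair is the same size to the byte. The sample text is copied from the reports above; the "hxxp" defanging and the hex-only value layout are assumed to be exactly as ComboFix printed them.

```python
import re

# Constructed sample: a few "Supplementary Scan" lines in the shape ComboFix
# printed in the thread (some values shown as hex; ComboFix writes hxxp for http).
COMBOFIX_SAMPLE = r"""
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.ca/
R0 -: HKCU-Main,SearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
R1 -: HKLM-Internet Explorer,SearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
"""

# Constructed sample: the "Duplicate files" section of the FindAWF report in the thread.
FINDAWF_SAMPLE = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
114688 Dec 5 2006 "C:\HighCriteria\TotalRecorder\bak\TotRecSched.exe"
131736 Apr 17 2008 "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
57344 Apr 21 2003 "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
57344 Apr 21 2003 "C:\Program Files\Lexmark X6100 Series\bak\lxbfbmgr.exe"
end of report
"""

# The value MBAM reported as "Good:" when it repaired the search keys.
EXPECTED_DEFAULT = "http://www.google.com/"

# R0/R1 line whose value is nothing but hex digits (plain URLs do not match).
HEX_LINE = re.compile(r"^(?P<kind>R[01]) -: (?P<loc>[^=]+?) = (?P<val>[0-9A-Fa-f]+)$")
# FindAWF duplicate entry: size, date, quoted path.
DUP_LINE = re.compile(r'^(?P<size>\d+) (?P<date>\w{3} \d{1,2} \d{4}) "(?P<path>[^"]+)"$')


def decode_hex_values(combofix_log: str) -> dict:
    """Map 'HIVE-Section,Value' -> decoded string for every hex-encoded R0/R1 line."""
    decoded = {}
    for line in combofix_log.splitlines():
        m = HEX_LINE.match(line)
        if m and len(m["val"]) % 2 == 0:
            raw = bytes.fromhex(m["val"])
            # The bytes are a string value; drop any NUL terminator or padding.
            decoded[m["loc"]] = raw.decode("ascii", "replace").replace("\x00", "")
    return decoded


def nondefault_values(combofix_log: str, expected: str = EXPECTED_DEFAULT) -> dict:
    """Hex-encoded values that decode to something other than the expected default."""
    return {loc: url for loc, url in decode_hex_values(combofix_log).items() if url != expected}


def pair_bak_files(findawf_report: str) -> dict:
    """Group report entries by file name into {'bak': (size, path), 'live': (size, path)}."""
    groups = {}
    for line in findawf_report.splitlines():
        m = DUP_LINE.match(line)
        if not m:
            continue
        path = m["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        slot = "bak" if "\\bak\\" in path.lower() else "live"
        groups.setdefault(name, {})[slot] = (int(m["size"]), path)
    return groups


def size_mismatches(findawf_report: str) -> list:
    """File names whose bak\\ copy and live copy differ in size."""
    return sorted(
        name for name, g in pair_bak_files(findawf_report).items()
        if "bak" in g and "live" in g and g["bak"][0] != g["live"][0]
    )


if __name__ == "__main__":
    for loc, url in decode_hex_values(COMBOFIX_SAMPLE).items():
        print(f"{loc} = {url}")
    print("non-default search values:", nondefault_values(COMBOFIX_SAMPLE) or "none")
    print("bak/live size mismatches:", size_mismatches(FINDAWF_SAMPLE) or "none")
```

Size is what FindAWF gives you, so size is what the script compares; on the machine itself a hash of both files (and the digital signature of the live one, where the vendor signs) is the better test before deciding which copy to keep.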

Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\HighCriteria\TotalRecorder\bak
C:\Program Files\Lexmark X6100 Series\bak
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto start click "run".

Post a new Combofix log following the previous directions.

I've dragged & dropped CFScript.txt into the red Combofix icon on my desktop, and it's telling me that there's a new version of Combofix available and would I like to update? I don't know--should I update Combofix in the middle of this procedure? Combofix won't go any further until I answer its question...

Here's the latest Combofix report:
ComboFix 08-09-26.06 - Tess 2008-09-27 13:33:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.662 [GMT -4:00]
Running from: C:\Documents and Settings\Tess\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tess\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\HighCriteria\TotalRecorder\bak
C:\HighCriteria\TotalRecorder\bak\TotRecSched.exe
C:\Program Files\Lexmark X6100 Series\bak
C:\Program Files\Lexmark X6100 Series\bak\lxbfbmgr.exe
.
((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.
2008-09-26 09:17 . 2008-09-26 09:19 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 09:17 . 2008-09-26 09:17 <DIR> d-------- C:\Documents and Settings\Tess\Application Data\Malwarebytes
2008-09-26 09:17 . 2008-09-26 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 09:17 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-26 09:17 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-25 15:41 . 2008-09-25 15:41 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-25 15:41 . 2008-09-25 15:41 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-25 15:41 . 2008-09-25 15:41 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-25 14:53 . 2008-04-13 20:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-09-25 14:52 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-09-25 14:36 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-25 08:09 . 2008-09-25 08:09 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-25 08:08 . 2008-09-27 13:32 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-25 08:08 . 2008-09-25 08:08 <DIR> d-------- C:\Program Files\AVG
2008-09-25 08:08 . 2008-09-25 08:08 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-25 08:08 . 2008-09-25 08:08 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-25 08:08 . 2008-09-25 08:08 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-09-17 13:32 . 2008-09-17 13:32 <DIR> d-------- C:\Documents and Settings\Tess\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 17:33 --------- d-----w C:\Program Files\Lexmark X6100 Series
2008-09-25 20:09 --------- d-----w C:\Documents and Settings\Tess\Application Data\Skype
2008-09-25 19:58 --------- d-----w C:\Documents and Settings\Tess\Application Data\skypePM
2008-09-25 12:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-09-05 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2008-08-18 19:23 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-08-18 19:23 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-08-18 01:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-17 20:12 48,367,896 ----a-w C:\avg_free_stf_en_8_138a1332.exe
2008-07-27 21:15 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-19 02:08 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:08 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-07-10 114688]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-25 1235736]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"Lexmark X6100 Series"="C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-04-21 57344]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-13 C:\WINDOWS\system32\irprops.cpl]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 C:\WINDOWS\system32\ico.exe]

C:\Documents and Settings\Daria&Evan\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2/5/2008 11:45:11 PM 225280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll
"aux2"= sysaudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
--a------ 2004-08-16 17:45 45056 C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2004-09-14 15:16 1212416 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--a------ 2003-09-30 12:05 536576 C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_Start]
--a------ 2003-03-17 18:27 32768 C:\IBMTOOLS\Updater\ucstartup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-09-25 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-25 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-25 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-25 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-25 76040]
R3 TotRec7;Total Recorder WDM audio driver;C:\WINDOWS\system32\drivers\TotRec7.sys [2008-04-17 119448]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 16384]
S3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\pelps2m.sys [2003-01-21 18048]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 9216]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lphclhej0e981 - C:\WINDOWS\system32\lphclhej0e981.exe
MSConfigStartUp-SMrhcghej0e981 - C:\Program Files\rhcghej0e981\rhcghej0e981.exe
MSConfigStartUp-Hot Key Kbd Daemon - SKDAEMON.exe

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 13:34:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-27 13:36:09
ComboFix-quarantined-files.txt 2008-09-27 17:35:58
ComboFix2.txt 2008-09-26 23:02:34

Pre-Run: 20,630,712,320 bytes free
Post-Run: 20,663,341,056 bytes free

142
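A way to triage a log like the one above before reading the reply: the Python below is an added example, not part of the thread and not a ComboFix feature. It parses an excerpt copied from the log's Reg Loading Points and ORPHANS REMOVED sections (with the registry key headers put back on their own lines, since the forum ran them together) and flags three things a helper looks at first: Security Center "DisableNotify" values set to 1, which silence the Windows XP balloon warnings for a missing antivirus or missing updates and are a common rogue-AV tweak; anything listed in AppInit_DLLs, which is loaded into every process that uses user32.dll; and autostart images with random-looking names, such as the rhcghej0e981 entries ComboFix removed. The AVG allowlist (avgrsstx.dll belongs to the AVG 8 install seen elsewhere in the log) and the random-name heuristic are assumptions of the example.

```python
import re
from typing import List, Tuple

# Excerpt copied from the ComboFix log above (Reg Loading Points and ORPHANS
# REMOVED sections), with the registry key headers restored to their own lines.
LOG_EXCERPT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-07-10 155648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-25 1235736]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-13 C:\WINDOWS\system32\irprops.cpl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lphclhej0e981 - C:\WINDOWS\system32\lphclhej0e981.exe
MSConfigStartUp-SMrhcghej0e981 - C:\Program Files\rhcghej0e981\rhcghej0e981.exe
MSConfigStartUp-Hot Key Kbd Daemon - SKDAEMON.exe
"""

HEADER_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(.+?) - (.+)$")
QUOTED_PATH_RE = re.compile(r'^"([^"]+)"')

# Values under HKLM\SOFTWARE\Microsoft\Security Center that, when set to 1,
# suppress the XP Security Center warning for that component.
SECURITY_CENTER_NOTIFY = {"antivirusdisablenotify", "updatesdisablenotify", "firewalldisablenotify"}
# Assumption: AVG 8 is installed on this machine, so its resident-shield DLL is expected here.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

Entry = Tuple[str, str, str]  # (registry key or section, value name, raw value)


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the REGEDIT4-style dump plus the orphan list into (key, name, value) triples."""
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key:
            entries.append((key, m.group(1), m.group(2).strip()))
        elif m := ORPHAN_RE.match(line):
            entries.append(("MSConfigStartUp (orphans removed)", m.group(1), m.group(2).strip()))
    return entries


def image_path(raw_value: str) -> str:
    """Strip ComboFix's trailing [date size] annotation and the surrounding quotes."""
    if m := QUOTED_PATH_RE.match(raw_value):
        return m.group(1)
    return raw_value.split(" [", 1)[0].strip()


def looks_random(path: str) -> bool:
    """Heuristic (an assumption of this example, not a ComboFix rule): long,
    digit-laden, vowel-poor file stems such as lphclhej0e981 are typical of
    generated rogue-AV names, while vendor names like avgtray are not."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", path.replace("\\", "/").rsplit("/", 1)[-1])
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return len(stem) >= 10 and digits >= 2 and letters >= 6 and vowels / letters < 0.3


def triage(entries: List[Entry]) -> List[str]:
    """Return one human-readable finding per entry worth a second look."""
    findings: List[str] = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        if k.endswith("security center") and n in SECURITY_CENTER_NOTIFY \
                and value.lower() == "dword:00000001":
            findings.append(f"{name}=1: Security Center warnings for this component are suppressed")
        elif n == "appinit_dlls" and value:
            for dll in re.split(r"[ ,]+", value):
                tag = "allowlisted" if dll.lower() in APPINIT_ALLOWLIST else "UNKNOWN, review"
                findings.append(f"AppInit_DLLs loads {dll} into every user32 process ({tag})")
        elif k.endswith(r"currentversion\run") or k.startswith("msconfigstartup"):
            path = image_path(value)
            if looks_random(path):
                findings.append(f"{name}: autostart image with a random-looking name: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_loading_points(LOG_EXCERPT)):
        print(finding)
```

Run on the excerpt it reports the two Security Center values, the AVG DLL as allowlisted, and the two removed rogue entries; the regular Run entries (igfxtray, avgtray, tgcmd) and the SKDAEMON orphan stay quiet. After the DisableNotify values are cleared, Security Center resumes warning when an antivirus or Automatic Updates goes missing, which is exactly the signal the rogue wanted gone.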

Looks much better.
Empty the restore folder. Go to start > control panel > system > system restore tab > check the box beside "turn off system restore" > apply (takes a minute) > ok. Go back and uncheck the box to turn system restore back on > apply > ok.
Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Ran the ATF Cleaner. Tried to run Kaspersky, but it says, "You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0."
Now what? Do you have a Java link for me?

Here you go.
Download the latest version of java from this link Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.

Got Java installed, I think. Downloaded Kaspersky files, but there is no "Next" button to click and there are no scan settings to set. I can only choose from Information, Update, Scan, Scan Report and Support on the left-hand side, and Help and Settings at the bottom of the screen, none of which talk about the scan settings you mentioned. Any ideas on how I can get to those settings?
In the meantime, I just selected "My Computer" to scan, which it's doing now, but I have no idea what settings it's using...

Okay, good. Here's the Kaspersky log:
----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, September 28, 2008 01:46:00
Records in database: 1266952
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 48058
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:58:03
File name / Threat name / Threats count
C:\IBMTOOLS\APPS\RRPC\RRPC\superinstall.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 2

The selected area was scanned.

That file can be ignored, it is a false positive.
Go to start> run> type in combofix /u then press enter. Give it a minute. This will uninstall Combofix.
You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster
Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.
Your log is clean, how is the computer operating?

Uninstalled Combofix.
Installed Spywareblaster.

Hate to say this, but Google is not fixed. A search of "Martha Stewart" just listed "Martha Stewart Living" in the title of the first result, with sears.ca as the URL. And the second result was titled "Martha Stewart - Wikipedia, the free encyclopedia" in the title, with www.cheapflights.com as the URL. So the search results continue to look legitimate, but the URLs are all unrelated.
Help!
Here's a screenshot:

Let's reset your hosts file and see if that helps.
Please download HostsXpert from the following link:
Extract the HostsXpert.zip by doing the following:
Right-click HostsXpert.zip and select extract all. Follow the wizard and extract it to your Desktop. Click Finish.
Double-click the HostsXpert folder and then double-click HostsXpert.exe.
Click "Restore MS Hosts File" and press OK.
Exit the program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.
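Why the hosts file matters for a redirect, and what "Restore MS Hosts File" actually does: Windows consults the hosts file before DNS, so a line mapping www.google.com to some other address sends the browser there without any DNS lookup, and restoring the Microsoft file writes back the single stock Windows XP entry (127.0.0.1 localhost), discarding everything else. The check below is an added Python example, not part of the thread and not HostsXpert's code; it parses a hosts file, reports whether it is back to stock, and lists every name sent somewhere other than loopback or 0.0.0.0, which is the list a user should compare against the custom entries they remember adding (the "keep" set) before re-adding anything after a reset. The sample file, the printer.home entry and the 203.0.113.5 address (an RFC 5737 documentation address) are constructed for the example.

```python
import ipaddress
import os
from typing import FrozenSet, List, Tuple

# Constructed sample (not taken from the thread): the one entry a stock Windows
# XP hosts file carries, a custom entry the user added themselves, hijack-style
# lines pointing search engines at an RFC 5737 documentation address, and a
# malformed line to show it is skipped rather than crashing the parser.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.168.1.10    printer.home        # user's own entry, must survive a reset
203.0.113.5     www.google.com
203.0.113.5     google.com  www.bing.com
bogus line that is not an address
"""

HostEntry = Tuple[str, str]  # (address, hostname)


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse hosts-file syntax: '<address> <name> [<name>...]'; '#' starts a comment."""
    entries: List[HostEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first token is not an IP address; not a usable mapping
        entries.extend((addr, name.lower()) for name in names)
    return entries


def is_stock_xp(entries: List[HostEntry]) -> bool:
    """True when the file only maps localhost to a loopback address, which is
    what restoring the Microsoft hosts file on XP leaves behind."""
    return bool(entries) and all(
        ipaddress.ip_address(a).is_loopback and h == "localhost" for a, h in entries)


def flag_hijacks(entries: List[HostEntry], keep: FrozenSet[str] = frozenset()) -> List[HostEntry]:
    """Return entries that send a hostname somewhere other than loopback or 0.0.0.0.
    Loopback/unspecified targets are the ordinary ad-blocking pattern; anything
    else overrides DNS for that name and deserves a look unless the user put it
    there (pass those names in `keep`; they are the ones to re-add after a reset)."""
    flagged: List[HostEntry] = []
    for addr, host in entries:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified or host in keep:
            continue
        flagged.append((addr, host))
    return flagged


def windows_hosts_path() -> str:
    # %SystemRoot%\System32\drivers\etc\hosts; the C:\WINDOWS fallback is for non-Windows runs
    return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    path = windows_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # offline demo on the constructed sample
    found = parse_hosts(text)
    print("stock XP hosts file" if is_stock_xp(found) else "non-default entries present")
    for addr, host in flag_hijacks(found, keep=frozenset({"printer.home"})):
        print(f"  {host} -> {addr}")
```

On the sample it reports the three search-engine lines and leaves printer.home alone once that name is in the keep set. A clean hosts file rules out only this one cause of redirects: the thread's next reply, asking for fresh logs, shows the reset did not resolve this case.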

Ok, please post a new Malwarebytes and Hijack This log so we can see what has changed. Make sure to update Malwarebytes.
