Google Search Engine Virus

May 5, 2009 at 09:39:52
Specs: Microsoft Windows XP Professional, 1.594 GHz / 255 MB

Hi,

Last night my computer was infected with a virus and now my google search engine redirects my results to ad pages and pop-ups (I'm not computer savvy at all so bear with me). I read some of the other posts that were similar to my problem and saved my logfile from HijackThis (even though I have no idea what any of it means). I also downloaded MalwareRemovalBot, did a scan and now a little window pops up in the bottom corner of my screen saying that it's found 317 detections. I think my problem may be similar to another that was posted about having an older version of Java, so I removed all of the old Java programs and downloaded the new one. I'm really not sure what else to do though because my Ad-Aware and AVG don't seem to be picking anything up. I'd really appreciate some help,

thanks!




#1
May 5, 2009 at 14:51:49

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box and click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box and click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
May 5, 2009 at 19:53:52

I downloaded Malwarebytes from the 2nd link you gave. It didn't open up after it finished installing and it still won't open even after I've renamed all of the .exe files like you said. I clicked on the uninstall program in the folder to see if maybe I could re-install and try again but it only freezes and it won't properly remove itself.
I ran HijackThis and this is the log:

Logfile of HijackThis v1.97.7
Scan saved at 12:13:38 AM, on 06/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Dave\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

Sorry if this isn't much help... I really appreciate you looking at this.



#3
May 5, 2009 at 20:17:07

That version of Hijack This didn't come from the provided link; it is about 6 years old.

Go to start> control panel>add/remove programs and uninstall MalwareRemovalBot as it is a rogue product.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box and click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, then turn off your AVG antivirus, Ad-Aware and any other antispyware that you may have. (To completely turn off AVG, click the icon in the systray > Exit. Next click the desktop AVG icon > Resident Shield > uncheck the box to the left of "Resident Shield active" > Save changes. Restart the computer and recheck the box before getting on the internet.)
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#4
May 6, 2009 at 11:27:18

Okay, so I went to add/remove programs and MalwareRemovalBot wasn't there, just Malwarebytes' Anti-Malware so I left it there. Then I went to the link you gave for HijackThis so hopefully I have the right version now.

After I ran Combofix I ran HijackThis as well to get a log. I'm not sure if that's any help to you or not... and I didn't have HijackThis fix anything. Here's everything:

ComboFix 09-05-05.05 - Dave 06/05/2009 15:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.9 [GMT -2.5:30]
Running from: c:\program files\Trend Micro\toolb.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe
c:\windows\system\msvbvm60.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_007163_.tmp.dll
c:\windows\system32\_007164_.tmp.dll
c:\windows\system32\_007165_.tmp.dll
c:\windows\system32\_007166_.tmp.dll
c:\windows\system32\_007173_.tmp.dll
c:\windows\system32\_007174_.tmp.dll
c:\windows\system32\_007175_.tmp.dll
c:\windows\system32\_007176_.tmp.dll
c:\windows\system32\_007178_.tmp.dll
c:\windows\system32\_007179_.tmp.dll
c:\windows\system32\_007182_.tmp.dll
c:\windows\system32\_007183_.tmp.dll
c:\windows\system32\_007185_.tmp.dll
c:\windows\system32\_007186_.tmp.dll
c:\windows\system32\_007187_.tmp.dll
c:\windows\system32\_007189_.tmp.dll
c:\windows\system32\_007192_.tmp.dll
c:\windows\system32\_007193_.tmp.dll
c:\windows\system32\_007197_.tmp.dll
c:\windows\system32\_007198_.tmp.dll
c:\windows\system32\_007200_.tmp.dll
c:\windows\system32\_007203_.tmp.dll
c:\windows\system32\_007205_.tmp.dll
c:\windows\system32\_007206_.tmp.dll
c:\windows\system32\_007207_.tmp.dll
c:\windows\system32\_007208_.tmp.dll
c:\windows\system32\_007209_.tmp.dll
c:\windows\system32\_007212_.tmp.dll
c:\windows\system32\_007213_.tmp.dll
c:\windows\system32\_007214_.tmp.dll
c:\windows\system32\_007215_.tmp.dll
c:\windows\system32\_007216_.tmp.dll
c:\windows\system32\_007221_.tmp.dll
c:\windows\system32\_007223_.tmp.dll
c:\windows\system32\_007224_.tmp.dll
c:\windows\system32\drivers\UACyevjdkmlmtoqpkl.sys
c:\windows\system32\UACbqewtkcfebdjluj.log
c:\windows\system32\UACdrvohcodddvymxc.log
c:\windows\system32\UACgfndohlitatvilk.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACqgrnoorxsrksiwc.dll
c:\windows\system32\UACsmgvnppjebgvjgw.dll
c:\windows\system32\UACvxexntyjtumrcjr.dll
c:\windows\system32\UACyabuhabocopykls.dll
c:\windows\system32\UACyiwcdulrutseyiq.log
c:\windows\system32\UACytitqlgppafrrbx.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_ISEXENG
-------\Legacy_SVCPROC
-------\Legacy_ZESOFT


((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 17:12 . 2009-05-06 17:25 -------- d-----w c:\program files\Trend Micro
2009-05-06 02:31 . 2009-04-06 18:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-06 02:31 . 2009-04-06 18:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 02:31 . 2009-05-06 02:31 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-05-06 02:31 . 2009-05-06 02:38 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-05 17:09 . 2009-05-06 02:19 -------- d-----w c:\program files\Malwarebyte that won't delete
2009-05-05 16:17 . 2009-05-05 16:16 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-20 13:58 . 2009-04-20 17:45 -------- d-----w c:\windows\system32\scripting
2009-04-20 13:57 . 2009-04-20 17:44 -------- d-----w c:\windows\l2schemas
2009-04-20 13:57 . 2009-04-20 17:45 -------- d-----w c:\windows\system32\en
2009-04-20 13:35 . 2004-08-04 07:56 325632 ----a-w c:\windows\system32\dllcache\wmm2fxb.dll
2009-04-20 13:34 . 2009-02-09 10:20 473088 ----a-w c:\windows\system32\dllcache\fastprox.dll
2009-04-20 13:33 . 2004-08-04 07:56 34560 ----a-w c:\windows\system32\dllcache\mnmdd.dll
2009-04-20 13:32 . 2004-08-04 07:56 14336 ----a-w c:\windows\system32\dllcache\wship6.dll
2009-04-16 18:16 . 2009-04-16 18:16 -------- d-----w c:\documents and settings\Dave\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 16:16 . 2006-03-27 19:48 -------- d-----w c:\program files\Java
2009-03-14 17:01 . 2006-11-01 23:33 -------- d-----w c:\program files\Google
2009-03-06 14:44 . 2003-08-06 04:30 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 20:35 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2009-04-20 13:32 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-04-17 12:14 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2009-04-20 13:32 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2009-04-20 13:32 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2009-04-20 13:32 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2009-04-20 13:32 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2009-04-20 13:32 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-08-23 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2009-04-20 13:32 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-12-27 00:45 . 2007-12-27 00:44 54330664 ----a-w c:\program files\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-17 3022848]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-05 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [01/08/2008 3:05 PM 98304]
S2 gupdate1c9a4c6765a8b4;Google Update Service (gupdate1c9a4c6765a8b4);c:\program files\Google\Update\GoogleUpdate.exe [14/03/2009 2:27 PM 133104]
S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be7d2006-4b61-11db-94f0-0040f44a420b}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:04]

2009-05-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 16:57]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
HKCU-RunServicesOnce-washindex - c:\program files\Washer\washidx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 15:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2009-05-06 15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 18:09

Pre-Run: 11,244,728,320 bytes free
Post-Run: 11,185,192,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

206 --- E O F --- 2009-05-06 05:31

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:03 PM, on 06/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\tools.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2052111302-162531612-725345543-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'kodak')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Google Update Service (gupdate1c9a4c6765a8b4) (gupdate1c9a4c6765a8b4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KodakDigitalDisplayService - Orb Networks, Inc. - C:\Program Files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 5079 bytes



#5
May 6, 2009 at 14:18:21

Looks like at one time or another you had Norton Antivirus installed on the computer. Since you now have AVG installed, you need to remove the remaining Norton files.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "Fix checked":

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Exit Hijack This.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#6
May 6, 2009 at 20:09:39

I was going to ask about that! I got a popup that said something about Norton, so I did a search to find it and when I clicked on one of the icons it said that the program might be corrupt. Okay, thanks. That's deleted now.

Here's the scan report from Kaspersky:
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 20:06:02
Records in database: 2138404


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\

Scan statistics
Files scanned 50940
Threat name 6
Infected objects 9
Suspicious objects 0
Duration of the scan 01:54:48

File name Threat name Threats count
C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\28683807 Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1

C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\3AB53BA8.dll Infected: not-a-virus:AdWare.Win32.WinAD.aa 1

C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\41503063.dll Infected: not-a-virus:AdWare.Win32.Gator.1101 1

C:\Documents and Settings\Dave\Local Settings\Application Data\Ares\My Shared Folder\02 - jonas brothers - play my music.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgfndohlitatvilk.dll.vir Infected: Packed.Win32.Tdss.f 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACqgrnoorxsrksiwc.dll.vir Infected: Packed.Win32.Tdss.f 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACsmgvnppjebgvjgw.dll.vir Infected: Packed.Win32.Tdss.f 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvxexntyjtumrcjr.dll.vir Infected: Packed.Win32.Tdss.f 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyabuhabocopykls.dll.vir Infected: Trojan.Win32.TDSS.acbd 1

The selected area was scanned.


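The three logs in this thread (the HijackThis log in #2, the ComboFix log in #4 and the Kaspersky report in #6) all point at the same infection: randomised UAC*-prefixed DLL/SYS/LOG files in system32, the uacinit.dll loader, the UACd service, the _NNNNNN_.tmp.dll droppings, plus the MalwareRemovalBot rogue and a leftover Norton service. The script below is an added example, not code from this thread or from any of the tools named in it; it applies those indicators as rules to pasted log lines so a helper can triage a log mechanically. The UAC*/tmp.dll patterns are heuristics on the naming seen in these logs (an assumption, not a signature from any vendor), and the sample lines are copied from the logs posted above.

```python
"""Triage pasted HijackThis / ComboFix / Kaspersky log lines for the
indicators that appear in this thread (TDSS "UACd" rootkit components,
the MalwareRemovalBot rogue, orphaned services, unknown Winsock LSPs)."""
import re
from typing import Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high", "review" or "quarantined"
    reason: str
    line: str


# Indicators copied from the logs above. The UAC* names are randomised per
# infection, so the pattern is a heuristic on prefix and location, not a
# fixed file list (assumption: legitimate system32 files do not look like this).
UAC_INIT = re.compile(r"\\system32\\uacinit\.dll\b", re.I)
UAC_RANDOM = re.compile(r"\\system32\\(?:drivers\\)?uac[a-z]{8,}\.(?:dll|sys|log|dat)\b", re.I)
TMP_DLL = re.compile(r"\\system32\\_\d{6}_\.tmp\.dll\b", re.I)
UAC_SERVICE = re.compile(r"Service_UAC\w*\.sys", re.I)
# Rogue "security" product named as such in reply #3.
ROGUE_PRODUCTS = ("malwareremovalbot",)

WIN_PATH = re.compile(r'[a-z]:\\[^\s"\[\]<>|]+', re.I)
HJT_O10 = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.I)
HJT_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def classify_path(path: str):
    """Return an indicator label for a TDSS-style path, or None."""
    if UAC_INIT.search(path):
        return "TDSS loader uacinit.dll"
    if UAC_RANDOM.search(path):
        return "randomised UAC* rootkit component"
    if TMP_DLL.search(path):
        return "_NNNNNN_.tmp.dll dropper residue"
    return None


def triage_line(line: str) -> List[Finding]:
    """Apply every rule to one log line; a line can yield several findings."""
    line = line.strip()
    findings: List[Finding] = []
    if not line:
        return findings
    if UAC_SERVICE.search(line):
        findings.append(Finding("high", "UACd rootkit service", line))
    if any(r in line.lower() for r in ROGUE_PRODUCTS):
        findings.append(Finding("high", "known rogue product autostart", line))
    for path in WIN_PATH.findall(line):
        label = classify_path(path)
        if label is None:
            continue
        # A hit inside a quarantine folder (ComboFix's C:\Qoobox, an AV
        # quarantine) is already neutralised: report it, but not as live.
        sev = "quarantined" if "\\quarantine\\" in path.lower() else "high"
        findings.append(Finding(sev, label, line))
    m = HJT_O23.match(line)
    if m and "(file missing)" in m.group("path"):
        findings.append(Finding("review", "service points at missing file (orphaned install)", line))
    if HJT_O10.match(line):
        findings.append(Finding("review", "unknown Winsock LSP, verify the vendor", line))
    return findings


def triage(lines: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for ln in lines:
        out.extend(triage_line(ln))
    return out


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: one line of each kind, taken from the logs posted above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
c:\windows\system32\_007163_.tmp.dll
c:\windows\system32\drivers\UACyevjdkmlmtoqpkl.sys
c:\windows\system32\uacinit.dll
-------\Service_UACd.sys
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgfndohlitatvilk.dll.vir Infected: Packed.Win32.Tdss.f 1
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:<11}] {f.reason}: {f.line}")
    print(summarize(results))
```

Run it against a whole pasted log with `triage(open("log.txt").read().splitlines())`. The point of the "quarantined" bucket is the same one made in reply #5 about the Kaspersky report: a detection inside C:\Qoobox or an AV quarantine folder is not a live infection, which is why reply #7 simply deletes those folders. The O10 and O23 rules deliberately only mark lines for review, since an unknown LSP (here Bonjour's mdnsnsp.dll) or a service whose file is missing is usually a leftover rather than malware.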

#7
May 6, 2009 at 20:19:40

Navigate to and delete these folders:

C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec

C:\Qoobox

navigate to and delete this file:

C:\Documents and Settings\Dave\Local Settings\Application Data\Ares\My Shared Folder\02 - jonas brothers - play my music.mp3

Go to Start > Run, type in combofix /u (note the space after combofix), then press Enter. This will uninstall ComboFix, so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it rewrites malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



#8
May 6, 2009 at 20:52:02

That's awesome, thanks a lot! HijackThis isn't in my add/remove programs though... I think I renamed it when it was installed to 'tools'. Should I still delete it?

It's an old family computer with years of random music, photos and junk on it that needs to be cleaned up so it's pretty slow anyway... but Google seems to be great, there are no popups and the phoney firewall is gone. Thanks!



#9
May 7, 2009 at 03:33:54

Yes, delete toolb if found. Copy your pictures and important documents to a cd or you will lose them one day.

Glad we could help.

