Google is redirecting after I got a trojan

March 15, 2010 at 21:05:38
Specs: Windows XP SP3
Hi,

I got infected with one of those fake antivirus programs that try to get you to buy them. It was called "Antivirus Soft". Long story short, I was able to run Malwarebytes and I got rid of it.

The problem is, now Google is redirecting me to advertisements. It only happens a bit more than half the time.

I am pretty good with computers and if you can tell me what is wrong I should be able to fix it. I just need to know how it is being redirected. It could be that my internet is being routed through a proxy, which is worrisome, but I'm not sure if that's it.





#1
March 15, 2010 at 21:43:43
Try running SuperAntiSpyware or ComboFix. Viruses may still be hidden; Malwarebytes is good, but it doesn't find everything. I will supply a link in a minute. Just try to stay online and I will help.


#2
March 15, 2010 at 21:46:23
Here is the one for ComboFix. Beware: make SURE all protection is off. This will disconnect you from the internet when you use it, and don't click on it because it might hang. http://download.bleepingcomputer.co...


#3
March 15, 2010 at 21:49:54
Here is the one for SuperAntiSpyware, which in my opinion finds things that other antiviruses don't. Restart the computer in safe mode (tap F8 repeatedly), then run it. Please post a log; I am curious about this.
http://www.superantispyware.com/


#4
March 16, 2010 at 16:09:11
I am about to run ComboFix; I will run SuperAntiSpyware after. Why should I boot to safe mode before running SuperAntiSpyware?


#5
March 16, 2010 at 16:42:13
Something someone told me. It doesn't matter; just when I thought I was infected, some dude on here told me to do it.


#6
March 17, 2010 at 13:31:53
Uh, can you follow up? I am kinda worried; you said you would run it and you haven't posted in a while. I just want to know if it found anything and that your problem is fixed.


#7
March 17, 2010 at 21:50:52
Yeah, ComboFix got rid of the problem. Malwarebytes hadn't removed all parts of the virus. Here is the log:

ComboFix 10-03-16.03 - Alex 03/16/2010 16:51:23.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.300 [GMT -7:00]
Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Alex\Local Settings\Application Data\{EB19EF02-624A-44E7-BA12-004D77C40ED3}
c:\documents and settings\Alex\Local Settings\Application Data\{EB19EF02-624A-44E7-BA12-004D77C40ED3}\chrome.manifest
c:\documents and settings\Alex\Local Settings\Application Data\{EB19EF02-624A-44E7-BA12-004D77C40ED3}\chrome\content\_cfg.js
c:\documents and settings\Alex\Local Settings\Application Data\{EB19EF02-624A-44E7-BA12-004D77C40ED3}\chrome\content\overlay.xul
c:\documents and settings\Alex\Local Settings\Application Data\{EB19EF02-624A-44E7-BA12-004D77C40ED3}\install.rdf
c:\documents and settings\Alex\Local Settings\Application Data\uwtkxj
c:\documents and settings\Alex\Local Settings\Application Data\uwtkxj\exbdsftav.exe
c:\program files\Cheat Engine\dbk32.sys
c:\windows\explorer.exe.tmp
c:\windows\ivoxuzayahe.dll
c:\windows\system32\crt.dat
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\nd.sys
c:\windows\system32\kbddta.dll
c:\windows\system32\kbvdt.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-15 04:26 . 2010-03-15 04:26 -------- d-----w- C:\downloads
2010-03-04 03:23 . 2010-03-04 03:23 -------- d-----w- c:\program files\LucasArts
2010-03-02 00:43 . 2010-03-02 00:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-19 01:30 . 2010-02-19 01:30 -------- d-----w- c:\windows\Downloaded Installations
2010-02-18 01:50 . 2010-02-18 01:59 -------- d-----w- c:\program files\Mr QuestionMan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 00:25 . 2009-04-05 03:28 -------- d-----w- c:\documents and settings\Alex\Application Data\Orbit
2010-03-17 00:25 . 2008-12-10 12:12 -------- d-----w- c:\documents and settings\Alex\Application Data\uTorrent
2010-03-17 00:15 . 2009-10-29 22:23 -------- d-----w- c:\program files\Cheat Engine
2010-03-16 03:42 . 2009-09-19 19:14 120 ----a-w- c:\windows\Evoqaquzuwo.dat
2010-03-15 23:25 . 2009-09-19 19:14 0 ----a-w- c:\windows\Sdisifumakula.bin
2010-03-15 23:24 . 2008-12-10 12:13 -------- d-----w- c:\program files\uTorrent
2010-03-15 04:28 . 2009-09-19 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-04 03:23 . 2004-09-01 04:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-22 01:27 . 2009-08-24 17:23 -------- d-----w- c:\documents and settings\Alex\Application Data\Apple Computer
2010-02-19 00:57 . 2009-08-08 22:55 -------- d-----w- c:\documents and settings\Alex\Application Data\gtk-2.0
2010-02-04 16:07 . 2010-02-04 16:06 -------- d-----w- c:\program files\iTunes
2010-02-04 16:06 . 2010-02-04 16:06 -------- d-----w- c:\program files\iPod
2010-02-04 16:06 . 2009-08-24 17:21 -------- d-----w- c:\program files\Common Files\Apple
2010-02-03 02:26 . 2010-02-03 02:26 50624 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-29 01:08 . 2008-12-04 06:55 -------- d-----w- c:\documents and settings\Alex\Application Data\Audacity
2010-01-18 22:59 . 2010-01-18 22:59 -------- d-----w- c:\program files\Elaborate Bytes
2010-01-18 17:13 . 2009-04-05 03:28 -------- d-----w- c:\program files\Orbitdownloader
2010-01-07 23:07 . 2009-09-19 19:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-09-19 19:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-06-09 14:58 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 22:25 . 2009-12-17 22:25 26024 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\utorrent.exe" [2010-03-15 319792]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-11-21 70816]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-04-19 7700480]
"nwiz"="nwiz.exe" [2007-04-19 1626112]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-04-19 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Alex\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Wallpaper Changer.lnk]
path=c:\documents and settings\Alex\Start Menu\Programs\Startup\Wallpaper Changer.lnk
backup=c:\windows\pss\Wallpaper Changer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoSizer]
2009-08-07 04:21 131072 ----a-w- c:\program files\AutoSizer\AutoSizer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2004-04-11 16:43 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2004-02-10 16:51 118784 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-02-10 16:55 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-04-19 19:45 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
2003-11-21 21:04 70840 ----a-w- c:\program files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Red Alert(tm) II\\RA2\\gamemd.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer Renegade(tm)\\Renegade\\Game.exe"=
"c:\\Program Files\\EA Games\\Command & Conquer The First Decade\\Command & Conquer(tm) Tiberian Sun(tm)\\SUN\\Game.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"51360:TCP"= 51360:TCP:SPF Port 51360 TCP

R0 PQV2i;PQV2i;c:\windows\SYSTEM32\DRIVERS\PQV2i.sys [7/29/2004 3:33 AM 138780]
R1 PQIMount;PQIMount;c:\windows\SYSTEM32\DRIVERS\PQIMount.sys [7/29/2004 4:13 AM 46779]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 1:27 PM 1074568]
.
Contents of the 'Scheduled Tasks' folder

2010-03-06 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-11-21 21:04]

2009-08-08 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-09-01 21:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
TCP: {F5F2549A-80D9-4B33-8E87-C644D6A89F9F} = 68.87.69.150,68.87.85.102
FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\lmctln9j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Wbijaqiteji - c:\windows\ivoxuzayahe.dll
MSConfigStartUp-defender32 - c:\docume~1\Alex\LOCALS~1\Temp\defender32.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-Sonic RecordNow! - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-xpprotect - c:\documents and settings\Alex\XP Deluxe Protector\xpdeluxe.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 17:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x????????????????????????????????????????D?w????????????7??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2037325283-968986240-3094189935-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:1d,56,f3,61,39,ca,6c,cb,f6,b9,fc,be,a2,fb,ca,94,62,c7,1c,ba,e4,f4,e4,
0c,66,8a,64,e1,2f,93,9b,09,dc,d8,db,24,db,06,81,6a,e2,cf,8a,03,23,2f,c9,a3,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-2037325283-968986240-3094189935-1008\Software\SecuROM\License information*]
"datasecu"=hex:ca,9e,6f,b4,e6,ab,f4,7b,1d,83,3a,37,68,f2,24,b2,35,21,11,31,f3,
43,21,ef,75,de,e8,72,12,6c,4d,84,c5,3c,25,a3,d1,fc,09,80,13,6f,39,cc,6f,e1,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\System32\GEARSec.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Orbitdownloader\orbitdm.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-16 17:33:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-17 00:33

Pre-Run: 27,135,209,472 bytes free
Post-Run: 27,531,481,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - CC2550FB45DE975A11ACC97D5049E2A8



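The Supplementary Scan section of that log shows the redirect mechanism the original poster suspected: a per-user Internet Settings proxy pointing at 127.0.0.1:5555, next to an AntiVirusOverride in the Security Center key and a disinfected atapi.sys. The script below is an added example, not ComboFix's or any poster's code; it parses a constructed excerpt of the log above and flags those three findings, treating any loopback proxy host as the classic redirect indicator.

```python
# Added example (not ComboFix's own code): triage a ComboFix log excerpt for the redirect
# mechanism seen above - a per-user proxy aimed at the local machine, the AV override, and a disinfected driver.
import re
from ipaddress import ip_address
# Excerpt constructed from the log posted above; a real ComboFix log is far longer.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
Infected copy of c:\\windows\\system32\\DRIVERS\\atapi.sys was found and disinfected
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""
# ComboFix prefixes: 'u' = current-user hive, 'm' = machine hive.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride"=dword:0*([0-9a-fA-F]+)$')
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found")

def parse_proxy(value):
    """Split 'http=host:port;https=host:port' or a bare 'host:port' into (scheme, host, port)."""
    entries = []
    for item in value.split(";"):
        scheme, hostport = item.split("=", 1) if "=" in item else ("*", item)
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme, host, int(port) if port.isdigit() else None))
    return entries

def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or 'localhost': the proxy target in the log above."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def triage(log_text):
    """Return (category, detail) findings for the lines this example understands."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := PROXY_RE.match(line):
            for scheme, host, port in parse_proxy(m.group(1)):
                if is_loopback(host):  # any proxy the user did not set deserves review; loopback is the classic sign
                    findings.append(("local-proxy", f"{scheme} traffic routed via {host}:{port}"))
        elif m := AV_OVERRIDE_RE.match(line):
            if int(m.group(1), 16):  # non-zero: Security Center told to ignore the AV state
                findings.append(("av-override", "Security Center AV monitoring suppressed"))
        elif m := INFECTED_RE.match(line):
            findings.append(("infected-driver", m.group(1)))
    return findings
```

Running `triage(SAMPLE_LOG)` yields one finding per mechanism; on a real log, a proxy entry pointing anywhere the user did not configure is worth the same scrutiny, since the loopback check only covers the case shown here.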
#8
March 17, 2010 at 23:33:05
Did it fix your problem?


#9
March 18, 2010 at 16:22:51
Yes, it did.
