Google Redirect Virus Help

June 6, 2010 at 19:40:49
Specs: Windows XP
I have the Google Redirect Virus and can't get rid of it. The virus is also on the laptop, well, the symptoms are. My PC and the laptop are on a wireless network. I need help. I ran Avast free and nothing showed up. I also ran HiJackThis and saved a log; here it is:

edited by moderator: remove un-requested log



#1
June 6, 2010 at 19:45:47
I am also using Google Chrome.


#2
June 6, 2010 at 21:27:23
hello trang85,

I can see that you have a pretty bad infection and would like to help you clean it out.

First I needed to be able to read your HJT log better. I formatted it and read it at the same time; you're pretty loaded.

Please download ComboFix from this location:
http://download.bleepingcomputer.co...

Make sure you save it to your desktop!! Nowhere else.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool.

Double click on combofix.exe and follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, which you're not, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#3
June 7, 2010 at 05:11:33
ComboFix 10-06-06.04 - Dylan Trang 06/07/2010 7:48.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.124 [GMT -4:00]
Running from: c:\documents and settings\Dylan Trang\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\explorer(2).exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\ELopoXyb.ini
c:\windows\system32\ELopoXyb.ini2
c:\windows\system32\mcrh.tmp
c:\windows\system32\service
c:\windows\system32\service\04022009_TIS17_SfFniAU.log
c:\windows\system32\service\07012009_TIS17_SfFniAU.log

.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 02:28 . 2010-06-07 02:28 388096 ----a-r- c:\documents and settings\Dylan Trang\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-06 23:45 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-06 23:43 . 2010-06-06 23:43 -------- d-----w- c:\program files\Windows Defender
2010-05-31 21:38 . 2010-05-31 21:38 -------- d-----w- c:\program files\Groove Games
2010-05-28 21:23 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-28 21:23 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-28 21:23 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-28 21:23 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-28 21:23 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-28 21:23 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-28 21:23 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-28 21:22 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-28 21:22 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-28 21:22 . 2010-05-28 21:22 -------- d-----w- c:\program files\Alwil Software
2010-05-28 21:22 . 2010-05-28 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-27 20:41 . 2010-05-27 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-27 20:40 . 2010-05-27 20:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\espUninst.dll
2010-05-26 19:38 . 2010-06-01 23:15 -------- d-----w- c:\program files\Faronics
2010-05-26 19:38 . 2010-05-26 19:38 76304 ----a-w- c:\windows\system32\LskHook.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\ptbUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\jpnUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\itaUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\fraUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\deuUninst.dll
2010-05-25 20:16 . 2010-05-25 20:16 -------- d-----w- c:\program files\Pivot Stickfigure Animator
2010-05-23 14:21 . 2010-05-23 14:21 63488 ----a-w- c:\documents and settings\Dylan Trang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-21 22:55 . 2010-06-06 23:59 -------- d-----w- c:\program files\S.W.A.T. 4
2010-05-20 23:04 . 2010-05-20 23:04 -------- d-----w- c:\documents and settings\Dylan Trang\Local Settings\Application Data\WMTools Downloaded Files
2010-05-20 22:54 . 2006-10-22 19:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-20 22:52 . 2010-05-20 22:52 -------- d-----w- C:\NVIDIA
2010-05-20 19:34 . 2010-05-21 23:26 -------- d-----w- c:\program files\Microsoft Works
2010-05-20 19:30 . 2010-05-20 19:30 -------- d-----w- c:\documents and settings\Dylan Trang\Local Settings\Application Data\Microsoft Help
2010-05-20 19:29 . 2010-05-23 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-20 19:28 . 2010-05-20 19:28 -------- d-----r- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 00:20 . 2010-04-07 20:44 439816 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Real\Update\setup3.10\setup.exe
2010-05-31 21:24 . 2009-09-23 21:20 141123 ----a-w- c:\windows\hpoins14.dat
2010-05-28 20:58 . 2009-10-28 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-27 20:29 . 2008-09-04 19:33 32152 ----a-w- c:\documents and settings\Dylan Trang\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 19:16 . 2008-09-03 18:57 -------- d-----w- c:\program files\Google
2010-05-23 14:20 . 2009-12-06 17:09 117760 ----a-w- c:\documents and settings\Dylan Trang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-20 21:37 . 2008-09-06 00:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-16 17:18 . 2008-09-06 00:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-03-11 12:38 . 2002-09-03 17:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-03-23 23:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2002-09-03 16:29 17408 ----a-w- c:\windows\system32\corpol.dll
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]


Also, Internet Explorer showed up on my desktop after the ComboFix scan even though I had it uninstalled. Is that normal?



#4
June 7, 2010 at 05:16:46
Forgot... I'm still being redirected.


#5
June 7, 2010 at 05:52:23
This is the ComboFix log from the laptop.

ComboFix 10-06-06.04 - Chau Trang 06/07/2010 8:39.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3062.2091 [GMT -4:00]
Running from: c:\users\Chau Trang\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-07 12:43 . 2010-06-07 12:45 -------- d-----w- c:\users\Chau Trang\AppData\Local\temp
2010-06-07 12:43 . 2010-06-07 12:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-07 12:24 . 2010-06-07 12:24 -------- d-----w- C:\$AVG
2010-06-03 19:48 . 2010-06-03 19:48 29512 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
2010-06-03 19:48 . 2010-06-03 19:48 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-06-03 10:56 . 2010-06-03 10:56 -------- d-----w- c:\windows\system32\Wat
2010-06-03 10:54 . 2009-09-10 05:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2010-06-03 10:50 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-06-03 10:50 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-06-03 10:50 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-06-03 10:50 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-06-03 10:50 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-06-03 10:50 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-06-03 10:50 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-06-03 10:50 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-06-03 10:50 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-06-03 10:50 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-06-03 10:50 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-06-03 10:50 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-06-03 03:05 . 2010-06-02 23:13 -------- d-----w- c:\windows\Panther
2010-06-03 00:42 . 2010-06-07 12:44 -------- d-----w- c:\users\Chau Trang\AppData\Roaming\skypePM
2010-06-03 00:39 . 2010-06-07 12:44 -------- d-----w- c:\users\Chau Trang\AppData\Roaming\Skype
2010-06-03 00:39 . 2010-06-03 00:39 -------- d-----r- c:\program files\Skype
2010-06-03 00:39 . 2010-06-03 00:39 -------- d-----w- c:\program files\Common Files\Skype
2010-06-03 00:39 . 2010-06-03 00:39 -------- d-----w- c:\programdata\Skype
2010-06-03 00:27 . 2010-06-04 01:02 -------- d-----w- c:\users\Chau Trang\AppData\Local\Yahoo
2010-06-03 00:26 . 2010-06-03 00:26 -------- d-----w- c:\users\Chau Trang\AppData\Local\Yahoo!
2010-06-03 00:26 . 2010-06-03 10:50 -------- d-----w- c:\programdata\Yahoo! Companion
2010-06-03 00:26 . 2010-06-03 00:27 -------- d-----w- c:\users\Chau Trang\AppData\Roaming\Yahoo!
2010-06-03 00:25 . 2010-06-03 00:26 -------- d-----w- c:\programdata\Yahoo!
2010-06-03 00:25 . 2010-04-20 20:45 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-06-03 00:25 . 2010-06-03 00:26 -------- d-----w- c:\program files\Yahoo!
2010-06-02 23:38 . 2010-06-02 23:38 -------- d-----w- c:\windows\system32\Macromed
2010-06-02 23:34 . 2010-06-02 23:35 -------- d-----w- c:\users\Chau Trang\AppData\Local\Google
2010-06-02 23:34 . 2010-06-02 23:34 -------- d-----w- c:\users\Chau Trang\AppData\Local\Deployment
2010-06-02 23:34 . 2010-06-02 23:34 57560 ----a-w- c:\users\Chau Trang\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-02 23:34 . 2010-06-02 23:34 -------- d-----w- c:\users\Chau Trang\AppData\Local\Apps
2010-06-02 23:29 . 2010-06-02 23:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-02 23:29 . 2010-06-03 19:47 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 23:29 . 2010-06-02 23:29 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-02 23:29 . 2010-06-03 19:47 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-02 23:29 . 2010-06-07 11:00 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-02 23:29 . 2010-06-02 23:30 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-06-02 23:27 . 2010-06-02 23:27 -------- d-----w- c:\program files\AVG
2010-06-02 23:27 . 2010-06-02 23:27 -------- d-----w- c:\programdata\avg9
2010-06-02 23:26 . 2010-06-03 00:39 -------- d-sh--w- c:\windows\Installer
2010-06-02 23:21 . 2010-06-07 11:00 -------- d-----w- c:\windows\system32\wbem\Performance
2010-06-02 23:15 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-06-02 23:15 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 20:21 . 2010-06-04 20:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-06-03 10:56 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-06-03 00:42 . 2010-06-03 00:42 56 ---ha-w- c:\programdata\ezsidmv.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Chau Trang\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-02 136176]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-03 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R1 SABKUTIL;SABKUTIL;c:\program files\SUPERAntiSpyware\SABKUTIL.sys [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-03 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-06-02 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-06-03 242896]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-06-02 916760]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-02 308064]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]

.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-644416711-1843446377-1922569793-1001Core.job
- c:\users\Chau Trang\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-02 23:34]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-644416711-1843446377-1922569793-1001UA.job
- c:\users\Chau Trang\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-02 23:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\taskhost.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\conhost.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-06-07 08:48:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-07 12:48

Pre-Run: 235,077,808,128 bytes free
Post-Run: 235,148,464,128 bytes free

- - End Of File - - C54F9329951B8AC5FC9FE3DF25DD6F97


#6
June 7, 2010 at 05:53:58
Google redirect virus, which is in fact a browser hijacker virus, leads your web links and search queries to unwanted websites. You can fix a Google redirect virus by installing a program named UnHack Me tool, or to remove this virus manually, see the instructions within this link
http://darfuns.com/remove-google-se...

Happy Virus Free Computing(.net)
Virus Removal tutorials and Softwares

#7
June 7, 2010 at 06:35:13
Can the virus be spread through a network? Does my laptop have the virus too, or is it only on my PC, and if I delete it will it be gone? Also, on my laptop (Win7) I couldn't save the HiJackThis log for some reason.


#8
June 7, 2010 at 09:49:01
Someone had suggested the below to me and I got cleaned up in two days, haven't had a problem since!!!

http://www.websafety001.webs.com

cheers

#9
June 7, 2010 at 11:46:02
I just used Malwarebytes; here's the log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4176

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/7/2010 2:35:12 PM
mbam-log-2010-06-07 (14-35-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 225918
Time elapsed: 40 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Evidence Eliminator (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Evidence Eliminator\INSTALL.LOG (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.

#10
June 8, 2010 at 03:48:42
I ran an Avast boot scan and it didn't find anything :(


#11
June 8, 2010 at 10:31:43
Please run this tool:

http://en.kioskea.net/download/down...

#12
June 8, 2010 at 13:46:21
I didn't know what to do, so all I ran was the search.


SmitFraudFix v2.424

Scan done at 16:41:32.10, Tue 06/08/2010
Run from C:\Documents and Settings\Dylan Trang\My Documents\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dylan Trang\My Documents\Downloads\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dylan Trang


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DYLANT~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dylan Trang\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DYLANT~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: ZyXEL G-220 v2 Wireless USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: ZyXEL G-220 v2 Wireless USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4F9CEA64-E81A-408D-B434-519058B3B1D4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8BA6C9B6-253D-445D-9B81-0E4438A15876}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4F9CEA64-E81A-408D-B434-519058B3B1D4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8BA6C9B6-253D-445D-9B81-0E4438A15876}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{13FD1A31-6265-4355-9463-B1BE1958B09C}: DhcpNameServer=93.188.164.133,93.188.161.248
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4F9CEA64-E81A-408D-B434-519058B3B1D4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8BA6C9B6-253D-445D-9B81-0E4438A15876}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


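The DNS section of the SmitFraudFix log above lists, per adapter and per control set, which resolvers the host was handed by DHCP; a redirect that survives disk cleanup is worth checking at that level, because the resolver decides where a search-engine hostname goes. As an added example (not part of the post and not SmitFraudFix's own code), here is a Python check over that section's layout that flags every DhcpNameServer value other than the expected LAN router; the sample text is constructed from the entries quoted above, and treating 192.168.0.1 as the only expected resolver is an assumption taken from the log.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the SmitFraudFix "DNS" section quoted
# above; the registry keys and addresses are copied from the posted log.
SAMPLE_DNS_SECTION = r"""
Description: ZyXEL G-220 v2 Wireless USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4F9CEA64-E81A-408D-B434-519058B3B1D4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{13FD1A31-6265-4355-9463-B1BE1958B09C}: DhcpNameServer=93.188.164.133,93.188.161.248
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
"""

# One registry line: "<key>: DhcpNameServer=<ip>[,<ip>...]" (NameServer= also accepted).
_KEY_LINE = re.compile(r"^(?P<source>HKLM\\\S+?):\s*(?:Dhcp)?NameServer=(?P<servers>[\d.,\s]+)$")
# Adapter block: a "Description:" line followed by its "DNS Server Search Order:" line.
_ADAPTER_LINE = re.compile(r"^Description:\s*(?P<source>.+)$")
_ORDER_LINE = re.compile(r"^DNS Server Search Order:\s*(?P<servers>[\d.,\s]+)$")


def _split_servers(field: str) -> List[str]:
    """'a,b' or 'a b' -> ['a', 'b'], dropping empty pieces."""
    return [s.strip() for s in re.split(r"[,\s]+", field) if s.strip()]


def parse_dns_section(text: str) -> Dict[str, List[str]]:
    """Map each adapter description or registry key to its resolver list."""
    entries: Dict[str, List[str]] = {}
    adapter = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ADAPTER_LINE.match(line)
        if m:
            adapter = m.group("source")  # remember for the next search-order line
            continue
        m = _ORDER_LINE.match(line)
        if m and adapter:
            entries[adapter] = _split_servers(m.group("servers"))
            continue
        m = _KEY_LINE.match(line)
        if m:
            entries[m.group("source")] = _split_servers(m.group("servers"))
    return entries


def flag_unexpected_resolvers(
    entries: Dict[str, List[str]], expected: Tuple[str, ...] = ("192.168.0.1",)
) -> List[Tuple[str, str, str]]:
    """Return (source, server, reason) for every resolver that is not an expected one.

    Public (globally routable) resolvers on a home LAN that should only ever be
    handed its own router are the interesting case; anything else unexpected is
    reported too so the reader can verify it by hand.
    """
    findings: List[Tuple[str, str, str]] = []
    for source, servers in entries.items():
        for server in servers:
            if server in expected:
                continue
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((source, server, "unparseable address"))
                continue
            if ip.is_global:
                findings.append((source, server, "public resolver, not the LAN router"))
            else:
                findings.append((source, server, "unexpected private resolver"))
    return findings


if __name__ == "__main__":
    for source, server, reason in flag_unexpected_resolvers(parse_dns_section(SAMPLE_DNS_SECTION)):
        print(f"{reason}: {server} ({source})")
```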

#13
June 8, 2010 at 13:48:37
Yeah, also before I was getting random pop-ups by clicking links not from search engines, but now it's gone, I think.

I reset my modem and router; that might have done it, but it didn't get rid of the redirect virus :(

#14
June 8, 2010 at 14:54:33
It came back *sad*. It also leads to the same sites as the redirect virus.


#15
June 8, 2010 at 16:38:41
Step 1: Run OTL (You can download it below)

http://ottools.noahdfear.net/OTL.exe

Run a custom fix with the following code pasted in (between the asterisks). Once installed, at the bottom of the OTL screen you will see a custom fix box. Paste the following in it.

********************************************************

:OTL
O4 - HKLM..\Run: [NWEReboot] File not found

:Files
C:\Windows\System32\pb.sys
C:\Windows\System32\drivers\atapi.sys|C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys /replace

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

********************************************************

Step 2: Run ComboFix again

! Note, make sure you disable all your anti-virus before doing this.
ComboFix is a powerful tool, and has unpredictable results when used in the wrong circumstances.
The best way to disable anti-virus is by disabling their associated services.

Step 3: Update malwarebytes and run a quick scan.

Step 4: Download TdssKiller

http://support.kaspersky.com/viruse...
qid=208280684

Run it. This program may or may not be able to deal with the TDSS variant you're tackling. It doesn't matter anymore; by this point we should have eradicated it. The point of running this is to see if it can find the backdoor or not.

Post all of the logs back here!!

#16
June 9, 2010 at 12:25:55
All processes killed
========== OTL ==========
========== FILES ==========
File\Folder C:\Windows\System32\pb.sys not found.
File\Folder C:\Windows\System32\drivers\atapi.sys|C:\Windows\System not found.
File\Folder 32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys not found.
Invalid replace specification:
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temporary Internet Files folder emptied: 32768 bytes

User: All Users

User: Chau Trang
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Chau Trang.TRANGS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Chau Trang.TRANGS.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Dylan Trang
->Temp folder emptied: 7038297 bytes
->Temporary Internet Files folder emptied: 14946471 bytes
->Java cache emptied: 27879 bytes
->Google Chrome cache emptied: 348442524 bytes
->Flash cache emptied: 4394 bytes

User: Guess
->Temp folder emptied: 534 bytes
->Temporary Internet Files folder emptied: 587181 bytes

User: Hung Trang
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 373795 bytes
->Google Chrome cache emptied: 6099312 bytes
->Flash cache emptied: 78909 bytes

User: Kelvin Trang
->Temporary Internet Files folder emptied: 7680565 bytes
->Flash cache emptied: 405 bytes

User: Kelvin Trang.TRANGS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Google Chrome cache emptied: 7633123 bytes
->Flash cache emptied: 2607 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 6494 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2832913 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 46059 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 68176 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 378.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Chau Trang

User: Chau Trang.TRANGS

User: Chau Trang.TRANGS.000

User: Default User

User: Dylan Trang
->Flash cache emptied: 0 bytes

User: Guess

User: Hung Trang
->Flash cache emptied: 0 bytes

User: Kelvin Trang
->Flash cache emptied: 0 bytes

User: Kelvin Trang.TRANGS
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.3 log created on 06082010_194544

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

ComboFix 10-06-08.02 - Dylan Trang 06/08/2010 19:57:33.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.99 [GMT -4:00]
Running from: c:\documents and settings\Dylan Trang\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\linkinfo(2).dll
c:\windows\system32\linkinfo(3).dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-06-08 23:45 . 2010-06-08 23:45 -------- d-----w- C:\_OTL
2010-06-08 22:13 . 2010-06-08 22:13 2 --shatr- c:\windows\winstart.bat
2010-06-07 20:25 . 2010-06-07 20:25 -------- d-----w- c:\windows\Sun
2010-06-07 20:20 . 2010-06-07 20:20 503808 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-594c501a-n\msvcp71.dll
2010-06-07 20:20 . 2010-06-07 20:20 499712 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-594c501a-n\jmc.dll
2010-06-07 20:20 . 2010-06-07 20:20 348160 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-594c501a-n\msvcr71.dll
2010-06-07 20:20 . 2010-06-07 20:20 61440 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65e20263-n\decora-sse.dll
2010-06-07 20:20 . 2010-06-07 20:20 12800 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-65e20263-n\decora-d3d.dll
2010-06-07 20:19 . 2010-06-07 20:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 17:52 . 2010-06-07 17:52 -------- d-----w- c:\documents and settings\Dylan Trang\Application Data\Malwarebytes
2010-06-07 17:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 17:51 . 2010-06-07 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-07 17:51 . 2010-06-07 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-07 17:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 02:28 . 2010-06-07 02:28 388096 ----a-r- c:\documents and settings\Dylan Trang\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-06 23:45 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-06 23:43 . 2010-06-06 23:43 -------- d-----w- c:\program files\Windows Defender
2010-05-31 21:38 . 2010-05-31 21:38 -------- d-----w- c:\program files\Groove Games
2010-05-28 21:23 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-28 21:23 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-28 21:23 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-28 21:23 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-28 21:23 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-28 21:23 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-28 21:23 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-28 21:22 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-28 21:22 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-28 21:22 . 2010-05-28 21:22 -------- d-----w- c:\program files\Alwil Software
2010-05-28 21:22 . 2010-05-28 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-27 20:41 . 2010-05-27 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-27 20:40 . 2010-05-27 20:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\espUninst.dll
2010-05-26 19:38 . 2010-06-01 23:15 -------- d-----w- c:\program files\Faronics
2010-05-26 19:38 . 2010-05-26 19:38 76304 ----a-w- c:\windows\system32\LskHook.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\ptbUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\jpnUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\itaUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\fraUninst.dll
2010-05-26 19:38 . 2010-05-26 19:38 440848 ----a-w- c:\windows\system32\deuUninst.dll
2010-05-25 20:16 . 2010-05-25 20:16 -------- d-----w- c:\program files\Pivot Stickfigure Animator
2010-05-23 14:21 . 2010-06-07 14:52 63488 ----a-w- c:\documents and settings\Dylan Trang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-21 22:55 . 2010-06-06 23:59 -------- d-----w- c:\program files\S.W.A.T. 4
2010-05-20 23:04 . 2010-05-20 23:04 -------- d-----w- c:\documents and settings\Dylan Trang\Local Settings\Application Data\WMTools Downloaded Files
2010-05-20 22:54 . 2006-10-22 19:06 208896 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-20 22:52 . 2010-05-20 22:52 -------- d-----w- C:\NVIDIA
2010-05-20 19:34 . 2010-05-21 23:26 -------- d-----w- c:\program files\Microsoft Works
2010-05-20 19:30 . 2010-05-20 19:30 -------- d-----w- c:\documents and settings\Dylan Trang\Local Settings\Application Data\Microsoft Help
2010-05-20 19:29 . 2010-06-08 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-20 19:28 . 2010-05-20 19:28 -------- d-----r- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 14:52 . 2009-12-06 17:09 117760 ----a-w- c:\documents and settings\Dylan Trang\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-04 00:20 . 2010-04-07 20:44 439816 ----a-w- c:\documents and settings\Dylan Trang\Application Data\Real\Update\setup3.10\setup.exe
2010-05-31 21:24 . 2009-09-23 21:20 141123 ----a-w- c:\windows\hpoins14.dat
2010-05-28 20:58 . 2009-10-28 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-27 20:29 . 2008-09-04 19:33 32152 ----a-w- c:\documents and settings\Dylan Trang\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 19:16 . 2008-09-03 18:57 -------- d-----w- c:\program files\Google
2010-05-20 21:37 . 2008-09-06 00:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-16 17:18 . 2008-09-06 00:57 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-04 17:20 . 2002-09-03 17:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-03-23 23:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2002-09-03 16:29 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2002-09-03 17:11 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2002-09-03 16:27 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-27 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-10-06 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 01:34 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-18 17:26 2397424 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"nwiz"=nwiz.exe /install
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Dylan Trang\\Desktop\\Unreal tournemnt\\System\\UnrealTournament.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10682:TCP"= 10682:TCP:BitComet 10682 TCP
"10682:UDP"= 10682:UDP:BitComet 10682 UDP

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/28/2010 5:23 PM 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/28/2010 5:23 PM 19024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.sys [2/10/2010 3:19 PM 402944]
S2 gupdate1c9ae8c76a734b6;Google Update Service (gupdate1c9ae8c76a734b6);c:\program files\Google\Update\GoogleUpdate.exe [3/26/2009 11:31 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-05-04 17:20 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-27 03:30]

2010-06-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-27 03:30]

2010-06-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-06-08 c:\windows\Tasks\User_Feed_Synchronization-{67116312-7886-4D53-90F2-0ACC39610689}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware
detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-08 20:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-08 20:08:20
ComboFix-quarantined-files.txt 2010-06-09 00:08
ComboFix2.txt 2010-06-07 12:05

Pre-Run: 99,207,376,896 bytes free
Post-Run: 99,170,545,664 bytes free

- - End Of File - - FEAA504524D9F80571B897915EC6F964

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4182

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

6/8/2010 8:19:29 PM
mbam-log-2010-06-08 (20-19-29).txt

Scan type: Quick scan
Objects scanned: 174520
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


TDSSKiller didn't find anything.



#17
June 9, 2010 at 12:51:11
1.)
You're going to have to manually replace your atapi.sys file. Do you have an installation CD? If so, insert the disk and do a manual search in the c:\windows\system32\drivers directory. Copy the file and drop it into the c:\windows\system32\drivers directory on your system.

If you do not have a system disk we will have to use another method.

#18
June 9, 2010 at 13:23:49
I don't think I have one.
Is this the one?
It says Reinstallation CD Microsoft Windows XP Home Edition Including Service Pack 1.

#19
June 9, 2010 at 13:28:17
Yes, that's it!
Put in the disk and do not run it. What you want to do is to access the disk from My Computer and right click on the installation disk icon. Then choose to explore. Go look for the file as stated above.
How is your machine running anyway?

#20
June 9, 2010 at 16:17:42
My machine is running fine. I'll do what you said ASAP. Do I delete the atapi file already in the folder, or if I drop it in will it replace it automatically?

#21
June 9, 2010 at 16:55:50
I don't believe the file is there to begin with, it should be but OTL never found it. Anyway, you should manually check first. The answer to your question would be that yes, it would ask you if you would like to replace it, but one never knows for sure. Therefore, check first, remove the old and then finally paste in the new one.

I have a few last steps for you:

If I had you use ComboFix, uninstall ComboFix.
(This uninstall will only work as written if you installed ComboFix on your Desktop like I requested.)

Click START then RUN and enter the below into the run box and then click OK.
Note: the quotes are required
"%userprofile%\Desktop\combofix" /uninstall

Note: the space between the combofix" and the /uninstall must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Any other miscellaneous tools I may have had you install or download can be uninstalled and deleted.

Go to Add/Remove Programs and uninstall HijackThis.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Disable System Restore, which will flush your Restore Points.

Then reboot and enable System Restore to create a new clean Restore Point.

#22
June 9, 2010 at 17:38:23
I need help with replacing the atapi.sys.
I booted up the disc and explored, couldn't find it since there wasn't a driver directory, so I went to search and found atapi, but it was different: the file type was SY_ file and it was in caps like this, ATAPI, and was a smaller size than the one currently on my desktop. atapi on my desktop is a system file and it said to be an IDE/ATAPI port driver.

Why do I need to flush my restore points? I was thinking of restoring my computer to like April (yea I know >_>) if I couldn't fix it. I will be gone until the 13th or 14th of June. I won't be able to do things for now. I will have my laptop with me and try to run some things to fix it.

My computers are running very smoothly, I don't see any changes in speed or anything, just some annoying virus that is on it. I might be thinking of letting it alone... since I'm getting all worked up over something that isn't really big. Also to wait it out and see if the updates that come in the future can get rid of it. One last thing: my SuperAntiSpyware scan found like a backdoor virus like 3 days ago and got rid of it.

#23
June 9, 2010 at 17:56:27
You would only be flushing your restore points if you were clean, which in a prior post you stated; that is why I gave you those last instructions. If you want to restore your computer, that is a good thing; often this will take care of many issues, provided it was at a time when you were not infected. Why exactly, if your computer is running "smoothly", would you think there is a virus on it?

If there is a virus on it, it will continue replicating until you're bogged down again.
If you still want help in getting clean or with the atapi file, let me know.

#24
June 10, 2010 at 03:27:05
I will try to do the atapi file when I get back. Would I have to replace the atapi file on my laptop too?

#25
June 10, 2010 at 12:00:12
Umm... well, you know, since I'm not home I'm on a different network and it's wired right now, and nothing is happening, no redirects, nothing... is it my network that may be causing the redirects? Modem or router? This is strange...

#26
June 10, 2010 at 14:25:35
Interesting! I have some instructions for you but I will wait till you're home. I am going to have to research what you're saying, very very interesting!

#27
June 13, 2010 at 13:37:28
I am now home. I turned off everything when I left so the router and modems are reset. It still happens.

#28
June 13, 2010 at 15:28:05
It seems that somehow my system restore was turned off... now I have no restore points... well, I can reload the OS, not much stuff on my desktop anyway.

#29
June 13, 2010 at 16:10:41
Try changing your DNS servers to OpenDNS (www.opendns.com); see http://en.wikipedia.org/wiki/OpenDNS for the IP addresses.

Or, if you'd rather not sign up for an account, you could try doing it without signing up for one...

Do the following to change your DNS servers in Windows XP (I recommend doing this in Safe Mode):

Step 1) Right click on your Wireless Connection in XP.

Step 2) Click on Open Network Connections.

Step 3) Right click on your Wireless Connection (i.e. Wireless Connection 2) and go to Properties.

Step 4) Scroll down to Internet Protocol (TCP/IP) and click the Properties box.

Step 5) At the bottom check the radio button that says "Use the following DNS server addresses".

Step 6) For Preferred DNS Server type in "208.67.222.222", and for Alternate DNS Server type in "208.67.220.220".

Step 7) Reboot.

Helpful tips before getting started: http://www.computing.net/howtos/sho...
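Added example, not from the thread or any of its participants: the same OpenDNS change as the steps above, done with netsh on Windows XP, with the old settings saved first and a check afterwards that the new resolvers are really the ones answering. The adapter name "Wireless Network Connection" is an assumption; use the name shown in Network Connections.

```powershell
# Added example (not from the thread): set the OpenDNS resolvers from post #29
# with netsh instead of the TCP/IP Properties dialog, then verify the result.
# Assumption: the adapter is called "Wireless Network Connection"; use the name
# shown in Network Connections (for example "Wireless Network Connection 2").
$adapter   = "Wireless Network Connection"
$preferred = "208.67.222.222"   # OpenDNS resolver given in post #29
$alternate = "208.67.220.220"   # OpenDNS resolver given in post #29

# 1. Keep a copy of the resolver settings before touching them. If the
#    redirects came from a tampered DNS setting, this file is the evidence.
$before = netsh interface ip show dns "name=$adapter" | Out-String
$before | Out-File "$env:USERPROFILE\Desktop\dns-before.txt"
"Resolver settings before the change:`n$before"

# 2. Replace the adapter's DNS list with the two OpenDNS addresses. 'static'
#    means resolvers handed out by the router's DHCP are ignored, so this
#    helps even when it is the router, not the PC, that points at bad servers.
#    (To go back to DHCP later: netsh interface ip set dns "name=$adapter" source=dhcp)
netsh interface ip set dns "name=$adapter" source=static addr=$preferred register=primary
netsh interface ip add dns "name=$adapter" addr=$alternate index=2

# 3. Discard cached answers so the next lookup really goes to OpenDNS.
ipconfig /flushdns | Out-Null

# 4. Verify which server actually answered: nslookup prints the resolver it
#    used as "Server:" / "Address:" lines before the answer itself.
$lookup = nslookup www.google.com 2>&1 | Out-String
$usedOpenDns = ($lookup -match ("Address:\s+" + [regex]::Escape($preferred))) -or
               ($lookup -match ("Address:\s+" + [regex]::Escape($alternate)))
if ($usedOpenDns) {
    "OK: lookups now go through OpenDNS."
} else {
    # Wrong adapter name, or something else in the resolution path (for
    # example an entry in %SystemRoot%\system32\drivers\etc\hosts) still wins.
    "Lookups are NOT going through OpenDNS; check the adapter name and the hosts file:`n$lookup"
}
```

The commands are plain netsh, ipconfig and nslookup, so they can also be typed one at a time at a cmd prompt on a machine without PowerShell.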

#30
June 13, 2010 at 17:03:27
I think it stopped... I'll wait a little longer...

#31
June 13, 2010 at 17:07:04
Please post back if it didn't fix anything.


#32
June 13, 2010 at 17:12:01
Right now nothing is happening, everything is fine. How should I do it for Windows 7?

#33

#34
June 13, 2010 at 17:36:08
Yea, I know how to do it, just keep forgetting if it's Protocol 4 or 6. I am learning about computers right now. Well, thank you. Nothing has happened for the past 30 minutes.

#35
June 13, 2010 at 18:10:05
Excellent, and I'm pretty sure it's Protocol 4. I think 6 is still in development/a loooooong ways away from actually being used, I think. I could be wrong on that, but I'm pretty sure it's 4.


#36
June 13, 2010 at 21:04:09
Remove the Google redirect virus; read the following removal guide article: http://www.securitysofts.com/Intern...

After cleaning the Google redirect virus, to make sure that you are running clean, make sure that you have an up-to-date antivirus, such as Kaspersky Internet Security 2011. Stay clean.

Good luck.

#37
June 14, 2010 at 08:30:39
^You know it's gone, right? Something was wrong with the DNS server I think.

