BullGuard Antivirus Forum - Virus Removal - Removal Help

Google redirect virus

bmazurk (New Member) - Posted 11-29-2008 5:06 (GMT +1)
I seem to have acquired a Google redirect virus and I am struggling to remove it. After reading several posts, I've run CCleaner, MalwarebytesAM, and ComboFix. However, my IE is constantly redirected to seemingly random websites whenever I try to use Google's search engine. I'm including my HijackThis log. Thank you for your help!!
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:21 PM, on 11/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxbkcoms.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Acer\Empowering Technology\eDSMSNfix.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\config\systemprofile\Desktop\FIX\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eDSMSNfix] C:\Acer\Empowering Technology\eDSMSNfix.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~4.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{164DA131-EB35-41EF-A01E-4A8A6430EE0F}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A39E39E-9FA7-4209-9BB9-4F463412AD5D}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{164DA131-EB35-41EF-A01E-4A8A6430EE0F}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CS2\Services\Tcpip\..\{164DA131-EB35-41EF-A01E-4A8A6430EE0F}: NameServer = 85.255.112.126;85.255.112.131
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxbk_device -   - C:\Windows\system32\lxbkcoms.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
--
End of file - 11320 bytes
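The O17 lines in the log above are the actual hijack. On every interface, and in ControlSet001 and ControlSet002 as well as the live CurrentControlSet (so a fix applied only to the live control set is undone by a Last Known Good boot), NameServer points at 85.255.112.126 and 85.255.112.131 instead of the router, which is what sends every Google result through someone else's resolver. The script below is an added example, not part of the thread and not HijackThis code: it parses O17 lines and reports any resolver that is neither the expected router nor a private address. The sample input is the four O17 lines copied from the log; EXPECTED_RESOLVERS (192.168.1.1) and ROGUE_NETS (85.255.112.0/20, the /20 that contains both addresses from the log) are the example's own assumptions.

```python
"""Flag DNS-hijacked interfaces from HijackThis O17 lines.

Added example; not from the forum thread or the HijackThis project. The
sample log text below is copied from the HijackThis log in the post above;
EXPECTED_RESOLVERS and ROGUE_NETS are this example's own assumptions.
"""
import ipaddress
import re

# Input for the demo: the four O17 lines from the log above.
SAMPLE_O17 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{164DA131-EB35-41EF-A01E-4A8A6430EE0F}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A39E39E-9FA7-4209-9BB9-4F463412AD5D}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CS1\Services\Tcpip\..\{164DA131-EB35-41EF-A01E-4A8A6430EE0F}: NameServer = 85.255.112.126;85.255.112.131
O17 - HKLM\System\CS2\Services\Tcpip\..\{164DA131-EB35-41EF-A01E-4A8A6430EE0F}: NameServer = 85.255.112.126;85.255.112.131
"""

# HijackThis abbreviates CurrentControlSet / ControlSet00N as CCS / CSN.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>\w+)\\Services\\Tcpip\\\.\.\\"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}: (?P<key>\w+) = (?P<value>.*)$"
)

# Assumption: the only resolver this laptop should use is its home router.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Assumption: blocks known to host rogue resolvers. 85.255.112.0/20 is the
# /20 that contains both addresses in the log above.
ROGUE_NETS = [ipaddress.ip_network("85.255.112.0/20")]


def parse_o17(log_text):
    """Return one dict per O17 line: control set, interface GUID, value name, IPs."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        ips = []
        for tok in re.split(r"[;, ]+", m.group("value")):
            try:
                ips.append(ipaddress.ip_address(tok))
            except ValueError:  # 'Domain' entries carry names, not addresses
                pass
        entries.append({
            "controlset": m.group("cs"),
            "guid": m.group("guid").upper(),
            "key": m.group("key"),
            "ips": ips,
        })
    return entries


def classify(ip, expected=EXPECTED_RESOLVERS, rogue_nets=ROGUE_NETS):
    """'ok' for expected or private resolvers, 'rogue' for known bad blocks,
    'unexpected' for any other public resolver nobody configured on purpose."""
    if ip in expected:
        return "ok"
    if any(ip in net for net in rogue_nets):
        return "rogue"
    if ip.is_private or ip.is_loopback:
        return "ok"
    return "unexpected"


def find_hijacked(log_text, **kw):
    """Return (controlset, guid, ip, verdict) for every resolver that is not 'ok'."""
    findings = []
    for entry in parse_o17(log_text):
        for ip in entry["ips"]:
            verdict = classify(ip, **kw)
            if verdict != "ok":
                findings.append((entry["controlset"], entry["guid"], str(ip), verdict))
    return findings


if __name__ == "__main__":
    for cs, guid, ip, verdict in find_hijacked(SAMPLE_O17):
        print(f"{verdict:10s} {cs:4s} {{{guid}}} -> {ip}")
```

Run against the log it prints eight "rogue" rows: two resolvers on each of the four interface/control-set entries. When cleaning by hand, the same check should come back empty for all three control sets, not just CCS, and the router's own DNS settings deserve a look too, since a DNSChanger that reaches the router would leave the wired machines redirected as well.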

Touch (Forum Moderator) - Posted 11-29-2008 5:16 (GMT +1)
Hello :)
 
Please post malwarebyte log, along with combofix log.
 
BTW, is your computer connected to a router?


Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.


bmazurk (New Member) - Posted 11-29-2008 3:20 (GMT +1)
Here's the Malwarebytes log file. I've since removed the infected files that it recommended, and the computer seems to be running slightly better.
 
Malwarebytes' Anti-Malware 1.30
Database version: 1433
Windows 6.0.6001 Service Pack 1
11/29/2008 7:44:17 AM
mbam-log-2008-11-29 (07-44-14).txt
Scan type: Full Scan (C:\|)
Objects scanned: 113904
Time elapsed: 41 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{164da131-eb35-41ef-a01e-4a8a6430ee0f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3a39e39e-9fa7-4209-9bb9-4f463412ad5d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3a39e39e-9fa7-4209-9bb9-4f463412ad5d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{164da131-eb35-41ef-a01e-4a8a6430ee0f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3a39e39e-9fa7-4209-9bb9-4f463412ad5d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3a39e39e-9fa7-4209-9bb9-4f463412ad5d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{164da131-eb35-41ef-a01e-4a8a6430ee0f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3a39e39e-9fa7-4209-9bb9-4f463412ad5d}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3a39e39e-9fa7-4209-9bb9-4f463412ad5d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.126;85.255.112.131 -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is the ComboFix log:
ComboFix 08-11-28.02 - Toby 2008-11-28 21:50:09.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.1056 [GMT -6:00]
Running from: c:\windows\System32\config\systemprofile\Desktop\FIX\ComboFix.exe
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\windows\system32\TDSSwqsc.dat
c:\windows\system32\x64
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
.
(((((((((((((((((((((((((   Files Created from 2008-10-28 to 2008-11-29  )))))))))))))))))))))))))))))))
.
2008-11-28 20:57 . 2008-11-28 20:57 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-28 20:57 . 2008-11-28 20:57 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-28 20:57 . 2008-11-28 21:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 20:57 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-28 20:57 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-28 19:33 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-25 20:29 . 2008-10-12 16:11 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-11-25 20:13 . 2008-11-25 20:14 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-25 19:58 . 2008-11-25 19:58 <DIR> d-------- C:\!KillBox
2008-11-25 18:22 . 2008-11-25 18:23 <DIR> d-------- C:\HijackThis
2008-11-25 18:22 . 2008-11-25 18:22 812,344 --a------ C:\HJTInstall.exe
2008-11-25 18:17 . 2008-11-25 18:17 <DIR> d-------- c:\program files\CCleaner
2008-11-25 13:30 . 2003-11-11 14:11 <DIR> d-------- c:\program files\321Studios
2008-11-21 12:19 . 2008-11-21 12:19 <DIR> d-------- c:\users\All Users\acccore
2008-11-21 12:19 . 2008-11-21 12:19 <DIR> d-------- c:\programdata\acccore
2008-11-12 20:59 . 2008-11-12 20:59 <DIR> d-------- c:\program files\Kodak
2008-11-11 21:23 . 2008-09-09 21:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 21:23 . 2008-09-04 23:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 21:23 . 2008-08-26 19:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-07 14:22 . 2008-11-07 14:22 <DIR> d-------- c:\users\All Users\TEMP
2008-11-07 14:22 . 2008-11-07 14:22 <DIR> d-------- c:\programdata\TEMP
2008-11-03 18:55 . 2008-11-03 18:55 <DIR> d-------- c:\users\All Users\AVS4YOU
2008-11-03 18:55 . 2008-11-03 18:55 <DIR> d-------- c:\programdata\AVS4YOU
2008-11-03 18:53 . 2008-11-03 18:55 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-11-03 18:53 . 2008-11-03 18:55 <DIR> d-------- c:\program files\AVS4YOU
2008-11-03 18:53 . 2002-01-05 16:48 974,848 --a------ c:\windows\System32\mfc70.dll
2008-11-03 18:53 . 2002-01-05 15:40 487,424 --a------ c:\windows\System32\msvcp70.dll
2008-11-03 18:53 . 2002-01-05 03:37 344,064 --a------ c:\windows\System32\msvcr70.dll
2008-11-03 18:53 . 2003-05-21 13:50 24,576 --a------ c:\windows\System32\msxml3a.dll
2008-10-29 16:53 . 2008-08-11 21:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-29 16:53 . 2008-09-17 22:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-29 16:53 . 2008-09-17 22:56 125,952 --a------ c:\windows\System32\wersvc.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 02:57 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-11-26 02:25 --------- d-----w c:\program files\Launch Manager
2008-11-21 19:17 --------- d-----w c:\program files\AIM6
2008-11-21 18:19 --------- d-----w c:\programdata\Viewpoint
2008-11-21 18:19 --------- d-----w c:\program files\Viewpoint
2008-11-21 18:02 --------- d-----w c:\programdata\AOL Downloads
2008-11-16 18:04 --------- d-----w c:\programdata\Microsoft Help
2008-11-07 22:52 --------- d-----w c:\program files\MP3 Wav Editor
2008-10-23 22:57 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 01:46 --------- d-----w c:\program files\Zuma Deluxe
2008-10-23 01:46 --------- d-----w c:\program files\PopCap Games
2008-10-17 14:25 --------- d-----w c:\program files\Windows Mail
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-06-24 12:14 174 --sha-w c:\program files\desktop.ini
2007-12-18 18:25 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-18 18:25 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-18 18:25 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-03-04 22:16 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
2007-09-21 01:32 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007092020070921\index.dat
2007-10-03 19:07 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007100320071004\index.dat
2007-12-28 23:29 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007122820071229\index.dat
2008-03-04 22:18 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008030420080305\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-01-11 483328]
"eDSMSNfix"="c:\acer\Empowering Technology\eDSMSNfix.exe" [2007-02-08 13312]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-01-17 151552]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 74672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 c:\windows\RtHDVCpl.exe]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-03-28 528384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2028D769-6545-4992-A33C-DB285537536A}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{49172F3C-AA37-493D-A69F-40985C423C24}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{652EEB8C-CE2F-4443-94F3-61D1C9779AA6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0BCD854A-5C93-4D3D-A8ED-66616CB0D8CF}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C23326F6-8F5D-48BF-A268-A95DC21AF5FC}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B53F4D4-7E0C-49C1-B31A-0661151E5E2B}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{F7747D9F-92B8-44F4-8EE6-3FCE8414A537}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{4D22558D-BB8C-41A3-9054-7CA530687BF6}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{EABA7BCD-8E4E-4292-8722-43B54974DD7B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{25D0E2C2-6C9D-47E4-A1A0-2D733AAC6FD4}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E16E3E6B-B892-400A-A91F-AA0B35A240FF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{CFCB2597-EC09-487F-B5BB-7823DF4A02C9}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{4BF5AA1C-F5CE-4301-B559-42E6E842AD64}"= UDP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
"{0DB11461-DF61-405A-A5BD-46D5708D3B93}"= TCP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
"{309404C0-D4D4-4788-A80B-375283FDFBBB}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{52EDC1DF-8319-4B80-8B3E-F97C1B286FB5}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{3285946A-F1EE-46C6-AB34-9241702DEDBF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{F922677E-222E-4484-BA3A-A0E94A8EB77A}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9ECB80E2-D75A-4423-A6FC-0EBA771B340D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{65B44A31-2F8B-4D5A-B5CE-36F89C9C38C4}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{A626B968-DC75-401F-87C2-7D5414D843CB}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{A9DE5C50-F11F-489D-821B-A5D16843C7C5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-03-28 50688]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2003-11-11 29184]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-25 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-08-31 15:46]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKCU-Run-Acer Tour Reminder - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
 
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 21:57:40
Windows 6.0.6001 Service Pack 1 NTFS
detected NTDLL code modification:
ZwQueryDirectoryFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

c:\windows\system32\kdyaz.exe 73728 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\eNetHook.dll
- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\eNetHook.dll
.
Completion time: 2008-11-28 22:01:29
ComboFix-quarantined-files.txt  2008-11-29 04:01:22
Pre-Run: 40,515,653,632 bytes free
Post-Run: 40,578,674,688 bytes free
189 --- E O F --- 2008-11-24 16:21:42
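Beyond the files ComboFix removed (autorun.inf on both drives, resycled\boot.com, TDSSwqsc.dat) and the hidden kdyaz.exe that catchme found behind the ZwQueryDirectoryFile hook, the Reg Loading Points section shows the machine's defences switched off: EnableLUA=0, all three Security Center notifications disabled, DisableMonitoring set, and EnableFirewall=0 on the public profile. Any one of these can be an owner's choice, but together they are the pattern an infection leaves so the user sees no warnings, and deleting the dropper does not restore them. The Python below is an added example, not ComboFix code and not from the thread: it parses that REGEDIT4-style excerpt and reports each deviation from a hardened baseline. The excerpt is copied from the log above; the baseline values are the example's own. AppInit_DLLs is reported too, so the owner can confirm eNetHook.dll belongs to the Acer eNet Service the O23 lines list rather than to the infection.

```python
"""Audit the security-posture keys in ComboFix's 'Reg Loading Points' section.

Added example; not ComboFix's own code and not from the thread. It parses the
REGEDIT4-style listing ([key] lines followed by "name"=value lines) and flags
settings that DNSChanger/TDSS-class infections commonly switch off. The sample
excerpt is copied from the ComboFix log above; the expected values in CHECKS
are this example's own baseline.
"""
import re

# Input for the demo: copied from the ComboFix log above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# (key suffix, value name, expected DWORD, what a deviation means).
# Suffix matching avoids caring whether ComboFix wrote HKLM or HKEY_LOCAL_MACHINE.
CHECKS = [
    ("policies\\system", "EnableLUA", 1, "UAC disabled: elevation prompts suppressed"),
    ("security center", "UacDisableNotify", 0, "Security Center UAC warning silenced"),
    ("security center", "InternetSettingsDisableNotify", 0, "Security Center IE-settings warning silenced"),
    ("security center", "AutoUpdateDisableNotify", 0, "Security Center update warning silenced"),
    ("security center\\monitoring", "DisableMonitoring", 0, "Security Center AV/firewall monitoring off"),
    ("firewallpolicy\\publicprofile", "EnableFirewall", 1, "Windows Firewall off for the public profile"),
]


def parse_reg_points(text):
    """Return {lowercased key path: {value name: raw value string}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            reg.setdefault(current, {})
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            reg[current][vm.group("name")] = vm.group("value").strip()
    return reg


def as_int(raw):
    """Decode both DWORD spellings ComboFix uses: '0 (0x0)' and 'dword:00000001'."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def audit(text):
    """Return (value name, actual value, meaning) for every baseline deviation."""
    reg = parse_reg_points(text)
    findings = []
    for suffix, name, expected, meaning in CHECKS:
        for key, values in reg.items():
            if key.endswith(suffix) and name in values:
                actual = as_int(values[name])
                if actual != expected:
                    findings.append((name, actual, meaning))
    # AppInit_DLLs loads the named DLL into every process that links user32.dll,
    # which is why ComboFix showed eNetHook.dll inside winlogon.exe and lsass.exe.
    # Report it whenever set so the DLL's publisher gets verified.
    for key, values in reg.items():
        if key.endswith("windows nt\\currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(("AppInit_DLLs", values["AppInit_DLLs"],
                             "DLL injected into every GUI process; verify its publisher"))
    return findings


if __name__ == "__main__":
    for name, actual, meaning in audit(SAMPLE_REG):
        print(f"{name:30s} = {actual!s:14s} {meaning}")
```

On the sample it reports seven items: the six disabled-defence values and the AppInit_DLLs entry. The point of running it after a cleanup is that removal tools delete droppers but rarely flip these values back, so a machine can be "clean" and still boot with UAC, the firewall and Security Center monitoring all off.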

bmazurk (New Member) - Posted 11-29-2008 3:22 (GMT +1)
Oh, and I almost forgot. I connect wirelessly to my router through a secured network, and none of the other computers on the network (they are wired) are having any trouble.

Touch (Forum Moderator) - Posted 11-29-2008 5:41 (GMT +1)
Ok.
 
 
Open notepad and copy/paste the text in the quotebox below into it:


Quote:
 
Killall::
 
Snapshot::
 
 
File::
c:\windows\system32\kdyaz.exe


Domains::
 
 
Save this as:
CFScript
 
Referring to the picture above, drag CFScript into ComboFix.exe

Then post fresh combofix  log.
 
 
Also run a scan with Malwarebytes, and let me know if it finds these addresses:
85.255.112.126;85.255.112.131



bmazurk (New Member) - Posted 11-30-2008 2:17 (GMT +1)
OK, here are the new logs. 
ComboFix 08-11-29.03 - Toby 2008-11-29 19:02:42.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.945 [GMT -6:00]
Running from: c:\users\Toby\Desktop\ComboFix.exe
Command switches used :: c:\users\Toby\Desktop\CFScript.txt
 * Created a new restore point
FILE ::
c:\windows\system32\kdyaz.exe
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\windows\system32\kdyaz.exe
c:\windows\system32\TDSSwqsc.dat
.
(((((((((((((((((((((((((   Files Created from 2008-10-28 to 2008-11-30  )))))))))))))))))))))))))))))))
.
2008-11-29 08:51 . 2008-11-29 08:51 <DIR> d-------- c:\users\TEMP\Searches
2008-11-29 08:51 . 2008-11-29 08:51 <DIR> d-------- c:\users\TEMP\Contacts
2008-11-29 08:48 . 2008-11-29 08:51 <DIR> d-------- c:\users\TEMP\AppData
2008-11-29 08:48 . 2008-11-29 09:28 <DIR> d-------- c:\users\TEMP
2008-11-29 08:34 . 2008-11-29 08:34 2 --a------ C:\480179810
2008-11-29 08:25 . 2008-11-29 08:31 <DIR> d-------- c:\program files\RegistryFix7
2008-11-28 20:57 . 2008-11-28 20:57 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-28 20:57 . 2008-11-28 20:57 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-28 20:57 . 2008-11-29 07:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-28 20:57 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-28 20:57 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-28 19:33 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2008-11-25 20:29 . 2008-10-12 16:11 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2008-11-25 20:13 . 2008-11-25 20:14 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-25 19:58 . 2008-11-25 19:58 <DIR> d-------- C:\!KillBox
2008-11-25 18:22 . 2008-11-25 18:23 <DIR> d-------- C:\HijackThis
2008-11-25 18:22 . 2008-11-25 18:22 812,344 --a------ C:\HJTInstall.exe
2008-11-25 18:17 . 2008-11-25 18:17 <DIR> d-------- c:\program files\CCleaner
2008-11-25 13:30 . 2003-11-11 14:11 <DIR> d-------- c:\program files\321Studios
2008-11-21 12:19 . 2008-11-21 12:19 <DIR> d-------- c:\users\All Users\acccore
2008-11-21 12:19 . 2008-11-21 12:19 <DIR> d-------- c:\programdata\acccore
2008-11-12 20:59 . 2008-11-12 20:59 <DIR> d-------- c:\program files\Kodak
2008-11-11 21:23 . 2008-09-09 21:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 21:23 . 2008-09-04 23:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 21:23 . 2008-08-26 19:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-07 14:22 . 2008-11-29 08:32 <DIR> d-a------ c:\users\All Users\TEMP
2008-11-07 14:22 . 2008-11-29 08:32 <DIR> d-a------ c:\programdata\TEMP
2008-11-03 18:55 . 2008-11-03 18:55 <DIR> d-------- c:\users\All Users\AVS4YOU
2008-11-03 18:55 . 2008-11-03 18:55 <DIR> d-------- c:\programdata\AVS4YOU
2008-11-03 18:53 . 2008-11-03 18:55 <DIR> d-------- c:\program files\Common Files\AVSMedia
2008-11-03 18:53 . 2008-11-03 18:55 <DIR> d-------- c:\program files\AVS4YOU
2008-11-03 18:53 . 2002-01-05 16:48 974,848 --a------ c:\windows\System32\mfc70.dll
2008-11-03 18:53 . 2002-01-05 15:40 487,424 --a------ c:\windows\System32\msvcp70.dll
2008-11-03 18:53 . 2002-01-05 03:37 344,064 --a------ c:\windows\System32\msvcr70.dll
2008-11-03 18:53 . 2003-05-21 13:50 24,576 --a------ c:\windows\System32\msxml3a.dll
2008-10-29 16:53 . 2008-08-11 21:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-29 16:53 . 2008-09-17 22:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-29 16:53 . 2008-09-17 22:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-28 10:36 . 2008-08-05 03:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-28 10:36 . 2008-08-05 03:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-28 10:36 . 2008-08-05 03:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-28 10:36 . 2008-08-05 03:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-28 10:36 . 2008-08-05 03:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-22 19:56 . 2008-11-14 22:08 10 --a------ c:\windows\popcinfo.dat
2008-10-22 19:46 . 2008-10-22 19:46 <DIR> d-------- c:\program files\PopCap Games
2008-10-22 19:44 . 2008-10-22 19:46 <DIR> d-------- c:\program files\Zuma Deluxe
2008-10-16 07:12 . 2008-09-17 23:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-16 07:12 . 2008-09-17 23:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-16 07:12 . 2008-09-17 20:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-16 07:12 . 2008-10-01 19:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-16 07:12 . 2008-10-01 21:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-16 07:12 . 2008-08-26 19:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-10-12 16:11 . 2008-11-29 09:27 <DIR> d-------- c:\users\Toby\.housecall6.6
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 02:57 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-11-26 02:25 --------- d-----w c:\program files\Launch Manager
2008-11-21 19:17 --------- d-----w c:\program files\AIM6
2008-11-21 18:19 --------- d-----w c:\programdata\Viewpoint
2008-11-21 18:19 --------- d-----w c:\program files\Viewpoint
2008-11-21 18:02 --------- d-----w c:\programdata\AOL Downloads
2008-11-16 18:04 --------- d-----w c:\programdata\Microsoft Help
2008-11-07 22:52 --------- d-----w c:\program files\MP3 Wav Editor
2008-10-23 22:57 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-17 14:25 --------- d-----w c:\program files\Windows Mail
2008-09-30 22:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-08-02 03:26 36,864 ----a-w c:\windows\System32\cdd.dll
2008-06-24 12:14 174 --sha-w c:\program files\desktop.ini
2007-12-18 18:25 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-18 18:25 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-18 18:25 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-03-04 22:16 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
2007-09-21 01:32 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007092020070921\index.dat
2007-10-03 19:07 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007100320071004\index.dat
2007-12-28 23:29 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007122820071229\index.dat
2008-03-04 22:18 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008030420080305\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Acer Tour Reminder"="" [BU]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
"ALaunch"="c:\acer\ALaunch\AlaunchClient.exe" [BU]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-01-11 483328]
"eDSMSNfix"="c:\acer\Empowering Technology\eDSMSNfix.exe" [2007-02-08 13312]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-01-17 151552]
"SetPanel"="c:\acer\APanel\APanel.cmd" [BU]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 74672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 c:\windows\RtHDVCpl.exe]
"Acer Tour"="" [BU]
"eRecoveryService"="" [BU]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-03-28 528384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2028D769-6545-4992-A33C-DB285537536A}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{49172F3C-AA37-493D-A69F-40985C423C24}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{652EEB8C-CE2F-4443-94F3-61D1C9779AA6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0BCD854A-5C93-4D3D-A8ED-66616CB0D8CF}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C23326F6-8F5D-48BF-A268-A95DC21AF5FC}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{7B53F4D4-7E0C-49C1-B31A-0661151E5E2B}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{F7747D9F-92B8-44F4-8EE6-3FCE8414A537}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{4D22558D-BB8C-41A3-9054-7CA530687BF6}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{EABA7BCD-8E4E-4292-8722-43B54974DD7B}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{25D0E2C2-6C9D-47E4-A1A0-2D733AAC6FD4}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E16E3E6B-B892-400A-A91F-AA0B35A240FF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{CFCB2597-EC09-487F-B5BB-7823DF4A02C9}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{4BF5AA1C-F5CE-4301-B559-42E6E842AD64}"= UDP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
"{0DB11461-DF61-405A-A5BD-46D5708D3B93}"= TCP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
"{309404C0-D4D4-4788-A80B-375283FDFBBB}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{52EDC1DF-8319-4B80-8B3E-F97C1B286FB5}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
"{3285946A-F1EE-46C6-AB34-9241702DEDBF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{F922677E-222E-4484-BA3A-A0E94A8EB77A}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9ECB80E2-D75A-4423-A6FC-0EBA771B340D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{65B44A31-2F8B-4D5A-B5CE-36F89C9C38C4}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{A626B968-DC75-401F-87C2-7D5414D843CB}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{A9DE5C50-F11F-489D-821B-A5D16843C7C5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-03-28 50688]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2003-11-11 29184]
.
Contents of the 'Scheduled Tasks' folder
2008-11-25 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-08-31 15:46]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)


**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 19:06:13
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4440)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\lxbkcoms.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Launch Manager\QtZgAcer.EXE
c:\program files\Symantec AntiVirus\VPTray.exe
c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Lexmark X1100 Series\LXBKbmon.exe
c:\acer\Empowering Technology\eNet\eNMTray.exe
c:\acer\Empowering Technology\ePower\ePower_DMC.exe
c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
c:\acer\Empowering Technology\eRecovery\eRAgent.exe
c:\windows\System32\igfxext.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-11-29 19:10:34 - machine was rebooted [Toby]
ComboFix-quarantined-files.txt  2008-11-30 01:09:55
ComboFix2.txt  2008-11-29 04:01:33
Pre-Run: 40,666,955,776 bytes free
Post-Run: 40,532,709,376 bytes free
236 --- E O F --- 2008-11-24 16:21:42
Malwarebytes' Anti-Malware 1.30
Database version: 1433
Windows 6.0.6001 Service Pack 1
11/29/2008 7:15:45 PM
mbam-log-2008-11-29 (19-15-45).txt
Scan type: Quick Scan
Objects scanned: 47612
Time elapsed: 3 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I can do the full scan if you need with Malwarebytes.  Wasn't sure what was best.  The google search engine seems to be working correctly again, hopefully the problem won't return on reboot.
 
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14325
   Posted 11-30-2008 5:07 (GMT +1)
No need to run a full scan with Malwarebytes, all the logs look clean :)
 
Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.
Reset your clock settings. Hide file extensions.
Hide the system/hidden files. And resets System Restore again.
 
Also, please read this article by Tony Klein: How I got Infected in the First Place


Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.

 
bmazurk
New Member
Date Joined Nov 2008
Total Posts : 5
   Posted 11-30-2008 2:23 (GMT +1)
Thanks for your help!
 
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14325
   Posted 11-30-2008 5:25 (GMT +1)
My pleasure :)


Since this issue appears to be resolved ... this Topic has been closed.
If you need this topic reopened, please contact me with the address of the thread.
Thank you!



Do NOT post your problem in someone elses thread.
A non-profit, volunteer network.
