Mischel Internet Security Forum > Malware > Trojans (Moderators: Helena, Gavin_Coe, Magnus)
Topic: Google redirect virus/spyware/malware (Read 3484 times)
MarkinVA (Newbie, Posts: 4)
Google redirect virus/spyware/malware
« on: Nov 23rd, 2009, 7:59am »

Hi, I have a virus that I can't seem to shake. If I go to google.com and do a search, the search result links take me to other sites, ads, etc. I've done many scans with many products and none of them can stop it. I disabled my antivirus programs and ran BitDefender (on all drives) and HijackThis. Results are below. Any help would be appreciated.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:40 AM, on 11/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Timbuktu Pro\TimbuktuRemoteConsole.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\TrojanHunter 5.2\THGuard.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmi.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\\minitb2.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.2\THGuard.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [PxDotNetLoader] "C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.vectorvest.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150155175138
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150157001946
O16 - DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} (Domino Web Access 8 Control) - https://gsvaresm05.er.usgs.gov/dwa8W.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6CFFE00-1494-4B2F-B186-FC0025175982} : NameServer = 65.120.90.202
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
 
--
End of file - 9540 bytes
 
 
 
BitDefender Online Scanner - Real Time Virus Report
Generated at: Mon, Nov 23, 2009 - 08:33:17

Scan Info
  Scanned Files: 266593
  Infected Files: 0

Virus Detected
  No virus found.

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

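The HijackThis log above is the raw material a log reviewer reads by eye: O4 autostart entries, the O17 NameServer value, O23 services and the R0/R1 browser URLs. As an added example (my code, not part of the thread, of HijackThis or of TrojanHunter), the Python below parses that line format into records and groups them the way a reviewer triages them. The sample lines are copied from the log above; the names parse_hjt, triage, exe_path and Entry are mine, and the grouping it performs (flagging services with an unknown owner, autostarts that resolve to "?", and the configured DNS servers) is one reviewer's checklist, not a verdict on any entry.

```python
"""Parse HijackThis (HJT) log lines into records and group them for triage."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmi.org/
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\\minitb2.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VPN Client.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6CFFE00-1494-4B2F-B186-FC0025175982} : NameServer = 65.120.90.202
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
"""


@dataclass
class Entry:
    code: str    # HJT section code: R0, O4, O17, O23, ...
    kind: str    # run | startup | nameserver | service | browser_url | other
    name: str    # value name, service name, or shortcut name
    target: str  # executable path, URL, or DNS server list
    extra: str   # hive/key, startup folder, or service owner
    raw: str     # the original line, kept for reporting


LINE_RE = re.compile(r'^([ORFN]\d+) - (.*)$')
RUN_RE = re.compile(r'^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$')
STARTUP_RE = re.compile(r'^(Global Startup|Startup): (.+?) = (.*)$')
DNS_RE = re.compile(r'NameServer = (.*)$')
SERVICE_RE = re.compile(r'^Service: (.+?) - (.+?) - (.*)$')
URL_RE = re.compile(r'^(HK\w+\\.+?),(.+?) = (.*)$')


def exe_path(command: str) -> str:
    """Strip arguments from a Run command, honouring quoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    # Unquoted paths may still contain spaces, so cut at the first ".exe" instead of at a space.
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_hjt(text: str) -> list:
    """Turn HJT log text into Entry records; unrecognised lines become kind 'other'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        parsed = None
        if code == "O4":
            if (r := RUN_RE.match(body)):
                hive, key, name, cmd = r.groups()
                parsed = Entry(code, "run", name, exe_path(cmd), hive + "\\..\\" + key, line)
            elif (s := STARTUP_RE.match(body)):
                where, name, target = s.groups()
                parsed = Entry(code, "startup", name, target.strip(), where, line)
        elif code == "O17":
            if (d := DNS_RE.search(body)):
                parsed = Entry(code, "nameserver", "NameServer", d.group(1).strip(), "", line)
        elif code == "O23":
            if (s := SERVICE_RE.match(body)):
                name, owner, path = s.groups()
                parsed = Entry(code, "service", name, path, owner, line)
        elif code in ("R0", "R1"):
            if (u := URL_RE.match(body)):
                key, value, url = u.groups()
                parsed = Entry(code, "browser_url", value, url, key, line)
        entries.append(parsed or Entry(code, "other", "", body, "", line))
    return entries


def triage(entries: list) -> dict:
    """Group parsed entries the way a reviewer reads an HJT log."""
    runs = [e for e in entries if e.kind in ("run", "startup")]
    return {
        "autostart_paths": sorted({e.target for e in runs if e.target not in ("?", "")}),
        "unresolved_autostarts": [e.raw for e in runs if e.target in ("?", "")],
        "dns_servers": [s.strip() for e in entries if e.kind == "nameserver"
                        for s in e.target.split(",")],
        "services_unknown_owner": [e.name for e in entries
                                   if e.kind == "service" and e.extra.lower().startswith("unknown")],
        "browser_urls": {e.name: e.target for e in entries if e.kind == "browser_url"},
    }


if __name__ == "__main__":
    for section, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

The "autostart_paths" list is the part worth checking file by file (publisher, on-disk location, hash), and the "dns_servers" list is worth comparing against what the ISP or DHCP server actually hands out; an unrecognised resolver is one ordinary cause of search redirects, though in this thread the cause turned out elsewhere.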
siliconman01 (Global Moderator, Posts: 7358)
Re: Google redirect virus/spyware/malware
« Reply #1 on: Nov 23rd, 2009, 9:06am »
Welcome to the forum MarkinVA  Cheesy
 
The only thing in your Hijackthis log that looks like a possibility of causing your problem is Timbuktu Pro.  
 
http://www.ehow.com/how_5132390_remove-notify-dll-hijacker.html
 
Ehow states:
 
Quote:
Notify.dll was originally a component of Timbuktu Pro, a commercial remote access Trojan (RAT) developed by Netopia. This particular RAT is installed for the purpose of user support as well as remote desktop troubleshooting and management, however be aware that this commercial product developed for the purpose of remote administration has been known to be exploited to reroute your confidential information or browser address requests to an installer-specified website. The entire removal process must be completed to effectively remove the program as it is capable of recreating files to repair itself in addition to updating itself by downloading new versions.

 
There is a removal procedure at the link below if you wish to remove it and see if that resolves your issue of redirections.
 
http://www.netopia.com/support/software/technotes/timbuktu/win/2000/TP2000_003.html
 
BEFORE removing Timbuktu, please go to the link below and follow the instructions for using COMBOFIX.exe to see if this resolves your problem.
 
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Once Combofix has completed and rebooted, please post the Combofix log back here for me to examine.  
 
Also post a new Hijackthis scan after the Combofix run.
« Last Edit: Nov 23rd, 2009, 9:12am by siliconman01 »

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
MarkinVA (Newbie, Posts: 4)
Re: Google redirect virus/spyware/malware
« Reply #2 on: Nov 23rd, 2009, 9:44am »
Before I try anything that you suggest, I want to let you know that I do use Timbuktu Pro as my remote access software. Is this a possibility with older releases of Timbuktu? I am at release 8.6 of Timbuktu and I just called their tech support; there have been some minor releases, but they didn't fix issues like this. So you think I should uninstall Timbuktu and reinstall it? Or might there still be some other issue?
 
Mark
siliconman01 (Global Moderator, Posts: 7358)
Re: Google redirect virus/spyware/malware
« Reply #3 on: Nov 23rd, 2009, 9:53am »
I'm not at all convinced that Timbuktu Pro is the problem.  That is why I would like you to run Combofix.exe to see if it finds the problem with something other than Timbuktu Pro.
 
Your browser does appear to be hijacked, but the HijackThis log is not positively showing the cause. Combofix is a good tool to identify and remove those hidden malicious critters.
MarkinVA (Newbie, Posts: 4)
Re: Google redirect virus/spyware/malware
« Reply #4 on: Nov 23rd, 2009, 3:55pm »
Thanks for your help. I ran ComboFix; here is the log.
 
Mark
 
ComboFix 09-11-22.08 - Mark 11/23/2009 16:12.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.134 [GMT -5:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
Infected copy of c:\windows\System32\DRIVERS\atapi.sys was found and disinfected  
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys  
 
.
(((((((((((((((((((((((((   Files Created from 2009-10-23 to 2009-11-23  )))))))))))))))))))))))))))))))
.
 
2009-11-23 11:49 . 2009-11-23 12:21  --------  d-----w-  c:\windows\BDOSCAN8
2009-11-22 23:45 . 2009-11-22 23:45  53136     ----a-w-  c:\windows\system32\PxSecure.dll
2009-11-22 23:45 . 2009-11-22 23:45  30280     ----a-w-  c:\windows\system32\drivers\pxscan.sys
2009-11-22 23:45 . 2009-11-22 23:45  46896     ----a-w-  c:\windows\system32\drivers\pxrts.sys
2009-11-22 23:45 . 2009-11-22 23:45  24368     ----a-w-  c:\windows\system32\drivers\pxkbf.sys
2009-11-22 23:44 . 2009-11-22 23:44  --------  d-----w-  c:\program files\Prevx
2009-11-22 23:44 . 2009-11-22 23:53  --------  d-----w-  c:\documents and settings\All Users\Application Data\PrevxCSI
2009-11-22 03:21 . 2009-11-22 03:21  --------  d-----w-  c:\program files\AVG
2009-11-17 12:04 . 2009-11-17 16:18  --------  d-----w-  c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-11-17 12:04 . 2009-11-17 12:04  --------  d-----w-  c:\documents and settings\Mark\Application Data\Yahoo!
2009-11-17 12:04 . 2009-11-17 12:04  --------  d-----w-  c:\program files\Yahoo!
2009-11-17 12:04 . 2009-11-17 12:04  --------  d-----w-  c:\program files\CCleaner
2009-11-17 11:41 . 2009-11-17 11:41  --------  d-----w-  c:\program files\Trend Micro
2009-11-12 14:57 . 2009-11-23 00:28  --------  d-----w-  c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-12 14:57 . 2009-11-12 15:05  --------  d-----w-  c:\program files\Spybot - Search & Destroy
2009-11-10 21:21 . 2009-11-10 21:21  --------  d-----w-  c:\documents and settings\Mark\Application Data\Malwarebytes
2009-11-10 21:21 . 2009-09-10 19:54  38224     ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 21:21 . 2009-11-10 21:21  --------  d-----w-  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-10 21:21 . 2009-09-10 19:53  19160     ----a-w-  c:\windows\system32\drivers\mbam.sys
2009-11-10 21:21 . 2009-11-10 21:21  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2009-11-10 04:05 . 2009-11-10 04:05  --------  d-----w-  c:\documents and settings\Mark\Application Data\TrojanHunter
2009-11-10 03:55 . 2009-11-23 13:39  --------  d-----w-  c:\program files\TrojanHunter 5.2
2009-11-10 03:45 . 2009-11-10 03:45  --------  d-----w-  c:\documents and settings\Mark\Application Data\Sammsoft
2009-11-10 03:45 . 2009-11-10 03:45  --------  d-----w-  c:\program files\Advanced Registry Optimizer
2009-11-10 03:33 . 2009-11-17 17:03  --------  d---a-w-  c:\documents and settings\All Users\Application Data\TEMP
2009-11-10 02:40 . 2009-11-10 02:34  34102344  ----a-w-  C:\sdsetup_aff1.exe
2009-11-09 10:51 . 2009-11-12 13:49  --------  d-----w-  c:\documents and settings\Mark\Local Settings\Application Data\uayilu
2009-10-27 14:26 . 2009-11-09 22:06  --------  d-----w-  c:\program files\Windows Live Safety Center
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 21:30 . 2006-06-12 23:28  --------  d-----w-  c:\program files\Symantec AntiVirus
2009-11-23 00:37 . 2009-08-29 15:55  --------  d-----w-  c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-22 01:35 . 2007-07-02 23:54  --------  d-----w-  c:\program files\Google
2009-11-17 01:03 . 2006-06-13 01:43  --------  d-----w-  c:\program files\Quicken
2009-10-17 22:56 . 2009-10-17 22:56  --------  d-----w-  c:\program files\Flip Video
2009-10-12 14:52 . 2006-06-14 23:39  --------  d-----w-  c:\program files\eSignal
2009-09-11 14:18 . 2001-08-23 12:00  136192    ----a-w-  c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2001-08-23 12:00  58880     ----a-w-  c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-01-08 19:23  832512    ----a-w-  c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56  78336     ----a-w-  c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-23 12:00  17408     ----a-w-  c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2001-08-23 12:00  247326    ----a-w-  c:\windows\system32\strmdll.dll
2007-08-29 22:12 . 2007-08-29 21:53  80        --sh--r-  c:\windows\system32\E183BFD755.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown  
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2008-12-10 42336]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2008-08-22 2084480]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-02-18 67184]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-24 120640]
"TLogonPath"="c:\program files\Timbuktu Pro\\minitb2.exe" [2006-02-22 1028096]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-05-09 102455]
"DVDBitSet"="c:\program files\HP CD-DVD\Umbrella\DVDBitSet.exe" [2002-05-01 200704]
"HPCDTray"="c:\program files\HP CD-DVD\Umbrella\hpcdtray.exe" [2001-10-17 69632]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"THGuard"="c:\program files\TrojanHunter 5.2\THGuard.exe" [2009-10-12 1063072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
 
c:\documents and settings\Mark\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2006-6-29 2367488]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2006-02-22 19:48  81920  ----a-w-  c:\program files\Timbuktu Pro\HOOK32.DLL
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Timbuktu Pro\\tb2pro.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Timbuktu Pro\\MiniTB2.exe"=
"c:\\Program Files\\Timbuktu Pro\\TB2Scan.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
 
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [11/22/2009 6:45 PM 30280]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [11/22/2009 6:44 PM 6213584]
R2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [6/4/2009 4:41 PM 451904]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [9/19/2008 2:03 AM 65536]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [11/22/2009 6:45 PM 46896]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [11/22/2009 6:45 PM 24368]
R3 qic157;qic157;c:\windows\system32\drivers\qic157.sys [6/12/2006 1:44 PM 6016]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/24/2005 4:21 PM 153416]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wmi.org/
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
Trusted Zone: turbotax.com
Trusted Zone: vectorvest.com\www
TCP: {E6CFFE00-1494-4B2F-B186-FC0025175982} = 65.120.90.202
.
- - - - ORPHANS REMOVED - - - -
 
AddRemove-0PR44WT7-L00K-1T1Z-H3R3-UN1NST4LLTH3_is1 - c:\program files\GlobalTec Solutions
AddRemove-W1Z3F33D-CD0C-4AC4-86B4-X11E5511AA18_is1 - c:\program files\GlobalTec Solutions
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
 
 
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 16:39
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ...  
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'explorer.exe'(112)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Timbuktu Pro\tb2launch.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Timbuktu Pro\TimbuktuRemoteConsole.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Timbuktu Pro\minitb2.exe
c:\program files\palmOne\Hotsync.exe
.
**************************************************************************
.
Completion time: 2009-11-23 16:45 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-23 21:45
 
Pre-Run: 118,753,312,768 bytes free
Post-Run: 118,994,948,096 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
 
- - End Of File - - 35B04611E0975B640E25EF710CDA5D32
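ComboFix's "Other Deletions" section above reports that the live c:\windows\System32\DRIVERS\atapi.sys was infected and that a copy was restored from c:\windows\ServicePackFiles\i386\atapi.sys. The check behind that finding, comparing a driver on disk against a trusted reference copy by cryptographic hash, is something a defender can script independently of any one tool. The Python below is an added example (my code, not ComboFix's and not from this thread): it hashes both copies with SHA-256, optionally consults a caller-supplied allowlist of known-good hashes, and returns a verdict. The two XP paths are the ones named in the log; the demo() function writes constructed stand-in files to a temporary directory so the example runs offline, and the names compare_driver, sha256_file and demo are mine.

```python
"""Compare a live Windows driver against a trusted reference copy by SHA-256."""
import hashlib
import os
import tempfile

# Paths as named in the ComboFix log above (Windows XP layout); only meaningful on such a box.
LIVE_ATAPI = r"C:\WINDOWS\system32\drivers\atapi.sys"
BACKUP_ATAPI = r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large drivers do not have to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_driver(live_path: str, backup_path: str, known_good: set = None) -> dict:
    """Report whether the live file matches the reference copy and/or an allowlist of hashes."""
    live = {"path": live_path, "size": os.path.getsize(live_path), "sha256": sha256_file(live_path)}
    backup = {"path": backup_path, "size": os.path.getsize(backup_path), "sha256": sha256_file(backup_path)}
    result = {
        "live": live,
        "backup": backup,
        "matches_backup": live["sha256"] == backup["sha256"],
        # None means "no allowlist supplied", so it cannot be mistaken for a pass.
        "in_known_good": None if known_good is None else live["sha256"] in known_good,
    }
    result["verdict"] = "ok" if (result["matches_backup"] or result["in_known_good"]) else "review"
    return result


def demo() -> tuple:
    """Offline run on constructed files: one clean live copy, one patched in place."""
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "atapi.sys.reference")
        live_clean = os.path.join(d, "atapi_clean.sys")
        live_patched = os.path.join(d, "atapi_patched.sys")

        # Constructed stand-in for a driver image; not real atapi.sys bytes.
        original = b"MZ" + b"\x00" * 62 + b"constructed driver image" * 64
        with open(backup, "wb") as f:
            f.write(original)
        with open(live_clean, "wb") as f:
            f.write(original)

        # Simulate an in-place modification: same length, 16 bytes changed in the body.
        patched = bytearray(original)
        patched[0x200:0x210] = b"X" * 16
        with open(live_patched, "wb") as f:
            f.write(bytes(patched))

        # The allowlist here is derived from the constructed reference, not a real vendor hash.
        allow = {sha256_file(backup)}
        return compare_driver(live_clean, backup, allow), compare_driver(live_patched, backup, allow)


if __name__ == "__main__":
    for r in demo():
        print(r["verdict"], r["live"]["size"], r["live"]["sha256"][:16], "vs", r["backup"]["sha256"][:16])
```

The constructed tampered copy keeps the original length on purpose, so the demo also shows why a size or timestamp comparison is no substitute for a hash. On a real machine, compare_driver(LIVE_ATAPI, BACKUP_ATAPI) is best run from an offline boot environment rather than the running system, because a file-level check made under an active kernel-mode rootkit can be shown a clean copy; and a "review" verdict is a prompt to check the file's signature and publisher, not proof of infection by itself.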
MarkinVA (Newbie, Posts: 4)
Re: Google redirect virus/spyware/malware
« Reply #5 on: Nov 23rd, 2009, 4:11pm »

Update - It looks like ComboFix fixed my problem with the Google redirect issue. Thanks again for all your help. Let me know if you see anything else in the log. I'll report back in a couple of days and let you know if anything reappears.
 
Thanks again
 
Mark
siliconman01 (Global Moderator, Posts: 7358)
Re: Google redirect virus/spyware/malware
« Reply #6 on: Nov 23rd, 2009, 11:03pm »

Excellent, very glad to see Combofix.exe fixed the problem.  atapi.sys being infected was most likely the cause.
 
Would you please send the Combofix quarantine folder to Mischel Internet Security so that Gavin can examine atapi.sys?
 
-  Locate the folder C:\Qoobox
-  Zip folder Qoobox
-  Send to Gavin at submit@trojanhunter.com
(Please include a link to this forum post.  In the subject of the email, please state "Qoobox quarantine folder".)
 
Then you should remove Combofix from your system.
 
-  Go to START>Run and type in   combofix.exe /u
(Note the space before /u  )
-  Click on OK and let Combofix uninstall itself.
johns123 (Guest)
Re: Google redirect virus/spyware/malware
« Reply #7 on: Dec 1st, 2009, 6:41am »

The unwanted ads are caused by malware, which is malicious code automatically installed on your computer by other software. If you face such a problem, just check the best antivirus protection reviews and choose the best.