[Active] Google redirect virus

Discussion in 'Virus and Malware Removal' started by lemika, Dec 8, 2011.

  1. lemika Newcomer, in training

    Edit: Lengthy SnapShot entries have been reviewed and deleted by Bobbye

    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-01-05 01:20 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-05 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-05 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-09-26 17353352]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-12-28 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-05 1391272]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [1/10/2012 1:40 PM 36000]
    R1 uzeyodq1;AVZ-RK Kernel Driver;c:\windows\system32\drivers\uzeyodq1.sys [3/17/2010 8:54 AM 11264]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/10/2012 1:40 PM 86224]
    R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [1/10/2012 1:40 PM 463824]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
    S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe --> c:\windows\system32\HPSIsvc.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2011 11:52 AM 136176]
    S3 HP1210FAX;HP1210MFP FAX;c:\windows\system32\drivers\HPM1210FAX.sys [1/10/2012 2:22 PM 13824]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [1/10/2012 2:22 PM 17408]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
    .
    2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-12-28 16:52]
    .
    2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003Core.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1123561945-1417001333-1003UA.job
    - c:\documents and settings\Saban\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-03 13:08]
    .
    2012-01-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2012-01-05 01:20]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Saban\Application Data\Mozilla\Firefox\Profiles\l22j95ne.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-HP LaserJet Professional M1130-M1210 MFP Series - c:\program files\HP\HP LaserJet M1210 MFP Series\Uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-23 12:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(744)
    c:\program files\Avira\AntiVir Desktop\avsda.dll
    .
    - - - - - - - > 'explorer.exe'(1296)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Microsoft Office\Office10\msohev.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Brother\ControlCenter3\brccMCtl.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    c:\program files\Brother\Brmfcmon\BrMfcmon.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-23 13:03:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-23 18:03
    ComboFix2.txt 2012-01-09 22:22
    ComboFix3.txt 2011-12-29 21:44
    ComboFix4.txt 2011-12-28 14:55
    ComboFix5.txt 2012-01-23 17:29
    .
    Pre-Run: 11,864,403,968 bytes free
    Post-Run: 13,217,267,712 bytes free
    .
    - - End Of File - - 5B675161D09E9863771E403AFDB1FA36
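Added example, not part of this thread or of ComboFix itself: a small Python triage script that reads lines in the ComboFix report format shown in the log above and flags the browser-hijack indicators the thread is about, namely the Ask.com "ApnUpdater" Run entry and "Scheduled Update for Ask Toolbar" task, the toolbar@ask.com Firefox extension, and the two prefs.js values that point Firefox's search and start page at search.conduit.com. The sample lines are copied from the log above; the hijack host/path list is an assumption limited to the two vendors that log shows (Ask, Conduit) and is not a general PUP signature set.

```python
import re
from urllib.parse import urlparse

# Hosts and path fragments taken from the ComboFix log in this thread.
# Assumption: limited to what the thread shows (Ask, Conduit); not a
# general PUP signature list.
PUP_HOSTS = ("ask.com", "conduit.com")
PUP_PATH_MARKERS = ("ask.com", "ask toolbar", "conduit")

# Constructed sample: lines copied from the ComboFix report above.
# ComboFix writes "hxxp" instead of "http" so the URLs are not clickable.
SAMPLE_LOG = r"""
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-05 1391272]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
uStart Page = hxxp://www.google.com/
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2790392&SearchSource=13
FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
2012-01-23 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
"""

# One regex per ComboFix line shape we care about.
RUN_KEY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FF_PREF = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - ?(?P<value>.*)$')
FF_EXT = re.compile(r'^FF - Ext: (?P<name>.+?): (?P<id>\S+) - (?P<path>.+)$')
START_PAGE = re.compile(r'^[um]?Start Page = (?P<url>.+)$')
TASK = re.compile(r'\\Tasks\\(?P<job>[^\\]+\.job)$')


def refang(url):
    """Turn ComboFix's defanged hxxp:// back into http:// so urlparse works."""
    return re.sub(r'^hxxp(s?)://', r'http\1://', url.strip())


def is_pup_host(url):
    """True when the URL's host is one of the hijack domains or a subdomain."""
    host = urlparse(refang(url)).hostname or ""
    return any(host == h or host.endswith("." + h) for h in PUP_HOSTS)


def is_pup_path(path):
    """True when a file path, task name or extension id names a hijack vendor."""
    p = path.lower()
    return any(marker in p for marker in PUP_PATH_MARKERS)


def classify(line):
    """Map one report line to (kind, detail, suspicious), or None if unknown."""
    line = line.strip()
    if m := RUN_KEY.match(line):
        return ("run_key", f'{m["name"]} -> {m["path"]}', is_pup_path(m["path"]))
    if m := FF_PREF.match(line):
        value = m["value"].strip()
        # An empty pref (selectedEngine above) is not evidence of anything.
        return ("ff_pref", f'{m["pref"]} = {value}', bool(value) and is_pup_host(value))
    if m := FF_EXT.match(line):
        return ("ff_ext", f'{m["name"]} ({m["id"]})',
                is_pup_path(m["id"]) or is_pup_path(m["path"]))
    if m := START_PAGE.match(line):
        return ("start_page", m["url"], is_pup_host(m["url"]))
    if m := TASK.search(line):
        return ("task", m["job"], is_pup_path(m["job"]))
    return None


def hijack_indicators(log_text):
    """Return only the suspicious entries, as {'kind', 'detail'} dicts."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[2]:
            findings.append({"kind": hit[0], "detail": hit[1]})
    return findings


def ff_prefs_to_reset(log_text):
    """Firefox pref names whose value points at a hijack host. These are the
    values to reset (about:config or prefs.js) once the extension is gone;
    removing the extension alone leaves them in place."""
    return [f["detail"].split(" = ")[0]
            for f in hijack_indicators(log_text) if f["kind"] == "ff_pref"]


if __name__ == "__main__":
    for f in hijack_indicators(SAMPLE_LOG):
        print(f'{f["kind"]:10s} {f["detail"]}')
    print("Firefox prefs to reset:", ", ".join(ff_prefs_to_reset(SAMPLE_LOG)))
```

What the script surfaces is the part of the log that a file scanner does not: the redirect here is a search provider and start page rewritten in prefs.js, which is a configuration change rather than a malicious file, so a clean Malwarebytes or ESET result says nothing about whether those two prefs still point at search.conduit.com.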
  2. lemika Newcomer, in training

    Hello! I have sent you the log in 3 parts since it's too long.
    I cannot find PC Tools Security or sdCoreService
  3. Bobbye Helper on the Fringe

    3 weeks ago, you got the AskToolbar and Ask.com on the system. I set up removals for all entries I found and also instructed you to uninstall all entries in Add/Remove Programs for Ask anything- toolbar, updater, .com
    ---------------------
    Additionally I told you to uninstall all of the following:
    Go to Add/Remove Programs and uninstall the following, if found:
    When finished, use Windows Explorer to access Computer> Local Drive> Programs> Look for program folder for each of the programs you uninstalled and do a right click> Delete on each.
    ---------------------
    I also instructed you to remove these Scheduled Tasks:

    • Please open Firefox> Tools> Add ons> Extensions> Remove the following:
      Ext: Conduit Engine
      Ext: BitTorrentBar Community Toolbar
      Ext: Support.com Toolbar: (this is another entry from ask.com)
      -

      Note there are more Ask entries to be removed in Firefox: Tools> Options> Extensions and/or plug-ins> Delete ALL of the following.
      FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      FF - Ext: Avira SearchFree Toolbar plus Web Protection: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
      FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
      FF - Ext: Support.com Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
      ---------------------------------
      I instructed you to update and run Mbam again, making it a Full Scan this time. There was no log.

      You installed Ask.com again on 1/12
      =========================================
      It appears that you have not copied all of the script and run it through Combofix- not once but 3 times
      ========================================
      If you do all of the above, update and run Combofix once more. It will be the last time I write script for you to run in Combofix.

  4. lemika Newcomer, in training

    I ran Malwarebytes yesterday and was sure I had sent you the results, but there is no post. I was probably disturbed by someone.
    I reran it. Here is the log

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.23.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Saban :: YELENA [administrator]

    1/24/2012 1:56:01 PM
    mbam-log-2012-01-24 (13-56-01).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 224824
    Time elapsed: 1 hour(s), 46 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  5. lemika Newcomer, in training

    As for Ask I did everything you told me except for removing it from Computer> Local Drive> Programs. It says that the program is used by someone else. I did remove it last time but it was reinstalled when I downloaded Avira.
  6. lemika Newcomer, in training

    Hey! I found the Malwarebytes log from yesterday
    Here it is

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.23.04

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Saban :: YELENA [administrator]

    1/23/2012 2:51:40 PM
    mbam-log-2012-01-23 (14-51-40).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 219335
    Time elapsed: 2 hour(s), 11 minute(s), 31 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\System Volume Information\_restore{987B1B85-12D5-430C-923E-7A4B948FE860}\RP406\A0083724.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

    (end)
  7. lemika Newcomer, in training

    ESET found no threats
  8. Bobbye Helper on the Fringe

    Check all the download screens well for pre-checked toolbars and browser helper objects. The Ask entries are very frequent and the current one even installs an auto-updater! These things are a lot easier to prevent than they are to get rid of!

    Come to think of this, Broni brought this up and has stopped recommending Avira because of it. I think he now has Comodo instead. I'll check on that.

    Are there any malware problems remaining- clean Mbam and Eset?
  9. lemika Newcomer, in training

    I did not know that Ask entries are that bad. So should I uninstall Avira and download Comodo instead?
    By the way, I used Ask instead of Google. At least it did not redirect me all the time :)

    Eset is clean. I am not sure about MBAM, but the problem is still there. It looks like it is easier to have someone reinstall Windows
  10. lemika Newcomer, in training

    Hey! I have a question. I do not have anyone to ask it so I thought you may help me with it. We have Netgear at work and as my boss said he can track websites we are visiting. Can he track websites I am visiting on my iPhone if I use Wi-Fi at work?
    Thank you in advance :)