TechSpot

Google Redirects

By Dougiebabe2003
Aug 8, 2011
  1. Hi there,

    I work in IT at a uni, and a student has brought his laptop to me with the problem of Google redirects.

    I have run Malwarebytes and his AVG AV, but the problem still exists.

    This is made more difficult by the fact that his laptop's language is Spanish and I cannot install the English MUI, as the language limit has been exceeded...

    Attached are the Malwarebytes log and GMER log. DDS would load up the CMD screen but wouldn't give out any reports; I disabled AVG completely while I ran the scan, but it still didn't give any reports.

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Versión de la Base de Datos: 7384

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 7.0.6001.18000

    05/08/2011 21:02:16
    mbam-log-2011-08-05 (21-02-16).txt

    Tipos de Análisis: Análisis Completo (C:\|D:\|F:\|)
    Objetos examinados: 375244
    Tiempo transcurrido: 2 hora(s), 48 minuto(s), 54 segundo(s)

    Procesos en Memoria Infectados: 0
    Módulos de Memoria Infectados: 0
    Claves del Registro Infectadas: 4
    Valores del Registro Infectados: 0
    Elementos de Datos del Registro Infectados: 0
    Carpetas Infectadas: 0
    Archivos Infectados: 5

    Procesos en Memoria Infectados:
    (No se han detectado elementos maliciosos)

    Módulos de Memoria Infectados:
    (No se han detectado elementos maliciosos)

    Claves del Registro Infectadas:
    HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ZU6RKI1ONY (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

    Valores del Registro Infectados:
    (No se han detectado elementos maliciosos)

    Elementos de Datos del Registro Infectados:
    (No se han detectado elementos maliciosos)

    Carpetas Infectadas:
    (No se han detectado elementos maliciosos)

    Archivos Infectados:
    c:\Users\pedro gómez\documents\pedro-cebas\D-CEBAS\pedro lab\Software\sas jmp software depot\JMP\Extra\iconrefresh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Users\pedro gómez\documents\pedro-cebas\D-CEBAS\pedro lab\Software\sas jmp software depot\jmp8client\Extra\iconrefresh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-08 11:50:58
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.8909
    Running: vt962i96.exe; Driver: C:\Users\PEDROG~1\AppData\Local\Temp\uwxcyfob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Administrador de filtros del sistema de archivos de Microsoft/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Motor en tiempo de ejecución del marco de controlador en modo kernel/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Motor en tiempo de ejecución del marco de controlador en modo kernel/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    Any help is much appreciated.

    Regards,

    Doug
     
  2. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. Dougiebabe2003

    Dougiebabe2003 TS Rookie Topic Starter

    Hi Broni,

    I have done the above, but DDS would not give me any log files; it just ran in the CMD window and then quit.

    Checking updates, it doesn't have SP2, but when I try to install it, it throws up an error (0x80070490).

    I'm trying to correct the above problem and get the service pack installed but will still need help with the virus/malware if possible.

    Regards,

    Doug
     
  4. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    My rules clearly say:
    Make sure you obey posted rules.

    =============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled, as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. Dougiebabe2003

    Dougiebabe2003 TS Rookie Topic Starter

    Hi Broni,

    Because of the way the Uni works, and since I work 9-5, they have someone else in overnight who seems to have worked on the laptop but has not left any info on what he has done... I do apologize for this, but unfortunately that is the way the uni is run.

    The internet seems to have stopped working on the laptop as well, but I think this has happened since using the app remover and running the scan programs.

    I have followed your instructions though: removed AVG, ran both scans, and the log files are pasted in below.

    I only did the update as I was following the instructions in the 7-part step guide:

    Keeping up with system updates:

    The following updates should be current. If they are not, your system may be vulnerable. Please update as needed:

    Microsoft Download Site: You should get all updates marked Critical and the current SP updates: Windows XP SP3, Vista SP2.


    Here are the log files:

    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-10 12:12:18
    -----------------------------
    12:12:18.687 OS Version: Windows 6.0.6001 Service Pack 1
    12:12:18.687 Number of processors: 2 586 0x170A
    12:12:18.703 ComputerName: PEDROGÓMEZ UserName:
    12:12:21.370 Initialze error 0
    12:13:33.185 AVAST engine defs: 11081000
    12:15:38.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    12:15:38.734 Disk 0 Vendor: FUJITSU_ 8909 Size: 305245MB BusType: 3
    12:15:38.749 Disk 0 MBR read successfully
    12:15:38.749 Disk 0 MBR scan
    12:15:38.765 Disk 0 Windows VISTA default MBR code
    12:15:38.765 Disk 0 scanning sectors +625141760
    12:15:38.812 Disk 0 scanning C:\windows\system32\drivers
    12:15:38.812 Service scanning
    12:15:39.701 Modules scanning
    12:15:40.325 Disk 0 trace - called modules:
    12:15:40.341 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll acpi.sys iastor.sys
    12:15:40.341 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87055648]
    12:15:40.341 3 CLASSPNP.SYS[82613745] -> nt!IofCallDriver -> [0x87055c48]
    12:15:40.356 5 hpdskflt.sys[8b3c9f92] -> nt!IofCallDriver -> [0x85b681f8]
    12:15:40.356 7 acpi.sys[806916a0] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85bc5028]
    12:15:40.450 AVAST engine scan C:\windows
    12:15:40.465 AVAST engine scan C:\windows\system32
    12:15:40.465 AVAST engine scan C:\windows\system32\drivers
    12:15:40.481 AVAST engine scan C:\Users\Pedro Gómez
    12:15:40.481 AVAST engine scan C:\ProgramData
    12:15:40.481 Scan finished successfully
    12:15:57.017 Disk 0 MBR has been saved successfully to "G:\MBR.dat"
    12:15:57.033 The log file has been saved successfully to "G:\aswMBR.txt"



    ComboFix 11-08-10.01 - Pedro Gómez 10/08/2011 14:08:22.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.34.3082.18.3035.1992 [GMT 1:00]
    Running from: c:\users\Pedro Gómez\Desktop\ComboFi.exe
    AV: Antivirus de Trend Micro OfficeScan *Enabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    SP: Antispyware de Trend Micro OfficeScan *Enabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\windows\system32\drivers\RKHit.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_RKHIT
    -------\Service_RkHit
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-10 to 2011-08-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-10 13:13 . 2011-08-10 13:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-10 10:32 . 2011-08-10 10:32 -------- d-----w- c:\program files\iPod
    2011-08-10 10:32 . 2011-08-10 10:33 -------- d-----w- c:\program files\iTunes
    2011-08-10 10:18 . 2011-08-10 10:18 -------- d-----w- c:\program files\Apple Software Update
    2011-08-10 10:14 . 2011-08-10 10:14 -------- d-----w- c:\programdata\HP Product Assistant
    2011-08-09 19:08 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-08-09 16:46 . 2011-08-10 10:16 -------- d-----w- c:\users\Pedro Gómez\AppData\Roaming\HpUpdate
    2011-08-09 15:58 . 2011-08-09 15:58 -------- d-----w- c:\users\Pedro Gómez\AppData\Local\Solid State Networks
    2011-08-09 12:56 . 2011-08-09 12:56 -------- d-----w- c:\windows\CheckSur
    2011-08-06 17:56 . 2011-08-06 17:56 -------- d-----w- c:\windows\system32\EventProviders
    2011-08-06 17:56 . 2011-08-06 18:13 -------- d-----w- C:\d6d6cfd83b6ec7052bab0ee67a26eb
    2011-08-05 14:09 . 2011-08-05 14:09 -------- d-----w- c:\users\Pedro Gómez\AppData\Roaming\Malwarebytes
    2011-08-05 14:09 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-05 14:09 . 2011-08-05 14:09 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-05 14:09 . 2011-08-05 14:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-05 14:09 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-05 13:30 . 2011-08-05 20:46 -------- d-----w- c:\program files\PCSafeDoctor
    2011-08-04 19:30 . 2011-08-04 19:30 0 ---ha-w- c:\users\Pedro Gómez\AppData\Local\BIT9215.tmp
    2011-08-04 16:58 . 2011-08-04 16:58 -------- d-----w- C:\$AVG
    2011-08-04 15:16 . 2011-08-10 11:40 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-08-03 14:00 . 2011-08-03 14:00 -------- d-----w- c:\programdata\boost_interprocess
    2011-08-03 13:42 . 2011-08-03 13:42 -------- d-----w- c:\windows\Sun
    2011-08-03 13:40 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D79A60AB-3D70-4F7D-B588-E30E9ECE19B1}\mpengine.dll
    2011-08-03 13:35 . 2011-08-03 13:35 65536 --sha-r- c:\windows\system32\ir32_326.dll
    2011-08-03 13:09 . 2011-08-03 13:09 -------- d-----w- c:\users\Pedro Gómez\AppData\Local\Ilivid Player
    2011-08-03 09:14 . 2011-08-03 09:14 -------- d-----w- c:\users\Pedro Gómez\AppData\Local\PackageAware
    2011-08-02 10:13 . 2011-08-02 10:13 -------- d-----w- c:\users\Pedro Gómez\AppData\Roaming\MEGA5_5110426
    2011-08-02 10:12 . 2011-08-02 10:12 -------- d-----w- c:\program files\MEGA5
    2011-07-27 09:52 . 2011-07-27 09:52 -------- d-----w- c:\users\Pedro Gómez\AppData\Roaming\PeerNetworking
    2011-07-13 17:56 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
    2011-07-13 17:56 . 2011-05-02 12:00 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-07-13 17:56 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-13 17:56 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-12 10:20 . 2011-07-12 10:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
    2011-07-12 10:20 . 2011-07-12 10:20 73064 ----a-w- c:\windows\system32\dnssd.dll
    2011-07-12 10:20 . 2011-07-12 10:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-07-12 10:20 . 2011-07-12 10:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-04 19:30 . 2011-08-04 19:30 0 ---ha-w- c:\users\Pedro Gómez\AppData\Local\BIT9215.tmp
    2011-08-04 19:30 . 2011-08-04 19:30 0 ---ha-w- c:\users\Pedro Gómez\AppData\Local\BIT9215.tmp
    2011-07-05 17:37 . 2011-07-05 17:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-07-05 17:37 . 2011-07-05 17:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-05-24 18:14 . 2009-11-02 09:28 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-13 17:57 . 2011-05-13 17:57 14392 ----a-w- c:\windows\system32\HPMDPCoInst12.dll
    2011-05-13 17:57 . 2008-08-27 16:52 25656 ----a-w- c:\windows\system32\drivers\hpdskflt.sys
    2011-05-13 17:57 . 2008-08-27 16:52 26168 ----a-w- c:\windows\system32\hpservice.exe
    2011-05-13 17:57 . 2008-08-07 09:33 16952 ----a-w- c:\windows\system32\accelerometerdll.DLL
    2011-05-13 17:57 . 2011-05-13 17:57 35896 ----a-w- c:\windows\system32\drivers\Accelerometer.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-16 186904]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-11-27 298536]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2009-02-11 355896]
    "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2009-01-28 24848]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-08-08 319000]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-03-10 506936]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
    "File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2009-01-14 11223040]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-02-18 177720]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 61440]
    "HPCam_Menu"="c:\program files\Hewlett-Packard\HP Webcam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
    "WatchDog"="c:\program files\InterVideo\DVD8SESD\DVDCheck.exe" [2009-03-04 200848]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-05-18 1314816]
    "pcsafedoctor.exe"="c:\program files\PCSafeDoctor\pcsafedoctor.exe" [2011-07-29 2052608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-18 110592]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    Inicio r*pido de Adobe Acrobat.lnk - c:\windows\Installer\{AC76BA86-1034-4700-7760-000000000002}\SC_Acrobat.exe [2009-11-12 25214]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
    2008-08-06 13:23 69632 ----a-w- c:\windows\System32\DeviceNP.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\APSHook.dll c:\windows\System32\APSHook.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    R2 0061031253173103mcinstcleanup;McAfee Application Installer Cleanup (0061031253173103);c:\users\PEDROG~1\AppData\Local\Temp\006103~1.EXE [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Servicio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet: NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-12-04 222512]
    R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2008-08-06 32256]
    R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2008-08-06 349432]
    R3 gupdatem;Servicio de Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
    R3 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [2009-02-11 45056]
    R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [x]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-08 1112560]
    R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-06-27 335872]
    R3 VM650FVM11;UMAX AstraSlim Scanner ProdID x0104;c:\windows\system32\Drivers\USB650C.sys [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 SafeBoot;SafeBoot; [x]
    S0 SbAlg;SbAlg; [x]
    S0 SbFsLock;SbFsLock; [x]
    S1 RsvLock;RsvLock; [x]
    S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-11-27 185896]
    S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-21 21504]
    S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-10-03 1185016]
    S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2008-10-01 256544]
    S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2009-01-14 77824]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 26168]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2008-08-08 777240]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
    S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-02-23 3715072]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    Bioscrypt REG_MULTI_SZ ASBroker ASChannel
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-01-09 14:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 19:46]
    .
    2011-08-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 19:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.searchqu.com/406
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=es_es&c=92&bd=all&pf=cmnb
    uInternet Settings,ProxyOverride = *.local
    IE: Convertir a PDF de Adobe - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir a PDF existente - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir destino de vínculo a PDF existente - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir destino de vínculo en archivo PDF de Adobe - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir selección a archivo PDF existente - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir selección a PDF de Adobe - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir vínculos seleccionados a PDF de Adobe - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convertir vínculos seleccionados a PDF existente - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
    FF - ProfilePath - c:\users\Pedro Gómez\AppData\Roaming\Mozilla\Firefox\Profiles\oujbb230.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
    FF - prefs.js: browser.search.selectedEngine - Search Results
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&q=
    FF - prefs.js: network.proxy.ftp - ftp.ncbi.nih.gov
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: softonic.com4 Community Toolbar: {0974848a-b5bc-49f2-9778-307742b4a55d} - %profile%\extensions\{0974848a-b5bc-49f2-9778-307742b4a55d}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{0974848a-b5bc-49f2-9778-307742b4a55d} - (no file)
    Toolbar-10 - (no file)
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
    AddRemove-OfficeScanNT - c:\program files\Trend Micro\OfficeScan Client\ntrmv.exe
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3468)
    c:\program files\Hewlett-Packard\IAM\Bin\ItClient.dll
    c:\program files\Hewlett-Packard\File Sanitizer\HPPMDesktopIcon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\AEADISRV.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\ActivIdentity\ActivClient\acevents.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
    c:\windows\system32\conime.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-08-10 14:22:24 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-10 13:22
    .
    Pre-Run: 191,047,643,136 bytes libres
    Post-Run: 191,003,873,280 bytes libres
    .
    - - End Of File - - 3C9813CAFA9F8796C02773E16238C510


    Hope these help and again, any help is much appreciated.

    Doug
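    The redirect symptom in this thread lines up with the browser settings shown in the ComboFix "Supplementary Scan" above: the IE user start page and the Firefox search/keyword prefs point at third-party search hosts. The following script is an added example for this thread, not a TechSpot or ComboFix tool; it parses those log lines and flags settings whose host is not on an expected-host allowlist (the allowlist and the watched pref names are assumptions, not from the thread).

```python
"""Triage the 'Supplementary Scan' section of a ComboFix log for browser hijack indicators.

Added example for this thread (not a ComboFix or TechSpot tool). It pulls the IE start page
and selected Firefox prefs.js settings out of the log text and reports any whose host is not
on an allowlist of expected hosts. Everything runs offline on an embedded sample.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the browser-setting lines as they appear in the ComboFix log posted
# above (ComboFix defangs URLs as hxxp), plus the proxy prefs that sit next to them.
SAMPLE_LOG = """\
uStart Page = hxxp://www.searchqu.com/406
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=es_es&c=92&bd=all&pf=cmnb
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=101&systemid=406&q=
FF - prefs.js: network.proxy.ftp - ftp.ncbi.nih.gov
FF - prefs.js: network.proxy.type - 0
"""

# Assumption: hosts the owner (or the OEM image) is expected to point the browser at.
EXPECTED_HOSTS = {"www.google.com", "ie.redirect.hp.com"}

# Firefox prefs that decide where a typed query, a new window or web traffic ends up.
# A proxy pointing at an unexpected host is reported for review, not declared malicious.
WATCHED_PREFS = {
    "browser.search.defaulturl", "browser.startup.homepage", "keyword.URL",
    "network.proxy.http", "network.proxy.ssl", "network.proxy.ftp",
    "network.proxy.autoconfig_url",
}

IE_LINE = re.compile(r"^([um])Start Page\s*=\s*(\S+)")
FF_LINE = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.+)$")


def refang(value: str) -> str:
    """ComboFix writes hxxp/hxxps so URLs are not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip())


def host_of(value: str) -> str:
    """Hostname of a URL, or the bare value when it is not a URL (e.g. a proxy host), lower-cased."""
    url = refang(value)
    if "://" not in url:
        return url.lower()
    return (urlsplit(url).hostname or "").lower()


def triage(log_text: str, expected=EXPECTED_HOSTS):
    """Return [(setting, host, raw_value)] for browser settings that point at unexpected hosts."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = IE_LINE.match(line)
        if m:
            # ComboFix prefixes user-hive values with 'u' and machine-hive values with 'm'.
            scope = "user" if m.group(1) == "u" else "machine"
            setting, raw = f"IE {scope} start page", m.group(2)
        else:
            m = FF_LINE.match(line)
            if not m or m.group(1) not in WATCHED_PREFS:
                continue
            setting, raw = f"Firefox {m.group(1)}", m.group(2)
        host = host_of(raw)
        if host and host not in expected:
            findings.append((setting, host, raw))
    return findings


if __name__ == "__main__":
    for setting, host, raw in triage(SAMPLE_LOG):
        print(f"[!] {setting}: {host}  <- {raw}")
```

    On the sample above it reports the searchqu.com start page, the babylon.com default search URL, the search-results.com keyword.URL and the FTP proxy host, while the HP and Google entries pass.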
     
  6. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    Thank you for turning my attention to it.
    That section shouldn't be there and the manual will be edited soon.

    ================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\users\Pedro Gómez\AppData\Local\BIT9215.tmp
    c:\windows\system32\ir32_326.dll
    c:\users\Pedro Gómez\AppData\Local\BIT9215.tmp
    
    
    Folder::
    C:\$AVG
    c:\windows\system32\drivers\AVG
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     