TechSpot

Google results are getting redirected to junk sites

By kman1982
Jul 12, 2011
  1. My google searches are redirected to junk sites.
    I followed UPDATED 7-step Viruses/Spyware/Malware Preliminary Removal Instructions

    Here are my results

    Malwarebytes Anti-Malware log

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7092

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    7/12/2011 6:42:56 PM
    mbam-log-2011-07-12 (18-42-56).txt

    Scan type: Quick scan
    Objects scanned: 191514
    Time elapsed: 19 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER log

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-07-12 18:47:10
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHZ2080BH_G2 rev.00850009
    Running: 9c7f8std.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\uxtdrpob.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9EB3D70]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9EB3D84]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9EB3DB0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9EB3E06]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9EB3D5C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9EB3D34]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9EB3D48]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9EB3D9A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9EB3DDC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9EB3DC6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9EB3E30]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9EB3E1C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9EB3DF0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    DDS.txt
    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_23
    Run by admin at 18:48:56 on 2011-07-12
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1220 [GMT -4:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\admin\My Documents\Downloads\9c7f8std.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com?o=15007&l=dis
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.ask.com/?o=15007&l=dis
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110530185540.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{B83729B1-3DFC-452B-A4DF-0F7AFE7CE7D1} : DhcpNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\yk9vqbm2.default\
    FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-9-14 459728]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-9-14 89368]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-27 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 214904]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-9-14 214904]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-14 165000]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-14 159832]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-9-14 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-14 57432]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-14 179248]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-14 59288]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-14 337912]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-9-14 83688]
    S0 cadowbk;cadowbk;c:\windows\system32\drivers\txmy.sys --> c:\windows\system32\drivers\txmy.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-9-14 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-14 85984]
    S4 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2011-3-19 401920]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-28 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-28 136176]
    .
    =============== Created Last 30 ================
    .
    2011-06-29 12:07:19 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-06-29 12:07:18 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-06-21 02:24:31 -------- d-----w- c:\documents and settings\admin\application data\ICAClient
    2011-06-21 02:19:57 -------- d-----w- c:\documents and settings\admin\local settings\application data\AskToolbar
    2011-06-18 01:30:37 -------- d-----w- c:\documents and settings\admin\local settings\application data\Adobe
    .
    ==================== Find3M ====================
    .
    2011-06-04 14:39:21 90112 ----a-w- c:\windows\DUMP50bf.tmp
    2011-06-04 04:05:08 0 ----a-w- c:\windows\Rqodog.bin
    2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    ============= FINISH: 18:50:21.71 ===============

    Attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/27/2009 1:03:18 PM
    System Uptime: 7/11/2011 10:18:59 PM (20 hours ago)
    .
    Motherboard: Dell Inc. | | 0NF743
    Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | Microprocessor | 987/166mhz
    Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | Microprocessor | 987/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 4.971 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\21791D61324FC000
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\21791D61324FC000
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP300: 7/2/2011 12:58:24 PM - System Checkpoint
    RP301: 7/2/2011 4:40:48 PM - System Checkpoint
    RP302: 7/3/2011 7:04:16 PM - System Checkpoint
    RP303: 7/4/2011 7:15:45 PM - System Checkpoint
    RP304: 7/6/2011 11:13:56 PM - System Checkpoint
    RP305: 7/8/2011 5:52:14 PM - System Checkpoint
    RP306: 7/10/2011 9:21:44 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.5
    Amazon Games & Software Downloader
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Big Kahuna Reef
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    CCleaner
    Citrix XenApp Web Plugin
    Conexant HDA D110 MDC V.92 Modem
    Dell Mobile Broadband Card Utility
    Dell Wireless WLAN Card
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    ExtractNow
    Family Tree Maker 2010
    Google Talk (remove only)
    Google Talk Plugin
    Google Update Helper
    GoToMeeting 4.5.0.457
    GPL MPEG-1/2 DirectShow Decoder Filter
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    Magic ISO Maker v5.5 (build 0276)
    Malwarebytes' Anti-Malware version 1.51.0.1200
    McAfee AntiVirus Plus
    McAfee Security Scan Plus
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft WSE 3.0
    Mozilla Firefox 5.0 (x86 en-US)
    MSXML 6.0 Parser (KB933579)
    Picasa 3
    Primo
    QuickTime
    Runtime
    Scrapbook Flair
    SigmaTel Audio
    Skype web features
    Skype™ 4.1
    Sonic UDF Reader
    SopCast 3.2.9
    Trojan Killer 2.0
    Update for Microsoft Office Word 2007 (KB974631)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.0.3
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Media Encoder 9 Series
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Software Update
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/7/2011 10:57:15 PM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.7, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    7/6/2011 7:07:00 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
    7/6/2011 6:24:16 PM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
    .
    ==== End Of File ===========================
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==================================================================

    Which browser is getting redirected?
    Did you try different browser?

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. kman1982

    kman1982 TS Rookie Topic Starter

    Which browser is getting redirected?
    Did you try different browser?

    it happens in Firefox. I have tried others too with same issue

    MBR.dat


    aswMBR version 0.9.7.707 Copyright(c) 2011 AVAST Software
    Run date: 2011-07-13 00:42:51
    -----------------------------
    00:42:51.843 OS Version: Windows 5.1.2600 Service Pack 2
    00:42:51.843 Number of processors: 2 586 0xF06
    00:42:51.875 ComputerName: RAMYA UserName: admin
    00:42:52.609 Initialize success
    00:42:59.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    00:42:59.125 Disk 0 Vendor: FUJITSU_MHZ2080BH_G2 00850009 Size: 76319MB BusType: 3
    00:43:01.140 Disk 0 MBR read successfully
    00:43:01.140 Disk 0 MBR scan
    00:43:01.156 Disk 0 Windows XP default MBR code
    00:43:03.156 Disk 0 scanning sectors +156280320
    00:43:03.234 Disk 0 scanning C:\WINDOWS\system32\drivers
    00:43:21.203 Service scanning
    00:43:22.796 Disk 0 trace - called modules:
    00:43:22.828 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    00:43:22.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89e4c758]
    00:43:22.828 3 CLASSPNP.SYS[ba10905b] -> nt!IofCallDriver -> \Device\00000081[0x89d9f3b8]
    00:43:22.828 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89de9940]
    00:43:22.828 Scan finished successfully
    00:43:59.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\admin\My Documents\MBR.dat"
    00:43:59.421 The log file has been saved successfully to "C:\Documents and Settings\admin\My Documents\aswMBR.txt"

    "C:\ComboFix.txt"

    ComboFix 11-07-12.09 - admin 07/13/2011 0:49.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1396 [GMT -4:00]
    Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\admin\Application Data\439E9A70CCEC25604FF87337E36A741C
    c:\documents and settings\admin\Application Data\439E9A70CCEC25604FF87337E36A741C\enemies-names.txt
    c:\documents and settings\admin\Application Data\439E9A70CCEC25604FF87337E36A741C\local.ini
    c:\documents and settings\admin\Application Data\439E9A70CCEC25604FF87337E36A741C\lsrslt.ini
    c:\documents and settings\admin\Application Data\Adobe\plugs
    c:\documents and settings\admin\Application Data\Adobe\shed
    c:\documents and settings\admin\g2mdlhlpx.exe
    c:\documents and settings\admin\Local Settings\Application Data\{111F1D62-D550-4942-9FE2-43F14AFEC611}
    c:\documents and settings\admin\Local Settings\Application Data\{111F1D62-D550-4942-9FE2-43F14AFEC611}\chrome.manifest
    c:\documents and settings\admin\Local Settings\Application Data\{111F1D62-D550-4942-9FE2-43F14AFEC611}\chrome\content\_cfg.js
    c:\documents and settings\admin\Local Settings\Application Data\{111F1D62-D550-4942-9FE2-43F14AFEC611}\chrome\content\overlay.xul
    c:\documents and settings\admin\Local Settings\Application Data\{111F1D62-D550-4942-9FE2-43F14AFEC611}\install.rdf
    C:\winclaster
    c:\winclaster\config.bin
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-13 to 2011-07-13 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-13 04:30 . 2011-07-13 04:30 -------- d-----w- c:\documents and settings\Guest\Application Data\ICAClient
    2011-07-13 04:30 . 2011-07-13 04:30 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Citrix
    2011-07-13 03:52 . 2011-07-13 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
    2011-07-13 03:51 . 2011-07-13 03:51 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Citrix
    2011-07-13 03:49 . 2011-07-13 03:50 -------- d-----w- c:\documents and settings\admin\Application Data\Download Manager
    2011-07-13 03:38 . 2011-07-13 03:39 -------- d-----w- c:\documents and settings\admin\Citrix
    2011-07-10 20:32 . 2011-07-10 20:32 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
    2011-07-08 02:57 . 2011-07-08 02:57 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
    2011-06-29 12:07 . 2011-06-29 12:07 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-29 12:07 . 2011-06-29 12:07 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-06-21 02:24 . 2011-06-21 02:27 -------- d-----w- c:\documents and settings\admin\Application Data\ICAClient
    2011-06-21 02:19 . 2011-06-21 02:22 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\AskToolbar
    2011-06-19 12:32 . 2011-07-10 16:10 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
    2011-06-18 01:30 . 2011-06-18 01:30 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Adobe
    2011-06-16 03:26 . 2011-06-16 03:26 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-04 14:39 . 2009-12-27 11:33 90112 ----a-w- c:\windows\DUMP50bf.tmp
    2011-05-29 13:11 . 2010-12-04 03:24 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2010-12-04 03:24 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-27 17:44 . 2011-04-27 17:44 157184 --sha-r- c:\documents and settings\Guest\Application Data\dmviewe.dll
    2010-10-12 20:33 . 2010-10-12 20:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2010-10-12 22:15 . 2010-10-12 22:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2010-10-12 20:37 . 2010-10-12 20:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2010-10-12 20:35 . 2010-10-12 20:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2010-10-12 20:34 . 2010-10-12 20:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2010-10-12 20:32 . 2010-10-12 20:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2010-10-12 20:35 . 2010-10-12 20:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2010-10-12 20:34 . 2010-10-12 20:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2010-07-14 16:42 . 2010-07-14 16:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2010-10-12 20:37 . 2010-10-12 20:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-06-29 12:07 . 2011-03-24 21:38 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 18:01 . 2010-11-06 13:27 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-02-01 23:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-10-23 17:31 326144 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-05-10 15:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "YahooAUService"=2 (0x2)
    "ose"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "Amazon Download Agent"=3 (0x3)
    "gupdatem"=3 (0x3)
    "odserv"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/14/2010 3:29 PM 89368]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/27/2009 3:24 PM 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 3:29 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 3:29 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [9/14/2010 3:30 PM 159832]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/14/2010 3:29 PM 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/14/2010 3:29 PM 57432]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/14/2010 3:29 PM 337912]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/14/2010 3:29 PM 83688]
    S0 cadowbk;cadowbk;c:\windows\system32\drivers\txmy.sys --> c:\windows\system32\drivers\txmy.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/14/2010 3:29 PM 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/14/2010 3:29 PM 85984]
    S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [3/19/2011 8:18 PM 401920]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2010 8:25 PM 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2010 8:25 PM 136176]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWMBR
    *Deregistered* - aswMBR
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 00:25]
    .
    2011-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 00:25]
    .
    2011-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1409082233-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-27 19:47]
    .
    2011-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1409082233-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-27 19:47]
    .
    2011-07-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-02-01 23:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=15007&l=dis
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.ask.com/?o=15007&l=dis
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\yk9vqbm2.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-13 00:58
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1312)
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\igfxdev.dll
    .
    - - - - - - - > 'winlogon.exe'(2532)
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2011-07-13 01:01:23
    ComboFix-quarantined-files.txt 2011-07-13 05:01
    .
    Pre-Run: 5,134,659,584 bytes free
    Post-Run: 10,372,141,056 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    .
    - - End Of File - - 58A6C744721611F1B224C9EB5F906B22
     
  4. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Why did you refuse recovery console installation?

    Is the redirection still present after Combofix?

    Uninstall Ask Toolbar, typical foistware.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\txmy.sys
    
    
    Driver::
    cadowbk
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  5. kman1982

    kman1982 TS Rookie Topic Starter

    ComboFix 11-07-12.09 - admin 07/13/2011 22:20:39.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1415 [GMT -4:00]
    Running from: c:\documents and settings\admin\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    FILE ::
    "c:\windows\system32\drivers\txmy.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_cadowbk
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-13 04:30 . 2011-07-13 04:30 -------- d-----w- c:\documents and settings\Guest\Application Data\ICAClient
    2011-07-13 04:30 . 2011-07-13 04:30 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Citrix
    2011-07-13 03:52 . 2011-07-13 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
    2011-07-13 03:51 . 2011-07-13 03:51 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Citrix
    2011-07-13 03:49 . 2011-07-13 03:50 -------- d-----w- c:\documents and settings\admin\Application Data\Download Manager
    2011-07-13 03:38 . 2011-07-13 03:39 -------- d-----w- c:\documents and settings\admin\Citrix
    2011-07-10 20:32 . 2011-07-10 20:32 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
    2011-07-08 02:57 . 2011-07-08 02:57 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
    2011-06-29 12:07 . 2011-06-29 12:07 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-29 12:07 . 2011-06-29 12:07 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-06-21 02:24 . 2011-06-21 02:27 -------- d-----w- c:\documents and settings\admin\Application Data\ICAClient
    2011-06-21 02:19 . 2011-06-21 02:22 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\AskToolbar
    2011-06-19 12:32 . 2011-07-10 16:10 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
    2011-06-18 01:30 . 2011-06-18 01:30 -------- d-----w- c:\documents and settings\admin\Local Settings\Application Data\Adobe
    2011-06-16 03:26 . 2011-06-16 03:26 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-04 14:39 . 2009-12-27 11:33 90112 ----a-w- c:\windows\DUMP50bf.tmp
    2011-05-29 13:11 . 2010-12-04 03:24 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2010-12-04 03:24 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-27 17:44 . 2011-04-27 17:44 157184 --sha-r- c:\documents and settings\Guest\Application Data\dmviewe.dll
    2010-10-12 20:33 . 2010-10-12 20:33 124344 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2010-10-12 22:15 . 2010-10-12 22:15 13240 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2010-10-12 20:37 . 2010-10-12 20:37 70592 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2010-10-12 20:35 . 2010-10-12 20:35 91576 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2010-10-12 20:34 . 2010-10-12 20:34 22464 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2010-10-12 20:32 . 2010-10-12 20:32 255416 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2010-10-12 20:35 . 2010-10-12 20:35 31672 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2010-10-12 20:34 . 2010-10-12 20:34 40384 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2010-07-14 16:42 . 2010-07-14 16:42 898480 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2010-10-12 20:37 . 2010-10-12 20:37 24000 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-06-29 12:07 . 2011-03-24 21:38 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-04-14 18:01 . 2010-11-06 13:27 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-13_04.58.43 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2004-08-04 01:07 . 2011-07-13 03:57 71404 c:\windows\system32\perfc009.dat
    + 2004-08-04 01:07 . 2011-07-13 05:16 71404 c:\windows\system32\perfc009.dat
    + 2004-08-04 01:07 . 2011-07-13 05:16 441252 c:\windows\system32\perfh009.dat
    - 2004-08-04 01:07 . 2011-07-13 03:57 441252 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2011-02-01 23:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-10-12 304568]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-10-23 17:31 326144 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-05-10 15:22 405504 ----a-w- c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "YahooAUService"=2 (0x2)
    "ose"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "gupdate"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "Amazon Download Agent"=3 (0x3)
    "gupdatem"=3 (0x3)
    "odserv"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [7/14/2010 12:51 PM 65584]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/14/2010 3:29 PM 89368]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/27/2009 3:24 PM 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 3:29 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [9/14/2010 3:29 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [9/14/2010 3:30 PM 159832]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/14/2010 3:29 PM 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/14/2010 3:29 PM 57432]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/14/2010 3:29 PM 337912]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/14/2010 3:29 PM 83688]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/14/2010 3:29 PM 83688]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/14/2010 3:29 PM 85984]
    S4 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [3/19/2011 8:18 PM 401920]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2010 8:25 PM 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2010 8:25 PM 136176]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 00:25]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-11-29 00:25]
    .
    2011-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1409082233-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-27 19:47]
    .
    2011-07-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1409082233-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-27 19:47]
    .
    2011-07-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2011-02-01 23:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=15007&l=dis
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.ask.com/?o=15007&l=dis
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\yk9vqbm2.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-13 22:31
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1312)
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(2800)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Citrix\ICA Client\wfcrun32.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\progra~1\mcafee.com\agent\mcupdate.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsmap.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-13 22:36:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-14 02:36
    ComboFix2.txt 2011-07-13 05:01
    .
    Pre-Run: 10,653,966,336 bytes free
    Post-Run: 10,346,000,384 bytes free
    .
    - - End Of File - - E11E900223108186588261EA3A3B23AF
     
  6. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    I can't proceed until you answer my question:
    Why did you refuse recovery console installation?
     
  7. kman1982

    kman1982 TS Rookie Topic Starter

    Apologies. Missed it again.

    I have removed Ask toolbar.

    Now google links seem to work fine. Thanks a lot for your help. Will update you again in a weeks time, how things are.

    Thanks again
     
  8. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    I'm glad to hear good news, but...

    1. You still didn't answer my question.
    2. A quote from rules I posted at the very beginning:
     
  9. kman1982

    kman1982 TS Rookie Topic Starter

    Apologies again.
    is there anything else you want me to do?
     
  10. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Yes. I want you to re-run Combofix and ALLOW Recovery Console installation.
    Then post new log.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...