TechSpot

I need help... Google redirect

By NeeNo
Jun 26, 2010
Topic Status:
Not open for further replies.
  1. So for some time now I have been getting quite annoyed by this "Google redirect".. I did a little research and found im not the only one... My search led me here to this forum...




    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Administrator at 9:22:30.98 on Fri 06/25/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1446 [GMT -5:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Sygate\SPF\smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie_rsearch.html
    uDefault_Page_URL = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
    mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE"
    dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    uPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    mPolicies-explorer: StartMenuFavorites = 0 (0x0)
    mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)
    mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)
    mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)
    mPolicies-explorer: Start_ShowRun = 1 (0x1)
    mPolicies-explorer: Start_ShowSearch = 0 (0x0)
    mPolicies-system: DisableCAD = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
    dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
    dPolicies-explorer: NoActiveDesktop = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: prio.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7u0tvsku.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-1 164048]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-1 19024]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-1 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-1 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-1 40384]
    S4 vsdatant;vsdatant; [x]

    =============== Created Last 30 ================

    2010-06-25 14:17:56 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
    2010-06-24 14:34:16 0 d-----w- c:\program files\common files\Protexis
    2010-06-24 14:33:06 506 ----a-w- c:\windows\system32\mapisvc.inf
    2010-06-24 14:31:29 0 d-----w- c:\program files\common files\Borland Shared
    2010-06-24 14:29:20 0 d-----w- c:\program files\common files\Corel
    2010-06-24 14:27:52 0 d-----w- c:\program files\Corel
    2010-06-17 04:05:53 8 --sh--r- c:\docume~1\alluse~1\applic~1\40B9929C64.sys
    2010-06-17 04:05:53 2516 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
    2010-06-17 03:51:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel
    2010-06-17 03:50:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Borland
    2010-06-08 00:15:18 0 d-----w- c:\program files\LCP
    2010-06-07 04:23:37 503290 ----a-w- c:\windows\umcat_01.db
    2010-05-31 20:22:01 0 ----a-w- c:\windows\Twunk003.MTX
    2010-05-31 20:22:00 3 ----a-w- c:\windows\Twain001.Mtx
    2010-05-31 20:22:00 0 ----a-w- c:\windows\Twunk002.MTX
    2010-05-28 18:24:50 0 d-----w- c:\program files\face rec
    2010-05-28 18:24:06 0 d-----w- c:\program files\s3
    2010-05-28 18:24:06 0 d-----w- c:\program files\s2
    2010-05-28 18:24:06 0 d-----w- c:\program files\s1

    ==================== Find3M ====================

    2010-06-06 21:23:33 6238943 ----a-w- c:\program files\TheEnchantedCaveBored.swf
    2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    ============= FINISH: 9:23:02.75 ===============

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    "Google Redirect" has become a catch-all phrase for whenever someone doesn't get the page they want loaded. Sometimes, a security program will block a web page because it is dangerous. So it would be helpful if you gave me a more specific description of your 'redirect.

    It appears that you may have a Rootkit, so I will ask you to run the two following programs:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    =============================================

    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Leave both logs in your next reply.

    Why are there No restore point in system.?

    Please disable or uninstall RegSupreme Pro. We do not recommend using a Registry cleaner. IF you decide not to remove it, please disable it while I am helping you. Do not make any Registry changes or run any other cleaning programs or scans while I am helping you.

    Also, please disable or uninstall the file sharing program Vuze. If you keep it, don't use it while cleaning.
  3. NeeNo

    NeeNo Newcomer, in training Topic Starter


    My situation is this... A few weeks ago i was watching a streamed video on a website... Where the video usually is was a message asking me to update my flash player... not thinking much of it I clicked the button... BIG mistake... I had the worst virus I had ever seen... My friend and I tackled this for a good 6 hours before getting my computer back to running condition... since then ... Whenever I use the Google search engine , when i click on the link to a site of my choice it will tell me I am being redirected and then loads a site different from the one I chose.
    Occasionally It will let me pass... Occasionally I have to open the link in a new tab / page... but most of the time I have to manually type in (or copy/paste) the link in to the address bar.... hope that clears the air...



    Running CF right now
  4. NeeNo

    NeeNo Newcomer, in training Topic Starter

    Ok so I ran ComboFix... the log is attached..

    I attempted to run the online scan but got this message...
    Can not get update. Is proxy configured?

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    FileLook::
    c:\program files\s3
    c:\program files\s2
    c:\program files\s1
    
    Folder::
    c:\documents and settings\All Users\Application Data\Norton
    c:\program files\Common Files\Symantec Shared
    	
    Registry::
    
    RegLock::
    [HKEY_USERS\S-1-5-21-1715567821-682003330-1644491937-500\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ===============================================
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    ====================
    Please include logs in next repky.

    Advise you uninstall Azureus
  6. NeeNo

    NeeNo Newcomer, in training Topic Starter

    Thanx for helping... heres the two logs

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My apology for this delay- my router went out Thursday night and I just got the replacement this afternoon- trying to get caught up. Okay, Kaspersky found it.

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    [​IMG]
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list..
    • You should get a screen like this:
    [​IMG]
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.

    Let's see how this goes.
  8. NeeNo

    NeeNo Newcomer, in training Topic Starter

    ok i did the scan... heres the log

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I'm going to have you move the files from Kaspersky. But the nature of the malware found> not-a-virus:pSWTool.Win32.PWDump.k means that you system is not secure. This malware is classified as A hacktool that could be used by attackers to break into a system..

    Another infecting process was RiskTool.Win32.HideWindows. This malware may have give an image like this:
    [​IMG]
    It is classified as a is a Trojan that attempts to connect to the Internet to download other Malware. Once it is downloaded, it will cause a chain of other malicious file downloads.

    You will also need to empty the Java cache:
    Contorl Panel> Java> Temoporary internet files> Settings> click on Delete> I recommend that you do not allow any 'space' to keep these files.
    We will remove the entries, but that does not mean that you are safe or that damage hasn't already been done:
    ================================================
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-19c42576	
      C:\Program Files\LCP\Data\pwdump2\samdump.dll	
      C:\Program Files\LCP\Data\pwdump2-orig\samdump.dll	
      C:\Program Files\LCP\Data\pwdump3\pwservice.exe	
      C:\Program Files\LCP\Data\pwdump3e\pwservice.exe	
      C:\WINDOWS\system32\cmdow.exe	
      RegLock::
      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ======================================
    The TDSS Rootkit entry was found in a System Volume files. This is the restore point. It is not active in the system now and I will have you drop the old restore points and create a new one at the end. In the meantime, do use the System Restore feature.

    I found a patch that was installed which was adware:
    c:\windows\Installer\$PatchCache$\Managed\00002119E20000000000000000F01FEC\12.0.4518\SMARTTAGINSTALL.EXE on 10/26/2006

    I recommend that you uninstall c:\program files\Vuze File sharing
    You're running a program named filterpipelineprintproc.dll (Print Filter Pipeline Proxy)

    Most of us do not recommend Registry Cleaners and I recommend that you uninstall RegCure
  10. NeeNo

    NeeNo Newcomer, in training Topic Starter

    ok I did this


    Am I to do this now??? how do I do it???

    ???


    I have also done this


    I dont know what this stuff is

    the log you asked for is attached

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm going to stop asking questions and giving information! I think it confuses people more than if I just have them do something!

    Regarding System Restore: I was just attempting to assure you that the file wasn't active in the system. I will have you drop the old restore points when clean. You do not need to do anything about it now.

    Because of the type of malware on the system, I am going to advise that you reformat and reinstall.
    Before you add everything back to the system, please check what it does and if you want/need it.

    You will ind excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
     
  12. NeeNo

    NeeNo Newcomer, in training Topic Starter

    ok this might take me a bit... ive lost my disk
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.