Google Redirect Virus (Green World)


#1 black66 (New Member, 1 posts)
Hello-
I suffer from the same Google Redirect Virus located in this thread: http://www.geekstogo...ts-t255391.html
In an effort to remain organized and not cause confusion I created a separate thread for myself.
I just ran the latest version of Malwarebytes which did not find anything.
I just ran the latest version of ComboFix. Any help on whatever steps I need to take next would be greatly appreciated. Thanks so much.

ComboFix log:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Installer\1bc4c.msi
c:\windows\run.log
c:\windows\system32\iyodapay.ini
c:\windows\system32\uniq.tll

----- BITS: Possible infected sites -----

hxxp://activead04
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-13 05:41 . 2009-10-13 05:41 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 00:53 . 2009-03-13 02:50 -------- d-----w- c:\documents and settings\ablack\Application Data\Skype
2009-09-19 15:46 . 2009-05-06 19:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-15 16:38 . 2009-05-06 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 19:50 . 2009-09-13 18:58 -------- d-----w- c:\documents and settings\ablack\Application Data\Move Networks
2009-09-13 19:19 . 2008-09-24 03:25 46056 ----a-w- c:\documents and settings\ablack\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 21:54 . 2009-05-06 18:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-05-06 18:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 03:43 . 2007-05-18 18:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-25 23:23 . 2007-05-18 22:10 -------- d-----w- c:\program files\Java
2009-08-20 16:05 . 2009-08-20 16:05 -------- d-----w- c:\documents and settings\ablack\Application Data\Apple Computer
2009-08-20 01:29 . 2009-08-20 01:29 71 ----a-w- c:\documents and settings\ablack\Application DatadMb.dat
2009-08-20 01:29 . 2008-09-24 16:03 -------- d-----w- c:\documents and settings\ablack\Application Data\U3
2009-07-25 12:23 . 2009-03-09 05:15 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-11-24 23:39 . 2008-11-24 23:39 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-24 23:39 . 2008-11-24 23:39 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-24 23:40 . 2008-11-24 23:40 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-02-05 18:09 . 2009-02-05 18:09 48640 --sha-w- c:\windows\system32\fobamito.dll.tmp
2009-05-05 18:14 . 2009-02-05 18:14 51712 --sha-w- c:\windows\system32\hevolofo.exe
2009-02-05 18:09 . 2009-02-05 18:09 48640 --sha-w- c:\windows\system32\petonuho.dll.tmp
2009-02-05 18:09 . 2009-02-05 18:09 48640 --sha-w- c:\windows\system32\pinivake.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "c:\program files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [2007-10-05 61440]

[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-15 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-19 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"SpySweeperEnterprise"="c:\program files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe" [2007-01-15 403520]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"ftpqueue"="c:\program files\WS_FTP Pro\ftpqueue.exe" [2007-06-13 249856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-30 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\lshaw\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-3 113664]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-8-29 299008]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2007-12-11 1873280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-5-18 1445904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-16 19:05 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 74480]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/22/2008 11:30 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/5/2009 3:57 PM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [3/12/2009 7:38 PM 167673]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI7
.
.
------- Supplementary Scan -------
.
mSearchAssistant = hxxp://www.google.com/ie
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {03A13D5D-2C8E-4C1A-970D-D6D07A4FE3D0} - hxxps://atlas.atlassolutions.com/dl/AtlasCtrl.cab
DPF: {3D29D4FC-1A26-4082-81B8-4F0746FCA4D2} - hxxp://qos.doubleclick.net/browsersettingscommon/Settings.cab
DPF: {A49ED895-1261-11D4-98A2-00D0B73B3B21} - hxxps://hbx.hitbox.com/ui/export/XLWrapper.cab
FF - ProfilePath - c:\documents and settings\ablack\Application Data\Mozilla\Firefox\Profiles\4id2bp4i.default\
FF - prefs.js: browser.startup.homepage - www.funnyordie.com
FF - plugin: c:\documents and settings\ablack\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\ablack\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WRLogonNtf.DLL

- - - - - - - > 'explorer.exe'(5396)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WS_FTP Pro\nsftpch.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\WS_FTP Pro\ftpsched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SPYSWEEPER.EXE
c:\windows\system32\sessmgr.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-10-13 14:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 21:06

Pre-Run: 15,796,027,392 bytes free
Post-Run: 19,401,613,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

199 --- E O F --- 2008-09-26 19:31
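The log above is long, and the findings that matter are scattered across it: the "Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected" line (a patched disk driver is a kernel-level foothold, and the best explanation on this page for browser redirects that user-mode scanners missed), the hidden+system files with eight-letter names under system32 in the Find3M report, the Security Center "DisableMonitoring" value, and TCP 3389 in the firewall's globally open ports. Below is an added example, written for this thread and not ComboFix code or part of black66's post, that pulls those indicators out of a ComboFix-style log. The heuristics (system+hidden attributes as the trigger, the eight-letter name as a supporting sign only) and the sample lines, which are constructed after the sections above rather than copied verbatim, are this example's own assumptions.

```python
"""Triage of a ComboFix-style log (added example; not ComboFix code).
Assumed rules of this example, not verdicts ComboFix itself gives:
  * a system32 file with both system ('s') and hidden ('h') attributes is
    flagged; an eight-lowercase-letter stem is noted, never a trigger alone;
  * an "Infected copy of ... was found and disinfected" line names a patched
    system driver, the most serious finding in a log like this one;
  * Security Center "DisableMonitoring"=1 and globally open firewall ports
    are settings the machine's owner should be able to account for.
"""
import re
from dataclasses import dataclass

# Constructed sample lines, shaped after the Find3M, registry and firewall
# sections of the log in this thread (not a verbatim copy of it).
SAMPLE_LOG = """\
2009-02-05 18:09 . 2009-02-05 18:09 48640 --sha-w- c:\\windows\\system32\\fobamito.dll.tmp
2009-05-05 18:14 . 2009-02-05 18:14 51712 --sha-w- c:\\windows\\system32\\hevolofo.exe
2009-07-25 12:23 . 2009-03-09 05:15 411368 ----a-w- c:\\windows\\system32\\deploytk.dll
2009-09-10 21:53 . 2009-05-06 18:25 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
Infected copy of c:\\windows\\system32\\drivers\\atapi.sys was found and disinfected
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Find3M line layout: <mtime> . <ctime> <size or --------> <attrs> <path>
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+)$")
DISINFECTED_RE = re.compile(r"^Infected copy of (\S+) was found and disinfected$")
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
MONITORING_KEY_RE = re.compile(r"^\[.*security center\\Monitoring\\([^\]]+)\]$", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    path: str
    attrs: str   # eight-character attribute field, e.g. "--sha-w-"
    size: int    # 0 for directories


def parse_find3m(text):
    """Return the Find3M file entries found in a ComboFix-style log."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line)
        if m:
            size = 0 if m.group(3) == "--------" else int(m.group(3))
            entries.append(Entry(path=m.group(5), attrs=m.group(4), size=size))
    return entries


def suspicious_entries(entries):
    """Files under system32 with system+hidden attributes, with reasons."""
    flagged = []
    for e in entries:
        p = e.path.lower()
        if e.attrs.startswith("d") or not p.startswith(SYSTEM32):
            continue
        if not ("s" in e.attrs and "h" in e.attrs):
            continue                      # attributes are the trigger
        reasons = ["system+hidden attributes under system32"]
        stem = p.rsplit("\\", 1)[-1].split(".")[0]
        if re.fullmatch(r"[a-z]{8}", stem):
            reasons.append("random-looking eight-letter name")
        flagged.append((e.path, reasons))
    return flagged


def patched_drivers(text):
    """Paths ComboFix reported as infected and disinfected."""
    return [m.group(1) for m in map(DISINFECTED_RE.match, text.splitlines()) if m]


def globally_open_ports(text):
    """(port, proto) pairs from the firewall GloballyOpenPorts section."""
    return [(int(m.group(1)), m.group(2))
            for m in map(OPEN_PORT_RE.match, text.splitlines()) if m]


def disabled_monitoring(text):
    """Security Center products whose monitoring is disabled in the registry."""
    products, current = [], None
    for line in text.splitlines():
        key = MONITORING_KEY_RE.match(line)
        if key:
            current = key.group(1)
        elif line.startswith("["):
            current = None                # any other key ends the block
        elif current and line.strip().lower() == '"disablemonitoring"=dword:00000001':
            products.append(current)
    return products


def triage(text):
    """One-shot summary to read before deciding the next cleanup step."""
    return {
        "suspicious_files": suspicious_entries(parse_find3m(text)),
        "patched_drivers": patched_drivers(text),
        "open_ports": globally_open_ports(text),
        "monitoring_disabled": disabled_monitoring(text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

Two design points. The name pattern is deliberately not a trigger on its own: deploytk.dll in the same log has an eight-letter stem and normal attributes, so a name-only rule would flag it. And a "disinfected" driver line should be followed up rather than trusted blindly: compare the restored atapi.sys against a known-good copy (the same file from the service pack install media or another patched XP SP2 machine) before concluding the kernel-level component is gone.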