
google redirect?


#16 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,

According to SystemLook, the file is clean, so let's take a different approach. Please do the following:

Open Google Chrome

  • Click the wrench icon on the browser toolbar.
  • Select Tools.
  • Select Clear browsing data.
  • Where it says Obliterate the following items from: select The beginning of time
  • In the dialog that appears, select the following checkboxes:
    • Clear browsing history
    • Clear download history
    • Empty the cache
    • Delete cookies and other site data
  • Click Clear browsing data.

Restart Google Chrome. Can you now check if you are still being redirected?

#17 phon (Topic Starter, Member, 23 posts)
Hi
This seemed to work at first and the first few searches worked fine. I tested it again before replying though and the redirect was back.
I went through the process of clearing the browsing data again a few times and each time had a few clear searches.

#18 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,

I reported this problem to my colleagues to seek advice, so there will be a couple of extra eyes on your topic. I will be back to you as soon as possible with further instructions.

#19 phon (Topic Starter, Member, 23 posts)
Thank You

#20 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi,


Please follow these steps:


Step 1 | ComboFix - CFScript


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:

RESTORE::
c:\windows\system32\userinit.exe

  • Save it to your desktop as CFScript.txt
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Drag the CFScript.txt (icon) into the ComboFix.exe icon.

    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  • Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **


Step 2 | Please go to the following site to scan a file: Virus Total

  • Click on Browse, and upload the following file for analysis:

    • C:\Windows\System32\1055877960
  • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
  • If it says already scanned -- click "reanalyze now"
  • Please post the results in your next reply.

#21 phon (Topic Starter, Member, 23 posts)
ComboFix 11-03-24.06 - Scott 03/28/2011 14:05:26.4.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3535.2069 [GMT 13:00]
Running from: c:\users\Scott\Desktop\landscape.exe.exe
Command switches used :: c:\users\Scott\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Updated* {A7500527-8708-6548-7035-7F679C5FCEA5}
FW: COMODO Firewall *Disabled* {9F6B8402-CD67-6410-5B6A-D652628C89DE}
SP: COMODO Defense+ *Disabled/Updated* {1C31E4C3-A132-6AC6-4A85-4415E7D88418}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\landscape.exe\HarddiskVolumeShadowCopy9_!Windows!System32!userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-28 01:12 . 2011-03-28 01:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-28 01:12 . 2011-03-28 01:12 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-03-25 21:23 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F163CBFE-B18F-4C78-B015-D88D3CCC554C}\mpengine.dll
2011-03-25 21:20 . 2011-03-26 21:44 -------- d-----w- c:\programdata\ArcSoft
2011-03-25 21:20 . 2001-09-04 15:18 225280 ----a-w- c:\program files\Common Files\InstallShield\IScript\iscript.dll
2011-03-25 21:20 . 2001-09-04 15:14 176128 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-03-25 21:20 . 2001-09-04 15:13 32768 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-03-25 21:20 . 2001-09-04 15:18 77824 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-03-25 21:20 . 2003-04-23 08:34 614532 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-03-23 01:01 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 01:01 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 01:01 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-16 08:39 . 2011-03-16 08:39 -------- d-----w- C:\_OTM
2011-03-16 08:35 . 2011-03-16 08:36 -------- d-----w- c:\program files\ERUNT
2011-03-15 05:29 . 2011-03-15 05:29 -------- d-----w- c:\programdata\Norton
2011-03-15 05:29 . 2011-03-15 07:17 -------- d-----w- c:\users\Scott\AppData\Local\NPE
2011-03-13 09:41 . 2011-03-15 08:05 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-13 09:35 . 2011-03-13 09:48 -------- d-----w- c:\programdata\Hitman Pro
2011-03-13 00:48 . 2011-03-13 00:48 -------- d-----w- c:\program files\iPod
2011-03-09 04:59 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:59 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:59 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 04:59 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 04:59 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 04:59 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-03 03:26 . 2011-03-03 03:26 -------- d-----w- c:\programdata\TSplines
2011-03-03 03:25 . 2008-05-26 19:34 200704 ----a-w- c:\windows\system32\BongoSDK.10.v40.dll
2011-03-03 03:19 . 2011-03-26 04:39 -------- d-----w- c:\program files\T-Splines for Rhino
2011-03-03 02:59 . 2011-03-03 03:00 -------- d-----w- c:\program files\Flamingo 1.1
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 08:40 . 2011-02-23 08:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 05:11 . 2009-10-12 08:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-08 19:04 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-08 19:03 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-08 19:03 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-08 19:03 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-08 19:03 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-08 19:03 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-08 19:03 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-08 19:03 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-08 19:03 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-08 19:03 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-08 19:03 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-08 19:03 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-08 19:03 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-08 19:04 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-08 19:04 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-08 19:03 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-08 19:03 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-08 19:04 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-08 19:04 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-08 19:04 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-08 19:04 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-08 19:04 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-08 19:04 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-08 19:03 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-08 19:04 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-08 19:03 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-08 19:03 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-08 19:03 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-11 21:40 413696 ----a-w- c:\windows\system32\odbc32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]
"SJelite3Launch"="c:\users\Scott\AppData\Roaming\Transcend\SJelite3\SJelite3Launch.exe" [2009-04-02 176128]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-07 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-07 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-07 145944]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-13 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-10-14 1799952]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-20 200704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-26 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\users\Scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Wireless USB Manager.lnk - c:\program files\Dell\Dell WUSB\WQ_Tray2.exe [2008-4-25 1817656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-28 136176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-28 29736]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-10-15 128888]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-10-15 29520]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2008-05-14 61424]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\aestsrv.exe [2009-02-12 81920]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2008-04-04 224384]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-25 3662848]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2009-03-05 133632]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2009-03-08 280096]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
rsmsvcs REG_MULTI_SZ ntmssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-28 23:50]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-28 23:50]
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4125145035-2518940612-160353995-1000Core.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-12 05:09]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4125145035-2518940612-160353995-1000UA.job
- c:\users\Scott\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-12 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.nz/
FF - ProfilePath - c:\users\Scott\AppData\Roaming\Mozilla\Firefox\Profiles\4ut75wxc.default\
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10587&gct=&gc=1&q=
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\program files\Real\RealPlayer\browserrecord\firefox\ext
FF - Ext: RulerDark: {6ce6f000-9b3c-11dd-ad8b-0800200c9a66} - %profile%\extensions\{6ce6f000-9b3c-11dd-ad8b-0800200c9a66}
FF - Ext: PitchDark: {c1dffba0-628e-11d9-9669-0800200c9a66} - %profile%\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 14:18
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3880)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_38163857\STacSV.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
.
**************************************************************************
.
Completion time: 2011-03-28 14:25:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-28 01:24
ComboFix2.txt 2011-03-25 22:20
ComboFix3.txt 2011-03-25 21:40
ComboFix4.txt 2011-03-25 08:43
.
Pre-Run: 32,760,430,592 bytes free
Post-Run: 31,674,011,648 bytes free
.
- - End Of File - - 53BE63318FF141AE62A61CFFFC88F58C

Virus total results...

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
1055877960
Submission date:
2011-03-28 01:27:56 (UTC)
Result:
0/ 41 (0.0%)

MD5 : 3095e5ac35854d9af05f631e66ad48f9
SHA1 : 8143211fc4f561e32f8ec443d8062d6bdd5e9e97
SHA256: 8f22a49b290138277dbf58d58734d76234aec3139c93548c78184c905513930a

#22 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,

Are you still being redirected in Chrome?

Please go to the following site to scan two files: Virus Total

  • Click on Browse, and upload the following files for analysis:

    • c:\windows\system32\BongoSDK.10.v40.dll
    • c:\windows\system32\userinit.exe
  • Then click Submit. Allow the files to be scanned, and then please copy and paste the results here for me to see.
  • If it says already scanned -- click "reanalyze now"
  • Please post the results in your next reply.


#23 phon (Topic Starter, Member, 23 posts)
Hi Blottedisk

Yes, I am still being redirected in Chrome.
Stubborn wee beastie, it seems.

Firefox is still ok.

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
BongoSDK.10.v40.dll
Submission date:
2011-03-28 06:22:44 (UTC)
Result:
0/ 42 (0.0%)

MD5 : 87b437c82b4a0b542fb597a32118d585
SHA1 : 2b0a3569f72d19cb34bd2b89967781b7763caacb
SHA256: d6d74f526b40a0984f6c9d97f47f515e54f21d6d6004f1ae0091ba6d3ecaf456

1 VT Community user(s) with a total of 1767 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
userinit.exe
Submission date:
2011-03-28 06:25:40 (UTC)
Result:
0/ 38 (0.0%)

MD5 : 0e135526e9785d085bcd9aede6fbcbf9
SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
SHA256: 75eea7e5ae90d857b777361a0166f9a82e354f229fd5250af8738364e6fb45db

Edited by phon, 28 March 2011 - 12:32 AM.


#24 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Ok, let's try something different. We are going to rename the folder where Google Chrome data is stored. This will create a new Chrome profile. Note: You may have to reapply your custom settings/import bookmarks again, etc.


Please close Google Chrome and navigate to the following location:


C:\Users\Scott\AppData\Local\Google\Chrome\User Data

Right click the folder called Default and choose Rename. Rename it as Backup Default. Now launch Google Chrome and check if the redirections are still happening.

#25 phon (Topic Starter, Member, 23 posts)
Hi Blottedisk

This seems to have worked!

Thank You

#26 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,


I'm glad to hear that :D

Let's wait until tomorrow and see if your searches are still clean.

In the meantime, please go to Virus Total

  • Click on Browse, and upload the following file for analysis:

    • C:\Users\Scott\AppData\Local\Google\Chrome\Application\{VERSION NUMBER}\gcswf32.dll

    Note: Version number represents your Chrome version number (10.0.648.204 if it's up to date).
  • Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
  • If it says already scanned -- click "reanalyze now"
  • Please post the results in your next reply.


#27 phon (Topic Starter, Member, 23 posts)
So far so good
still clear


0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
gcswf32.dll
Submission date:
2011-03-29 04:59:59 (UTC)
Result:
0/ 41 (0.0%)

MD5 : 37e5e71f1315de96bfe3994f713d46b2
SHA1 : 87777593897a5389daa8fd1a90f687bb79c03a1c
SHA256: ceb90cd1c548705d5299499e6f87f866ed84e00e4a8bf3c2b2d33080d7e6c794

#28 Blottedisk (Trusted Helper, Malware Removal, 124 posts)
Hi phon,


Nice. We are almost done; please follow these steps.


Step 1 | Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [1 C:\Users\Scott\Desktop\*.tmp files -> C:\Users\Scott\Desktop\*.tmp -> ]
    
    :Commands
    [purity]
    [EmptyFlash]
    [emptytemp]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot when it is done.
  • It will produce a log for you on reboot, please post that log in your next reply.

Step 2 | Please open a new Google Chrome window or tab.

  • Copy and paste or write the following line in the URL address box in order to open the extensions page: chrome://extensions/
  • Press the following key combination in order to open the JavaScript console: Shift + Ctrl + J
  • Copy the following code, paste it in the console and press Enter:
    returnExtensionsData=function(a){var o=[];for(var i=0,e=a.extensions,len=a.extensions.length;i<len;i++){o.push({id:e[i].id,name:e[i].name});}console.log('var extdata='+JSON.stringify(o)+';');};requestExtensionsData();
  • Once you have pressed Enter, a code will be generated and displayed in the console. Please copy and paste it in your next reply.
  • 0

#29
phon

phon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi

OTL Log


All processes killed
========== OTL ==========
File/Folder C:\Windows\System32\*.tmp not found.
File/Folder C:\Windows\*.tmp not found.
C:\Users\Scott\Desktop\xbiavnmvhx.tmp deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

User: Scott
->Flash cache emptied: 7537 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Scott
->Temp folder emptied: 2002 bytes
->Temporary Internet Files folder emptied: 525252 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 86962280 bytes
->Google Chrome cache emptied: 29831115 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 112.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 03302011_175157

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



JavaScript console gave this code...


var extdata=[];

Edited by phon, 29 March 2011 - 11:11 PM.

  • 0

#30
Blottedisk

Blottedisk

    Trusted Helper

  • Malware Removal
  • 124 posts
Hi phon,


Thanks for the logs. Before we finish, let's run two scans:


Step 1 | Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


Step 2 | Let's perform an ESET Online Scan

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Posted Image
    Note: If using Mozilla Firefox, you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Posted Image (Selecting Uninstall application on close if you so wish)

  • 0





