Tech Support Guy > Virus & Other Malware Removal

Google redirect virus

(In Progress)

treddleman
Member with 2 posts. THREAD STARTER
Join Date: Jul 2012
Experience: Beginner
17-Jul-2012, 12:05 PM #1
I have ads playing in the background and am trying to get them removed. I have run ComboFix, and here is what the log shows.

ComboFix 12-07-16.01 - Owner 07/17/2012 9:45.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1591 [GMT -6:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
.
---- Previous Run -------
.
c:\programdata\SPL5D91.tmp
c:\users\Owner\AppData\Local\Conduit\BitTorrent\ggqkf.dll
c:\users\Owner\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))
.
.
2012-07-17 15:50 . 2012-07-17 15:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-17 15:50 . 2012-07-17 15:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-17 15:31 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B960357A-7282-4FE1-8803-17898B4356B2}\mpengine.dll
2012-07-17 15:02 . 2012-07-17 15:02 -------- d-----w- c:\windows\system32\Adobe
2012-07-17 00:57 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-16 23:59 . 2012-07-16 23:59 -------- d-----w- c:\program files\Common Files\Overwolf
2012-07-16 05:41 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-13 00:01 . 2012-07-17 02:10 -------- d-----w- c:\users\Owner\AppData\Local\ClassesB
2012-07-11 06:45 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 06:45 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 06:45 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 06:45 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 06:45 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 06:45 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-04 05:41 . 2012-05-13 16:15 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{12098E78-4290-4412-BB6F-F12959A1E060}\gapaengine.dll
2012-06-21 23:40 . 2012-06-21 23:40 768848 ----a-w- c:\windows\system32\msvcr100.dll
2012-06-21 23:40 . 2012-06-21 23:40 421200 ----a-w- c:\windows\system32\msvcp100.dll
2012-06-21 09:37 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 09:37 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 09:37 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 09:37 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 09:37 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-21 09:37 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 09:37 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 09:37 . 2012-06-02 21:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 09:37 . 2012-06-02 21:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-17 16:19 . 2012-06-17 16:19 -------- d-----w- c:\users\Owner\AppData\Local\DDMSettings
2012-06-17 16:04 . 2012-06-17 16:04 -------- d-----w- c:\program files\Common Files\DivX Shared
2012-06-17 16:04 . 2012-06-17 16:04 -------- d-----w- c:\program files\DivX
2012-06-17 16:03 . 2012-06-17 16:19 -------- d-----w- c:\programdata\DivX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-17 15:01 . 2012-04-03 05:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-17 15:01 . 2011-08-23 16:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-09 17:21 . 2011-08-23 17:00 178688 ----a-w- c:\windows\system32\unrar.dll
2012-05-13 16:15 . 2011-09-08 12:43 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-05-01 14:03 . 2012-06-12 21:17 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00 . 2012-06-12 21:17 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-12 21:17 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-23 16:00 . 2012-06-12 21:17 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-17 16:44 . 2011-08-23 22:45 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Aim"="c:\program files\AIM\aim.exe" [2011-05-03 4321112]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-05 17344176]
"Overwolf"="c:\program files\Overwolf\Overwolf.exe" [2012-06-21 35256]
"Steam"="c:\program files\Steam\Steam.exe" [2012-05-05 1242448]
"ClassesB"="c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll" [2012-07-17 740864]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-05-27 2015136]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-12-23 611144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2012-03-29 04:43 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 15:01]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2182351676-3826189462-1719554592-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 02:27]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2182351676-3826189462-1719554592-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 02:27]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\6k80n2me.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
------- File Associations -------
.
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
Toolbar-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
Toolbar-Locked - (no file)
HKU-Default-Run-BitTorrent - c:\users\Owner\AppData\Local\Conduit\BitTorrent\ggqkf.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-17 09:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ClassesB = rundll32.exe c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll,DEC_Finish?45678DX?X???? ???
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: WDC_WD50 rev.01.0 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87A7B4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87a8293c]; MOV EAX, [0x87a82ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x8225D936] -> \Device\Harddisk0\DR0[0x8706CAC8]
3 CLASSPNP[0x8B3A58B3] -> ntkrnlpa!IofCallDriver[0x8225D936] -> [0x85C08948]
5 acpi[0x807316BC] -> ntkrnlpa!IofCallDriver[0x8225D936] -> [0x85C08C90]
\Driver\nvstor32[0x879EFC38] -> IRP_MJ_CREATE -> 0x87A7B4B1
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\00000058 -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AAKS-00A7B#4&6727837&0&010100#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x85bc91f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5820)
c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\System32\rundll32.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-07-17 09:58:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-17 15:58
.
Pre-Run: 301,071,380,480 bytes free
Post-Run: 300,927,291,392 bytes free
.
- - End Of File - - 13FEB4427227A0E5C308B385ACBEC5EC
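The log above shows a textbook persistence chain worth recognising before any tool is run: an HKCU Run value named ClassesB that points at a DLL under AppData\Local, catchme listing the same DLL launched through rundll32 with an export name, that DLL sitting inside Explorer.exe, UAC switched off (EnableLUA=0), and both Microsoft Security Essentials and Windows Defender reported as disabled. What follows is an added example, not part of the thread and not ComboFix's own code: a small Python triage script that applies exactly those checks to lines in the ComboFix "Reg Loading Points" layout. The sample input is a constructed excerpt of the log above (the rundll32 line is trimmed to its export name), and the severity labels are the script's own heuristics, not anything ComboFix prints.

```python
import re

# Constructed excerpt: a handful of lines copied from the ComboFix log posted
# above (the rundll32 line is trimmed to the export name). Not the full log.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-05 17344176]
"ClassesB"="c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll" [2012-07-17 740864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ClassesB = rundll32.exe c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll,DEC_Finish
"""

# "Name"="path" [date size]  -- the ComboFix "Reg Loading Points" layout
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# AV/SP/FW status lines; the text between the asterisks says Enabled/Disabled
PRODUCT = re.compile(r'^(?:AV|SP|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*')
# "rundll32 <dll>,<export>" as catchme prints hidden autostarts
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll)(?:,(?P<export>\S+))?', re.I)
# directories an unprivileged user can write to; autostarts from here need a look
USER_WRITABLE = re.compile(r'\\(?:appdata|programdata|temp)\\', re.I)


def triage(log):
    """Return a list of findings, each {"severity", "key", "line", "reason"}."""
    findings = []
    key = None  # registry key the current line belongs to

    def add(severity, line, reason):
        findings.append({"severity": severity, "key": key, "line": line, "reason": reason})

    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # key headers come in two shapes: "[HKEY_...]" (ComboFix) and "HKCU\..." (catchme)
        if line.startswith("[HKEY_") and line.endswith("]"):
            key = line[1:-1]
            continue
        if line.startswith(("HKCU\\", "HKLM\\", "HKU\\")):
            key = line
            continue
        m = PRODUCT.match(line)
        if m:
            if "disabled" in m.group("state").lower():
                add("high", line, "security product disabled: " + m.group("product"))
            continue
        m = re.match(r'^"EnableLUA"\s*=\s*(\d+)', line)
        if m:
            if m.group(1) == "0":
                add("high", line, "UAC disabled (EnableLUA=0): anything started from the admin account runs with full rights and no prompt")
            continue
        m = RUN_ENTRY.match(line)
        if m:
            path = m.group("path")
            if path.lower().endswith(".dll"):
                add("high", line, "Run value %s points at a DLL, which needs a host such as rundll32 to execute" % m.group("name"))
            if USER_WRITABLE.search(path):
                add("medium", line, "Run value %s starts from a user-writable directory" % m.group("name"))
            continue
        m = RUNDLL.search(line)
        if m:
            add("high", line, "rundll32 loads %s export %s" % (m.group("dll"), m.group("export") or "(none)"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 5, "medium": 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["severity"].upper(), f["reason"], f["line"]))
```

Run against the excerpt it prints five high and one medium finding. The medium one is only a prompt to look: legitimate software also autostarts from AppData\Local (the GoogleUpdate scheduled tasks in the same log do), so the script never calls a path malicious on its own. It is the combination that matters here, a Run value that is a DLL rather than an executable, rundll32 calling an export on it, and the resident security products reported disabled.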
Cheeseball81
Moderator & Malware Removal Specialist with 83,523 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
18-Jul-2012, 05:11 PM #2
Hi and welcome,

Please download aswMBR to your desktop.
  • Right click and Run as Administrator the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

__________________
Microsoft MVP - Consumer Security
treddleman
Member with 2 posts. THREAD STARTER
Join Date: Jul 2012
Experience: Beginner
19-Jul-2012, 12:27 AM #3
Replying per email
Here is the information you requested...
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-18 21:55:29
-----------------------------
21:55:29.481 OS Version: Windows 6.0.6002 Service Pack 2
21:55:29.482 Number of processors: 4 586 0x203
21:55:29.482 ComputerName: OWNER-PC UserName: Owner
21:55:31.426 Initialize success
21:55:54.930 AVAST engine defs: 12071900
21:55:57.916 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
21:55:57.920 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
21:55:57.947 Disk 0 MBR read successfully
21:55:57.949 Disk 0 MBR scan
21:55:57.955 Disk 0 Windows VISTA default MBR code
21:55:57.965 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
21:55:57.992 Disk 0 scanning sectors +976771072
21:55:58.076 Disk 0 scanning C:\Windows\system32\drivers
21:56:12.077 Service scanning
21:56:20.277 Service MpKsla25d90d3 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{461B93E4-F041-4AB1-8679-1C4C97EAE9A7}\MpKsla25d90d3.sys **LOCKED** 32
21:56:46.066 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
21:56:54.402 Modules scanning
21:56:57.543 Disk 0 trace - called modules:
21:56:57.557 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84d581f8]<<
21:56:57.557 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b75ac8]
21:56:57.558 3 CLASSPNP.SYS[8b3ab8b3] -> nt!IofCallDriver -> [0x8580aa50]
21:56:57.558 5 acpi.sys[807356bc] -> nt!IofCallDriver -> \Device\00000058[0x8580ac90]
21:56:57.558 \Driver\nvstor32[0x85830678] -> IRP_MJ_CREATE -> 0x84d581f8
21:56:59.620 AVAST engine scan C:\Windows
21:57:07.838 AVAST engine scan C:\Windows\system32
22:02:18.546 AVAST engine scan C:\Windows\system32\drivers
22:02:47.325 AVAST engine scan C:\Users\Owner
22:02:57.690 File: C:\Users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll **INFECTED** Win32:Downloader-PLX [Trj]
22:13:05.652 AVAST engine scan C:\ProgramData
22:14:27.650 Scan finished successfully
22:25:35.578 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Documents\MBR.dat"
22:25:35.583 The log file has been saved successfully to "C:\Users\Owner\Documents\aswMBR.txt"
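The aswMBR log above gives the numbers a reviewer would check by hand: one active (0x80) NTFS (type 07) partition of 476938 MB at offset 2048 on a 476940 MB disk, the scanner continuing at sector 976771072 (the first sector after that partition, where the unpartitioned tail begins, which is the space bootkits such as TDL4 use for their hidden file system), and the MBR saved to MBR.dat. The following is an added example, not from the thread and not aswMBR's code: a Python parser for a raw 512-byte MBR image that extracts the partition table, reports the unpartitioned tail and hashes the 440-byte boot code so it can be compared against a backup from a known-good machine. The sample image is constructed to mirror the geometry in the log; its boot code is zero-filled, so its hash is a placeholder, and the assumption that MBR.dat is a raw 512-byte sector is the reader's to verify.

```python
import hashlib
import struct

SECTOR = 512
MB = 1024 * 1024
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 512-byte MBR image mirroring the geometry in the aswMBR log
    above: one active (0x80) NTFS (0x07) partition, LBA 2048, 476938 MB.
    The 440 bytes of boot code are zero-filled here; a real image holds the
    Windows loader stub, so never treat this hash as a Vista baseline."""
    boot_code = bytes(440)
    disk_signature = struct.pack("<I", 0xDEADBEEF)  # arbitrary, constructed
    reserved = b"\x00\x00"
    size_sectors = 476938 * MB // SECTOR  # 976769024 sectors
    entry = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, size_sectors)
    table = entry + bytes(16 * 3)  # three empty slots
    return boot_code + disk_signature + reserved + table + b"\x55\xaa"


def parse_mbr(mbr):
    """Decode a raw MBR sector into signature flag, disk signature, boot-code hash and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "lba_end": lba + count,  # first sector after the partition
            "size_mb": count * SECTOR // MB,
        })
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "partitions": partitions,
    }


def unpartitioned_tail_sectors(info, disk_size_mb):
    """Sectors between the end of the last partition and the end of the disk."""
    disk_sectors = disk_size_mb * MB // SECTOR
    last_end = max((p["lba_end"] for p in info["partitions"]), default=0)
    return max(disk_sectors - last_end, 0)


def check_mbr(info, expected_boot_sha256=None):
    """Sanity checks; returns a list of warnings, empty if nothing stands out."""
    warnings = []
    if not info["signature_ok"]:
        warnings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        warnings.append("expected exactly one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            warnings.append("partition %d has an invalid status byte 0x%02x" % (p["index"], p["status"]))
    if expected_boot_sha256 and info["boot_code_sha256"] != expected_boot_sha256:
        warnings.append("boot code differs from the baseline: compare against a known-good MBR backup")
    return warnings


if __name__ == "__main__":
    import sys
    # usage: python mbrcheck.py MBR.dat   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    for p in info["partitions"]:
        print(p)
    print("boot code sha256:", info["boot_code_sha256"])
    print("warnings:", check_mbr(info) or "none")
```

On the sample the parser reproduces the log's numbers: partition end at sector 976771072 and a 2048-sector (1 MB) tail, which is ordinary alignment slack on this disk rather than evidence of anything. The useful check is the boot-code hash: aswMBR reported "Windows VISTA default MBR code" by comparing against its own knowledge of that stub, and a saved MBR.dat lets the same comparison be repeated against a clean machine later, with the hash on the page being an assumption until such a baseline exists.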
Cheeseball81
Moderator & Malware Removal Specialist with 83,523 posts.
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
19-Jul-2012, 12:12 PM #4
Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)