
Google redirect virus

Discussion in 'Virus & Other Malware Removal' started by treddleman, Jul 17, 2012.

Thread Status:
Not open for further replies.
  1. treddleman

    treddleman Thread Starter

    Joined:
    Jul 17, 2012
    Messages:
    2
    I have ads playing in the background and trying to get them removed. I have run Combofix and here is what the log shows.
    ComboFix 12-07-16.01 - Owner 07/17/2012 9:45.2.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.1591 [GMT -6:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Owner\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
    .
    ---- Previous Run -------
    .
    c:\programdata\SPL5D91.tmp
    c:\users\Owner\AppData\Local\Conduit\BitTorrent\ggqkf.dll
    c:\users\Owner\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
    c:\windows\system32\drivers\etc\lmhosts
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-17 15:50 . 2012-07-17 15:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-07-17 15:50 . 2012-07-17 15:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-17 15:31 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B960357A-7282-4FE1-8803-17898B4356B2}\mpengine.dll
    2012-07-17 15:02 . 2012-07-17 15:02 -------- d-----w- c:\windows\system32\Adobe
    2012-07-17 00:57 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
    2012-07-16 23:59 . 2012-07-16 23:59 -------- d-----w- c:\program files\Common Files\Overwolf
    2012-07-16 05:41 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-13 00:01 . 2012-07-17 02:10 -------- d-----w- c:\users\Owner\AppData\Local\ClassesB
    2012-07-11 06:45 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2012-07-11 06:45 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 06:45 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 06:45 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-07-11 06:45 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-07-11 06:45 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
    2012-07-04 05:41 . 2012-05-13 16:15 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{12098E78-4290-4412-BB6F-F12959A1E060}\gapaengine.dll
    2012-06-21 23:40 . 2012-06-21 23:40 768848 ----a-w- c:\windows\system32\msvcr100.dll
    2012-06-21 23:40 . 2012-06-21 23:40 421200 ----a-w- c:\windows\system32\msvcp100.dll
    2012-06-21 09:37 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-21 09:37 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-21 09:37 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-21 09:37 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 09:37 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-21 09:37 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-21 09:37 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 09:37 . 2012-06-02 21:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-21 09:37 . 2012-06-02 21:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-17 16:19 . 2012-06-17 16:19 -------- d-----w- c:\users\Owner\AppData\Local\DDMSettings
    2012-06-17 16:04 . 2012-06-17 16:04 -------- d-----w- c:\program files\Common Files\DivX Shared
    2012-06-17 16:04 . 2012-06-17 16:04 -------- d-----w- c:\program files\DivX
    2012-06-17 16:03 . 2012-06-17 16:19 -------- d-----w- c:\programdata\DivX
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-17 15:01 . 2012-04-03 05:57 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-17 15:01 . 2011-08-23 16:59 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-09 17:21 . 2011-08-23 17:00 178688 ----a-w- c:\windows\system32\unrar.dll
    2012-05-13 16:15 . 2011-09-08 12:43 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-05-01 14:03 . 2012-06-12 21:17 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-23 16:00 . 2012-06-12 21:17 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-23 16:00 . 2012-06-12 21:17 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-23 16:00 . 2012-06-12 21:17 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-17 16:44 . 2011-08-23 22:45 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Aim"="c:\program files\AIM\aim.exe" [2011-05-03 4321112]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2012-01-04 6497592]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-05 17344176]
    "Overwolf"="c:\program files\Overwolf\Overwolf.exe" [2012-06-21 35256]
    "Steam"="c:\program files\Steam\Steam.exe" [2012-05-05 1242448]
    "ClassesB"="c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll" [2012-07-17 740864]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-05-27 2015136]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
    .
    c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2011-12-23 611144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2012-03-29 04:43 114176 ----a-w- c:\windows\System32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 15:01]
    .
    2012-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2182351676-3826189462-1719554592-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 02:27]
    .
    2012-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2182351676-3826189462-1719554592-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-04 02:27]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\6k80n2me.default\
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    ------- File Associations -------
    .
    .reg=Regedit.Document
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
    Toolbar-{88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
    Toolbar-Locked - (no file)
    HKU-Default-Run-BitTorrent - c:\users\Owner\AppData\Local\Conduit\BitTorrent\ggqkf.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-17 09:52
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ClassesB = rundll32.exe c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll,DEC_Finish?45678DX?X???????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: WDC_WD50 rev.01.0 -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x87A7B4B1]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87a8293c]; MOV EAX, [0x87a82ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x8225D936] -> \Device\Harddisk0\DR0[0x8706CAC8]
    3 CLASSPNP[0x8B3A58B3] -> ntkrnlpa!IofCallDriver[0x8225D936] -> [0x85C08948]
    5 acpi[0x807316BC] -> ntkrnlpa!IofCallDriver[0x8225D936] -> [0x85C08C90]
    \Driver\nvstor32[0x879EFC38] -> IRP_MJ_CREATE -> 0x87A7B4B1
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\00000058 -> \??\SCSI#Disk&Ven_WDC_WD50&Prod_00AAKS-00A7B#4&6727837&0&010100#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi -> 0x85bc91f8
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5820)
    c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    c:\program files\Microsoft Security Client\MsMpEng.exe
    c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
    c:\windows\System32\rundll32.exe
    c:\program files\NVIDIA Corporation\Display\nvtray.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-17 09:58:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-17 15:58
    .
    Pre-Run: 301,071,380,480 bytes free
    Post-Run: 300,927,291,392 bytes free
    .
    - - End Of File - - 13FEB4427227A0E5C308B385ACBEC5EC
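The entry that both scanners single out above ("ClassesB" in HKCU\...\Run, a DLL under AppData\Local, later flagged by aswMBR as Win32:Downloader-PLX) illustrates three traits a reviewer looks for when reading the Reg Loading Points section of a ComboFix log. The script below is an added example, not part of the thread and not ComboFix's own tooling: it parses Run-key entries in the log format shown, flags images that live under a user profile's AppData, that are DLLs rather than executables (loaded through rundll32, as the catchme section shows), or whose file name has the low-vowel, random look of generated names. The sample log is a constructed excerpt in the shape of the posted one; the thresholds and reason strings are this example's own assumptions.

```python
import ntpath
import re

# Constructed sample in the shape of the "Reg Loading Points" section of the
# ComboFix log posted above (shortened; not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-06-05 17344176]
"ClassesB"="c:\users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll" [2012-07-17 740864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

# Section header such as [HKEY_CURRENT_USER\...\Run]
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# Value line such as "Name"="c:\path\file.ext" [date size]
ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"(?:\s+\[([^\]]*)\])?\s*$')
# Only Run / RunOnce keys are autostart points we triage here.
RUN_KEY_RE = re.compile(r'\\run(once)?$', re.IGNORECASE)
# Anything under c:\users\<name>\AppData\ is writable by that user.
USER_WRITABLE_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.IGNORECASE)

REASON_APPDATA = "user-writable AppData path"
REASON_DLL = "DLL in a Run key (rundll32 load)"
REASON_RANDOM = "low-vowel, random-looking file name"


def looks_random(stem: str) -> bool:
    """Heuristic (assumed threshold): 6+ letters with under 15% vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.15


def triage_run_entries(log_text: str) -> list:
    """Return Run-key entries from a ComboFix-style log that trip any rule."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()  # the posted log is indented by the forum
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or not RUN_KEY_RE.search(current_key):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        name, path, meta = entry.groups()
        reasons = []
        if USER_WRITABLE_RE.search(path):
            reasons.append(REASON_APPDATA)
        if path.lower().endswith(".dll"):
            reasons.append(REASON_DLL)
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if looks_random(stem):
            reasons.append(REASON_RANDOM)
        if reasons:
            findings.append(
                {"key": current_key, "name": name, "path": path,
                 "meta": meta or "", "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for hit in triage_run_entries(SAMPLE_LOG):
        print(f'{hit["key"]}\n  "{hit["name"]}" -> {hit["path"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, only the ClassesB entry is reported, with all three reasons; the Program Files entries pass. A hit on one rule alone is a prompt to look closer (plenty of legitimate updaters live in AppData), whereas an entry tripping all three, as here, is what a malware specialist would ask to have scanned next.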
     
  2. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    Hi and welcome,

    Please download aswMBR to your desktop.

    • Right click and Run as Administrator the aswMBR icon to run it.
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

     
  3. treddleman

    treddleman Thread Starter

    Joined:
    Jul 17, 2012
    Messages:
    2
    Here is the information you requested...

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-18 21:55:29
    -----------------------------
    21:55:29.481 OS Version: Windows 6.0.6002 Service Pack 2
    21:55:29.482 Number of processors: 4 586 0x203
    21:55:29.482 ComputerName: OWNER-PC UserName: Owner
    21:55:31.426 Initialize success
    21:55:54.930 AVAST engine defs: 12071900
    21:55:57.916 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000058
    21:55:57.920 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
    21:55:57.947 Disk 0 MBR read successfully
    21:55:57.949 Disk 0 MBR scan
    21:55:57.955 Disk 0 Windows VISTA default MBR code
    21:55:57.965 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
    21:55:57.992 Disk 0 scanning sectors +976771072
    21:55:58.076 Disk 0 scanning C:\Windows\system32\drivers
    21:56:12.077 Service scanning
    21:56:20.277 Service MpKsla25d90d3 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{461B93E4-F041-4AB1-8679-1C4C97EAE9A7}\MpKsla25d90d3.sys **LOCKED** 32
    21:56:46.066 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    21:56:54.402 Modules scanning
    21:56:57.543 Disk 0 trace - called modules:
    21:56:57.557 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84d581f8]<<
    21:56:57.557 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b75ac8]
    21:56:57.558 3 CLASSPNP.SYS[8b3ab8b3] -> nt!IofCallDriver -> [0x8580aa50]
    21:56:57.558 5 acpi.sys[807356bc] -> nt!IofCallDriver -> \Device\00000058[0x8580ac90]
    21:56:57.558 \Driver\nvstor32[0x85830678] -> IRP_MJ_CREATE -> 0x84d581f8
    21:56:59.620 AVAST engine scan C:\Windows
    21:57:07.838 AVAST engine scan C:\Windows\system32
    22:02:18.546 AVAST engine scan C:\Windows\system32\drivers
    22:02:47.325 AVAST engine scan C:\Users\Owner
    22:02:57.690 File: C:\Users\Owner\AppData\Local\ClassesB\nhjlzpmt.dll **INFECTED** Win32:Downloader-PLX [Trj]
    22:13:05.652 AVAST engine scan C:\ProgramData
    22:14:27.650 Scan finished successfully
    22:25:35.578 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Documents\MBR.dat"
    22:25:35.583 The log file has been saved successfully to "C:\Users\Owner\Documents\aswMBR.txt"
     
  4. Cheeseball81

    Cheeseball81 Moderator Malware Specialist

    Joined:
    Mar 3, 2004
    Messages:
    83,940
    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • when the window opens, click on Change Parameters
    • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
    • click OK
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Attach the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)
     

Short URL to this thread: https://techguy.org/1061436