Dear Sir/Madam,
I am having a problem with Google search. When the search results are displayed and a link is clicked, it redirects me to some other websites.
I am a new member and did not see the first steps guide, and I am really sorry. So I missed running DDS and GMER. I ran ComboFix and hope I haven't messed anything up :(
Here is the log from ComboFix.
ComboFix 09-04-25.A3 - ssingh 04/27/2009 10:48.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.90 [GMT -4:00]
Running from: c:\documents and settings\ssingh\Desktop\Combofix\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-0-7-83-100008847-100025721-100029747-5498.com
c:\winnt\IE4 Error Log.txt
c:\winnt\system32\drivers\gxvxcoiprlnsbmhfviakibmttusiuyxewvsxe.sys
c:\winnt\system32\gxvxccounter
c:\winnt\system32\gxvxcwyerxdpfmntymojxrmpjxubfxleenbmk.dll
c:\winnt\system32\open.ico
c:\winnt\Web\default.htt
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.
2009-04-27 15:11 . 2009-04-27 15:11 -------- d-----w C:\found.000
2009-04-27 05:45 . 2009-04-06 19:32 15504 ----a-w c:\winnt\system32\drivers\mbam.sys
2009-04-27 05:45 . 2009-04-06 19:32 38496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-27 05:45 . 2009-04-27 05:45 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 05:45 . 2009-04-27 05:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 04:53 . 2009-04-27 05:52 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-04-27 04:53 . 2009-04-27 04:53 -------- d-----w c:\program files\NortonInstaller
2009-04-27 04:46 . 2009-04-27 04:52 -------- d-----w c:\documents and settings\ssingh\Application Data\GetRightToGo
2009-04-27 04:22 . 2009-04-27 04:22 16384 ----atw c:\winnt\system32\Perflib_Perfdata_440.dat
2009-04-26 19:10 . 2009-04-26 19:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 19:10 . 2009-04-26 19:11 -------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-26 18:30 . 2008-06-19 20:24 28544 ----a-w c:\winnt\system32\drivers\pavboot.sys
2009-04-26 18:30 . 2009-04-26 18:30 -------- d-----w c:\program files\Panda Security
2009-04-26 17:02 . 2009-04-26 15:46 15688 ----a-w c:\winnt\system32\lsdelete.exe
2009-04-26 15:46 . 2009-04-26 15:45 64160 ----a-w c:\winnt\system32\drivers\Lbd.sys
2009-04-26 15:41 . 2009-04-26 15:41 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-26 15:41 . 2009-04-26 15:41 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-25 05:04 . 2009-04-25 05:04 -------- d-----w c:\documents and settings\ssingh\Application Data\AVGTOOLBAR
2009-04-25 02:07 . 2008-12-11 12:38 159600 ----a-w c:\winnt\system32\drivers\pctgntdi.sys
2009-04-25 02:07 . 2009-04-03 15:18 130936 ----a-w c:\winnt\system32\drivers\PCTCore.sys
2009-04-25 02:07 . 2008-12-18 16:16 73840 ----a-w c:\winnt\system32\drivers\PCTAppEvent.sys
2009-04-25 02:07 . 2009-04-25 02:07 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-25 02:07 . 2008-12-10 15:36 64392 ----a-w c:\winnt\system32\drivers\pctplsg.sys
2009-04-25 02:06 . 2002-05-15 19:16 360448 ----a-w c:\winnt\system32\oleacc.dll
2009-04-25 02:06 . 2002-05-15 19:16 356352 -c--a-w c:\winnt\system32\dllcache\oleaccrc.dll
2009-04-25 02:06 . 2002-05-15 19:16 356352 ----a-w c:\winnt\system32\oleaccrc.dll
2009-04-25 02:06 . 2009-04-25 05:08 -------- d-----w c:\program files\Spyware Doctor
2009-04-25 02:06 . 2009-04-25 02:06 -------- d-----w c:\documents and settings\ssingh\Application Data\PC Tools
2009-04-25 02:06 . 2009-04-25 02:06 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-25 02:06 . 2002-05-15 19:16 462848 ----a-w c:\winnt\system32\msaatext.dll
2009-04-24 23:41 . 2009-04-24 23:38 102664 ----a-w c:\winnt\system32\drivers\tmcomm.sys
2009-04-24 23:38 . 2009-04-27 06:00 -------- d-----w c:\documents and settings\ssingh\.housecall6.6
2009-04-24 23:32 . 2009-04-24 23:32 -------- d-----w c:\program files\Trend Micro
2009-04-24 18:10 . 2009-02-20 15:22 65128 ----a-w c:\winnt\system32\drivers\avgntflt.sys
2009-04-24 15:00 . 2009-04-24 15:00 -------- d-----w c:\documents and settings\Default User\Application Data\Yahoo!
2009-04-24 06:24 . 2003-06-19 19:05 12592 ----a-w c:\winnt\system32\drivers\usbscan.sys
2009-04-22 20:15 . 2009-04-07 17:47 20648 ----a-w c:\winnt\system32\novamnp6.dll
2009-04-22 20:15 . 2009-04-07 17:47 19112 ----a-w c:\winnt\system32\novamip6.dll
2009-04-22 20:15 . 2009-03-10 21:16 7533 ----a-w c:\winnt\system32\novap6.ctm
2009-04-22 20:06 . 2009-04-22 20:06 -------- d-----w c:\documents and settings\Default User\Application Data\Softland
2009-04-22 20:04 . 2008-10-13 20:23 7533 ----a-w c:\winnt\system32\dopdf6.ctm
2009-04-22 20:04 . 2009-04-24 06:17 -------- d-----w c:\program files\Softland
2009-04-17 14:38 . 2009-04-27 05:51 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-09 19:16 . 2009-04-09 19:16 32 ----a-w c:\winnt\gca631.INI
2009-04-09 19:15 . 2009-04-09 19:15 -------- d-----w C:\TurboSystemsCo
2009-04-07 22:30 . 2009-04-07 22:41 -------- d-----w c:\documents and settings\ssingh\Local Settings\Application Data\ShippingAssistant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 15:12 . 2009-04-26 17:07 4836 ----a-w C:\aaw7boot.log
2009-04-27 14:00 . 2005-10-03 15:43 494 ----a-w C:\hpfr5550.xml
2009-04-26 15:41 . 2007-03-06 23:50 -------- d-----w c:\program files\Lavasoft
2009-04-25 13:45 . 2005-10-03 16:10 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-25 13:45 . 2009-01-31 16:16 1892 ----a-w C:\InstallHelper.log
2009-04-25 13:44 . 2009-02-19 05:07 -------- d-----w c:\program files\PageBreeze
2009-04-25 05:04 . 2008-07-23 05:06 -------- d---a-w c:\documents and settings\All Users\Application Data\avg8
2009-04-17 15:04 . 2005-10-03 21:42 27200 -c--a-w c:\documents and settings\ssingh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 04:33 . 2007-04-03 15:35 -------- d--h--w c:\documents and settings\ssingh\Application Data\Move Networks
2009-02-19 21:33 . 2009-02-19 21:33 576512 ----a-w c:\winnt\system32\WININET.DLL
2009-02-19 05:17 . 2009-02-19 05:17 129 ----a-w c:\documents and settings\ssingh\Local Settings\Application Data\fusioncache.dat
2009-02-19 05:02 . 2009-02-19 05:02 730 ----a-w C:\odbcconf.log
2009-02-08 16:16 . 1999-12-07 18:00 1644784 ----a-w c:\winnt\system32\WIN32K.SYS
2009-02-04 04:20 . 2009-02-04 04:20 47376 ----a-w c:\winnt\system32\secur32.dll
2009-01-28 15:22 . 2007-10-04 19:15 0 ---ha-w c:\program files\hpothb07.tif
2009-01-28 15:22 . 2007-10-04 19:15 0 ---ha-w c:\program files\hpothb07.dat
2009-01-28 15:19 . 2007-10-04 19:18 487 ---ha-w c:\documents and settings\SYSTEM\hpothb07.dat
2009-01-28 15:19 . 2007-04-09 15:38 503 ---ha-w c:\documents and settings\ssingh\hpothb07.dat
2009-01-28 00:57 . 2007-10-04 19:18 164 ---ha-w c:\documents and settings\All Users\hpothb07.dat
2009-01-28 00:57 . 2007-05-05 17:40 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat
2007-11-20 17:56 . 2007-02-05 21:07 168 ---h--w c:\documents and settings\Administrator\hpothb07.dat
2007-10-08 16:23 . 2007-10-08 16:23 119968 ------w c:\documents and settings\ssingh\HpAiOFWUpdate2_2.exe
2007-10-04 19:17 . 2007-10-04 19:17 209 ---h--w c:\documents and settings\Administrator\Local Settings\Application Data\hpothb07.dat
2006-12-15 16:17 . 2006-12-15 16:17 15216 ------w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-09-30 17:40 . 2005-09-30 17:40 271 ---h--w c:\program files\desktop.ini
2005-09-30 17:40 . 2005-09-30 17:40 21952 ---h--w c:\program files\folder.htt
2005-07-14 19:31 . 2006-05-24 17:37 27648 --sha-w c:\winnt\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-12 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-26 516440]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2003-06-19 111376]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"aux"= mmdrv.dll
"wave4"= serwvdrv.dll
"wave5"=
"wave6"=
"wave7"=
"wave8"=
"wave9"=
"midi2"=
"midi3"=
"midi4"=
"midi5"=
"midi6"=
"midi7"=
"midi8"=
"midi9"=
"aux1"=
"aux2"=
"aux3"=
"aux4"=
"aux5"=
"aux6"=
"aux7"=
"aux8"=
"aux9"=
"mixer2"=
"mixer3"=
"mixer4"=
"mixer5"=
"mixer6"=
"mixer7"=
"mixer8"=
"mixer9"=
"wave"= serwvdrv.dll
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\^Criminal Areas of Responsibilities.xls]
path=\Criminal Areas of Responsibilities.xls
[HKLM\~\startupfolder\^Dalai Lama.doc]
path=\Dalai Lama.doc
[HKLM\~\startupfolder\^good karma.pps]
path=\good karma.pps
[HKLM\~\startupfolder\^rabi.pdf]
path=\rabi.pdf
[HKLM\~\startupfolder\^rabi1.pdf]
path=\rabi1.pdf
[HKLM\~\startupfolder\^rabi2.tif]
path=\rabi2.tif
[HKLM\~\startupfolder\^sajal.pdf]
path=\sajal.pdf
[HKLM\~\startupfolder\^sajal1.pdf]
path=\sajal1.pdf
[HKLM\~\startupfolder\^tcby.doc]
path=\tcby.doc
R3 Netopia_iphelp;Netopia WLAN IP Utility; [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 Slnt7554;USB Soft Modem Driver;c:\winnt\system32\DRIVERS\SLDRV\slnt7554.sys [2005-05-10 225272]
S0 Lbd;Lbd;c:\winnt\system32\DRIVERS\Lbd.sys [2009-04-26 64160]
S0 pavboot;pavboot;c:\winnt\system32\drivers\pavboot.sys [2008-06-19 28544]
S0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-04-03 130936]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-26 953168]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [1999-10-23 61712]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - IPNAT
*NewlyCreated* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
2009-04-26 c:\winnt\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:44]
2009-04-24 c:\winnt\Tasks\CHKDSK.job
- c:\winnt\system32\CHKDSK.EXE [1999-12-07 02:47]
2009-04-27 c:\winnt\Tasks\Disk Cleanup.job
- c:\winnt\System32\cleanmgr.exe [1999-12-07 18:00]
2008-04-14 c:\winnt\Tasks\FRU Task 2002-12-04 03:40ewlett-Packard2002-12-04 03:40p officejet 6100 series324C9EBEBB389A3CB37E16C7992E8342068F8B15200326203.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-04 00:40]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: infomart-usa.com\webmail
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
FF - ProfilePath - c:\documents and settings\ssingh\Application Data\Mozilla\Firefox\Profiles\zr9ir3tj.default\
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJPI142_14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-04-27 11:13
Windows 5.0.2195 Service Pack 4 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(208)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
- - - - - - - > 'explorer.exe'(276)
c:\winnt\AppPatch\AcLayers.DLL
c:\winnt\system32\SHDOCVW.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\Spybot - Search & Destroy\SDHelper.dll
.
Completion time: 2009-04-27 11:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 15:19
Pre-Run: 16,598,347,776 bytes free
Post-Run: 16,770,371,584 bytes free
239 --- E O F --- 2009-04-19 20:08