#1
Registered User
Join Date: Feb 2009
Posts: 7
OS: xp
Google redirect
Hi there,
Thank you for offering this free service. As requested, here are the logs - DDS below and the others attached. I look forward to your reply. Many thanks!

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 14:21:43.20 on 20/02/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.254.103 [GMT 0:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
FW: Symantec Endpoint Protection *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.everyclick.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Toolbar Helper: {d44bbb61-e17f-4ae6-a502-8d7e0b29e616} - c:\windows\system32\s1940.dll
TB: Stumble&Upon: {22d003ce-6952-46c5-80b9-d19b479620ab} - c:\windows\system32\s1940.dll
TB: {5AA06644-BC46-4220-A460-47A6EB47C96D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [RegistryCleanerProMFCT] c:\program files\registrycleanerpro\StartApp.exe
mRun: [DSLAGENTEXE] dslagent.exe USB
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TrayStartup] c:\program files\bt auto backup\VaultClientTray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: StumbleUpon: &Blog This - c:\windows\system32\s1940.dll/blogimage
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
Trusted Zone: stumbleupon.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} - hxxp://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.truprint.co.uk/TruprintActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://cache.hyves.nl/statics/Aurigma/ImageUploader4.cab
DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} - hxxp://support.epson-europe.com/selftest/Prg/ESTPTest.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AC1B32E1-9638-434D-8F6C-65CBBE444C1A} - hxxp://download.isvinternet.com/public/htmlwrapper/assemblysoft3.cab
DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [2005-6-7 8544]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-17 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090219.048\NAVENG.SYS [2009-2-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090219.048\NAVEX15.SYS [2009-2-20 876144]
S2 gafwload;BT Voyager ADSL Modem Loader;c:\windows\system32\drivers\gafwload.sys [2005-6-7 27147]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

=============== Created Last 30 ================

2009-02-20 13:35 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-02-20 12:59 0 a------- c:\windows\system32\MSVolume.dll
2009-02-20 12:59 <DIR> --d----- c:\program files\RegistryCleanerPro
2009-02-20 12:33 <DIR> --d----- c:\program files\Registry OK
2009-02-20 12:17 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-02-20 12:04 <DIR> -cd-h--- c:\windows\ie8
2009-02-20 12:00 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-02-18 16:05 0 a------- C:\p3.bat
2009-02-16 19:03 91,968 a------- c:\windows\system32\drivers\SysPlant.sys
2009-02-16 19:00 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-16 19:00 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-16 18:52 <DIR> --d----- c:\program files\Symantec
2009-02-16 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-05 07:58 <DIR> --d----- c:\windows\ie8updates

==================== Find3M ====================

2009-02-16 19:02 10,563 ac------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-16 19:02 805 ac------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-05 07:41 130,971 ac------ c:\windows\hpoins12.dat
2009-01-20 20:44 149,760 a------- c:\windows\system32\drivers\WpsHelper.sys
2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2008-07-18 12:43 22,856 ac------ c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2003-08-25 09:40 15 ac------ c:\program files\affiliate.ini

============= FINISH: 14:23:07.34 ===============
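The "Pseudo HJT Report" section of a DDS log is what a helper reads first, and the entry types in it (BHO, TB, EB, uRun/mRun, Trusted Zone, DPF) have a fixed shape that is easy to parse. The Python below is an added example, not part of the original thread and not DDS or ComboFix code: it parses lines in that format and flags the kinds of entries that get asked about in threads like this one. The rules are heuristics of my own for analyst review, not verdicts that anything is malicious; every sample line is copied from the log above (DDS writes "hxxp" for "http" so report URLs are not clickable).

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log (added example; heuristics are mine)."""
import re
from typing import List, Optional, Tuple

# Sample input: every line is copied from the DDS log posted above.
SAMPLE_REPORT = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Toolbar Helper: {d44bbb61-e17f-4ae6-a502-8d7e0b29e616} - c:\windows\system32\s1940.dll
TB: Stumble&Upon: {22d003ce-6952-46c5-80b9-d19b479620ab} - c:\windows\system32\s1940.dll
TB: {5AA06644-BC46-4220-A460-47A6EB47C96D} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryCleanerProMFCT] c:\program files\registrycleanerpro\StartApp.exe
mRun: [DSLAGENTEXE] dslagent.exe USB
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
Trusted Zone: stumbleupon.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>uRun|mRun|BHO|TB|EB|DPF|Trusted Zone): (?P<body>.*)$")
# A drive-letter path, quoted or not, up to a PE/driver/cab extension.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:dll|exe|sys|scr|cab)', re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one pseudo-HJT line into (kind, body); None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def run_command(body: str) -> str:
    """For a uRun/mRun body like '[Name] "c:\\x.exe" -flag', return the executable token."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_entry(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one entry. Heuristics only: they mark
    what an analyst should look at; they do not decide that anything is malicious."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    findings: List[Tuple[str, str]] = []
    if body.endswith("- No File"):
        # The CLSID is still registered but its DLL is gone: a leftover to clean up.
        return [("info", "orphaned entry, target file missing")]
    if kind in ("BHO", "TB", "EB"):
        m = PATH_RE.search(body)
        if m and m.group(0).lower().startswith(SYSTEM32):
            findings.append(("review", "browser add-on DLL lives in system32, not Program Files; verify its publisher"))
    elif kind in ("uRun", "mRun"):
        exe = run_command(body)
        if not re.match(r"^[a-z]:\\", exe, re.IGNORECASE):
            # Bare file name: which binary runs depends on the process search order.
            findings.append(("review", "autorun has no absolute path; which file runs depends on the search order"))
    elif kind == "Trusted Zone":
        findings.append(("review", "site in IE Trusted Zone gets relaxed security settings; confirm it is wanted"))
    elif kind == "DPF" and "hxxps://" not in body.lower():
        findings.append(("low", "ActiveX control fetched over plain HTTP; check it is still needed"))
    return findings


def triage_report(text: str) -> List[Tuple[str, str, str]]:
    """Run triage_entry over every line; returns (severity, reason, line) triples."""
    out = []
    for line in text.splitlines():
        for severity, reason in triage_entry(line):
            out.append((severity, reason, line.strip()))
    return out


if __name__ == "__main__":
    for severity, reason, line in triage_report(SAMPLE_REPORT):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it reports seven items: the two orphaned TB/EB keys, the two add-on entries that load a DLL from system32, the mRun entry that names dslagent.exe without a path, the Trusted Zone addition, and the Java DPF fetched over plain HTTP. Each is a prompt to look closer (the StumbleUpon entries, for instance, may well be a legitimate install), which is the same question the helpers in this thread work through by hand.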
#2
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Google redirect
Please visit this webpage for download links, and instructions for running combofix:
http://www.bleepingcomputer.com/comb...o-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006
If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#3
Registered User
Join Date: Feb 2009
Posts: 7
OS: xp
Re: Google redirect
Hi Angelfire 777,
Thanks for your advice. Unfortunately, I cannot seem to run ComboFix on my pc. I downloaded it and followed the advice about disabling antivirus software and firewalls. However, when I clicked on the exe programme, the ComboFix programme seemed to start up but then simply did nothing. Do you have any advice? Many thanks!
#4
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Google redirect
Try renaming it to afix.exe, then re-run it.
#6
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Google redirect
Please reboot to safe mode then try running it from there.
To enter safe mode: click Start > Turn Off Computer > Restart > tap the F8 key just before Windows starts to load > this will bring up a menu > use your keyboard to scroll to Safe Mode > hit Enter.
#7
Registered User
Join Date: Feb 2009
Posts: 7
OS: xp
Re: Google redirect
Hi again,
Tried safe mode but it still won't work. When I click on the icon to run the exe programme, a little horizontal bar appears with the heading ComboFix. This fills up from left to right as if it's loading the programme, but then after that nothing more happens and the programme doesn't actually run. Do you need me to run ComboFix to be able to help me solve my Google problem, or is there another way around this? Thanks again for your time and help.
#8
Registered User
Join Date: Feb 2009
Posts: 7
OS: xp
Re: Google redirect
Hi again,
Just a quick message to say I just tried using Google again and it seems to be working as normal now. Very strange. But I'm concerned that there could still be spyware lurking somewhere. Should I do anything else to check, or should I leave it at that now? Thanks!
#9
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Google redirect
There are other tools available to help but I'm just curious as to why it won't continue running. Please check if C:\bug.txt exists and if it exists, post the contents here.
After that, we'll start cleaning your machine using other means. Btw, by 'google redirect', I assume you mean your Google searches are being redirected somewhere else?
#11
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista
Re: Google redirect
Ok, if you don't want to follow up anymore..
Please check out miekiemoes' "How to Prevent Malware".
Happy safe surfing!
Note: Please reply to this thread one last time so I can mark it as resolved.