Resolved HJT Threads Resolved spyware and popup issues.

 
 
07-04-2009, 10:40 PM   #1
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: XP


Virus is altering my Google search results

I'm running FF 3.0.11 and IE 7 and I have a virus that is changing my Google search results. I get correct results using Google Chrome.

When I open the browser and type in www.google.com and type in a search term, my results on the first page are messed up. They are going to pages like couponmountain, shopica or toseeka org.

I am running Windows XP.

========================

DDS (Ver_09-06-26.01) - NTFSx86
Run by kenric1 at 21:27:24.20 on Sat 07/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1330 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\kenric1\Desktop\gmer.exe
C:\Documents and Settings\kenric1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.8.0\IEViewBar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - No File
TB: {56CF4856-ECB4-4E46-A897-A378821F97B9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\kenric1\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygami\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\lsp.dll
DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://eservices.scottsdaleaz.gov/dmc/downloads/mgaxctrl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188165274906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-latest.cab
Filter: text/html - {64c51fe7-eba3-4c55-8f21-e5076e1644c9} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenric1\applic~1\mozilla\firefox\profiles\j1hm255j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL -
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kenric1\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-26 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-15 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-26 108552]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2009-1-26 33824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-26 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-31 24652]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 Ast Service;Ast Service;c:\windows\system32\\astsrv.exe --> c:\windows\system32\\AstSrv.exe [?]
S3 FTD2XX;FTD2XX_ADRF.SYS Repeater;c:\windows\system32\drivers\FTD2XX_ADRF.sys [2006-8-7 34639]
S3 iscFlash;iscFlash;c:\docume~1\kenric1\locals~1\temp\isc1ctmp\iscflash.sys [2006-3-4 19328]
S3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys --> c:\windows\system32\drivers\scrcap.sys [?]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys --> c:\windows\system32\drivers\sxuptp.sys [?]

=============== Created Last 30 ================

2009-07-03 20:57 <DIR> --d----- c:\docume~1\kenric1\applic~1\Malwarebytes
2009-07-03 20:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-03 20:49 180,224 a------- c:\windows\system32\lsp.dll
2009-06-23 13:26 11,776 a------- c:\windows\system32\drivers\afc.sys
2009-06-18 17:53 3,252 a------- c:\windows\system32\wbem\Outlook_01c9f0785af798cc.mof
2009-06-05 11:26 <DIR> --d----- c:\windows\system32\IOSUBSYS

==================== Find3M ====================

2009-06-11 23:34 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-05 11:38 70,820 a---h--- c:\windows\system32\mlfcache.dat
2009-05-28 22:33 262,144 a------- C:\ntuser.dat
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-03 09:31 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-22 19:53 194,560 a------- c:\windows\system32\bzpdf.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-09-01 00:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 21:28:07.23 ===============
Attached Files
File Type: rar attach.rar (4.2 KB, 1 views)
biophase is offline  
07-05-2009, 07:42 AM   #2
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Virus is altering my Google search results

Hi.

Welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

--------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. You can find instructions HERE.

    AVG 8.5
    Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
    • Click on Open AVG Interface.
    • Double click on Resident Shield
    • Deselect the option to "Enable Resident Shield."
    • Save changes, and exit the application.
    • To re-enable AVG 8.5 later, please select "Enable Resident Shield" again.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
07-05-2009, 12:34 PM   #3


Re: Virus is altering my Google search results

Hi Mark,

Here is the log.txt from Combofix.

===================================

ComboFix 09-07-04.09 - kenric1 07/05/2009 11:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1287 [GMT -7:00]
Running from: c:\documents and settings\kenric1\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\46927_2006-05-05_16.42.15.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-05_17.22.15.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-06_09.19.55.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-07_09.42.26.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-08_09.25.25.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-08_13.43.07.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-09_17.22.48.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-10_16.18.28.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-11_08.25.54.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-11_19.26.17.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-12_08.44.16.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-12_09.52.11.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-12_13.29.48.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-12_17.18.01.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-12_23.42.55.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-14_13.15.15.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-14_17.11.02.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-15_13.29.46.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-16_08.24.39.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-19_09.48.44.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-19_13.31.05.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-19_17.02.28.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-20_09.51.37.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-21_14.53.59.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-21_16.54.33.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-21_17.36.53.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-23_07.43.03.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-23_17.15.26.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-24_14.30.03.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-25_22.29.44.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-26_23.57.28.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-27_00.53.31.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-27_07.52.34.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-29_07.24.58.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-29_14.34.58.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-30_17.17.40.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-31_09.13.40.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-31_16.48.12.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-05-31_21.34.04.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-02_09.26.57.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-03_10.09.29.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-06_08.36.26.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-06_16.56.10.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-06_23.46.25.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-07_09.01.36.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-08_10.07.28.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-08_15.18.54.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-09_01.19.42.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-09_21.13.38.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-10_10.26.51.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-12_10.50.01.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-13_00.59.08.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-13_11.27.38.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-15_01.32.01.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-16_09.46.09.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-16_17.19.18.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-16_23.19.35.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-17_10.58.26.hl
c:\documents and settings\All Users.\documents\settings\46927_2006-06-17_11.59.20.hl
c:\documents and settings\All Users.\documents\settings\desktop.ini
c:\documents and settings\All Users.\documents\settings\rvnkey_a.dat
c:\documents and settings\All Users.\documents\settings\rvnkey_b.dat
c:\documents and settings\All Users.\documents\settings\rvnkey_f.dat
c:\documents and settings\All Users.\documents\settings\rvnkey_v.dat
c:\documents and settings\All Users.\documents\settings\rvnkeylogh
c:\recycler\S-1-5-21-2369461160-35945199-3371764974-1003
c:\windows\Fonts\acrsec.fon
c:\windows\system32\lsp.dll
c:\windows\system32\mlfcache.dat
C:\WS-SET.EXE

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-05 18:22 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-05 18:22 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-04 10:11 . 2009-07-04 10:11 -------- d-----w- c:\program files\Alwil Software
2009-07-04 03:57 . 2009-07-04 03:57 -------- d-----w- c:\documents and settings\kenric1\Application Data\Malwarebytes
2009-07-04 03:57 . 2009-07-04 03:57 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\Malwarebytes
2009-07-04 03:57 . 2009-07-04 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 20:26 . 2005-02-23 21:58 11776 ----a-w- c:\windows\system32\drivers\afc.sys
2009-06-05 18:26 . 2009-06-05 18:26 -------- d-----w- c:\windows\system32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 18:06 . 2006-01-17 00:16 88880 ----a-w- c:\documents and settings\kenric1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-04 19:08 . 2006-06-20 03:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-04 19:05 . 2005-11-05 04:09 -------- d-----w- c:\program files\Common Files\AOL
2009-07-04 18:58 . 2005-11-05 04:10 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-07-04 18:57 . 2007-01-16 07:17 -------- d-----w- c:\program files\LimeWire
2009-07-04 18:53 . 2006-01-17 06:11 -------- d-----w- c:\program files\Common Files\Intuit
2009-07-04 18:49 . 2008-01-05 21:44 -------- d-----w- c:\program files\Poker Grapher
2009-07-04 18:48 . 2006-08-10 21:38 -------- d-----w- c:\program files\Poker Tracker V2
2009-07-04 18:45 . 2009-03-20 22:04 -------- d-----w- c:\program files\Vuze
2009-07-04 18:41 . 2006-06-20 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 18:37 . 2006-10-06 07:16 -------- d-----w- c:\program files\PokerStars
2009-07-04 18:36 . 2008-02-04 04:55 -------- d-----w- c:\documents and settings\kenric1\Application Data\Move Networks
2009-07-04 18:36 . 2008-02-04 04:55 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\Move Networks
2009-07-04 18:33 . 2005-11-05 02:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-04 18:32 . 2005-11-07 17:42 -------- d-----w- c:\program files\Google
2009-07-04 18:29 . 2006-10-20 04:17 -------- d-----w- c:\program files\Full Tilt Poker
2009-07-04 18:27 . 2007-08-08 18:29 -------- d-----w- c:\program files\CAM350_8.6
2009-07-04 18:27 . 2008-03-11 19:15 -------- d-----w- c:\program files\Cake Poker
2009-07-04 18:22 . 2008-10-25 06:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-04 18:22 . 2006-06-20 02:57 -------- d-----w- c:\program files\Lavasoft
2009-07-04 18:21 . 2007-10-24 15:50 -------- d-----w- c:\program files\1&1
2009-07-04 10:07 . 2007-12-10 01:37 -------- d-----w- c:\documents and settings\kenric1\Application Data\FileZilla
2009-07-04 10:07 . 2007-12-10 01:37 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\FileZilla
2009-07-04 03:21 . 2009-03-20 22:05 -------- d-----w- c:\documents and settings\kenric1\Application Data\Azureus
2009-07-04 03:21 . 2009-03-20 22:05 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\Azureus
2009-06-24 18:31 . 2009-03-19 18:12 -------- d-----w- c:\program files\Equis
2009-06-24 15:09 . 2006-01-29 22:44 -------- d-----w- c:\documents and settings\kenric1\Application Data\ArcSoft
2009-06-24 15:09 . 2006-01-29 22:44 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\ArcSoft
2009-06-23 07:10 . 2008-08-11 23:25 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-18 15:42 . 2007-02-15 07:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 06:34 . 2009-03-27 06:15 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-06 07:50 . 2005-11-05 04:13 -------- d-----w- c:\program files\Yahoo!
2009-06-05 23:14 . 2006-12-15 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-06-05 23:13 . 2006-02-08 03:41 -------- d-----w- c:\documents and settings\kenric1\Application Data\Yahoo!
2009-06-05 23:13 . 2006-02-08 03:41 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\Yahoo!
2009-06-04 07:51 . 2005-11-05 04:05 -------- d-----w- c:\program files\Quicken
2009-06-04 06:27 . 2009-06-04 06:15 -------- d-----w- c:\program files\WinMerge
2009-05-31 18:53 . 2009-05-31 18:53 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-05-31 18:34 . 2009-05-31 18:34 -------- d-----w- c:\documents and settings\kenric1\Application Data\GARMIN
2009-05-31 18:34 . 2009-05-31 18:34 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\GARMIN
2009-05-31 18:34 . 2009-05-31 18:34 -------- d-----w- c:\program files\DIFX
2009-05-31 18:34 . 2009-05-31 18:34 -------- d-----w- c:\program files\Garmin
2009-05-29 05:33 . 2009-05-29 05:33 262144 ----a-w- C:\ntuser.dat
2009-05-18 06:41 . 2009-05-18 06:41 -------- d-----w- c:\documents and settings\kenric1\Application Data\Bullzip
2009-05-18 06:41 . 2009-05-18 06:41 -------- d-----w- c:\docume~1\kenric1\APPLIC~1\Bullzip
2009-05-18 06:36 . 2009-05-18 06:36 -------- d-----w- c:\program files\Bullzip
2009-05-07 15:32 . 2005-11-05 00:52 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 16:31 . 2009-03-27 06:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-03 16:31 . 2009-03-27 06:15 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2005-11-05 00:53 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2005-11-05 00:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-23 02:53 . 2009-05-18 06:36 194560 ----a-w- c:\windows\system32\bzpdf.dll
2009-04-17 12:26 . 2005-11-05 00:53 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-11-05 00:53 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]
"Google Update"="c:\documents and settings\kenric1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"TFncKy"="TFncKy.exe" [BU]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2005-11-10 15473664]
"NDSTray.exe"="NDSTray.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 16:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
Trusted 0e3e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/26/2009 11:15 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/26/2009 11:15 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/26/2009 11:15 PM 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/31/2008 9:33 PM 24652]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 Ast Service;Ast Service;c:\windows\system32\\AstSrv.exe --> c:\windows\system32\\AstSrv.exe [?]
S3 FTD2XX;FTD2XX_ADRF.SYS Repeater;c:\windows\system32\drivers\FTD2XX_ADRF.sys [8/7/2006 12:56 PM 34639]
S3 iscFlash;iscFlash;\??\c:\docume~1\kenric1\LOCALS~1\Temp\isc1Ctmp\iscflash.sys --> c:\docume~1\kenric1\LOCALS~1\Temp\isc1Ctmp\iscflash.sys [?]
S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys --> c:\windows\system32\DRIVERS\sxuptp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776574225-2921150394-3902323158-1006Core.job
- c:\documents and settings\kenric1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 06:38]

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776574225-2921150394-3902323158-1006UA.job
- c:\documents and settings\kenric1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 06:38]

2009-07-05 c:\windows\Tasks\User_Feed_Synchronization-{6790CF5C-B080-4ABF-9D4F-529B83151E12}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 18:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-Media Codec Update Service - c:\program files\Essentials Codec Pack\update.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\docume~1\kenric1\APPLIC~1\Mozilla\Firefox\Profiles\j1hm255j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL -
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\kenric1\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 11:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3628)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\TPSBattM.exe
c:\progra~1\MICROS~4\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-07-05 11:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 18:30

Pre-Run: 21,569,576,960 bytes free
Post-Run: 23,639,523,328 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

301 --- E O F --- 2009-06-10 10:12
biophase is offline  
Old 07-06-2009, 09:37 AM   #4 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Virus is altering my google search results

hi.

Good job. Let's continue.

Please uninstall the following using the Windows Add/Remove Programs applet in the Control Panel.

Foistware
Viewpoint Toolbar
Viewpoint Media Player


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

Please also delete this folder.
c:\program files\Viewpoint


Outdated Java runtimes (older versions have vulnerabilities that malicious sites can use to exploit and infect your system):

J2SE Runtime Environment 5.0 Update 4
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7


Your Java is out of date.

Java(TM) 6 Update 13 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.


*Did you install this one? Otherwise, uninstall it.

AutoUpdate

------------------------------------------------------------------------

Run ESET Online Scan

*Close any open programs
*Turn off the real-time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

-------------------------------------------------------------------------

These indicate some settings have been changed:

These are "Change the way Security Center Alerts Me" in Control Panel > Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

This means they are turned off. If that's your choice, that's fine, otherwise tick the boxes to turn the notifications back on.

--------------------------------------------------------------------------

How's your computer now?


In your reply, please post


ESET scan result
Answer to my questions


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
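An added Python triage helper (not ComboFix's or the forum's code) for the "Reg Loading Points" and driver/service lines in the ComboFix format posted above: it flags autostart entries whose binary sits under a user-writable path, entries with no readable or resolved file, and the Security Center dword values the analyst points out. The path markers and category labels are my own choices, and the sample log is a constructed excerpt in that format.

```python
import re

# Regexes modelled on the ComboFix sections quoted in this thread: REGEDIT4-style
# key headers and values, dword settings, and the R?/S? driver/service lines.
KEY_RE = re.compile(r'^\[(.+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*-\s*(.+?))?\s*(\[[^\]]*\])?$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);[^;]*;(.+)$')

# Path fragments that put a binary under a user-writable location (8.3 short names
# included).  Legitimate per-user updaters live there too: a hit means "look twice".
USER_WRITABLE = ('\\temp\\', '\\documents and settings\\', '\\docume~1\\',
                 '\\local settings\\', '\\locals~1\\', '\\application data\\',
                 '\\applic~1\\', '\\appdata\\')

# Constructed excerpt in the format of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\kenric1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"TFncKy"="TFncKy.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/26/2009 11:15 PM 327688]
S3 iscFlash;iscFlash;\??\c:\docume~1\kenric1\LOCALS~1\Temp\isc1Ctmp\iscflash.sys --> c:\docume~1\kenric1\LOCALS~1\Temp\isc1Ctmp\iscflash.sys [?]
"""

def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def triage(log_text):
    """Return (category, entry_name, detail) findings for one ComboFix log."""
    findings = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and 'security center' in current_key:
            name, value = m.group(1), int(m.group(2), 16)
            # Non-zero *DisableNotify / *Override means that Security Center alert is off.
            if value and (name.endswith('DisableNotify') or name.endswith('Override')):
                findings.append(('security center', name, 'alert disabled (dword:%08x)' % value))
            continue
        m = RUN_RE.match(line)
        if m and current_key.endswith('\\run'):
            name, value, resolved, tag = m.groups()
            path = resolved or value          # ComboFix appends " - full\path" for bare names
            if '\\' not in path:
                findings.append(('unresolved', name, 'no path resolved for %s %s' % (value, tag or '')))
            elif is_user_writable(path):
                findings.append(('user-writable path', name, path))
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, rest = m.groups()
            path = rest.split('-->')[-1].split(' [')[0].strip()
            if rest.endswith('[?]'):          # no date/size: ComboFix could not read the file
                findings.append(('unresolved', name, '%s entry, file not readable: %s' % (start, path)))
            if is_user_writable(path):
                findings.append(('user-writable path', name, path))
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(' | '.join(finding))
```

Run against a full log, the output is a short review list for the analyst; entries such as the per-user Google updater are expected hits and are cleared by hand, as in this thread.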
Old 07-06-2009, 03:05 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: XP


Re: Virus is altering my google search results

Please uninstall the following using the Windows Add/Remove Programs applet in the Control Panel.

Foistware
Viewpoint Toolbar ----------- DONE
Viewpoint Media Player ----------- DONE

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

Please also delete this folder.
c:\program files\Viewpoint ----------- DONE

Outdated Java runtimes (older versions have vulnerabilities that malicious sites can use to exploit and infect your system):

J2SE Runtime Environment 5.0 Update 4 ----------- DONE
Java(TM) 6 Update 2 ----------- DONE
Java(TM) 6 Update 3 ----------- DONE
Java(TM) 6 Update 5 ----------- DONE
Java(TM) 6 Update 7 ----------- DONE

Your Java is out of date. --------- I already have Java 6 Update 13 installed

Java(TM) 6 Update 13 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

*Did you install this one? Otherwise, uninstall it.

AutoUpdate --------- COULD NOT FIND IT IN MY CONTROL PANEL ADD/REMOVE PROGRAMS. Can you be more specific with the file name and location?

These indicate some settings have been changed:

These are "Change the way Security Center Alerts Me" in Control Panel > Security Center.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

This means they are turned off. If that's your choice, that's fine, otherwise tick the boxes to turn the notifications back on.

Not sure. I turned off MS Security Center before I ran my scans so that could be what changed.

--------------------------------------------------------------------------

How's your computer now?

Google searches work correctly now.


THANKS!!



=========================
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=2a23fa52de1bc749b01d0f47d5c369b2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-06 05:20:31
# local_time=2009-07-06 10:20:31 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 37 83 100 7410389062500
# scanned=164374
# found=0
# cleaned=0
# scan_time=4688
biophase is offline  
Old 07-06-2009, 04:11 PM   #6 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Virus is altering my google search results

hi.

Quote:
I already have Java 6 Update 13 installed
Latest now is Java 6 Update 14 =)

Quote:
COULD NOT FIND IT IN MY CONTROL PANEL ADD/REMOVE PROGRAMS. Can you be more specific with the file name and location?
That's ok.

Apart from that, your logs are clean.


Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this one in the runbox. Then HIT enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Reset clock settings to standard format.
    4. Re-hide file extensions and hidden/system files.
    5. Clear the System Restore cache and create a new restore point.

  2. Please also delete the DDS.scr located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Thank you very much.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-06-2009, 05:09 PM   #7 (permalink)
Registered User
 
Join Date: Jul 2009
Posts: 4
OS: XP


Re: Virus is altering my google search results

Thanks Mark, all done!

BTW, when I try to update Java it says I have the latest version.
biophase is offline  
Old 07-07-2009, 08:39 AM   #8 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Virus is altering my google search results

hi

Quote:
Originally Posted by biophase View Post
Thanks Mark, all done!

BTW, when I try to update Java it says I have the latest version.
That is okay.

You are most welcome.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Old 07-09-2009, 07:32 AM   #9 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Tokyo, JP
Posts: 1,476
OS: Vista, Linux Mint


Re: Virus is altering my google search results

hi.

Surf safely.

Since the problem appears to be resolved, it will now be archived.


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
mas_pogi is offline  
Copyright 2001 - 2009, Tech Support Forum