#1 · Discussion Starter · Registered
Hello,

First of all, thanks a lot to those who have the knowledge and help the rest of us.

Here is the real challenge:

I have XP Media Centre running on Acer Aspire 5670. Recently I downloaded and launched one .exe file and then it all started to happen. Initially I could not access my C and D drive and google.co.uk started to redirect (but not google.com). Also it started showing some weird numbers. For example, when I google "internet marketing", google.co.uk shows Results 1 - 11 of 157103 plus it doesn't show google ads plus it redirects if I click on any link plus it's very slow. At the same time google.com works fine and shows Results 1 - 11 of 156,000,000.

After initial scanning I found trojans such as Trojan.Pakes.bgg and Trojan.Ircbot.Bq.

I reinstalled Windows twice with my Recovery Disk (which includes formatting drive C) and now I can access my hard drives but google.co.uk still does all these weird things (very slow). Plus I cannot logout from my gmail account (Sorry! Because you were logged into many different Google services, we were not able to finish logging you out).

Below are THREE logs: from Hijackthis, from Combofix and from Fixwareout.

HERE IS THE LOG from Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:42:42, on 2009-05-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 4186 bytes


HERE IS THE LOG FROM Fixwareout


Username "Radiat" - 2009-05-10 13:41:36 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"LaunchApp"="Alaunch"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"ADMTray.exe"="\"C:\\Acer\\Empowering Technology\\admtray.exe\""
"eDataSecurity Loader"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSloader.exe"
"ntiMUI"="C:\\Program Files\\NewTech Infosystems\\NTI CD & DVD-Maker 7\\ntiMUI.exe"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"AzMixerSel"="C:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ePower_DMC"="C:\\Acer\\Empowering Technology\\ePower\\ePower_DMC.exe"
"Acer ePower Management"="C:\\Acer\\Empowering Technology\\ePower\\Acer ePower Management.exe boot"
"LManager"="C:\\PROGRA~1\\LAUNCH~1\\QtZgAcer.EXE"
"eRecoveryService"="C:\\Acer\\Empowering Technology\\eRecovery\\Monitor.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


HERE IS THE LOG FROM Combofix:


ComboFix 09-05-08.03 - Administrator 2009-05-10 14:44.2 - FAT32x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.849 [GMT 1:00]
Running from: C:\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.
2009-05-10 20:30 . 2009-05-10 20:30 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intel
2009-05-10 20:27 . 2005-09-26 15:40 258048 ----a-w c:\windows\system32\Uninstall_eRecovery.exe
2009-05-10 20:25 . 2009-05-10 20:25 -------- d-----w c:\program files\WinPCap
2009-05-10 20:25 . 2006-01-23 11:41 78208 ----a-w c:\windows\system32\drivers\epm-shd.sys
2009-05-10 20:25 . 2006-01-23 11:41 4096 ----a-w c:\windows\system32\drivers\epm-psd.sys
2009-05-10 20:25 . 2009-05-10 20:25 21275 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-05-10 20:23 . 2009-05-10 20:23 -------- d-----w c:\documents and settings\All Users\Application Data\Intel
2009-05-10 20:23 . 2006-04-10 09:09 61440 ----a-w c:\windows\system32\acerGina.dll
2009-05-10 20:23 . 2009-05-10 20:23 -------- d-----w c:\program files\Launch Manager
2009-05-10 20:23 . 2004-12-09 11:04 5120 ----a-w c:\windows\system32\FILTRCOI.DLL
2009-05-10 20:23 . 2004-12-08 13:10 16896 ----a-w c:\windows\system32\drivers\DKbFltr.SYS
2009-05-10 20:23 . 2002-12-19 14:58 49152 ----a-w c:\windows\system32\QtBtLib.dll
2009-05-10 20:21 . 2006-01-20 14:56 53248 ----a-w c:\windows\system32\acpimof.dll
2009-05-10 20:21 . 2006-01-20 14:56 225350 ----a-w c:\windows\system32\Epm-Po.dll
2009-05-10 20:14 . 2003-06-18 03:06 -------- d-----w c:\documents and settings\Radiat\Local Settings\Application Data\ApplicationHistory
2009-05-10 20:14 . 2003-06-18 02:34 -------- d-----w c:\documents and settings\Radiat\Local Settings\Application Data\Microsoft
2009-05-10 20:14 . 2009-05-10 20:14 -------- d-----w c:\documents and settings\Radiat
2009-05-10 20:13 . 2003-09-16 04:04 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Symantec
2009-05-10 20:13 . 2003-09-16 03:47 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Acer
2009-05-10 13:36 . 2009-05-10 13:36 -------- d-----w c:\documents and settings\Radiat\Local Settings\Application Data\Adobe
2009-05-10 13:23 . 2009-05-10 13:23 3019457 ----a-r C:\ComboFix.exe
2009-05-10 13:18 . 2009-05-10 13:18 -------- d-----w c:\program files\Trend Micro
2009-05-10 13:18 . 2009-05-09 23:26 812344 ----a-w C:\HJTInstall.exe
2009-05-10 12:43 . 2009-05-10 12:43 -------- d-sh--w C:\Recycled
2009-05-10 12:41 . 2009-05-10 12:41 -------- d-----w C:\fixwareout
2009-05-10 12:04 . 2001-08-17 12:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-05-10 12:04 . 2004-08-10 19:00 9600 ----a-w c:\windows\system32\drivers\hidusb.sys
2009-05-10 12:02 . 2004-08-15 23:17 180224 ----a-w c:\windows\ADDITEM.EXE
2009-05-10 12:02 . 2006-07-17 11:30 159821 ----a-w c:\windows\EMEAPAGE.EXE
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 20:21 . 2003-06-27 07:38 35792 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 20:21 . 2009-05-10 20:14 129 ----a-w c:\documents and settings\Radiat\Local Settings\Application Data\fusioncache.dat
2009-05-10 20:15 . 2009-05-10 20:15 -------- d-----w c:\program files\ATI Technologies
2009-05-10 12:02 . 2004-09-20 22:28 1121 ----a-w c:\windows\HotFix.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-04 16120832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2009-05-10 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2009-05-10 78208]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2005-06-30 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2005-01-14 4010]
R3 NdisFilt;OSA NdisFilter Protocol;c:\windows\system32\drivers\NdisFilt.sys [2005-09-13 4392]
S3 AVerE506;AVerE506 service;c:\windows\system32\drivers\AVerE506.sys [2005-08-25 509312]
S3 AVerM115;AVerM115 service;c:\windows\system32\drivers\AVerM115.sys [2005-08-24 692992]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2005-11-30 1088896]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - INT15.SYS
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aceradvantage.com/stdreg
uInternet Connection Wizard,ShellNext = hxxp://www.aceradvantage.com/stdreg
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 14:47
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1684)
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\acer\EMPOWERING TECHNOLOGY\ADMSERV.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\DLLHOST.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
c:\docume~1\Radiat\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-05-10 14:48 - machine was rebooted [Radiat]
ComboFix-quarantined-files.txt 2009-05-10 13:48
Pre-Run: 33 010 024 448 bytes free
Post-Run: 31 929 139 200 bytes free
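As an added example, not code from this thread or from the HijackThis authors: a small Python parser for the HijackThis log format posted above, with a triage pass a responder would run before reading a long log line by line. The sample log is constructed; its R0/O4/O23 lines are copied from the posted scan, and the O1 line (a hosts-file override to a TEST-NET address) is made up to show how the google.co.uk redirect described in the post would look if the hosts file were the cause, which is the kind of entry the Fixwareout hosts-file reset removes. The two heuristics are my own assumptions, not HijackThis rules: an O1 hosts override, and an autostart or service whose image has no directory (here Alaunch and RTHDCPL.EXE); a hit means "confirm which file actually runs", since RTHDCPL.EXE is normally the Realtek audio panel and is legitimate on this Acer.

```python
import re

# Constructed sample in HijackThis 2.0 log format (not the thread's full log).
# The R0/O4/O23 lines mirror entries from the posted scan; the O1 line is made
# up, with a TEST-NET address, to show how a hosts-file redirect would appear.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
O1 - Hosts: 192.0.2.10 www.google.co.uk
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
"""

# One HijackThis entry: a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 Run-key entries: HIVE\..\Run: [ValueName] command line
O4_RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 Startup-folder entries: Global Startup: foo.lnk = target
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# O23 services: Service: display name (short name) - vendor - image path
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# O1 hosts-file overrides: Hosts: address hostname
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
# Leading program image in a command line, quoted or not, found by its extension.
EXE_RE = re.compile(
    r'^"?(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|dll|sys))"?(?=\s|$)', re.IGNORECASE
)


def executable_of(cmd: str) -> str:
    """Return the program image from a Run-key or service command line."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    if cmd.startswith('"'):          # quoted image without a known extension
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hjt(text: str) -> list[dict]:
    """Parse a HijackThis log into dicts with code, name, cmd and exe fields."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                 # header, process list, blank, "End of file"
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "raw": raw.strip(), "name": None, "cmd": None, "exe": None}
        sub = None
        if code == "O4":
            sub = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
        elif code == "O23":
            sub = O23_RE.match(body)
        elif code == "O1":
            sub = O1_RE.match(body)
            if sub:
                entry["name"], entry["cmd"] = sub.group("host"), sub.group("ip")
                entries.append(entry)
                continue
        if sub:
            entry["name"], entry["cmd"] = sub.group("name"), sub.group("cmd")
            entry["exe"] = executable_of(entry["cmd"])
        entries.append(entry)
    return entries


def triage(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Heuristic review points as (code, name, reason). A hit means 'verify', not 'malicious'."""
    findings = []
    for e in entries:
        if e["code"] == "O1" and e["name"]:
            findings.append((e["code"], e["name"],
                             f"hosts file pins {e['name']} to {e['cmd']}; the browser never asks DNS for it"))
        elif e["exe"] and "\\" not in e["exe"]:
            findings.append((e["code"], e["name"],
                             f"'{e['exe']}' has no directory, so Windows resolves it via the search path; "
                             f"confirm which file actually runs"))
    return findings


if __name__ == "__main__":
    for code, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:<4} {name:<20} {reason}")
```

Run against the posted log, the parser skips the process list and the "End of file" trailer, and the triage pass reduces the O4/O23 lines to the handful of entries that need a second look; everything else (full-path entries under C:\WINDOWS, C:\Program Files or C:\Acer) can be checked against the recovery image rather than by eye.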

#2 · TSF-Emeritus
Hello and welcome to TSF.

Sorry for not being able to reply to your topic.

As seen in Post #2 of our sticky topic 'NEW INSTRUCTIONS Read this Before Posting For Malware Removal Help'

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
If you still need help, please start a new thread and post only the logs requested in our pre-posting process outlined below.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help