Still beeping, but Google doesn't redirect
ComboFix 12-02-02.02 - Patricia Hanna 02/02/2012 23:59:40.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.430 [GMT 0:00]
Running from: c:\documents and settings\Patricia Hanna\Desktop\ComboFix.exe
AV: AVG Anti-Virus 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\acasaaa.tmp
c:\documents and settings\All Users\Application Data\ipbsaaa.tmp
c:\documents and settings\All Users\Application Data\ldgsaaa.tmp
c:\documents and settings\All Users\Application Data\moyraaa.tmp
c:\documents and settings\All Users\Application Data\ndgsaaa.tmp
c:\documents and settings\All Users\Application Data\noyraaa.tmp
c:\documents and settings\All Users\Application Data\ooyraaa.tmp
c:\documents and settings\All Users\Application Data\poyraaa.tmp
c:\documents and settings\All Users\Application Data\uqhsaaa.tmp
c:\documents and settings\All Users\Application Data\vqhsaaa.tmp
c:\documents and settings\All Users\Application Data\wbasaaa.tmp
c:\documents and settings\All Users\Application Data\wqhsaaa.tmp
c:\documents and settings\All Users\Application Data\xbasaaa.tmp
c:\documents and settings\All Users\Application Data\xqhsaaa.tmp
c:\documents and settings\All Users\Application Data\ybasaaa.tmp
c:\documents and settings\All Users\Application Data\yqhsaaa.tmp
c:\documents and settings\All Users\Application Data\zbasaaa.tmp
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
c:\windows\system32\svchost.exe . . . is infected!!
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-01-03 to 2012-02-03 )))))))))))))))))))))))))))))))
.
.
2012-02-02 22:57 . 2012-02-02 22:57 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2012-01-25 01:50 . 2012-01-25 01:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2012-01-25 01:46 . 2012-01-25 01:46 -------- d-----w- c:\program files\CCleaner
2012-01-25 01:45 . 2012-01-25 01:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2012-01-25 01:44 . 2012-01-25 01:46 -------- d-----w- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\Google
2012-01-25 01:44 . 2012-01-25 01:46 -------- d-----w- c:\program files\Google
2012-01-24 18:58 . 2012-02-01 16:14 -------- d-----w- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\Temp
2012-01-24 18:58 . 2012-01-24 18:58 -------- d-----w- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\Facebook
2012-01-24 15:47 . 2012-01-24 15:47 -------- d-----w- c:\program files\Microsoft Silverlight
2012-01-21 11:03 . 2012-01-21 11:03 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-20 15:56 . 2012-01-24 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\F4D55F02000435DB0003EE0ED151FC84
2012-01-20 15:54 . 2012-01-20 15:54 -------- d-----w- c:\windows\Sun
2012-01-18 21:23 . 2012-01-18 21:23 -------- d-----w- C:\$AVG
2012-01-18 21:13 . 2012-01-18 21:13 -------- d-----w- c:\documents and settings\Patricia Hanna\Application Data\AVG2012
2012-01-18 21:03 . 2012-02-02 23:46 -------- d-----w- c:\windows\system32\drivers\AVG
2012-01-18 21:03 . 2012-01-18 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-01-18 21:03 . 2012-01-18 21:03 -------- d-----w- c:\program files\AVG
2012-01-18 21:00 . 2012-01-18 21:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2012-01-18 21:00 . 2012-02-02 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-18 19:26 . 2012-01-18 19:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-18 19:22 . 2012-01-18 19:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-10 12:00 . 2012-01-10 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\VirtualizedApplications
2012-01-10 09:54 . 2012-01-10 09:54 -------- d-----r- C:\MSOCache
2012-01-10 09:49 . 2012-01-10 09:49 -------- d-----w- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\SoftGrid Client
2012-01-10 09:49 . 2012-01-21 12:39 -------- d-----w- c:\documents and settings\Patricia Hanna\Application Data\SoftGrid Client
2012-01-10 09:48 . 2012-01-10 09:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\{90140011-0061-0409-0000-0000000FF1CE}
2012-01-10 09:48 . 2012-02-02 18:40 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SoftGrid Client
2012-01-10 09:46 . 2012-01-12 16:57 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\SoftGrid Client
2012-01-10 09:46 . 2012-01-12 16:57 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2012-01-10 09:46 . 2012-01-10 09:46 -------- d-----w- c:\documents and settings\All Users\Microsoft
2012-01-10 09:45 . 2012-01-10 09:49 -------- d-----w- c:\documents and settings\Patricia Hanna\Application Data\TP
2012-01-09 03:11 . 2012-01-09 03:11 -------- d-----w- c:\program files\Pro Imaging Powertoys
2012-01-09 03:11 . 2012-01-09 03:11 -------- d-----w- c:\program files\Common Files\Nikon
2012-01-09 03:09 . 2012-01-09 03:09 -------- d-----w- c:\windows\Downloaded Installations
2012-01-09 03:05 . 2012-01-15 17:06 -------- d-----w- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\ApplicationHistory
2012-01-09 03:03 . 2012-01-09 03:04 -------- d-----w- c:\windows\system32\URTTemp
2012-01-04 16:06 . 2012-01-25 01:55 -------- d-----w- c:\documents and settings\Patricia Hanna\Application Data\Skype
2012-01-04 16:06 . 2012-01-04 16:07 -------- d-----r- c:\program files\Skype
2012-01-04 16:06 . 2012-01-04 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-27 20:21 . 2011-12-27 20:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-25 21:57 . 2008-11-11 22:11 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-11-11 22:11 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-11-11 22:11 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-11-11 22:11 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-11-11 22:11 152064 ----a-w- c:\windows\system32\schannel.dll
2011-12-21 07:42 . 2011-12-27 19:22 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . 34A2D64FAF0AF7938CA2302E23956EF3 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . 80267C3BB1D4517461CE8C164D9E2A61 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 . A370C9BC401FCCF4CDF5DF5D5C340894 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\documents and settings\Patricia Hanna\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2012-01-24 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2008-11-11 36972]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Documents and Settings\\Patricia Hanna\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11/07/2011 01:14 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [13/09/2011 06:30 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/10/2011 06:23 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/07/2011 01:14 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [20/10/2010 15:23 821664]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [11/11/2008 23:36 4300]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [14/09/2010 05:46 508264]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11/07/2011 01:14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11/07/2011 01:14 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [04/10/2011 06:21 16720]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [15/01/2008 03:01 30208]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [02/12/2009 22:23 581480]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [02/12/2009 22:23 209640]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [02/12/2009 22:23 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [02/12/2009 22:23 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [14/09/2010 05:46 219496]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [11/11/2008 23:40 238464]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 06:25 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2012 01:45 136176]
S2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [30/10/2006 22:29 36864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [25/01/2012 01:45 136176]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [30/10/2006 22:29 19840]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4086129420-4222282718-1801512598-1005Core.job
- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-01-24 18:58]
.
2012-02-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-4086129420-4222282718-1801512598-1005UA.job
- c:\documents and settings\Patricia Hanna\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-01-24 18:58]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:44]
.
2012-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 89.101.160.5 89.101.160.4
FF - ProfilePath - c:\documents and settings\Patricia Hanna\Application Data\Mozilla\Firefox\Profiles\nlaarnfg.default\
FF - prefs.js: browser.startup.homepage - www.google.ie
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2012-02-03 00:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,6c,db,cd,0e,60,95,4d,b1,af,c6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,84,6c,db,cd,0e,60,95,4d,b1,af,c6,\
.
Completion time: 2012-02-03 00:10:17
ComboFix-quarantined-files.txt 2012-02-03 00:10
ComboFix2.txt 2012-01-25 02:53
.
Pre-Run: 67,192,324,096 bytes free
Post-Run: 67,361,865,728 bytes free
.
- - End Of File - - 7EA1977932323D022FD5A19A35C64503