
Google Redirector Issue


5 replies to this topic

#1 James_McFadden

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 23 March 2009 - 02:47 AM

When I click on a link while Google searching, I am occasionally redirected to an ad site. If I go back, and click again, the link works fine. From using Google to investigate, I guess this is a virus of sorts (does it do anything else besides redirect?). Any help figuring out how to remove it would be most appreciated (there seemed to be several ways to go about doing it from my research online). Thanks for your help!

DDS file pasted below, attach file attached.

DDS (Ver_09-03-16.01) - NTFSx86
Run by James McFadden at 2:34:45.89 on Mon 03/23/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.164 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090322-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Documents and Settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\James McFadden\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\james mcfadden\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kvaruyuqidefayoq] rundll32.exe "c:\windows\ucahinal.dll",e
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash/cabs/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jamesm~1\applic~1\mozilla\firefox\profiles\223qlquv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\james mcfadden\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {3C789D53-7525-4E5F-AE20-9F3A2805AE9E} - c:\documents and settings\james mcfadden\local settings\application data\{3C789D53-7525-4E5F-AE20-9F3A2805AE9E}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-1-14 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-1-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-2-22 352920]
R3 ev19x8mp;Creative SB AudioPCI Audio Driver (WDM);c:\windows\system32\drivers\ev19x8mp.sys [2006-9-19 522268]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\jamesm~1\locals~1\temp\bdmusicb.sys --> c:\docume~1\jamesm~1\locals~1\temp\bDMusicb.sys [?]

=============== Created Last 30 ================

2009-03-23 02:02 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-23 01:51 <DIR> --d----- c:\program files\Trend Micro
2009-02-22 23:43 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-30 16:57 56,504 a------- c:\docume~1\jamesm~1\applic~1\GDIPFONTCACHEV1.DAT
2005-07-15 00:30 13,141 a------- c:\documents and settings\james mcfadden\ZGUICFGW.DAT

============= FINISH: 2:35:40.37 ===============

Attached Files
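The DDS log above already contains the entries that the later posts end up removing: a Run value that launches rundll32 on a randomly named DLL dropped directly into c:\windows, a toolbar CLSID with no file behind it, a hidden Firefox extension whose directory is a GUID under Local Settings\Application Data, and an S3 driver whose image lives in the user's Temp folder. The Python below is an example added by the editor, not part of the original thread and not DDS's own code: it runs four such rules over a constructed sample made of lines copied from the log above plus benign neighbours, so that a reader can see which entries a first triage pass would pull out and why. The rule names and the exact patterns are the editor's assumptions, not anything DDS or BleepingComputer defines.

```python
import re

# Constructed sample: lines copied from the DDS log posted above, with benign
# neighbours left in so that every rule has both a hit and a miss to work on.
SAMPLE_DDS = r"""
uRun: [Google Update] "c:\documents and settings\james mcfadden\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Kvaruyuqidefayoq] rundll32.exe "c:\windows\ucahinal.dll",e
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
FF - HiddenExtension: XUL Cache: {3C789D53-7525-4E5F-AE20-9F3A2805AE9E} - c:\documents and settings\james mcfadden\local settings\application data\{3C789D53-7525-4E5F-AE20-9F3A2805AE9E}
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\jamesm~1\locals~1\temp\bdmusicb.sys --> c:\docume~1\jamesm~1\locals~1\temp\bDMusicb.sys [?]
"""

# DDS "Pseudo HJT" line shapes (uRun/mRun/dRunOnce, TB, FF - HiddenExtension,
# R*/S* driver lines). The rule names below are the editor's own.
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
WINROOT_DLL_RE = re.compile(r"^c:\\windows\\[^\\]+\.dll$", re.I)
TB_NOFILE_RE = re.compile(r"^TB: \{[0-9a-f-]{36}\} - No File$", re.I)
FF_HIDDEN_RE = re.compile(r"^FF - HiddenExtension: .*?\{(?P<guid>[0-9a-f-]{36})\} - (?P<path>.+)$", re.I)
DRIVER_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?: \[[^\]]*\])?$", re.I)


def triage(dds_text):
    """Return (rule, identifier) pairs for the log lines worth a second look."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.match(m.group("cmd"))
            # rundll32 itself is normal; a DLL sitting directly in c:\windows
            # (not system32) called through a one-letter export is not.
            if d and WINROOT_DLL_RE.match(d.group("dll")):
                findings.append(("RUN_RUNDLL_WINROOT", m.group("name")))
            continue
        if TB_NOFILE_RE.match(line):
            # Toolbar CLSID still registered but its file is gone: a leftover
            # or half-removed component.
            findings.append(("TB_NO_FILE", line.split()[1]))
            continue
        m = FF_HIDDEN_RE.match(line)
        if m:
            # Extension registered machine-wide (HKLM) but stored in a
            # GUID-named folder under the user's Application Data.
            guid_dir = "\\{" + m.group("guid").lower() + "}"
            path = m.group("path").lower()
            if "\\application data" in path and path.endswith(guid_dir):
                findings.append(("FF_HIDDEN_EXT_GUID_DIR", m.group("guid")))
            continue
        m = DRIVER_RE.match(line)
        if m and "\\temp\\" in m.group("path").lower():
            # A kernel driver whose image path points into a Temp folder.
            findings.append(("DRIVER_IN_TEMP", m.group("svc")))
    return findings


if __name__ == "__main__":
    for rule, ident in triage(SAMPLE_DDS):
        print(f"{rule:24} {ident}")
```

Run it against a full DDS log by reading the file into `triage()`; the four hits on the sample are exactly the four entries that GooredFix and the CFScript later remove, while the benign Run values, the avast! driver and the system32 rundll32 entry produce nothing.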




#2 Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:04 PM

Posted 24 March 2009 - 05:05 PM

Hello James and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

If ComboFix runs its full circle, then please also install Avira AntiVir, update it and run a full system scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 James_McFadden

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 24 March 2009 - 07:52 PM

Thanks for the reply.

Okay, here is the Goored log file:

GooredFix v1.92 by jpshortstuff
Log created at 19:11 on 24/03/2009 running Option #2 (James McFadden)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3C789D53-7525-4E5F-AE20-9F3A2805AE9E}"="C:\Documents and Settings\James McFadden\Local Settings\Application Data\{3C789D53-7525-4E5F-AE20-9F3A2805AE9E}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\James McFadden\Local Settings\Application Data\{3C789D53-7525-4E5F-AE20-9F3A2805AE9E}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


And here is the ComboFix log file:

ComboFix 09-03-23.01 - James McFadden 2009-03-24 19:23:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.248 [GMT -5:00]
Running from: c:\documents and settings\James McFadden\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090323-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-23 02:02 . 2009-03-23 02:01 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-03-23 01:51 . 2009-03-23 01:51 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 07:01 --------- d-----w c:\program files\Java
2009-03-20 01:25 --------- d-----w c:\program files\Viewpoint
2009-03-20 01:25 --------- d-----w c:\documents and settings\James McFadden\Application Data\Viewpoint
2009-03-20 01:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-20 00:43 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-16 05:41 --------- d-----w c:\program files\MSECache
2009-02-23 05:32 --------- d-----w c:\documents and settings\James McFadden\Application Data\OpenOffice.org2
2009-02-14 19:54 --------- d-----w c:\program files\Zultrax
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
2009-02-02 03:18 --------- d-----w c:\documents and settings\James McFadden\Application Data\gtk-2.0
2008-11-13 00:32 56,504 ----a-w c:\documents and settings\Cheryl's Account\Application Data\GDIPFONTCACHEV1.DAT
2008-09-30 21:57 56,504 ----a-w c:\documents and settings\James McFadden\Application Data\GDIPFONTCACHEV1.DAT
2005-07-15 05:30 13,141 ----a-w c:\documents and settings\James McFadden\ZGUICFGW.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Kvaruyuqidefayoq"="c:\windows\ucahinal.dll" [2008-12-05 133632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James McFadden^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\James McFadden\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James McFadden^Start Menu^Programs^Startup^Sid Registration.lnk]
path=c:\documents and settings\James McFadden\Start Menu\Programs\Startup\Sid Registration.lnk
backup=c:\windows\pss\Sid Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 20:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-10-14 22:04 133104 c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 05:19 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Ventrilo"=2 (0x2)
"Bonjour Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Valve\\Steam\\Steam.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\source dedicated server\\srcds.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\condition zero\\hl.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\half-life 2\\hl2.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\lostcoast\\hl2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Zultrax\\Zultrax.Exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-04-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2008-04-01 20560]
R3 ev19x8mp;Creative SB AudioPCI Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\ev19x8mp.sys [2006-09-19 522268]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\JAMESM~1\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\JAMESM~1\LOCALS~1\Temp\bDMusicb.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-585831088-4255682277-1955949752-1006.job
- c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-14 22:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\James McFadden\Application Data\Mozilla\Firefox\Profiles\223qlquv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 19:25:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-24 19:27:11
ComboFix-quarantined-files.txt 2009-03-25 00:26:48

Pre-Run: 36,329,619,456 bytes free
Post-Run: 36,323,291,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
157 --- E O F --- 2009-03-21 07:42:52

#4 Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:04 PM

Posted 25 March 2009 - 11:12 AM

Hello James,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
c:\docume~1\JAMESM~1\LOCALS~1\Temp\bDMusicb.sys
Driver::
bDMusicb
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kvaruyuqidefayoq"=-

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot not reproduced)

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#5 James_McFadden

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 01 April 2009 - 01:36 AM

Ah, I thought I'd get an e-mail when this was updated. (or maybe it was redirected to the spam folder). Anyhow, the problem was still sort of occurring, although Google itself was flagging the sites as shady. Anyhow, I ran Combofix as instructed and here is what I got (Oh yeah, thanks for the response!):

ComboFix 09-03-31.01 - James McFadden 2009-04-01 0:55:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.297 [GMT -5:00]
Running from: c:\documents and settings\James McFadden\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James McFadden\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090330-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\jamesm~1\LOCALS~1\Temp\bDMusicb.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BDMUSICB
-------\Service_bDMusicb


((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-25 21:20 . 2009-03-25 21:20 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-23 02:02 . 2009-03-23 02:01 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-03-23 01:51 . 2009-03-23 01:51 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 05:36 --------- d-----w c:\documents and settings\James McFadden\Application Data\OpenOffice.org2
2009-03-23 15:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-23 07:01 --------- d-----w c:\program files\Java
2009-03-20 01:25 --------- d-----w c:\program files\Viewpoint
2009-03-20 01:25 --------- d-----w c:\documents and settings\James McFadden\Application Data\Viewpoint
2009-03-20 01:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-20 00:43 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-16 05:41 --------- d-----w c:\program files\MSECache
2009-02-14 19:54 --------- d-----w c:\program files\Zultrax
2009-02-02 03:18 --------- d-----w c:\documents and settings\James McFadden\Application Data\gtk-2.0
2008-11-13 00:32 56,504 ----a-w c:\documents and settings\Cheryl's Account\Application Data\GDIPFONTCACHEV1.DAT
2008-09-30 21:57 56,504 ----a-w c:\documents and settings\James McFadden\Application Data\GDIPFONTCACHEV1.DAT
2005-07-15 05:30 13,141 ----a-w c:\documents and settings\James McFadden\ZGUICFGW.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_19.25.51.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-16 19:01:08 452,488 ----a-w c:\windows\Downloaded Program Files\wlscBase.dll
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-04-01 06:00:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_14c.dat
+ 2009-04-01 06:00:36 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_55c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\SYSTEM32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\SYSTEM32\narrator.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James McFadden^Start Menu^Programs^Startup^E3TV Tray App.lnk]
path=c:\documents and settings\James McFadden\Start Menu\Programs\Startup\E3TV Tray App.lnk
backup=c:\windows\pss\E3TV Tray App.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James McFadden^Start Menu^Programs^Startup^Sid Registration.lnk]
path=c:\documents and settings\James McFadden\Start Menu\Programs\Startup\Sid Registration.lnk
backup=c:\windows\pss\Sid Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 20:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-10-14 22:04 133104 c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 05:19 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"Ventrilo"=2 (0x2)
"Bonjour Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Valve\\Steam\\Steam.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\source dedicated server\\srcds.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\condition zero\\hl.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\half-life 2\\hl2.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\lostcoast\\hl2.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Zultrax\\Zultrax.Exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Valve\\Steam\\SteamApps\\forwardista\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Valve\\Condition Zero\\czero.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-04-01 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [2008-04-01 20560]
R3 ev19x8mp;Creative SB AudioPCI Audio Driver (WDM);c:\windows\SYSTEM32\DRIVERS\ev19x8mp.sys [2006-09-19 522268]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-585831088-4255682277-1955949752-1006.job
- c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-14 22:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\James McFadden\Application Data\Mozilla\Firefox\Profiles\223qlquv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\James McFadden\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 01:13:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\rundll32.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-01 1:16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 06:16:04
ComboFix2.txt 2009-03-25 00:27:12

Pre-Run: 35,998,392,320 bytes free
Post-Run: 35,904,221,184 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
179 --- E O F --- 2009-03-21 07:42:52

Edited by James_McFadden, 01 April 2009 - 01:36 AM.
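The two ComboFix logs in this thread, one from before the CFScript and one from after it, make it possible to check mechanically what the script actually removed rather than eyeballing two long listings. The Python below is an example added by the editor, not ComboFix's own code and not something posted in the thread: it parses the Run-key values and the driver lines of both logs, reports the autostart entries that disappeared, and then compares the paths behind those entries against the CFScript's File:: section. That comparison surfaces a caveat a practitioner would want here: the script deleted the Kvaruyuqidefayoq Run value but only named bDMusicb.sys under File::, so c:\windows\ucahinal.dll itself was never listed for deletion, and the second log's "Other Deletions" section is in fact empty. The log excerpts and the script text are constructed from the entries posted above, trimmed to the relevant lines; the section-parsing rules are the editor's reading of the CFScript format, not a documented grammar.

```python
import re

# Constructed excerpts of the two ComboFix logs posted in this thread (the
# HKLM Run key and the driver lines), trimmed to the entries that matter.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Kvaruyuqidefayoq"="c:\windows\ucahinal.dll" [2008-12-05 133632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-04-01 114768]
S3 bDMusicb;bDMusicb;\??\c:\docume~1\JAMESM~1\LOCALS~1\Temp\bDMusicb.sys --> c:\docume~1\JAMESM~1\LOCALS~1\Temp\bDMusicb.sys [?]
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2008-04-01 114768]
"""

# The CFScript from post #4, as posted.
CFSCRIPT = r"""
File::
c:\docume~1\JAMESM~1\LOCALS~1\Temp\bDMusicb.sys
Driver::
bDMusicb
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kvaruyuqidefayoq"=-
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: \[[^\]]*\])?$')
DRIVER_RE = re.compile(r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?: \[[^\]]*\])?$")
FILE_RE = re.compile(r"^[a-z]:\\.+\.(?:dll|exe|sys)$", re.I)


def autostarts(log):
    """Map (registry key or 'driver', entry name) -> the path it launches."""
    entries, key = {}, None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries[(key, m.group("name"))] = m.group("value")
            continue
        m = DRIVER_RE.match(line)
        if m:
            # ComboFix prints "<ImagePath> --> <resolved path>"; keep the resolved one.
            entries[("driver", m.group("svc"))] = m.group("path").split(" --> ")[-1]
    return entries


def removed_between(before, after):
    """Autostart entries present in the first log and absent from the second."""
    b, a = autostarts(before), autostarts(after)
    return {k: v for k, v in b.items() if k not in a}


def cfscript_sections(script):
    """Split a CFScript into {'File': [...], 'Driver': [...], 'Registry': [...]}."""
    sections, current = {}, None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):           # section header such as "File::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections


def unlisted_files(removed, script):
    """Paths behind removed autostarts that the CFScript never told ComboFix to delete."""
    listed = {p.lower() for p in cfscript_sections(script).get("File", [])}
    return sorted(v for v in removed.values()
                  if FILE_RE.match(v) and v.lower() not in listed)


if __name__ == "__main__":
    gone = removed_between(BEFORE, AFTER)
    for (key, name), path in gone.items():
        print(f"removed: {name} ({key}) -> {path}")
    for path in unlisted_files(gone, CFSCRIPT):
        print(f"still to check on disk: {path}")
```

On the excerpts above the script reports two removed autostarts (the Kvaruyuqidefayoq Run value and the bDMusicb driver) and one file that was never scheduled for deletion, c:\windows\ucahinal.dll; that file is the natural next thing to look for when, as in post #6, the symptom persists.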


#6 James_McFadden

  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 24 April 2009 - 12:40 AM

Sorry to be a pain, but it seems like the issue is still occurring. I've repeatedly run anti-spyware and anti-virus software to no avail. Any additional help would be appreciated.

Thanks!



