Google redirect infection


  • This topic is locked
2 replies to this topic

#1 Anthony2816

Anthony2816

  • Members
  • 1 posts

Posted 03 October 2009 - 10:14 AM

I got it, too, a couple of days ago. Two main symptoms: First, it now takes me around 7 minutes to boot to the Windows XP desktop instead of the usual 2.5 minutes. Second, my Google search results are being hijacked. Also this morning, for the first time, I got error boxes popping up during boot for every startup program, referencing ikosetxy\tdlwsp.dll, which I believe is a rootkit, although I couldn't find such a file on my drive.

I'm running XP SP3, Avast! antivirus, ZoneAlarm Pro firewall, MalwareBytes Anti Malware, and Spybot Search and Destroy. None of these show any problems on scan.

I read through some other threads, but after trying a suggestion there (RootRepeal, which rebooted my computer when I told it to scan), I figured it might be safer to get expert help instead of messing about on my own. Thanks in advance!

Here's my HiJack log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:35 AM, on 10/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\system tools\Avast4\aswUpdSv.exe
C:\system tools\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\internet\Access Remote PC 4.7.3\rpcsetup.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\system tools\nVidia tuning tool\nTune\nTuneService.exe
C:\System tools\StartUp Organizer\so.exe
C:\system tools\ZoneAlarm\zlclient.exe
C:\SYSTEM~2\Folder Guard NT\FGKEY.EXE
C:\SYSTEM~2\Avast4\ashDisp.exe
C:\system tools\Daemon Tools\daemon.exe
C:\internet\NetMeter\NetMeter.exe
C:\System tools\ScreenshotCaptor\ScreenshotCaptor.exe
C:\internet\Access Remote PC 4.7.3\rpcsetup.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\system tools\Spybot - Search & Destroy\TeaTimer.exe
C:\System tools\Ditto\Ditto.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\System tools\1st Clock\1stClock.exe
C:\System tools\Process Explorer\procexp.exe
C:\System tools\PureText\PureText.exe
C:\System tools\SpeedFan\speedfan.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\References\WordWeb\wweb32.exe
C:\System startup files\MagicDsk.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\System tools\Samurize\Client.exe
C:\system tools\Avast4\ashMaiSv.exe
C:\system tools\Avast4\ashWebSv.exe
C:\System tools\Logitech\MouseWare\system\em_exec.exe
C:\System tools\PowerDesk\PDExplo.exe
C:\Internet\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\temp\HijackThis.exe
C:\Internet\Mozilla Thunderbird\thunderbird.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\SYSTEM~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SearchGT - {684B7DF7-51DE-4852-ACF8-7BA3934D9BD1} - C:\system tools\SearchGT\SearchGTShell.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: AdShield.AdShield - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\internet\AdShield\AdShield.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
O4 - HKLM\..\Run: [StartUp Organizer] C:\System tools\StartUp Organizer\so.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\system tools\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\system tools\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\SYSTEM~2\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\system tools\Daemon Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [C:\internet\NetMeter\NetMeter.exe] C:\internet\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [Screenshot Captor] "C:\System tools\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun
O4 - HKCU\..\Run: [Access Remote PC 4.7.3] "C:\internet\Access Remote PC 4.7.3\rpcsetup.exe" /server /silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\system tools\nVidia tuning tool\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\system tools\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ditto] C:\System tools\Ditto\Ditto.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Global Startup: 1st Clock.lnk = C:\System tools\1st Clock\1stClock.exe
O4 - Global Startup: Process Explorer.lnk = C:\System tools\Process Explorer\procexp.exe
O4 - Global Startup: Shortcut to PureText.lnk = C:\System tools\PureText\PureText.exe
O4 - Global Startup: Shortcut to speedfan.lnk = C:\System tools\SpeedFan\speedfan.exe
O4 - Global Startup: Shortcut to StartUp.lnk = C:\System startup files\StartUp.bat
O4 - Global Startup: Shortcut to UltraMon Wallpaper Auto Changer.lnk = C:\System tools\UltraMon\UltraMon Wallpaper Auto Changer 2.vbs
O4 - Global Startup: UltraMon.lnk = ?
O4 - Global Startup: WordWeb Pro.lnk = C:\References\WordWeb\wweb32.exe
O8 - Extra context menu item: &Maintain Block List... - C:\internet\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\internet\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\internet\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\internet\AdShield\settings.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: New &NetMark - C:\internet\NetMarks Manager\OpenNM.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\9366x\Application Data\Mozilla\Firefox\Profiles\qddgz9yh.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\9366x\Application Data\Mozilla\Firefox\Profiles\qddgz9yh.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SYSTEM~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\SYSTEM~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: AdShield - {4FB6C25E-7B37-4c93-B592-16ECD8D18361} - C:\internet\AdShield\AdShield.dll (HKCU)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\Internet\NEOTRA~1\NTXtoolbar.htm (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{42633584-254E-45FE-8C94-48FBE88096B9}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Access Remote PC Service 4.7.3 - Access Remote PC (www.access-remote-pc.com) - C:\internet\Access Remote PC 4.7.3\rpcsetup.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\system tools\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\system tools\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\system tools\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\system tools\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FGKEY - WinAbility® Corporation - C:\SYSTEM~2\Folder Guard NT\FGKEY.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\system tools\nVidia tuning tool\nTune\nTuneService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9366 bytes

Edited by Anthony2816, 03 October 2009 - 11:04 AM.
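As an added example (not code from Anthony2816's post or from the HijackThis tool itself), the script below walks HijackThis-format lines and flags the kinds of entries a log reader checks first: R1 browser proxy settings, the F2 UserInit loader, O4 startup items that launch script files, and O17 DNS resolvers. The sample lines are constructed in the shape of the log above; the resolver allowlist (OpenDNS) and the expected `C:\WINDOWS` path are assumptions.

```python
"""Triage helper for HijackThis v2 log lines (added example, not code from the post or the tool)."""
import re
from typing import List, Tuple

# Assumptions: resolvers considered expected (the log above uses OpenDNS), and the
# Windows directory is C:\WINDOWS, so the only legitimate UserInit target is this path.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
SCRIPT_RE = re.compile(r'\.(bat|cmd|vbs|js|wsf)(?=["\s]|$)', re.IGNORECASE)

# Constructed sample in the shape of the log above; two lines are deliberately odd so
# that each check fires once (192.0.2.53 is a documentation address, not a real resolver).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:12080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\constructed.exe
O4 - HKLM\..\Run: [avast!] C:\SYSTEM~2\Avast4\ashDisp.exe
O4 - Global Startup: Shortcut to StartUp.lnk = C:\System startup files\StartUp.bat
O17 - HKLM\System\CCS\Services\Tcpip\..\{42633584-254E-45FE-8C94-48FBE88096B9}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

def triage_line(line: str) -> List[str]:
    """Reasons (possibly none) that one log line deserves a closer look."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons: List[str] = []
    if code in ("R0", "R1") and "ProxyServer" in body:
        # A localhost proxy may belong to a local ad/web filter, but it also puts
        # software between the browser and every site: confirm which tool owns the port.
        reasons.append("browser proxy configured")
    elif code == "F2" and "UserInit=" in body:
        targets = [t.strip().lower() for t in body.split("UserInit=", 1)[1].split(",") if t.strip()]
        if targets != [EXPECTED_USERINIT]:
            reasons.append("UserInit runs something besides userinit.exe")
    elif code == "O4" and SCRIPT_RE.search(body):
        reasons.append("startup item launches a script file")
    elif code == "O17" and "NameServer =" in body:
        servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
        unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
        if unknown:
            reasons.append("DNS resolver not on allowlist: " + ", ".join(unknown))
    return reasons

def triage(log_text: str) -> List[Tuple[str, str]]:
    """(reason, line) pairs for every flagged line, in log order."""
    return [(r, ln.strip()) for ln in log_text.splitlines() for r in triage_line(ln)]
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the flagged lines; a flag is a prompt to verify which program owns the setting, not a verdict.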



#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 06 October 2009 - 08:54 AM

Hello Anthony2816 :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:


Visit the following page and then follow the instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix





Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 11 October 2009 - 10:26 AM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.