Google Redirect



#1 mikegru

mikegru

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 30 March 2012 - 01:33 PM

Good Day,

I can access google.com and request a search, however when the search results are displayed, and I try to reach the link, the screen either is redirected to a different website, or right back to the google.com page. I've tried AVG and Malwarebytes for removal of the virus, but neither worked. Downloaded Combofix, but am wary of using it unsupervised. Would appreciate your help.

Thank you
Mike


#2 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 03 April 2012 - 05:05 PM

Hello mikegru ,

My name is ratman and I will be helping you with your computer problems.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:

  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.

====================================================================================

Please take note:
  • If you have since resolved the original problem you were having, I would appreciate you letting me know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  • If you are unsure about any of these characteristics just post what you can and I will guide you.


Please tell me if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps I have recommended please try one more time and if unsuccessful alert us of such and I will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.


I need to see some up to date information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


I also need a new log from the GMER anti-rootkit Scanner.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




In your next reply, please copy/paste the contents of the following:
  • DDS.txt
  • Attach.txt
  • GMER.Log

regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#3 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 05 April 2012 - 11:36 AM

Hi, Thanks for your reply.

Sorry, I don't have the original Windows CD-ROM.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by user at 10:07:28 on 2012-04-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.266 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\BookingBuilder\BBLoader.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Winpopup LAN Messenger\WinPopup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\wspan\swgw\FilterAgent.exe
C:\WINDOWS\system32\DllHost.exe
svchost.exe
C:\Program Files\BookingBuilder\BBComm.EXE
C:\WINDOWS\system32\dlcfcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\VERIZONDM\bin\sprtsvc.exe
C:\Program Files\VERIZONDM\bin\tgsrvc.exe
c:\wspan\swgw\hpm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BookingBuilder\LMGDSFNC.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://gopublic.wspan.com/index.aspx
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: BookingBuilder Browser Control: {b2c9a858-a8be-426c-b1c7-7fd258b28caa} - c:\program files\bookingbuilder\LMIECTR2.dll
BHO: IEHlprObj Class: {ce7c3cf0-4b15-11d1-abed-709549c10000} - c:\wspan\gores\IEHelper.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Winpopup LAN Messenger] "c:\program files\winpopup lan messenger\WinPopup.exe" RUNCURRENT
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BookingBuilder GDS Interface] c:\program files\bookingbuilder\LMGDSInt.EXE
uRun: [BookingBuilder Loader] c:\program files\bookingbuilder\BBLoader.EXE
mRun: [SoundMan] soundman.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [BookingBuilder GDS Interface] c:\program files\bookingbuilder\LMGDSInt.EXE
mRun: [BookingBuilder Loader] c:\program files\bookingbuilder\BBLoader.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DLCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCFtime.dll,_RunDLLEntry@16
mRun: [VERIZONDM] "c:\program files\verizondm\bin\sprtcmd.exe" /P VERIZONDM
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bookin~1.lnk - c:\program files\bookingbuilder\BBDesktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\worlds~1.lnk - c:\wspan\swgw\FilterAgent.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {53F0FA27-1273-4afc-81D0-CB233010B05C} - c:\program files\bookingbuilder\BBIETlBr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: worldspan.com
Trusted Zone: wspan.com
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://24.49.183.54/activex/AxisCamControl.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} - hxxps://gopublic.wspan.com/secure/dlls/Comdlg32.cab
TCP: DhcpNameServer = 216.199.127.67 216.199.0.132
TCP: Interfaces\{F62181D9-4716-4BFA-A54A-50CBE709849F} : DhcpNameServer = 216.199.127.67 216.199.0.132
TCP: Interfaces\{F7B89DC3-8DC6-4221-B23F-26AC7FA95CBA} : DhcpNameServer = 192.168.0.16 192.168.0.13
Hosts: 93.113.196.118 www.google.com
Hosts: 93.113.196.119 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-11-16 64512]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-11-23 130312]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2012-4-4 2326920]
R2 BBComm;BookingBuilder Communication Service;c:\program files\bookingbuilder\BBComm.EXE [2010-2-22 77824]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-30 652360]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]
R2 PSINAFLT;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2012-1-5 144008]
R2 PSINFILE;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]
R2 PSINPROC;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]
R2 PSINPROT;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-11-30 112648]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\verizondm\bin\sprtsvc.exe [2011-2-1 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\verizondm\bin\tgsrvc.exe [2011-2-1 185640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2012-4-4 159168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-30 20464]
S0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [2012-4-4 902432]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S2 HPM;Worldspan HPM;c:\wspan\swgw\Hpm.exe [2009-11-13 114688]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
.
=============== Created Last 30 ================
.
2012-04-04 16:52:29 -------- d-----w- c:\documents and settings\user\application data\Panda Security
2012-04-04 16:50:35 -------- d-----w- c:\program files\Panda Security
2012-04-04 16:50:35 -------- d-----w- c:\documents and settings\all users\application data\Panda Security
2012-04-04 16:49:36 -------- d-----w- C:\temp
2012-04-04 16:35:32 159168 ----a-w- c:\windows\system32\drivers\afcdp.sys
2012-04-04 16:35:23 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2012-04-04 16:35:18 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-04-04 16:35:11 157248 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-03-30 16:06:13 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
.
============= FINISH: 10:09:01.92 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-05 12:33:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-00CAA1 rev.17.07W17
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\fxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF787F87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF787FBFE]
SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xEF985416]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\user\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Thanks for taking a look at this - I will be away from this computer until Tuesday April 9, so please note I won't be able to reply to your reply until then.
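The DDS log above contains two Hosts: entries that pin www.google.com and www.bing.com to 93.113.196.x addresses, which is a hosts-file hijack of exactly the sites named in the first post. The following is an added example for this thread (not part of DDS, ComboFix or any of the posts) that parses the 'Pseudo HJT Report' section of a DDS log and flags watched domains pinned to a routable address, and separately lists AV products DDS reports as Disabled. The Hosts: and AV: lines in the sample are copied from the log above; the 0.0.0.0 line is constructed to show that a loopback/unspecified pin (the ordinary ad-blocking use of a hosts file) is not flagged, and the watched-domain list is an assumption to extend per environment.

```python
"""Triage a DDS 'Pseudo HJT Report' for hosts-file hijacks and disabled AV.

Added example for this thread; it is not part of DDS, ComboFix or the
original posts.  The Hosts: and AV: lines in SAMPLE_DDS are copied from
the DDS log posted above; the 0.0.0.0 line is constructed to show that a
loopback/unspecified pin is not flagged.
"""
import ipaddress
import re

# DDS prints hosts-file overrides as "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
# ...and installed AV products as "AV: <name> *Enabled|Disabled/<state>* {GUID}"
AV_RE = re.compile(r"^AV:\s+(.+?)\s+\*(Enabled|Disabled)/(\w+)\*")

# Assumption: domains a client hosts file should never point at a routable
# address.  Extend for your own environment (update servers, AV vendors, ...).
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "windowsupdate.com", "malwarebytes.org",
)

# Constructed sample: real lines from the posted log plus one 0.0.0.0 pin.
SAMPLE_DDS = """\
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
TCP: DhcpNameServer = 216.199.127.67 216.199.0.132
Hosts: 0.0.0.0 ads.bing.com
Hosts: 93.113.196.118 www.google.com
Hosts: 93.113.196.119 www.bing.com
"""


def parse_hosts_entries(log_text):
    """Return (ip, hostname) for every Hosts: line, hostname lower-cased."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def is_benign_target(ip_text):
    """Loopback or unspecified targets block a name rather than redirect it."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal at all: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def is_watched(hostname):
    """True when hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(log_text):
    """(hostname, ip) for watched names pinned to a routable address."""
    return [
        (name, ip) for ip, name in parse_hosts_entries(log_text)
        if is_watched(name) and not is_benign_target(ip)
    ]


def find_disabled_av(log_text):
    """Names of AV products that DDS reports as Disabled."""
    disabled = []
    for line in log_text.splitlines():
        m = AV_RE.match(line.strip())
        if m and m.group(2) == "Disabled":
            disabled.append(m.group(1))
    return disabled


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_DDS):
        print(f"HOSTS HIJACK: {name} -> {ip}")
    for av in find_disabled_av(SAMPLE_DDS):
        print(f"AV DISABLED: {av}")
```

Run against the posted log this reports both search engines as hijacked and Lavasoft Ad-Watch as disabled. A hosts-file hijack only explains redirects for the names it lists, so a practitioner would still read the rest of the report (the BHOs, the DhcpNameServer values, and later the Security Center AntiVirusOverride value in the ComboFix log) before concluding the hosts entries are the whole story.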




#4 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 06 April 2012 - 08:14 AM

Hi,

Could you please run a scan with ComboFix and copy/paste the contents of its log in your next reply.

I will be away from this computer until Tuesday April 9, so please note I won't be able to reply to your reply until then.

Thanks for letting me know.
regards, ratman




#5 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 09 April 2012 - 10:02 AM

Hello mikegru ,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.
regards, ratman




#6 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2012 - 08:32 AM

Are there any instructions for running Combofix? There are warnings when I started the program, and I want to make sure I run it properly. Thanks - Mike

#7 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 10 April 2012 - 09:06 AM

Hello mike ,

Please download ComboFix from the following location.

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on the Combofix icon & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • C:\Combofix.txt

regards, ratman




#8 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2012 - 10:26 AM

ComboFix 12-04-10.01 - user 04/10/2012 11:05:27.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.578 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\SPL183.tmp
c:\documents and settings\user\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-04 16:52 . 2012-04-04 16:52 -------- d-----w- c:\documents and settings\user\Application Data\Panda Security
2012-04-04 16:50 . 2012-04-04 16:50 -------- d-----w- c:\program files\Panda Security
2012-04-04 16:50 . 2012-04-04 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2012-04-04 16:49 . 2012-04-04 16:50 -------- d-----w- C:\temp
2012-04-04 16:35 . 2012-04-04 16:35 159168 ----a-w- c:\windows\system32\drivers\afcdp.sys
2012-04-04 16:35 . 2012-04-04 16:35 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2012-04-04 16:35 . 2012-04-04 16:35 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2012-04-04 16:35 . 2012-04-04 16:35 157248 ----a-w- c:\windows\system32\drivers\snapman.sys
2012-04-04 16:34 . 2012-04-04 16:35 -------- d-----w- c:\program files\Common Files\Acronis
2012-04-04 16:34 . 2012-04-04 16:34 -------- d-----w- c:\program files\Acronis
2012-03-30 16:58 . 2012-03-30 17:00 -------- d-----w- c:\documents and settings\Administrator.MIKEG.000
2012-03-30 16:06 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-13 39408]
"Winpopup LAN Messenger"="c:\program files\Winpopup LAN Messenger\WinPopup.exe" [2008-05-01 1663044]
"BookingBuilder GDS Interface"="c:\program files\BookingBuilder\LMGDSInt.EXE" [2010-03-12 718232]
"BookingBuilder Loader"="c:\program files\BookingBuilder\BBLoader.EXE" [2010-03-12 36864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [2001-05-29 124416]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2010-02-17 36972]
"BookingBuilder GDS Interface"="c:\program files\BookingBuilder\LMGDSInt.EXE" [2010-03-12 718232]
"BookingBuilder Loader"="c:\program files\BookingBuilder\BBLoader.EXE" [2010-03-12 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2006-10-20 73728]
"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-02-01 206120]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-09-12 5048488]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-09-12 357384]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BookingBuilder Desktop.lnk - c:\program files\BookingBuilder\BBDesktop.exe [2010-4-13 3298712]
Worldspan Filter Agent.lnk - c:\wspan\swgw\FilterAgent.exe [2009-11-13 127044]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Winpopup LAN Messenger\\WinPopup.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/16/2011 5:04 PM 64512]
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [4/4/2012 12:35 PM 902432]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [11/23/2011 9:59 AM 130312]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [4/4/2012 12:35 PM 2326920]
R2 BBComm;BookingBuilder Communication Service;c:\program files\BookingBuilder\BBComm.EXE [2/22/2010 6:01 AM 77824]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/30/2012 12:06 PM 652360]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [4/28/2011 12:58 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [1/5/2012 1:10 PM 144008]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 12:57 PM 97096]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [4/28/2011 12:57 PM 111688]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [11/30/2011 6:37 PM 112648]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [4/4/2012 12:35 PM 159168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/30/2012 12:06 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 4:10 PM 135664]
S2 HPM;Worldspan HPM;c:\wspan\swgw\Hpm.exe [11/13/2009 12:56 PM 114688]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 4:10 PM 135664]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 1:06 PM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 1:06 PM 15232]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 20:09]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 20:09]
.
.
------- Supplementary Scan -------
.
uStart Page = https://gopublic.wspan.com/index.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{53F0FA27-1273-4afc-81D0-CB233010B05C} - c:\program files\BookingBuilder\BBIETlBr.exe
Trusted Zone: worldspan.com
Trusted Zone: wspan.com
TCP: DhcpNameServer = 216.199.127.67 216.199.0.132
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-10 11:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-10 11:18:09
ComboFix-quarantined-files.txt 2012-04-10 15:18
.
Pre-Run: 11,890,044,928 bytes free
Post-Run: 12,750,807,040 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A82399DA54312D16E189C9C7C8573F81
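The service and driver list near the top of the ComboFix log above uses one line per entry (`R2 PSINFile;PSINFile;c:\windows\...\PSINFile.sys [4/28/2011 12:57 PM 97096]`). As an added example that is not part of the thread and not ComboFix's own tooling, the parser below turns those lines into records and flags entries whose image path lies outside `c:\windows\` or `c:\program files\`, which is the first thing a helper looks at when reading such a log. The reading of the prefix as `R`/`S` = running/stopped followed by the Windows start-type digit (0 boot, 1 system, 2 auto, 3 manual, 4 disabled) is my assumption about the format; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: four service/driver lines copied from the ComboFix log
# above, plus the separator and heading that follow them in a real log.
SAMPLE_LOG = r"""
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [4/28/2011 12:57 PM 97096]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/30/2012 12:06 PM 20464]
S2 HPM;Worldspan HPM;c:\wspan\swgw\Hpm.exe [11/13/2009 12:56 PM 114688]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder
"""

# Assumed meaning of the two-character prefix (R/S state, digit = start type).
STATE = {"R": "running", "S": "stopped"}
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# "<state><start> <name>;<display>;<path> [<M/D/YYYY h:MM AM/PM> <size>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (?P<size>\d+)\]$"
)

# Directories a driver or service image is normally expected to live under.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    state: str
    start_type: str
    modified: datetime
    size: int


def parse_services(text: str) -> list[ServiceEntry]:
    """Parse every ComboFix service/driver line in `text`; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # separators, headings, entries with a missing file ([x]) etc.
        entries.append(
            ServiceEntry(
                name=m["name"],
                display=m["display"],
                path=m["path"],
                state=STATE[m["state"]],
                start_type=START_TYPE[m["start"]],
                modified=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p"),
                size=int(m["size"]),
            )
        )
    return entries


def outside_expected_dirs(entries: list[ServiceEntry]) -> list[ServiceEntry]:
    """Entries whose image is not under the usual Windows/Program Files roots."""
    return [e for e in entries if not e.path.lower().startswith(EXPECTED_PREFIXES)]


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.state:8} {e.start_type:8} {e.name:15} {e.path}")
    for e in outside_expected_dirs(parsed):
        print("review:", e.name, "->", e.path)
```

On the sample above the only entry flagged is `HPM` under `c:\wspan\swgw\`, which in this thread is a legitimate travel-agency application; the flag is a prompt to look, not a verdict.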

#9 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 10 April 2012 - 10:41 AM

Hello mike ,

I'd like you to run a scan with aswMBR
Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

====================================================================================

In your next reply, please copy/paste the contents of the following:
  • aswMBR Log


How is your machine running now?
regards, ratman

a proud member of:
Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM

If I have helped and you would like to show your appreciation you may Posted Image to the cause.



#10 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2012 - 10:42 AM

I just tried Google again, and at least for the few times I tried, am not being redirected.

#11 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2012 - 11:09 AM

Here is the log file. Google seems to be working fine now - thanks!

Oops ... forgot the file ....

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-10 12:05:50
-----------------------------
12:05:50.338 OS Version: Windows 5.1.2600 Service Pack 3
12:05:50.338 Number of processors: 1 586 0x801
12:05:50.338 ComputerName: MIKEG UserName: user
12:05:50.809 Initialize success
12:06:30.836 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:06:30.836 Disk 0 Vendor: WDC_WD400BB-00CAA1 17.07W17 Size: 38166MB BusType: 3
12:06:30.856 Disk 0 MBR read successfully
12:06:30.856 Disk 0 MBR scan
12:06:30.856 Disk 0 Windows XP default MBR code
12:06:30.866 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
12:06:30.866 Disk 0 scanning sectors +78140160
12:06:30.936 Disk 0 scanning C:\WINDOWS\system32\drivers
12:06:38.427 Service scanning
12:06:51.165 Modules scanning
12:06:58.886 Disk 0 trace - called modules:
12:06:58.906 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaidexp.sys PCIIDEX.SYS
12:06:58.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867caab8]
12:06:58.906 3 CLASSPNP.SYS[f786ffd7] -> nt!IofCallDriver -> \Device\0000005f[0x867e4f18]
12:06:59.247 5 ACPI.sys[f77e6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x867cb940]
12:06:59.257 Scan finished successfully
12:07:23.211 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
12:07:23.221 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

#12 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 10 April 2012 - 11:13 AM

Hi Mike,

Things are looking better.

I'd like to run a scan with Malwarebytes (please ensure virus definitions are up to date) and post its log in your next reply.
regards, ratman




#13 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2012 - 11:43 AM

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
user :: MIKEG [administrator]

Protection: Enabled

4/10/2012 12:33:28 PM
mbam-log-2012-04-10 (12-33-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 225114
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 ratman

ratman

    Bleepin' gnawing at it!


  • Malware Response Team
  • 1,799 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Scotland
  • Local time:08:57 AM

Posted 10 April 2012 - 11:53 AM

Hello mikegru ,

Still looking good.

You have an outdated version of Java installed which needs to be replaced.

Use Add/Remove programs to uninstall J2SE Runtime Environment 5.0

Additional instructions can be found here if needed

=========================================================

We need to bring your Java up to date.

  • Update your Java version here:

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.
=================================================================================

I'd like us to scan your machine with ESET OnlineScan
  • Right click on the following link and open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


In your next reply, please copy/paste the contents of the following:
  • ESETScan
How is your machine running now? Do you have any outstanding issues?

regards, ratman




#15 mikegru

mikegru
  • Topic Starter

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 10 April 2012 - 02:12 PM

Google seems to be working properly now, and as far as other issues, I think we're good. I have a new PC here ready to take over for this dinosaur, and since we're loading everything from this machine to the new one, we wanted to make sure we didn't copy any bad stuff to the new PC. How do the logs look to you? Thanks so much for your help.

Mike



