Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with Google Redirect virus

  • This topic is locked This topic is locked
45 replies to this topic

#1 roweysvn


  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 16 October 2012 - 07:26 PM

Hi team

I've got a client's PC (Windows XP 32Bit) that I believe is infected with a Google redirection virus. Everything else appears to be ok, but when clicking on Google search results, I'm sent to pages filled with ads etc.

I've run through a few guides on this website, I've tried the TDSSKiller from Kapersky as well as Malwarebytes, SUPERAnti Spyware and the ESET Online Scanner to no avail (Malwarebytes and SUPERAnti Spyware picked up on malicious files and removed them but the problem still exists).

I've also removed IE 8, and then removed IE from the computer, rebooted and added IE6 back onto the PC and the problem still exists. I flushed the Java temporary files, and even uninstalled Java, I've also flushed the DNS cache, temporary internet files and checked for static DNS and proxy (none of which exist).

This is the only computer on the domain that is having this trouble so I doubt it would be a router/firewall issue.

Some basic specs on the PC.

HP Desktop running Windows XP SP3. Symantec Endpoint Protection is the AV Suite being used and Internet Explorer 8 was the browser being used (though currently it's just IE 6 while I troubleshoot)

Here is the DDS.txt log -- I have also attached the attach.txt, ark.txt and hijackthis.txt logs to this post

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by Administrator at 9:59:39 on 2012-10-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1977.1047 [GMT 10:00]
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
============== Running Processes ================
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Desktop.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\teamviewer\version7\TeamViewer.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Card2Anywhere\Card2Anywhere.exe
C:\Program Files\Kyocera\FileUtility\NsCatCom.exe
C:\Program Files\Magswipe\CaspadMSRApp.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\card2a~1.lnk - c:\program files\card2anywhere\Card2Anywhere.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Common Drive Mapping.bat
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Opera Login.url
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scanne~1.lnk - c:\program files\kyocera\fileutility\NsCatCom.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\magswipe\CaspadMSRApp.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Tourdesk Mapping.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vingca~1.lnk - c:\vision\vision.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: legalnoticecaption = Radisson Gold Coast
mPolicies-System: legalnoticetext = ======================================================
This company-supplied technology you are about to use is owned by Radisson Gold Coast and has been provided for
business purposes. Incidental, personal use of company-supplied technologies is permitted as long as such use
does not adversely impact the employee's work or general business operations. You should never use these technologies
in a way that would be construed as inappropriate, unlawful, or unprofessional. Users of company-supplied technologies
should have no expectations of privacy. Unless restricted or limited by law, all data residing on this company supplied
technology is the property of the company and is subject to the company's review whenever the company deems necessary.
Unauthorised changes to company-supplied technologies are prohibited. By using this comapny-supplied technology,
you consent to all of the above.
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4E1318B0-53F0-4274-99FB-F5621625340D} - hxxp://rdgoldw2k302/installOperaPrintCtrl.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259224651899
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAAC8ECF-DB09-4821-8126-E2C9499A20BA} - hxxp://rdgoldw2k302/installregterm.exe
TCP: NameServer =
TCP: Interfaces\{1F7300B8-E106-479E-8E99-94F8B8CC5D0B} : DHCPNameServer =
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-12 214024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-3-22 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-3-22 108392]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-16 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-16 676936]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-18 11032]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-3-22 1839776]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-9-1 2759080]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-11-12 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-11-12 149600]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-16 106656]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-19 44800]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-16 22856]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20121016.002\NAVENG.SYS [2012-10-17 92704]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20121016.002\NAVEX15.SYS [2012-10-17 1601184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-13 250808]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-3-22 23888]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-11-12 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-11-12 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-11-12 34248]
S3 SCMSDKUSBI;STC-II SDK Device;c:\windows\system32\drivers\scmsdk.sys [2011-11-24 30964]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2012-10-16 23:05:02 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2012-10-16 23:05:00 532480 ------w- c:\windows\system32\dllcache\mstime.dll
2012-10-16 23:05:00 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2012-10-16 23:04:59 449536 ------w- c:\windows\system32\dllcache\mshtmled.dll
2012-10-16 23:04:58 37888 ------w- c:\windows\system32\dllcache\url.dll
2012-10-16 23:04:56 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2012-10-16 23:04:52 633344 ------w- c:\windows\system32\dllcache\urlmon.dll
2012-10-16 23:04:49 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2012-10-16 23:04:48 1510400 ------w- c:\windows\system32\dllcache\shdocvw.dll
2012-10-16 23:04:45 3088896 ------w- c:\windows\system32\dllcache\mshtml.dll
2012-10-16 23:04:42 852480 ------w- c:\windows\system32\dllcache\vgx.dll
2012-10-16 05:57:36 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2012-10-16 05:57:35 434176 ------w- c:\windows\system32\dllcache\vbscript.dll
2012-10-16 05:43:46 -------- d-----w- C:\MGtools
2012-10-16 05:43:32 1682615 ----a-w- C:\MGtools.exe
2012-10-16 04:53:10 -------- d-sh--w- c:\documents and settings\administrator.rdgold\IECompatCache
2012-10-16 04:02:51 -------- d-----w- c:\program files\ESET
2012-10-16 03:56:31 -------- d-----w- c:\documents and settings\administrator.rdgold\application data\Windows Search
2012-10-16 03:31:29 -------- d-sha-r- C:\cmdcons
2012-10-16 03:13:40 98816 ----a-w- c:\windows\sed.exe
2012-10-16 03:13:40 256000 ----a-w- c:\windows\PEV.exe
2012-10-16 03:13:40 208896 ----a-w- c:\windows\MBR.exe
2012-10-16 03:06:27 -------- d-----w- c:\program files\CCleaner
2012-10-16 01:10:00 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-16 00:56:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-10-16 00:56:16 -------- d-----w- c:\windows\system32\wbem\Repository
2012-10-16 00:55:44 -------- d-----w- c:\program files\Aimersoft
2012-10-15 03:30:57 -------- d-----w- c:\program files\Enigma Software Group
2012-10-15 02:00:33 -------- d-----w- c:\documents and settings\administrator.rdgold\application data\SUPERAntiSpyware.com
2012-10-15 02:00:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-10-15 02:00:13 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-10-15 00:44:14 -------- d-----w- c:\documents and settings\administrator.rdgold\application data\Malwarebytes
2012-10-15 00:44:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-10-15 00:44:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-15 00:33:22 -------- d-----w- c:\program files\TeamViewer
2012-10-10 23:09:47 98304 --sha-r- c:\windows\system32\vss_ps0.dll
2012-10-10 23:09:47 98304 --sha-r- c:\windows\system32\olecli323.dll
2012-10-10 09:49:23 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-10-10 09:49:23 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
==================== Find3M ====================
2012-10-16 04:48:29 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2012-10-09 08:14:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 08:14:19 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-30 20:29:36 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-08-30 20:29:36 667136 ----a-w- c:\windows\system32\wininet.dll
2012-08-30 20:29:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-08-28 13:00:25 369664 ----a-w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
============= FINISH: 10:00:37.55 ===============

Attached Files

Edited by roweysvn, 16 October 2012 - 09:57 PM.

BC AdBot (Login to Remove)


#2 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 18 October 2012 - 10:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#3 roweysvn

  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 22 October 2012 - 10:46 PM


Sorry for the slow response, I haven't been able to continue troubleshooting till today.

I followed the suggestions you made and the problem still occurs. I have attached the logs as requested

Thanks in advance

Attached Files

#4 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 23 October 2012 - 09:10 AM

Get the latest version of the Adobe Reader.
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Sn].txt (n is a number)..

The redirection can come from Add-ons or Extensions.

bad ones that I know of.
Extension version 1.29
XUL Cache 1.0
safe browsing 2.0.14
feedly xt 10.2.437
JavaString Helper
Translate This!

Default Extension 1.0 in chrome.
Source: http://productforums.google.com/forum/#!category-topic/chrome/report-a-problem-and-get-troubleshooting-help/eAMUtQjr3t8

Please let me know what problem persists with this computer.

#5 roweysvn

  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 24 October 2012 - 01:02 AM

Hi Nasdaq,

Thanks for your reply

I've followed your recommendations and the log file is attached.

Unfortunately the problem still exists. The version of Adobe Reader that is being used is for a specific program so rather than updating, I removed Adobe Reader completely and the problem still remains. I've also disabled all add ons and this hasn't seemed to help either

The list of addons that are currently installed (all disabled though) are as follows:

Not Available
Windows Messenger
Diagnose Connection Problem

Microsoft Corporation:
Windows Media Player

Micros Systems Inc:
OperaPrintControl Object

Adobe Systems Incorporated:
Shockwave Flash Object

Control Name is not available:
JiniitiatorCheck Object

Also for what it's worth I've just installed FireFox and Chrome and the issue is happening with both browsers.

Thanks again for your assistance.

Edited by roweysvn, 24 October 2012 - 01:14 AM.

#6 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 24 October 2012 - 08:28 AM

Try these fixes one at a time. If the problem persists do the next one.

Go Posted Image > run box and type cmd and hit OK
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save


[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

Then, disconnect from the Internet!
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

If still no joy, then your router may be infected. (If applicable.)

How to Reset a Router Back to the Factory Default Settings

Then, please reconfigure it back to your preferred setting.. Below is the list of default username and password, should you don't know it ;)


Reset for Linksys, Netgear, D-Link and Belkin Routers

How to Secure Your Wireless Router

How To Set Up a Network Router

Keep me posted.

#7 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 30 October 2012 - 10:08 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!

#8 roweysvn

  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 30 October 2012 - 09:29 PM

Hi there

Thanks for your reply, we've tried all the suggestions aside from the router reset as it's in a corporate environment and we're unable to reset the router at this time, still no luck with the registry changes you mentioned though.

Do you have any other suggestions? Our next step is to format the PC and start again.



#9 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 31 October 2012 - 08:25 AM

If other using the router are not redirected then it's not the router.

We might get lucky.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:[list]
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.


>>> Download to your Desktop GooredFix by jpshortstuff from here or here
Ensure all Firefox windows are closed and right-click on GooredFix.exe and select Run As Administrator. Click Yes when prompted to run the scan.
GooredFix will check for infections, and then a log will appear and can also be found on your desktop, called GooredFix.txt.
Please copy and paste the contents of this log in your next reply.

p.s. On a Vista or Windows 7 computer right-click and select Run As Administrator.

#10 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 06 November 2012 - 08:59 AM

Are you still with me?

#11 roweysvn

  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 11 November 2012 - 08:20 PM

Hi nasdaq, thanks for your replies. I've been away on leave for the past 10 days and have returned to work today. I'll have an opportunity to test this out tomorrow when I go on site to this particular client and will see how this goes.


#12 roweysvn

  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 12 November 2012 - 08:39 PM


Malwarebytes Anti-Malware

Database version: v2012.11.13.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: RGCD6 [administrator]

13/11/2012 11:17:37 AM
mbam-log-2012-11-13 (11-17-37).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 495582
Time elapsed: 18 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\macw\Application Data\Otzi\yhyv.exe (Trojan.Agent.EDDGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\macw\Local Settings\Temp\tmp0f061318.exe (Trojan.Agent) -> Quarantined and deleted successfully.


#13 roweysvn

  • Topic Starter

  • Members
  • 23 posts
  • Local time:03:54 AM

Posted 12 November 2012 - 08:48 PM

Just FYI the problem still exists even after running GooredFix.exe

GooredFix Log

GooredFix by jpshortstuff (
Log created at 11:49 on 13/11/2012 (Administrator)
Firefox version [Unable to determine]

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:50 11/11/2009]


Edited by roweysvn, 12 November 2012 - 08:51 PM.

#14 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 13 November 2012 - 07:57 AM

Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.

Link 1 Bleepingcomputer
Link 2 RogueKiller (par Tigzy)

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.


#15 nasdaq


  • Malware Response Team
  • 40,528 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:54 PM

Posted 19 November 2012 - 09:04 AM

Are you still with me?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users