
Author Topic: Google redirects my webpage  (Read 16181 times)


Jinxie

  • Guest
Google redirects my webpage
« on: November 16, 2007, 07:48:28 PM »
Hi
Just recently my computer is somehow redirecting the webpages I click on when I do a Google search. For example, I search for something related to cars in Google. When I click that link it takes me to a webpage that has nothing to do with what I searched for, i.e. spyware or adult stuff. It takes 2 or 3 times of clicking on the original link to get the page I want from Google.
I have tried Ad-Aware 2007 and Spybot Search & Destroy with no luck.
All help greatly appreciated!!
BTW... this is a fresh install of XP SP2 as I just lost my previous HD last week. (It is getting fixed as we speak... new heads). I haven't had luck on my side this past week! Everything worked fine for a week until today.

Broni


    Mastermind
  • Kraków my love :)
  • Thanked: 614
    • Computer Help Forum
  • Computer: Specs
  • Experience: Experienced
  • OS: Windows 8
Re: Google redirects my webpage
« Reply #1 on: November 16, 2007, 08:00:00 PM »
Welcome aboard ;D

Download HijackThis: http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html
and post its log back here.

Jinxie

  • Guest
Re: Google redirects my webpage
« Reply #2 on: November 16, 2007, 08:09:24 PM »
Hi
Thanks!  ;D

Here you go...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:35 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.gc.ca/city/pages/mb-38_metric_e.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDAF9F3-5059-43CE-A6A6-FABF2F6FE89E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.158 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 85.255.116.158,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5672 bytes

Broni


Re: Google redirects my webpage
« Reply #3 on: November 16, 2007, 08:13:06 PM »
Let me take a look.

Broni


Re: Google redirects my webpage
« Reply #4 on: November 16, 2007, 08:30:30 PM »
1. Print this post out, since you won't have access to it at some point.

2. Download, and install Spybot (if you don't have it) from here: http://www.safer-networking.org/en/download/index.html

3. Close all windows, except for HJT.

4.
***** If:
Quote
OrgName:    Freedom Networks LLC
OrgID:      FNL-6
Address:    50 Freemont St.
Address:    16 Floor
City:       San Francisco
StateProv:  CA
PostalCode: 94105
Country:    US
is NOT your ISP,
put a checkmark next to the following HJT entries:
- O17 - HKLM\System\CCS\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 208.67.220.220,208.67.222.222
- O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDAF9F3-5059-43CE-A6A6-FABF2F6FE89E}: NameServer = 208.67.220.220,208.67.222.222
- O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
- O17 - HKLM\System\CS1\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 208.67.220.220,208.67.222.222
- O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

***** If:
Quote
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv: 
PostalCode: 1001EB
Country:    NL
is NOT your ISP,
put a checkmark next to the following HJT entries:
- O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.158 85.255.112.109
- O17 - HKLM\System\CS2\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 85.255.116.158,85.255.112.109

5. Click on "Fix It" button.

6. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)

7. Run Spybot (check for updates, first), and fix whatever it asks you to fix.

8. Open Windows Explorer. Go Tools>Folder Options, put a checkmark next to "Show hidden files, and folders".

9. Delete following files (if they still exist):

nothing to remove

10. Turn off System Restore:

- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.   
   6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection tab, find Available Disks
   6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
   8. Click OK

11. Restart in Normal Mode.

12. Turn System Restore on.

13. Run HJT again, and post its log back here.
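
An added example, not part of the original post: a Python sketch of the O17 check in step 4. It parses the NameServer lines of a HijackThis log, groups the resolvers by registry control set, and lists the entries whose resolvers are not on a list the machine's owner recognises. The function names and the 192.0.2.53 resolver are assumptions made for illustration; the log lines are the O17 lines from the log posted above.

```python
import ipaddress
import re

# O17 lines copied from the first HijackThis log in this thread.
# HijackThis abbreviates CurrentControlSet as CCS and ControlSet00N as CSN.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CDAF9F3-5059-43CE-A6A6-FABF2F6FE89E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.158 85.255.112.109
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F268CEC-6ADF-4F70-85A7-BC3096970FFD}: NameServer = 85.255.116.158,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Matches only O17 NameServer lines; the scope is either the global
# Tcpip\Parameters key or one per-interface {GUID} key.
O17_RE = re.compile(
    r"^\s*O17 - HKLM\\System\\(?P<control_set>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>Parameters|\.\.\\\{[0-9A-Fa-f-]+\}): "
    r"NameServer = (?P<servers>.+?)\s*$"
)


def parse_o17(log_text):
    """Return one dict per O17 NameServer line: control set, scope, resolvers."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m is None:
            continue  # any other log line, including other O17 values
        servers, invalid = [], []
        # The registry value may be comma- or space-separated (both occur above).
        for token in filter(None, re.split(r"[,\s]+", m["servers"])):
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                invalid.append(token)  # keep unparseable values for review
        entries.append({"control_set": m["control_set"], "scope": m["scope"],
                        "servers": servers, "invalid": invalid})
    return entries


def servers_by_control_set(entries):
    """Map each control set to the set of resolver addresses configured in it."""
    grouped = {}
    for e in entries:
        grouped.setdefault(e["control_set"], set()).update(
            str(ip) for ip in e["servers"])
    return grouped


def control_sets_disagree(entries):
    """True when the control sets do not all list the same resolvers."""
    distinct = {frozenset(s) for s in servers_by_control_set(entries).values()}
    return len(distinct) > 1


def unexpected_entries(entries, expected_resolvers):
    """Entries with a resolver outside the addresses/CIDRs the owner expects."""
    nets = [ipaddress.ip_network(r, strict=False) for r in expected_resolvers]
    flagged = []
    for e in entries:
        unknown = [ip for ip in e["servers"] if not any(ip in n for n in nets)]
        if unknown or e["invalid"]:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    found = parse_o17(SAMPLE_LOG)
    for cs, servers in sorted(servers_by_control_set(found).items()):
        print(cs, sorted(servers))
    print("control sets disagree:", control_sets_disagree(found))
    # Hypothetical owner whose only known resolver is 192.0.2.53 (constructed).
    for e in unexpected_entries(found, ["192.0.2.53"]):
        print("review:", e["control_set"], e["scope"],
              [str(ip) for ip in e["servers"]])
```

With the hypothetical 192.0.2.53 list, every O17 entry is listed for review, which corresponds to the "neither is my ISP" case in the thread.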

Jinxie

  • Guest
Re: Google redirects my webpage
« Reply #5 on: November 16, 2007, 08:49:48 PM »
Neither one should be my ISP (I don't think), especially the AMSTERDAM one.....should I delete them both anyway?

Broni


Re: Google redirects my webpage
« Reply #6 on: November 16, 2007, 08:51:19 PM »
Fix them all, then. Post back with new log.

Jinxie

  • Guest
Re: Google redirects my webpage
« Reply #7 on: November 16, 2007, 09:23:26 PM »
Ok.....how's this looking?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:29 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.gc.ca/city/pages/mb-38_metric_e.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4817 bytes

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Google redirects my webpage
« Reply #8 on: November 16, 2007, 09:58:17 PM »
Did Spybot remove anything?

Are you still having problems?

Jinxie

  • Guest
Re: Google redirects my webpage
« Reply #9 on: November 16, 2007, 11:26:02 PM »
I think it was Zlob DNS changer it removed.
Tried it a dozen or so times....so far so good!

evilfantasy

Re: Google redirects my webpage
« Reply #10 on: November 16, 2007, 11:46:46 PM »
We should run another scan to be sure it is gone. Zlob is a trojan and can be well hidden.

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter at the prompt)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall.

Broni


Re: Google redirects my webpage
« Reply #11 on: November 17, 2007, 08:49:47 AM »
Your HJT log looks good. No more redirections?

Jinxie

  • Guest
Re: Google redirects my webpage
« Reply #12 on: November 17, 2007, 12:14:15 PM »
I have tried it again today and it still seems to be working good!
Thanks for the help!

Broni


Re: Google redirects my webpage
« Reply #13 on: November 17, 2007, 12:18:58 PM »
Cool thing  8) 8) 8)
Stay safe :P

Jinxie

  • Guest
Re: Google redirects my webpage
« Reply #14 on: November 17, 2007, 07:11:11 PM »
Crap.....btcar.com and 22traffic.com are coming up again when I try and link to a page from google.
Now what? I have been away for 8 hrs and things were good before I left!!

Thanks

Broni


Re: Google redirects my webpage
« Reply #15 on: November 17, 2007, 07:17:01 PM »
Post a new HJT log, and in a moment I'll have a couple of programs you'll want to install to prevent the same thing from happening in the future.

Broni


Re: Google redirects my webpage
« Reply #16 on: November 17, 2007, 07:20:04 PM »
I don't know how I missed it before, but I can't see any antivirus program or firewall running on your computer.
Do you have at least Windows firewall enabled?

honvetops



    Specialist
  • Hardware rocks ~
  • Thanked: 8
    Re: Google redirects my webpage
    « Reply #17 on: November 17, 2007, 07:27:10 PM »
    this thread needs Chris..... I'll see if he's around...

    unless Broni*, who is quite capable, nails it 1st*

    « Last Edit: November 17, 2007, 07:52:02 PM by honvetops »
    mobo- MSI P6N SLI / LCD Samsung  226BW
    Ram- G-Skill dual HQ / Speakers- 5300e's
    Fatality Hi-Fi Soundcard
    cpu - currently ~ E6600 / Foxfire only
    dual~Seagate 320 gig sata's
    8800 gts- MSI /Verizon Fios
        news is knowledge

    Broni


    Re: Google redirects my webpage
    « Reply #18 on: November 17, 2007, 07:41:29 PM »
    1. Turn your Windows firewall on (for now):
       a.   Click Start, click Run, type Firewall.cpl, and then click OK.
       b.   On the General tab, click On (recommended), and then click OK.

    2. Download, and install free antivirus AVG: http://free.grisoft.com/

    3. Download (don't install, yet) free Comodo firewall: http://www.personalfirewall.comodo.com/

    4. Turn your Windows firewall off:
       a.   Click Start, click Run, type Firewall.cpl, and then click OK.
       b.   On the General tab, click Off (not recommended), and then click OK.

    5. Install Comodo firewall.

    6. Run full AVG scan.

    7. Post new HijackThis log.

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #19 on: November 17, 2007, 08:16:43 PM »
    My Windows firewall showed it being on.
    Just downloading other stuff.....will post shortly

    Broni


    Re: Google redirects my webpage
    « Reply #20 on: November 17, 2007, 08:19:17 PM »
    Good :)

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #21 on: November 17, 2007, 08:56:11 PM »
    AVG-No threats found

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:54:35 PM, on 11/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Comodo\Firewall\cpf.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.gc.ca/city/pages/mb-38_metric_e.html
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    --
    End of file - 5867 bytes

    Broni


    Re: Google redirects my webpage
    « Reply #22 on: November 17, 2007, 09:00:53 PM »
    Quote
    AVG-No threats found
    Cool....Let me check your HJT log...

    Broni


    Re: Google redirects my webpage
    « Reply #23 on: November 17, 2007, 09:07:43 PM »
    Your HJT log is nice and clean. It looks good with all those new protections.
    I'm gonna give you two more weapons for your protective arsenal....
    Download, and install (both free):
    - Spyware Terminator: http://www.spywareterminator.com/
    - a-squared: http://www.emsisoft.com/en/software/free/
    and you're gonna be good to go.

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #24 on: November 17, 2007, 09:35:25 PM »
    Still getting redirected  :'(

    I give up?

    Broni


    Re: Google redirects my webpage
    « Reply #25 on: November 17, 2007, 09:47:23 PM »
    Search your computer for:
    hosts
    file, and either attach it here, or if it's too big, email it to me.

    Broni


    Re: Google redirects my webpage
    « Reply #26 on: November 17, 2007, 09:49:00 PM »
    Open it in Notepad.

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #27 on: November 18, 2007, 07:22:35 AM »
    I let Spybot run last night.
    It picked up 16 infections including Zlob again.
    I deleted them, but I'm sure they will be back.

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #28 on: November 18, 2007, 07:30:23 AM »
    Here are the hosts I found...

    hosts
    Imhosts

    Not sure, but I couldn't open them in Notepad.

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #29 on: November 18, 2007, 07:32:06 AM »
    ok....here they are

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host

    127.0.0.1       localhost





    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to computernames
    # (NetBIOS) names.  Each entry should be kept on an individual line.
    # The IP address should be placed in the first column followed by the
    # corresponding computername. The address and the computername
    # should be separated by at least one space or tab. The "#" character
    # is generally used to denote the start of a comment (see the exceptions
    # below).
    #
    # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
    # files and offers the following extensions:
    #
    #      #PRE
    #      #DOM:<domain>
    #      #INCLUDE <filename>
    #      #BEGIN_ALTERNATE
    #      #END_ALTERNATE
    #      \0xnn (non-printing character support)
    #
    # Following any entry in the file with the characters "#PRE" will cause
    # the entry to be preloaded into the name cache. By default, entries are
    # not preloaded, but are parsed only after dynamic name resolution fails.
    #
    # Following an entry with the "#DOM:<domain>" tag will associate the
    # entry with the domain specified by <domain>. This affects how the
    # browser and logon services behave in TCP/IP environments. To preload
    # the host name associated with #DOM entry, it is necessary to also add a
    # #PRE to the line. The <domain> is always preloaded although it will not
    # be shown when the name cache is viewed.
    #
    # Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
    # software to seek the specified <filename> and parse it as if it were
    # local. <filename> is generally a UNC-based name, allowing a
    # centralized lmhosts file to be maintained on a server.
    # It is ALWAYS necessary to provide a mapping for the IP address of the
    # server prior to the #INCLUDE. This mapping must use the #PRE directive.
    # In addtion the share "public" in the example below must be in the
    # LanManServer list of "NullSessionShares" in order for client machines to
    # be able to read the lmhosts file successfully. This key is under
    # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
    # in the registry. Simply add "public" to the list found there.
    #
    # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
    # statements to be grouped together. Any single successful include
    # will cause the group to succeed.
    #
    # Finally, non-printing characters can be embedded in mappings by
    # first surrounding the NetBIOS name in quotations, then using the
    # \0xnn notation to specify a hex value for a non-printing character.
    #
    # The following example illustrates all of these extensions:
    #
    # 102.54.94.97     rhino         #PRE #DOM:networking  #net group's DC
    # 102.54.94.102    "appname  \0x14"                    #special app server
    # 102.54.94.123    popular            #PRE             #source server
    # 102.54.94.117    localsrv           #PRE             #needed for the include
    #
    # #BEGIN_ALTERNATE
    # #INCLUDE \\localsrv\public\lmhosts
    # #INCLUDE \\rhino\public\lmhosts
    # #END_ALTERNATE
    #
    # In the above example, the "appname" server contains a special
    # character in its name, the "popular" and "localsrv" server names are
    # preloaded, and the "rhino" server name is specified so it can be used
    # to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
    # system is unavailable.
    #
    # Note that the whole file is parsed including comments on each lookup,
    # so keeping the number of comments to a minimum will improve performance.
    # Therefore it is not advisable to simply add lmhosts file entries onto the
    # end of this file.

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #30 on: November 18, 2007, 07:34:40 AM »
    I just tried linking from google again after deleting those files from spy bot.
    It immediately redirected me twice before getting the right page.

    evilfantasy

    Re: Google redirects my webpage
    « Reply #31 on: November 18, 2007, 09:07:09 AM »
    From post #10

    We should run another scan to be sure it is gone. Zlob is a trojan and can be well hidden.

    Please download Combofix by sUBs from either here or here

    Save Combofix.exe to your Desktop.

    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter at the prompt)
    2. When finished, it will produce a log for you.
    3. Attach that log in your next reply.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause your computer to stall.

    Broni


    Re: Google redirects my webpage
    « Reply #32 on: November 18, 2007, 11:54:04 AM »
    Your "hosts" file is clean....

    Next step:

    Download and scan with SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

        * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
        * An icon will be created on your desktop. Double-click that icon to launch the program.
        * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
        * Under "Configuration and Preferences", click the Preferences button.
        * Click the Scanning Control tab.
        * Under Scanner Options make sure the following are checked (leave all others unchecked):
              o Close browsers before scanning.
              o Scan for tracking cookies.
              o Terminate memory threats before quarantining.
        * Click the "Close" button to leave the control center screen.
        * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
        * On the left, make sure you check C:\Fixed Drive.
        * On the right, under "Complete Scan", choose Perform Complete Scan.
        * Click "Next" to start the scan. Please be patient while it scans your computer.
        * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
        * Make sure everything has a checkmark next to it and click "Next".
        * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
        * If asked if you want to reboot, click "Yes".
        * To retrieve the removal information after reboot, launch SUPERAntispyware again.
              o Click Preferences, then click the Statistics/Logs tab.
              o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
              o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
              o Please copy and paste the Scan Log results in your next reply.
        * Click Close to exit the program.

    Try Google again.
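Added example, not part of the original thread: a hosts-file audit of the kind behind the "hosts file is clean" check above, reporting every active entry other than the stock `127.0.0.1 localhost` mapping. The sample entries, function names, result labels and default path are assumptions made for illustration.

```python
import ipaddress
import sys

# Constructed sample: the stock entry from the hosts file posted in the thread.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
"""

# Constructed sample: entries of the kind a redirect infection could add.
# 203.0.113.7 is a documentation address, the names are illustrative.
TAMPERED_HOSTS = CLEAN_HOSTS + """\
203.0.113.7     www.google.com google.com   # constructed
0.0.0.0         update.example-av.test      # constructed
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every active (non-comment) entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere
        if not entry:
            continue
        fields = entry.split()                 # columns split on spaces or tabs
        yield line_no, fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text):
    """Return (line_no, kind, address, name) for each entry worth a look."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", address, " ".join(names)))
            continue
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue                       # the only entry a stock file has
            # Loopback/unspecified targets make a name unreachable (seen in
            # ad-block lists, and in malware that blocks security updates);
            # any other address silently sends the name somewhere else.
            sinkholed = ip.is_loopback or ip.is_unspecified
            kind = "sinkhole" if sinkholed else "redirect"
            findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    # Assumed default: the standard XP location of the hosts file.
    default = r"C:\WINDOWS\system32\drivers\etc\hosts"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="ascii", errors="replace") as fh:
        for finding in audit_hosts(fh.read()):
            print("line {0}: {1:<9} {3} -> {2}".format(*finding))
```

An empty result matches the "clean" verdict given here; a clean hosts file does not rule out redirection by other means, which is why the thread continues with further scans.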

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #33 on: November 18, 2007, 12:40:30 PM »
    ComboFix 07-11-08.3 - Derek Smith 2007-11-18 12:17:49.1 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.223 [GMT -6:00]
    Running from: C:\Documents and Settings\Derek Smith\Desktop\ComboFix.exe
     * Created a new restore point
    .

       Unable to gain System Privileges

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\kdtsp.exe

    .
    (((((((((((((((((((((((((   Files Created from 2007-10-18 to 2007-11-18  )))))))))))))))))))))))))))))))
    .

    2007-11-18 12:16   51,200   --a------   C:\WINDOWS\NirCmd.exe
    2007-11-18 02:08   271,224   --a------   C:\WINDOWS\system32\mucltui.dll
    2007-11-17 22:15   <DIR>   d--------   C:\Program Files\a-squared Anti-Malware
    2007-11-17 22:12   <DIR>   d--------   C:\Documents and Settings\Derek Smith\Application Data\Spyware Terminator
    2007-11-17 22:12   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2007-11-17 22:11   <DIR>   d--------   C:\Program Files\Spyware Terminator
    2007-11-17 21:29   <DIR>   d--------   C:\Documents and Settings\Derek Smith\Application Data\Comodo
    2007-11-17 21:29   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
    2007-11-17 21:22   <DIR>   d--------   C:\Program Files\Comodo
    2007-11-17 21:20   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-17 21:20   <DIR>   d--------   C:\Documents and Settings\Derek Smith\Application Data\AVG7
    2007-11-17 21:19   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-17 21:19   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-16 20:57   <DIR>   d--------   C:\Program Files\Trend Micro
    2007-11-16 19:58   <DIR>   d--------   C:\WINDOWS\system32\Adobe
    2007-11-16 19:58   16,384   --a------   C:\WINDOWS\system32\FileOps.exe
    2007-11-16 19:57   <DIR>   d--------   C:\Snap-on
    2007-11-16 16:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-16 15:56   <DIR>   d--------   C:\Program Files\Lavasoft
    2007-11-16 15:56   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-11-16 15:55   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-16 03:00   <DIR>   d--------   C:\Program Files\MSXML 4.0
    2007-11-14 22:04   <DIR>   d--------   C:\Documents and Settings\Derek Smith\Application Data\HP
    2007-11-14 22:04   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\HP
    2007-11-14 22:01   <DIR>   d--------   C:\Program Files\Common Files\Sonic Shared
    2007-11-14 22:01   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Sonic
    2007-11-14 21:58   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
    2007-11-14 21:58   <DIR>   d--------   C:\Program Files\Common Files\HP
    2007-11-14 21:56   <DIR>   d--------   C:\Program Files\Hewlett-Packard
    2007-11-14 21:55   <DIR>   d--------   C:\Program Files\Common Files\Hewlett-Packard
    2007-11-14 21:54   16,496   -ra------   C:\WINDOWS\system32\drivers\HPZipr12.sys
    2007-11-14 21:53   77,824   -ra------   C:\WINDOWS\system32\HPZIDS01.dll
    2007-11-14 21:53   49,664   -ra------   C:\WINDOWS\system32\drivers\HPZid412.sys
    2007-11-14 21:53   38,400   --a------   C:\WINDOWS\system32\hpz3l054.dll
    2007-11-14 21:52   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
    2007-11-14 21:52   15,104   --a--c---   C:\WINDOWS\system32\dllcache\usbscan.sys
    2007-11-14 21:51   306,688   --a------   C:\WINDOWS\IsUninst.exe
    2007-11-14 21:51   282,680   --a------   C:\WINDOWS\system32\HPZidr12.dll
    2007-11-14 21:51   204,800   --a------   C:\WINDOWS\system32\HPZipr12.dll
    2007-11-14 21:51   94,208   --a------   C:\WINDOWS\system32\HPZipt12.dll
    2007-11-14 21:51   69,632   --a------   C:\WINDOWS\system32\HPZipm12.exe
    2007-11-14 21:51   65,536   --a------   C:\WINDOWS\system32\HPZinw12.exe
    2007-11-14 21:51   57,344   --a------   C:\WINDOWS\system32\HPZisn12.dll
    2007-11-14 21:50   <DIR>   d--------   C:\Program Files\HP
    2007-11-14 21:50   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
    2007-11-14 21:50   31,616   --a--c---   C:\WINDOWS\system32\dllcache\usbccgp.sys
    2007-11-14 21:50   26,496   --a--c---   C:\WINDOWS\system32\dllcache\usbstor.sys
    2007-11-14 21:50   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
    2007-11-14 21:50   25,856   --a--c---   C:\WINDOWS\system32\dllcache\usbprint.sys
    2007-11-14 21:47   117,094   --a------   C:\WINDOWS\hpoins11.dat
    2007-11-11 21:12   <DIR>   d--------   C:\WINDOWS\Downloaded Installations
    2007-11-11 21:12   <DIR>   d--------   C:\Program Files\Common Files\Adobe
    2007-11-11 11:40   <DIR>   d--------   C:\WINDOWS\Sun
    2007-11-11 11:40   <DIR>   d--------   C:\Program Files\Java
    2007-11-11 11:39   <DIR>   d--------   C:\Program Files\Common Files\Java
    2007-11-10 14:46   <DIR>   d--------   C:\Program Files\Winamp
    2007-11-10 14:46   <DIR>   d--------   C:\Documents and Settings\Derek Smith\Application Data\Winamp
    2007-11-10 14:40   <DIR>   d--------   C:\Program Files\Winamp Remote
    2007-11-10 14:40   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\OrbNetworks
    2007-11-10 14:28   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
    2007-11-10 14:28   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
    2007-11-10 14:24   <DIR>   d--------   C:\Program Files\DivX
    2007-11-10 14:22   <DIR>   d---s----   C:\Documents and Settings\Derek Smith\UserData
    2007-11-10 14:11   17,920   --a------   C:\WINDOWS\system32\mdimon.dll
    2007-11-10 14:10   <DIR>   d--------   C:\WINDOWS\SHELLNEW
    2007-11-10 14:10   <DIR>   d--------   C:\Program Files\Microsoft.NET
    2007-11-10 14:10   <DIR>   d--------   C:\Program Files\Microsoft ActiveSync
    2007-11-10 14:06   145,408   -ra------   C:\WINDOWS\system32\drivers\e100b325.sys
    2007-11-10 14:06   145,408   --a--c---   C:\WINDOWS\system32\dllcache\e100b325.sys
    2007-11-10 14:06   118,784   -ra------   C:\WINDOWS\system32\Prounstl.exe
    2007-11-10 14:06   102,400   -ra------   C:\WINDOWS\system32\drivers\ianswxp.sys
    2007-11-10 14:06   24,064   -ra------   C:\WINDOWS\system32\IntelNic.dll
    2007-11-10 14:06   12,288   -ra------   C:\WINDOWS\system32\e100bmsg.dll
    2007-11-10 14:05   82,944   --a------   C:\WINDOWS\system32\drivers\wdmaud.sys
    2007-11-10 14:05   82,944   --a--c---   C:\WINDOWS\system32\dllcache\wdmaud.sys
    2007-11-10 14:05   6,400   --a------   C:\WINDOWS\system32\drivers\splitter.sys
    2007-11-10 14:05   6,400   --a--c---   C:\WINDOWS\system32\dllcache\splitter.sys
    2007-11-10 14:04   <DIR>   d--------   C:\Program Files\Analog Devices
    2007-11-10 14:00   155,648   --a------   C:\WINDOWS\system32\igfxres.dll
    2007-10-19 18:56   3,596,288   --a------   C:\WINDOWS\system32\qt-dx331.dll
    2007-10-19 18:56   1,044,480   --a------   C:\WINDOWS\system32\libdivx.dll
    2007-10-19 18:56   524,288   --a------   C:\WINDOWS\system32\DivXsm.exe
    2007-10-19 18:56   200,704   --a------   C:\WINDOWS\system32\ssldivx.dll
    2007-10-19 18:54   823,296   --a------   C:\WINDOWS\system32\divx_xx0c.dll
    2007-10-19 18:54   823,296   --a------   C:\WINDOWS\system32\divx_xx07.dll
    2007-10-19 18:54   802,816   --a------   C:\WINDOWS\system32\divx_xx11.dll
    2007-10-19 18:54   739,840   --a------   C:\WINDOWS\system32\DivX.dll
    2007-10-19 18:54   196,608   --a------   C:\WINDOWS\system32\dtu100.dll
    2007-10-19 18:54   81,920   --a------   C:\WINDOWS\system32\dpl100.dll
    2007-10-18 03:06   156,992   --a------   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-10-18 03:03   593,920   --a------   C:\WINDOWS\system32\dpuGUI11.dll
    2007-10-18 03:03   344,064   --a------   C:\WINDOWS\system32\dpus11.dll
    2007-10-18 03:03   294,912   --a------   C:\WINDOWS\system32\dpu11.dll
    2007-10-18 03:03   294,912   --a------   C:\WINDOWS\system32\dpu10.dll
    2007-10-18 03:03   57,344   --a------   C:\WINDOWS\system32\dpv11.dll
    2007-10-18 03:03   53,248   --a------   C:\WINDOWS\system32\dpuGUI10.dll
    2007-10-18 03:02   12,288   --a------   C:\WINDOWS\system32\DivXWMPExtType.dll

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-17 01:57   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
    2007-11-17 01:57   ---------   d-----w   C:\Program Files\Common Files\InstallShield
    2007-11-10 20:05   ---------   d-----w   C:\Program Files\Intel
    2007-11-10 19:47   ---------   d-----w   C:\Program Files\microsoft frontpage
    2007-10-20 00:56   43,528   ------w   C:\WINDOWS\system32\drivers\PxHelp20.sys
    2006-02-19 09:28   12,288   ----a-w   C:\WINDOWS\Fonts\RandFont.dll

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #34 on: November 18, 2007, 12:41:06 PM »
    2nd part....file was too big...

    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-14 10:20]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-12-14 10:07]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-09 23:28]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2007-10-22 18:47]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
    HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 07:56:20]


    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-18 12:38:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-18 12:39:42 - machine was rebooted
    .
       --- E O F ---

    evilfantasy

    Re: Google redirects my webpage
    « Reply #35 on: November 18, 2007, 12:57:58 PM »
    I see you had installed a-squared, did it find anything?

    Is the problem still there?



    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #36 on: November 18, 2007, 06:10:49 PM »
    So far, so good. I think combofix may have done the trick.

    Now that I have like 8 or more additional programs on my computer, which ones should I keep? Which ones should I delete? Which ones should I set up to do regular scans?

    Thanks for the help!!

    Broni


    Re: Google redirects my webpage
    « Reply #37 on: November 18, 2007, 06:18:12 PM »
    Obviously your firewall, and your antivirus.
    Keep "a-squared", and "Spyware Terminator", because they give you real time protection.
    For occasional use have Spybot, and Ad-aware on hand. Once a month, should be plenty.

    I'm glad, your puter is back to normal. :)

    evilfantasy

    Re: Google redirects my webpage
    « Reply #38 on: November 18, 2007, 07:18:58 PM »
    In addition to what Broni has suggested, you might want to look at WinPatrol 2007. WinPatrol 2007 is free. There is also a WinPatrol Plus but it is not free.
    Quote
    As a robust SECURITY MONITOR, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission.

    =====

    IMPORTANT STEP!

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u



    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    =====

    Last is a read from Tony Klein which has some great tips for tightening security: "So how did I get infected in the first place?"

    Safe surfing.....

    Jinxie

    • Guest
    Re: Google redirects my webpage
    « Reply #39 on: November 21, 2007, 08:10:51 PM »
    Thanks again for the help! Everything is still working great!!

    Broni


    Re: Google redirects my webpage
    « Reply #40 on: November 21, 2007, 08:23:15 PM »
    We're happy for you 8) 8) 8)