Active Google Redirect and other trojans

here is the drweb log....

ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Andrew\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Andrew\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Andrew\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Andrew\Desktop;Container contains infected objects;;
A0036758.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426;Probably BATCH.Virus;;
A0036829.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426;Probably BATCH.Virus;;
A0036852.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP426;Program.PsExec.170;;

 

Still don't see anything that could be causing the issue. Does it happen when using IE also?

 

hmmm interesting....hadn't tried IE yet but it turns out that it only happens when I use firefox. Any ideas on how to get rid of it....like maybe reinstall?

 

I would suggest uninstall/reboot/reinstall.

 

Lets check something else first if you haven't already started. Search the C:\Program Files\Mozilla folder and all subfolders for a file named overlay.xul
If present, please upload it to my submission channel for analysis. Leave a link back to this topic.
Let me know it's exact location also.

 

Just submitted the file a minute ago....here is the location

C:\Program Files\Mozilla Firefox\extensions\{80BB2177-2CED-4EEB-8F53-C1F2819B1E9D}\chrome\content

 

Please move the overlay.xul file out of that location then see if FF still redirects, and functions properly otherwise.

 

still redirects but it works fine otherwise

 

Hi pocket1
noahdfear will be away for a few days, so please be patient until his return.

I would try to help you out, but i don't know the contents of the file(s) submitted to him.

Thanks
Geri

 

ok no problem thanks for letting me know.

 

Sorry for the delay,

Highlight and copy the contents of the code box below.

Code:

cd %userprofile%\desktop
reg query  "HKLM\software\microsoft\windows nt\currentversion\drivers32" >peek.txt
start notepad peek.txt
exit
cls

Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on it's own and peek.txt will open. Post it's contents here.

 

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
midimapper REG_SZ midimap.dll
msacm.imaadpcm REG_SZ imaadp32.acm
msacm.msadpcm REG_SZ msadp32.acm
msacm.msg711 REG_SZ msg711.acm
msacm.msgsm610 REG_SZ msgsm32.acm
msacm.trspch REG_SZ tssoft32.acm
vidc.cvid REG_SZ iccvid.dll
vidc.I420 REG_SZ msh263.drv
vidc.iv31 REG_SZ ir32_32.dll
vidc.iv32 REG_SZ ir32_32.dll
vidc.iyuv REG_SZ iyuv_32.dll
vidc.mrle REG_SZ msrle32.dll
vidc.msvc REG_SZ msvidc32.dll
vidc.uyvy REG_SZ msyuv.dll
vidc.yuy2 REG_SZ msyuv.dll
vidc.yvu9 REG_SZ tsbyuv.dll
vidc.yvyu REG_SZ msyuv.dll
wavemapper REG_SZ msacm32.drv
msacm.msg723 REG_SZ msg723.acm
vidc.M263 REG_SZ msh263.drv
vidc.M261 REG_SZ msh261.drv
msacm.msaudio1 REG_SZ msaud32.acm
msacm.sl_anet REG_SZ sl_anet.acm
msacm.l3acm REG_SZ L3CODECA.ACM
vidc.iv41 REG_SZ ir41_32.ax
msacm.iac2 REG_SZ iac25_32.ax
vidc.iv50 REG_SZ ir50_32.dll
wave1 REG_SZ serwvdrv.dll
wave REG_SZ wdmaud.drv
midi REG_SZ wdmaud.drv
mixer REG_SZ wdmaud.drv
msacm.siren REG_SZ sirenacm.dll
vidc.DIVX REG_SZ DivX.dll
vidc.yv12 REG_SZ DivX.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server

 

I'm not sure what did it but over the past few days I have noticed that I haven't really been redirected at all. Maybe from clearing out the cookies after one of the steps earlier took care of it. Anyway thanks for all your help.