
[InActive] Google Redirect Problem - Beginner

Discussion in 'Malware and Virus Removal Archive' started by gray916, 2008/11/16.

  1. 2008/11/17
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    On broadband, hardwired from phone socket into modem into computer.

    I am running ZoneAlarm and AVG 8.

    Any other ideas?
     
  2. 2008/11/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any real-time protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\system32\drivers\Ndisprot.sys
    Driver::
    Ndisprot
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     

  4. 2008/11/19
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    It seems the problem has been fixed. This is the order I (think) I did things:

    Uninstalled the Google toolbar

    Denied any registry changes alerted by Spybot (I denied them in case it was like you say - spoof requests)

    Went to google.co.uk and did a search - everything fine, no redirects

    Reinstalled Google toolbar, and accepted any registry changes from Spybot

    Searched in Google toolbar - everything fine, no redirects.

    Not sure why it worked, maybe it just needed a kick up the proverbial.

    Should I still run that last piece of code you suggested?
     
  5. 2008/11/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, the recommended fix still needs to be done.
     
  6. 2008/11/19
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    Just tried my Google searching again and the problem is back...

    Must have got lucky yesterday...

    I have uninstalled Google toolbar and will run the code you suggest.
     
  7. 2008/11/19
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    Done what was asked, and here it is:

    ComboFix 08-11-18.A2 - Gray 2008-11-19 19:26:13.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703 [GMT 0:00]
    Running from: c:\documents and settings\Gray\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Gray\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\drivers\ndisprot.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\ndisprot.sys
    D:\resycled

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NDISPROT
    -------\Service_Ndisprot


    ((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
    .

    2008-11-16 20:21 . 2008-11-16 20:22 <DIR> d-------- c:\program files\malware
    2008-11-16 20:21 . 2008-11-16 20:21 <DIR> d-------- c:\documents and settings\Gray\Application Data\Malwarebytes
    2008-11-16 20:21 . 2008-11-16 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-16 20:21 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-16 20:21 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-16 17:34 . 2008-11-16 17:34 250 --a------ c:\windows\gmer.ini
    2008-11-16 11:29 . 2008-11-16 17:31 <DIR> d-------- C:\rsit
    2008-11-16 11:29 . 2008-11-16 17:31 <DIR> d-------- c:\program files\trend micro
    2008-11-16 09:43 . 2008-11-16 09:43 <DIR> d-------- C:\!KillBox
    2008-11-15 21:40 . 2008-11-15 21:43 <DIR> d-------- c:\program files\WinAVIVideoConverter
    2008-11-15 21:37 . 2008-11-17 21:03 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-15 21:37 . 2008-11-16 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-15 20:52 . 2008-11-15 21:00 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2008-11-15 13:44 . 2008-11-15 13:44 <DIR> d-------- c:\documents and settings\Gray\Application Data\AVS4YOU
    2008-11-15 13:43 . 2008-11-15 13:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
    2008-11-15 13:31 . 2008-11-15 20:59 <DIR> d-------- c:\program files\Common Files\AVSMedia
    2008-11-15 13:31 . 2008-11-15 20:59 <DIR> d-------- c:\program files\AVS4YOU
    2008-11-15 13:31 . 2007-02-27 18:36 1,700,352 --a------ c:\windows\system32\GdiPlus.dll
    2008-11-15 13:31 . 2007-02-27 18:36 974,848 --a------ c:\windows\system32\mfc70.dll
    2008-11-15 13:31 . 2007-02-27 18:36 24,576 --a------ c:\windows\system32\msxml3a.dll
    2008-11-13 09:08 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
    2008-11-13 09:08 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-05 20:57 . 2006-05-03 11:57 520,192 --------- c:\windows\system32\ati2sgag.exe
    2008-11-05 20:47 . 2008-11-05 20:58 <DIR> d-------- c:\program files\ATI Technologies
    2008-11-05 20:18 . 2008-11-16 16:05 139 --a------ c:\windows\WININIT.INI
    2008-11-05 18:55 . 2008-11-17 01:22 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-11-01 11:09 . 2008-11-01 11:09 <DIR> d-------- c:\program files\Alex Buturuga
    2008-10-28 19:08 . 2008-10-28 19:08 <DIR> d-------- c:\windows\system32\scripting
    2008-10-28 19:07 . 2008-10-28 19:07 <DIR> d-------- c:\windows\system32\en
    2008-10-28 19:07 . 2008-10-28 19:07 <DIR> d-------- c:\windows\system32\bits
    2008-10-28 19:07 . 2008-10-28 19:07 <DIR> d-------- c:\windows\l2schemas
    2008-10-27 21:01 . 2008-11-15 22:46 69 --a------ c:\windows\NeroDigital.ini
    2008-10-27 20:55 . 2008-10-27 20:55 30,912 --a------ c:\documents and settings\Gray\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-27 20:33 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
    2008-10-27 20:33 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
    2008-10-27 20:33 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
    2008-10-27 20:33 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
    2008-10-27 20:33 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
    2008-10-27 20:33 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
    2008-10-27 18:30 . 2008-10-27 18:30 <DIR> d-------- c:\program files\MSXML 4.0
    2008-10-26 09:50 . 2008-10-26 09:50 <DIR> d-------- c:\documents and settings\Gray\Application Data\Sonic
    2008-10-26 09:49 . 2008-10-26 09:49 <DIR> d-------- c:\documents and settings\Gray\Application Data\Leadertech
    2008-10-26 09:47 . 2008-10-26 09:47 <DIR> d-------- c:\program files\Belkin
    2008-10-26 09:40 . 2008-11-05 21:04 <DIR> d-------- c:\documents and settings\Gray\Application Data\ATI
    2008-10-26 09:28 . 2008-10-26 09:28 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-10-26 09:27 . 2008-10-26 09:27 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-10-25 21:16 . 2008-04-14 00:12 712,704 --------- c:\windows\system32\windowscodecs.dll
    2008-10-25 21:16 . 2008-04-14 00:12 346,112 --------- c:\windows\system32\windowscodecsext.dll
    2008-10-25 21:16 . 2008-04-14 00:12 276,992 --------- c:\windows\system32\wmphoto.dll
    2008-10-25 21:16 . 2008-04-14 00:12 69,120 --------- c:\windows\system32\wlanapi.dll
    2008-10-25 21:16 . 2008-04-14 00:12 53,248 --------- c:\windows\system32\tsgqec.dll
    2008-10-25 21:16 . 2008-04-14 00:12 50,688 --------- c:\windows\system32\tspkg.dll
    2008-10-25 21:16 . 2008-04-14 00:12 28,672 --------- c:\windows\system32\verclsid.exe
    2008-10-25 21:14 . 2008-04-14 00:11 650,752 --------- c:\windows\system32\dot3ui.dll
    2008-10-25 21:09 . 2008-10-25 21:10 <DIR> d-------- c:\documents and settings\Gray\Application Data\Teleca
    2008-10-25 21:09 . 2007-04-23 14:54 108,680 -ra------ c:\windows\system32\drivers\s115mdm.sys
    2008-10-25 21:09 . 2007-04-23 14:54 100,488 -ra------ c:\windows\system32\drivers\s115mgmt.sys
    2008-10-25 21:09 . 2007-04-23 14:54 98,568 -ra------ c:\windows\system32\drivers\s115obex.sys
    2008-10-25 21:09 . 2007-04-23 14:54 83,208 -ra------ c:\windows\system32\drivers\s115bus.sys
    2008-10-25 21:09 . 2007-04-23 14:54 15,112 -ra------ c:\windows\system32\drivers\s115mdfl.sys
    2008-10-25 21:09 . 2007-04-23 14:54 12,424 -ra------ c:\windows\system32\drivers\s115whnt.sys
    2008-10-25 21:09 . 2007-04-23 14:54 12,424 -ra------ c:\windows\system32\drivers\s115wh.sys
    2008-10-25 21:09 . 2007-04-23 14:54 12,424 -ra------ c:\windows\system32\drivers\s115cmnt.sys
    2008-10-25 21:09 . 2007-04-23 14:54 12,424 -ra------ c:\windows\system32\drivers\s115cm.sys
    2008-10-25 21:07 . 2008-10-25 21:08 <DIR> d----c--- c:\windows\system32\DRVSTORE
    2008-10-25 21:05 . 2008-10-25 21:05 <DIR> d-------- c:\program files\Sony Ericsson
    2008-10-25 21:05 . 2008-10-25 21:05 <DIR> d-------- c:\program files\Common Files\Sony Ericsson Shared
    2008-10-25 21:05 . 2008-10-25 21:05 <DIR> d-------- c:\documents and settings\Gray\Application Data\Sony Ericsson
    2008-10-25 21:04 . 2008-10-25 21:04 <DIR> d-------- c:\windows\Downloaded Installations
    2008-10-25 21:04 . 2008-10-25 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Teleca
    2008-10-25 21:04 . 2008-10-25 21:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
    2008-10-25 20:47 . 2008-10-25 21:07 <DIR> d-------- c:\program files\Common Files\Teleca Shared
    2008-10-25 20:42 . 2008-10-25 20:42 <DIR> d-------- c:\program files\NOS
    2008-10-25 20:42 . 2008-10-26 08:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
    2008-10-25 20:35 . 2008-09-15 12:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
    2008-10-25 20:35 . 2008-09-08 10:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
    2008-10-25 20:35 . 2008-06-13 11:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
    2008-10-25 20:35 . 2008-05-08 14:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
    2008-10-25 20:34 . 2008-08-14 10:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-25 20:34 . 2008-08-14 10:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-25 20:34 . 2008-08-14 09:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-25 20:34 . 2008-08-14 09:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-25 20:34 . 2008-04-11 19:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
    2008-10-25 20:34 . 2008-05-01 14:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
    2008-10-25 20:31 . 2008-10-15 16:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
    2008-10-25 20:21 . 2008-10-26 07:59 51 --a------ c:\windows\iTouch.ini
    2008-10-25 20:17 . 2008-10-25 20:17 <DIR> d-------- c:\program files\Microsoft ActiveSync
    2008-10-25 20:17 . 2008-10-25 20:17 376 --a------ c:\windows\ODBC.INI
    2008-10-25 20:16 . 2008-10-25 20:17 <DIR> d-------- c:\windows\ShellNew
    2008-10-25 20:09 . 2008-10-25 20:09 <DIR> d-------- c:\documents and settings\Gray\Application Data\Ahead
    2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\program files\Nero
    2008-10-25 20:06 . 2008-10-25 20:10 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-10-25 20:06 . 2008-10-25 20:06 81,920 -r------- c:\windows\bwUnin-6.1.4.36-8876480L.exe
    2008-10-25 20:05 . 2002-11-21 08:50 155,648 --a------ c:\windows\system32\ifc21.dll
    2008-10-25 20:05 . 2002-11-08 09:50 152,064 --------- c:\windows\system32\lmoufrc.dll
    2008-10-25 20:05 . 2002-11-21 08:50 105,472 --a------ c:\windows\system32\COMNCTR.DLL
    2008-10-25 20:05 . 2002-11-21 08:50 99,328 --a------ c:\windows\system32\LGUICOM.DLL
    2008-10-25 20:05 . 2002-11-21 08:50 94,208 --a------ c:\windows\system32\FEELIT.DLL
    2008-10-25 20:05 . 2002-11-08 09:50 70,238 --a------ c:\windows\system32\drivers\LMouFlt2.Sys
    2008-10-25 20:05 . 2002-11-08 09:50 52,238 --------- c:\windows\system32\drivers\L8042PR2.SYS
    2008-10-25 20:05 . 2002-11-08 09:50 23,838 --a------ c:\windows\system32\drivers\LHidFlt2.Sys
    2008-10-25 20:05 . 2002-11-08 09:50 19,968 --------- c:\windows\LOGI_MWX.EXE
    2008-10-25 20:05 . 2002-11-21 08:50 16,896 --a------ c:\windows\system32\LMOUSE32.DLL
    2008-10-25 20:05 . 2002-11-08 09:50 4,524 --------- c:\windows\system32\LCOINST.DLL
    2008-10-25 20:05 . 2002-11-21 08:50 3,568 --a------ c:\windows\system32\LMOUSE16.DLL
    2008-10-25 20:04 . 2008-10-25 20:06 <DIR> d-------- c:\program files\Logitech
    2008-10-25 20:04 . 2008-10-25 20:04 <DIR> d-------- c:\program files\Common Files\Logitech
    2008-10-25 20:04 . 2002-11-23 11:15 322,832 --a------ c:\windows\system32\MFC30.DLL
    2008-10-25 20:04 . 2002-11-08 09:50 41,420 --a------ c:\windows\system32\drivers\LHidUsb.sys
    2008-10-25 20:04 . 2002-11-08 09:50 14,156 --a------ c:\windows\system32\drivers\LCcfltr.sys
    2008-10-25 20:04 . 2002-11-15 02:15 12,640 --------- c:\windows\system32\drivers\itchfltr.sys
    2008-10-25 13:33 . 2008-10-25 13:33 <DIR> d-------- C:\OEMCUST
    2008-10-25 13:31 . 2008-11-14 12:32 <DIR> d--h----- c:\windows\$hf_mig$
    2008-10-25 13:29 . 2008-11-19 19:17 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-10-25 13:29 . 2008-10-25 13:29 <DIR> d-------- c:\program files\Windows Media Connect 2
    2008-10-25 13:29 . 2008-10-25 13:29 <DIR> d-------- c:\program files\AVG
    2008-10-25 13:29 . 2008-10-25 20:24 <DIR> d-------- c:\documents and settings\Gray\Application Data\AVGTOOLBAR
    2008-10-25 13:29 . 2008-10-25 13:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-10-25 13:29 . 2008-10-26 09:42 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-10-25 13:29 . 2008-10-25 13:29 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-10-25 13:29 . 2008-10-25 13:29 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-10-25 13:27 . 2008-10-25 13:27 <DIR> d-------- c:\windows\system32\LogFiles
    2008-10-25 13:27 . 2008-10-25 13:28 <DIR> d-------- c:\windows\system32\drivers\UMDF
    2008-10-25 13:19 . 2008-10-25 13:25 316,640 --a------ c:\windows\WMSysPr9.prx
    2008-10-25 13:17 . 2008-10-28 19:08 <DIR> d-------- c:\windows\ServicePackFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-17 01:23 1,618,432 ----a-w c:\windows\Internet Logs\xDB1.tmp
    2008-11-16 18:59 977,334 ----a-w c:\windows\Internet Logs\tvDebug.zip
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
    2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
    2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-08-25 08:38 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
    2008-08-25 08:37 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
    2008-08-23 05:56 635,848 ------w c:\windows\system32\dllcache\iexplore.exe
    2008-08-23 05:54 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-16_16.42.20.48 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
    + 2008-11-16 17:34:40 884,736 ----a-w c:\windows\gmer.dll
    + 2008-04-17 21:13:02 811,008 ----a-w c:\windows\gmer.exe
    + 2008-11-16 17:34:40 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-26 1234712]
    "ATICCC "= "c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-10-25 77824]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Gray\Start Menu\Programs\Startup\
    Flip.lnk - c:\program files\Belkin\Flip\flip.exe [2006-08-22 385024]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2005-11-24 14:38 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2002-12-13 06:10 114688 c:\windows\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2002-12-13 06:22 155648 c:\windows\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    --a------ 2008-10-25 20:06 16384 c:\program files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    -ra------ 2007-06-13 07:16 528384 c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    --a------ 2002-11-23 01:15 631362 c:\program files\Logitech\iTouch\iTouch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
    --------- 2002-11-08 09:50 19968 c:\windows\LOGI_MWX.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-25 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-25 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-25 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-10-25 76040]
    R3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\DRIVERS\s115bus.sys [2008-10-25 83208]
    R3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2008-10-25 15112]
    R3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2008-10-25 108680]
    R3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2008-10-25 100488]
    R3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s115obex.sys [2008-10-25 98568]
    R3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys [1979-12-31 296179]
    R3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [1979-12-31 231983]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-10-25 33752]
    S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\Drivers\LCcFltr.Sys [2008-10-25 14156]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-19 19:32:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-19 19:36:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-19 19:35:52
    ComboFix2.txt 2008-11-16 21:44:25
    ComboFix3.txt 2008-11-16 18:28:57
    ComboFix4.txt 2008-11-16 16:43:06

    Pre-Run: 26,951,794,688 bytes free
    Post-Run: 27,005,272,064 bytes free

    279 --- E O F --- 2008-11-14 12:34:11
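A defender's cross-check of the log above against the CFScript from post 2, added here as an example and not code from the thread or from ComboFix: it parses the Other Deletions and Drivers/Services sections to confirm each File:: and Driver:: directive was acted on, and lists deletions the script did not request (here D:\resycled). The section-parsing rules and the Service_/Legacy_ naming are assumptions drawn from the layout of this log.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix produced.

Added example, not part of the thread or of ComboFix.  CFSCRIPT and
COMBOFIX_LOG are copied (abbreviated) from the thread; the parsing rules
are assumptions drawn from the layout of this log.
"""
import re

# The script noahdfear asked for in post 2 (copied from the thread).
CFSCRIPT = """File::
c:\\windows\\system32\\drivers\\Ndisprot.sys
Driver::
Ndisprot
"""

# The relevant head of the log from post 7 (abbreviated; file listing omitted).
COMBOFIX_LOG = """ComboFix 08-11-18.A2 - Gray 2008-11-19 19:26:13.4 - NTFSx86
Command switches used :: c:\\documents and settings\\Gray\\Desktop\\CFScript.txt
* Created a new restore point

FILE ::
c:\\windows\\system32\\drivers\\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\windows\\system32\\drivers\\ndisprot.sys
D:\\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\\Legacy_NDISPROT
-------\\Service_Ndisprot


((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.
"""

# A section header is a title wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_cfscript(text):
    """Return {directive: [arguments]} for a CFScript, e.g. {'File': [...]}."""
    directives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):          # "File::", "Driver::", ...
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_sections(log):
    """Split a ComboFix log into {section title: [non-empty lines]}."""
    sections = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif line and line != ".":       # "." lines are ComboFix spacers
            sections[current].append(line)
    return sections


def verify(cfscript, log):
    """Map each File::/Driver:: argument to True if the log shows it removed."""
    script = parse_cfscript(cfscript)
    sections = parse_sections(log)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    services = {s.lower() for s in sections.get("Drivers/Services", [])}
    results = {}
    for path in script.get("File", []):
        results[path] = path.lower() in deleted
    for name in script.get("Driver", []):
        # Assumption from this log: a removed service is logged as
        # -------\Service_<name> (with a matching -------\Legacy_<NAME> entry).
        results[name] = f"-------\\service_{name}".lower() in services
    return results


def unexpected_deletions(cfscript, log):
    """Deletions ComboFix made on its own, i.e. not requested by the script."""
    asked = {p.lower() for p in parse_cfscript(cfscript).get("File", [])}
    return [p for p in parse_sections(log).get("Other Deletions", [])
            if p.lower() not in asked]


if __name__ == "__main__":
    for item, ok in verify(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{'removed' if ok else 'NOT removed':>12}: {item}")
    print("also deleted:", unexpected_deletions(CFSCRIPT, COMBOFIX_LOG))
```

The unrequested D:\resycled deletion is the kind of entry a helper reads next, since the scanner report later in the thread ties a resycled\boot.com file to a trojan detection.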
     
  8. 2008/11/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please do an online scan with Kaspersky Online Scanner

    • Click Accept when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.
     
  9. 2008/11/21
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    Hi

    I tried to run the programme but the Accept box is greyed out. I have closed Spybot, AVG and ZoneAlarm. Still greyed out.

    It says I need Java 1.5, which I have installed. Still greyed out.

    One thing I have noticed: with all of this shut down, the redirect seems to have stopped. I shall now do a reboot and try again, see if the redirect comes back, and see if I can run the scan.

    Any other ideas in the meantime?
     
  10. 2008/11/21
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    Reboot worked.

    I am scanning now.
     
  11. 2008/11/21
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, November 21, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, November 21, 2008 16:12:31
    Records in database: 1399616
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    Q:\
    R:\

    Scan statistics:
    Files scanned: 73829
    Threat name: 2
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 03:37:39


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\autorun.inf.vir Infected: Worm.Win32.AutoRun.nuu 1
    C:\Qoobox\Quarantine\C\resycled\boot.com.vir Infected: Trojan.Win32.Agent.aoir 1
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP45\A0012073.inf Infected: Worm.Win32.AutoRun.nuu 1
    C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP46\A0012119.inf Infected: Worm.Win32.AutoRun.nuu 1

    The selected area was scanned.
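A triage of the Kaspersky report above, added as an example (not code from the thread or from Kaspersky): it sorts each detection by where it lives, since the two under C:\Qoobox\Quarantine are ComboFix's quarantined copies and the two under System Volume Information sit in System Restore points, both of which the ComboFix /u cleanup later in the thread removes. The location rules and the quarantine path mapping are assumptions about ComboFix's layout.

```python
"""Triage a Kaspersky Online Scanner 7 report by where each detection lives.

Added example, not part of the thread or of Kaspersky.  REPORT is copied
from the thread; the location rules and the quarantine path mapping are
assumptions about ComboFix's layout, not something the scanner reports.
"""
import re
from collections import Counter

REPORT = """File name / Threat name / Threats count
C:\\Qoobox\\Quarantine\\C\\autorun.inf.vir Infected: Worm.Win32.AutoRun.nuu 1
C:\\Qoobox\\Quarantine\\C\\resycled\\boot.com.vir Infected: Trojan.Win32.Agent.aoir 1
C:\\System Volume Information\\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\\RP45\\A0012073.inf Infected: Worm.Win32.AutoRun.nuu 1
C:\\System Volume Information\\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\\RP46\\A0012119.inf Infected: Worm.Win32.AutoRun.nuu 1

The selected area was scanned.
"""

# "<path> Infected: <threat> <count>"; the path may contain spaces, so it is
# matched lazily up to the verdict keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_report(text):
    """Return one dict per detection line: path, verdict, threat, count."""
    findings = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            entry = match.groupdict()
            entry["count"] = int(entry["count"])
            findings.append(entry)
    return findings


def classify(path):
    """Bucket a detection by location (rules are this example's assumptions)."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "combofix-quarantine"     # copy already pulled out of place by ComboFix
    if "\\system volume information\\_restore" in p:
        return "system-restore"          # copy inside a System Restore point
    return "live"                        # anything else is still in place


def original_path(quarantine_path):
    """Recover where a quarantined file came from.

    Assumption: ComboFix mirrors the original path under
    Quarantine\\<drive>\\... and appends .vir, so
    C:\\Qoobox\\Quarantine\\C\\resycled\\boot.com.vir came from C:\\resycled\\boot.com.
    """
    rest = quarantine_path[len(QUARANTINE_PREFIX):]
    drive, _, tail = rest.partition("\\")
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    return f"{drive}:\\{tail}"


def triage(text):
    """Group detections into the three buckets classify() produces."""
    buckets = {"combofix-quarantine": [], "system-restore": [], "live": []}
    for finding in parse_report(text):
        buckets[classify(finding["path"])].append(finding)
    return buckets


def threat_summary(text):
    """Threat name -> total count; should agree with the report's own
    'Threat name' (distinct names) and 'Infected objects' (sum) statistics."""
    counts = Counter()
    for finding in parse_report(text):
        counts[finding["threat"]] += finding["count"]
    return dict(counts)


def needs_action(text):
    """True only if some detection sits outside quarantine and restore points."""
    return bool(triage(text)["live"])


if __name__ == "__main__":
    for bucket, items in triage(REPORT).items():
        for item in items:
            where = original_path(item["path"]) if bucket == "combofix-quarantine" else item["path"]
            print(f"{bucket:>20}  {item['threat']:<26} {where}")
    print("threats:", threat_summary(REPORT))
    print("live infection:", needs_action(REPORT))
```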
     
  12. 2008/11/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    How's the behavior now?
     
  13. 2008/11/23
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    It seems to be working correctly.

    However, I don't have Google toolbar installed any more.

    I suspect if I reinstall the GT the problem will reoccur.
     
  14. 2008/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I do not suspect it is the Google toolbar. It would be the first I'd ever heard of it if it is, though. Would actually be great if you could confirm. Let's clean up.

    Click Start>Run and type or paste the following command then hit enter to uninstall gmer.

    %systemroot%\gmer_uninstall.cmd

    Restart the computer to complete the uninstallation of gmer.

    Now open MBAM and remove any items quarantined. Do the same with your resident antivirus.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
    You can delete any other logs that were created/saved too.

    Run ATF Cleaner once again as previously described.


    Provided there are no other problems, that should wrap this up.
     
  15. 2008/11/23
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    I have run the first line of code and rebooted.

    Forgive my ignorance, what is MBAM?
     
  16. 2008/11/23
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    Malwarebytes Anti-Malware (sorry)
    Running that now.
     
  17. 2008/11/23
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    It didn't delete the C:\ComboFix folder, although it did delete most of the stuff in it, except 'moveex' and 'nircmd'.

    C:\ComboFix.txt file was NOT removed.

    I did get a box saying that ComboFix was uninstalled successfully.

    I tried deleting them myself but I got the error saying it was being used by another process.

    Qoobox file was removed. Should I still run ATF Cleaner?
     
  18. 2008/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Go ahead and run ATF and reboot. You should be able to remove the leftovers then.
     
  19. 2008/11/23
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0E04FC30-8D36-43B4-9D5D-E30458C65896}
    UseZeroBroadcast REG_DWORD 0x0
    EnableDHCP REG_DWORD 0x0
    IPAddress REG_MULTI_SZ 0.0.0.0\0\0
    SubnetMask REG_MULTI_SZ 0.0.0.0\0\0
    DefaultGateway REG_MULTI_SZ \0
    EnableDeadGWDetect REG_DWORD 0x1
    DontAddDefaultGateway REG_DWORD 0x0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{39EA83D4-86B1-4C4F-9592-517144DFF1AE}
    UseZeroBroadcast REG_DWORD 0x0
    EnableDeadGWDetect REG_DWORD 0x1
    EnableDHCP REG_DWORD 0x1
    IPAddress REG_MULTI_SZ 0.0.0.0\0\0
    SubnetMask REG_MULTI_SZ 0.0.0.0\0\0
    DefaultGateway REG_MULTI_SZ \0
    DefaultGatewayMetric REG_MULTI_SZ \0
    NameServer REG_SZ
    Domain REG_SZ
    RegistrationEnabled REG_DWORD 0x1
    RegisterAdapterName REG_DWORD 0x0
    TCPAllowedPorts REG_MULTI_SZ 0\0\0
    UDPAllowedPorts REG_MULTI_SZ 0\0\0
    RawIPAllowedProtocols REG_MULTI_SZ 0\0\0
    NTEContextList REG_MULTI_SZ 0x00000002\0\0
    DhcpClassIdBin REG_BINARY
    DhcpIPAddress REG_SZ 192.168.1.3
    DhcpSubnetMask REG_SZ 255.255.255.0
    DhcpServer REG_SZ 192.168.1.1
    Lease REG_DWORD 0x15180
    LeaseObtainedTime REG_DWORD 0x4929a23d
    T1 REG_DWORD 0x492a4afd
    T2 REG_DWORD 0x492ac98d
    LeaseTerminatesTime REG_DWORD 0x492af3bd
    IPAutoconfigurationAddress REG_SZ 0.0.0.0
    IPAutoconfigurationMask REG_SZ 255.255.0.0
    IPAutoconfigurationSeed REG_DWORD 0x0
    AddressType REG_DWORD 0x0
    IsServerNapAware REG_DWORD 0x0
    DhcpRetryTime REG_DWORD 0xa8be
    DhcpRetryStatus REG_DWORD 0x0
    DhcpNameServer REG_SZ 192.168.1.1
    DhcpDefaultGateway REG_MULTI_SZ 192.168.1.1\0\0
    DhcpSubnetMaskOpt REG_MULTI_SZ 255.255.255.0\0\0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EB879521-6354-4BC0-A544-81E745F8CB74}
    UseZeroBroadcast REG_DWORD 0x0
    EnableDHCP REG_DWORD 0x0
    IPAddress REG_MULTI_SZ 0.0.0.0\0\0
    SubnetMask REG_MULTI_SZ 0.0.0.0\0\0
    DefaultGateway REG_MULTI_SZ \0
    EnableDeadGWDetect REG_DWORD 0x1
    DontAddDefaultGateway REG_DWORD 0x0
     
  20. 2008/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks fine. How's everything now?
     
  21. 2008/11/24
    gray916

    gray916 Inactive Thread Starter

    Joined:
    2008/11/16
    Messages:
    63
    Likes Received:
    0
    Everything is fine. Should I try reinstalling Google toolbar?

    I don't want to mess it up again by putting in GT.
     
