We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Help! Google redirecting to other s/engines ...
Comments
-
I think the host has been compromised and theres a trojan downloading s**t which is morphing....kill the host, stop the trojan and then clear the mess up?
i may be wrong...i often am! but its summink nasty pretending to be not as nasty, its hiding, but like any bit of bad code, it can be brought forward, mostly without destruction..i think you guys are on the right path...i will try to help, but my knowledge is not recent, i used to do this 6 years ago...so dont read too much into what i am saying...I used to be on yahoo comp help about 8 years ago, if any of you are familar i can verify myself by saying who i am...otherwise im just some guy who used to help on yahoo lol0 -
I've just sent Mimijane a link to download a specific tool for this via PMEx forum ambassador
Long term forum member0 -
surfer_blue wrote: »...i will try to help, but my knowledge is not recent, i used to do this 6 years ago...
Six years ago - hell in malware terms 6 weeks is a lifetime!! :rotfl:0 -
OK guys, this one worked! Looks horrendously long to me, but here goes. Also there's another Att.text.doc that it asked me zip. No idea how to do this, so I've put it into Word and on my desktop for now, so let me know if you need it :-
DDS (Ver_09-12-01.01) - NTFSx86
Run by Main at 21:40:34.60 on 08/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.90 [GMT 0:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Main\Local Settings\Temporary Internet Files\Content.IE5\ZZO3934N\dds[1].pif
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Spamihilator] "c:\program files\spamihilator\spamihilator.exe"
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\main\startm~1\programs\startup\cyber-~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Customize Menu - [URL]file://c:\program[/URL] files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - [URL]file://c:\program[/URL] files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - [URL]file://c:\program[/URL] files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - [URL]file://c:\program[/URL] files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: tesco.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179551984125
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {C080D6CE-FAC4-47F8-9754-C967B601A6AC} = 212.69.36.3 212.69.40.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-25 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-4 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-4 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-4 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-10 285392]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-3 266240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2006-12-15 40788]
=============== Created Last 30 ================
2010-02-07 16:48:09 0 d
w- c:\windows\system32\wbem\Repository
2010-02-03 09:22:10 0 d
w- c:\program files\SUPERAntiSpyware
2010-01-22 09:58:14 0 d
w- c:\docume~1\alluse~1\applic~1\Spamihilator
==================== Find3M ====================
2010-01-10 22:30:22 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 13:19:18 173056
w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
============= FINISH: 21:41:43.92 ===============Wins since 2009 = £17,600MANY THANKS TO ALL OPS0 -
ok lets try this - you have spybot installed;
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Download ResetTeaTimer.bat to the Desktop
ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
Then try combofix again0 -
Teatimer is already unchecked. Do I have to do anything else, or will this suffice?
Not sure I understand how to download it to the desktop anyway.
EDIT : Just noticed I'd re-activated AVg somewhere along the line, so now dectivated again, sorry!Wins since 2009 = £17,600MANY THANKS TO ALL OPS0 -
0
-
Yep, running now and will "remove found threats", though I've been warned it could take some time.Wins since 2009 = £17,600MANY THANKS TO ALL OPS0
-
Potentially a few hours.
Post the log after you let it clean what it finds.
then follow the instruction for combofix here - http://www.bleepingcomputer.com/combofix/how-to-use-combofix
I appreciate that you have combofix already so skip that bit and follow the instruction for disabling your Av etc...0 -
Oh my god, a few hours! Am I OK to try again in the morning then ... need to get some sleep in a bit?
I'll let it run 'til it finishes later of course.
xWins since 2009 = £17,600MANY THANKS TO ALL OPS0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 352.2K Banking & Borrowing
- 253.6K Reduce Debt & Boost Income
- 454.3K Spending & Discounts
- 245.2K Work, Benefits & Business
- 600.9K Mortgages, Homes & Bills
- 177.5K Life & Family
- 259K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards