# Browser (mainly google) redirects me to random sites



## Jakez12345 (Jun 5, 2011)

I have a problem where my browser re-directs me to different sites, when i get to these site sometimes the browser tries to download things labelled "S(1)" etc, i have tried to system restore to no avail and i have tried to download things to remove it to no avail.

After reading the stickied topic on what to do it tells us to download Hijackthis, it says "page not available" when i click the link, it also does this when i try to access anti-virus/malware/spyware sites.

My loading times for youtube etc have become sluggish and any help is appreciated

(PS: i dont understand most computer terminology so if its possible break it down for me, thanks)

edit 1: i can overcome the redirecting when i right click on the link then click "open in a new tab" and then it effectively opens the link to the place i waned to go to


----------



## Jakez12345 (Jun 5, 2011)

DDS.txt:

.
DDS (Ver_2011-06-03.01) - NTFSx86 
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_23
Run by SHEELA at 16:30:40 on 2011-06-05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.209 [GMT 1:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Worm Protection *Disabled* 
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\APPS\Powercinema\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2567697
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Plusmedia uk Toolbar: {193d7001-bd9f-48c2-b5c7-69775aa2201d} - c:\program files\plusmedia_uk\prxtbPlu2.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Plusmedia uk Toolbar: {193d7001-bd9f-48c2-b5c7-69775aa2201d} - c:\program files\plusmedia_uk\prxtbPlu2.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Plusmedia uk Toolbar: {193d7001-bd9f-48c2-b5c7-69775aa2201d} - c:\program files\plusmedia_uk\prxtbPlu2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Vade Retro Outlook Express] "c:\progra~1\gotoso~1\vadere~1\Vaderetro_oe.exe"
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [nonep] c:\docume~1\sheela\locals~1\temp\tmp62b6a38c\KillEXE.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ClickPotatoLiteSA] "c:\program files\clickpotatolite\bin\10.0.659.0\ClickPotatoLiteSA.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sheela\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.659.0\ClickPotatoLiteSABHO.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9D3B91B1-3518-484B-B5A4-54B5C250F8B5} : DhcpNameServer = 192.168.1.1
Hosts: 127.0.0.1	www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sheela\application data\mozilla\firefox\profiles\3jr9frg8.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\byond\bin\npbyond.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2006-9-5 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-15 54760]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2010-12-21 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2010-12-21 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2010-12-21 168776]
S2 gupdate1ca83f9a144b390;Google Update Service (gupdate1ca83f9a144b390);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 133104]
S2 tukoo;Installer Center;c:\windows\system32\svchost.exe -k netsvcs [2006-9-5 14336]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 NAIMServInst;NAI ePO Agent Install;c:\docume~1\sheela\locals~1\temp\unz66.tmp\framepkg.exe /signalcomplete /logdir="c:\docume~1\sheela\locals~1\temp\nailogs" /cleanup2="c:\docume~1\sheela\locals~1\temp\unz66.tmp" /waitfor=2412 /currentfolder="c:\windows\system32" /install=updater /product=viruscan8600 /silent /instdir="c:\program files\mcafee\common framework" /sti=1 --> c:\docume~1\sheela\locals~1\temp\unz66.tmp\FramePkg.exe [?]
S3 vmtgnxjno;vmtgnxjno;c:\windows\system32\04.tmp [2010-7-28 4096]
.
=============== Created Last 30 ================
.
2011-06-04 01:20:10	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-04 01:20:07	89048	----a-w-	c:\program files\mozilla firefox\libEGL.dll
2011-06-04 01:20:07	781272	----a-w-	c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-04 01:20:07	465880	----a-w-	c:\program files\mozilla firefox\libGLESv2.dll
2011-06-04 01:20:07	1974616	----a-w-	c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-06-04 01:20:07	1892184	----a-w-	c:\program files\mozilla firefox\d3dx9_42.dll
2011-06-04 01:20:07	1874904	----a-w-	c:\program files\mozilla firefox\mozjs.dll
2011-06-04 01:20:07	15832	----a-w-	c:\program files\mozilla firefox\mozalloc.dll
2011-06-04 01:05:11	--------	d-----w-	c:\windows\system32\wbem\repository\FS
2011-06-04 01:05:11	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-06-04 01:03:28	--------	d-----w-	c:\program files\Learn2.com
.
==================== Find3M ====================
.
2011-06-04 01:09:01	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
.
============= FINISH: 16:31:48.82 ===============

ps: have no clue how to zip up and attach the other file


----------



## Jakez12345 (Jun 5, 2011)

bump


----------



## Jakez12345 (Jun 5, 2011)

Bump


----------



## Jakez12345 (Jun 5, 2011)

Bump again.......


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​* Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.  *

Download ComboFix from *Here* or * Here*to your Desktop.
*As you download it rename it to username123.exe*

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *renamed combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## Jakez12345 (Jun 5, 2011)

Having some problems, i disabled Mcafee and spybot, and renamed and ran combofix, i downloaded all updates etc, and got the pop-up stating that it would take several minutes, since i had my browser open whilst i did this i closed it during the scan (my bad), anyways i got a log called "catchme.log" whilst combofix was running (the blue box screen thing) and i waited 10 minutes but nothing happened so i closed it and restarted combofix with my browser closed, after it updated and ran a second time i waited 30 minutes and the blue box (looks like a command-line interface) was blank, although i did get a notepad document which just said:

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared


----------



## dvk01 (Dec 14, 2002)

you didn't leave it long enough, it can take up to 1 hour 

reboot & run combofix with no other prograams running at all.


----------



## Jakez12345 (Jun 5, 2011)

Yea basically, last time i did it the scan didnt even start, but this time it worked

ComboFix 11-06-11.01 - SHEELA 12/06/2011 16:00:55.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.567 [GMT 1:00]
Running from: c:\documents and settings\SHEELA\Desktop\username123.exe
AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ClickPotatoLiteSA
c:\documents and settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA.dat
c:\documents and settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat
c:\documents and settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht
c:\documents and settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat
c:\documents and settings\All Users\Application Data\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Start Menu\Programs\ClickPotato
c:\documents and settings\All Users\Start Menu\Programs\ClickPotato\About Us.lnk
c:\documents and settings\All Users\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk
c:\documents and settings\All Users\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\SHEELA\Application Data\ClickPotatoLite
c:\documents and settings\SHEELA\Application Data\PriceGong
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\1.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\a.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\b.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\c.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\d.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\e.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\f.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\g.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\h.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\i.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\J.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\k.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\l.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\m.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\n.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\o.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\p.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\q.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\r.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\s.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\t.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\u.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\v.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\w.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\x.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\y.xml
c:\documents and settings\SHEELA\Application Data\PriceGong\Data\z.xml
c:\documents and settings\SHEELA\WINDOWS
c:\program files\ClickPotatoLite
c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe
c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSAAX.dll
c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSABHO.dll
c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSAHook.dll
c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteUninstaller.exe
c:\program files\ClickPotatoLite\bin\10.0.659.0\firefox\extensions\install.rdf
c:\program files\ClickPotatoLite\bin\10.0.659.0\firefox\extensions\plugins\npclntax_ClickPotatoLiteSA.dll
c:\program files\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\vsfocemhjupoaq.sys
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected 
Restored copy from - Kitty had a snack  
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 12:16 . 2011-06-12 12:16	--------	d-----w-	C:\username123
2011-06-09 21:46 . 2011-06-09 21:46	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-06-09 21:04 . 2011-06-09 21:20	--------	d-----w-	C:\QUARANTINE
2011-06-05 16:20 . 2011-04-14 16:26	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-04 01:20 . 2011-04-14 16:25	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-04 01:20 . 2011-04-14 16:25	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-06-04 01:20 . 2011-04-14 16:25	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-04 01:20 . 2011-04-14 16:25	465880	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-04 01:20 . 2011-04-14 16:25	89048	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-06-04 01:20 . 2010-01-01 08:00	1974616	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-04 01:20 . 2010-01-01 08:00	1892184	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-04 01:03 . 2011-06-04 01:03	--------	d-----w-	c:\program files\Learn2.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 01:09 . 2010-11-10 16:31	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
2011-04-14 16:26 . 2011-06-05 16:20	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{193d7001-bd9f-48c2-b5c7-69775aa2201d}"= "c:\program files\Plusmedia_uk\prxtbPlu2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
2011-01-17 14:54	175912	----a-w-	c:\program files\Plusmedia_uk\prxtbPlu2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54	175912	----a-w-	c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{193d7001-bd9f-48c2-b5c7-69775aa2201d}"= "c:\program files\Plusmedia_uk\prxtbPlu2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{193D7001-BD9F-48C2-B5C7-69775AA2201D}"= "c:\program files\Plusmedia_uk\prxtbPlu2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]
"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2010-05-15 190024]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
.
c:\documents and settings\SHEELA\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24	1694208	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12	3872080	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-27 20:28	26112	----a-w-	c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42	212992	----a-w-	c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-01-18 19:05	19417640	----a-w-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\APPS\\Powercinema\\PCMService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\BYOND\\bin\\byond.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2795:TCP"= 2795:TCP:umepl
"57886:TCP"= 57886:TCPando Media Booster
"57886:UDP"= 57886:UDPando Media Booster
"8394:TCP"= 8394:TCP:League of Legends Launcher
"8394:UDP"= 8394:UDP:League of Legends Launcher
"6974:TCP"= 6974:TCP:League of Legends Launcher
"6974:UDP"= 6974:UDP:League of Legends Launcher
"6918:TCP"= 6918:TCP:League of Legends Launcher
"6918:UDP"= 6918:UDP:League of Legends Launcher
"8395:TCP"= 8395:TCP:League of Legends Launcher
"8395:UDP"= 8395:UDP:League of Legends Launcher
"6965:TCP"= 6965:TCP:League of Legends Launcher
"6965:UDP"= 6965:UDP:League of Legends Launcher
"8396:TCP"= 8396:TCP:League of Legends Launcher
"8396:UDP"= 8396:UDP:League of Legends Launcher
"6952:TCP"= 6952:TCP:League of Legends Launcher
"6952:UDP"= 6952:UDP:League of Legends Launcher
"2369:TCP"= 2369:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [05/09/2006 15:57 14336]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
S2 gupdate1ca83f9a144b390;Google Update Service (gupdate1ca83f9a144b390);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 18:58 133104]
S2 tukoo;Installer Center;c:\windows\system32\svchost.exe -k netsvcs [05/09/2006 15:57 14336]
S3 NAIMServInst;NAI ePO Agent Install;c:\docume~1\SHEELA\LOCALS~1\Temp\unz66.tmp\FramePkg.exe /SignalComplete /LOGDIR="c:\docume~1\SHEELA\LOCALS~1\Temp\NAILogs" /Cleanup2="c:\docume~1\SHEELA\LOCALS~1\Temp\unz66.tmp" /WaitFor=2412 /CurrentFolder="c:\windows\system32" /Install=Updater /Product=VIRUSCAN8600 /Silent /InstDir="c:\program files\McAfee\Common Framework" /sti=1 --> c:\docume~1\SHEELA\LOCALS~1\Temp\unz66.tmp\FramePkg.exe [?]
S3 vmtgnxjno;vmtgnxjno;c:\windows\system32\04.tmp [28/07/2010 23:55 4096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tukoo
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:57]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2567697
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\SHEELA\Application Data\Mozilla\Firefox\Profiles\3jr9frg8.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe
HKLM-Run-ClickPotatoLiteSA - c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe
Notify-AtiExtEvent - (no file)
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
AddRemove-AOLCoach uk - c:\program files\Common Files\aolshare\Coach\AolCInUn.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 16:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vmtgnxjno]
"ImagePath"="\??\c:\windows\system32\04.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tukoo]
"ServiceDll"="c:\windows\system32\ycozpdap.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2736321232-2322014553-1728349049-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2736321232-2322014553-1728349049-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1847B7E0-DD8C-14D0-0394-2107DEB2BDA9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"naghdbodoohplfpbgabdpoadplpl"=hex:6a,61,6c,67,6f,66,61,6e,6f,70,70,61,69,62,
6b,68,63,62,70,70,00,00
"maahnpcgbckpidaejlmlonccfm"=hex:6a,61,6b,67,6b,65,6d,69,6d,6b,6c,69,63,6f,66,
70,66,65,6d,63,00,f9
.
[HKEY_USERS\S-1-5-21-2736321232-2322014553-1728349049-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F8A7E56-E13D-56AD-ABBC-9AEA7827FF16}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"napgjilcbdndmgpdpmnhgablennm"=hex:6a,61,6b,6d,63,67,69,6f,6b,65,6c,61,69,66,
62,65,6b,69,6e,68,00,00
"manhpbkianklmlgfhfogncmkme"=hex:6a,61,64,6d,63,62,68,70,6f,68,6c,63,61,6e,6b,
6d,70,70,69,66,00,36
.
Completion time: 2011-06-12 16:10:47
ComboFix-quarantined-files.txt 2011-06-12 15:10
.
Pre-Run: 52,358,156,288 bytes free
Post-Run: 53,362,851,840 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - EB79723AC6869ACC0BB6BF387C87F1F2


----------



## Jakez12345 (Jun 5, 2011)

Oh, as for the redirecting, its not happening anymore, thanks

EDIT 1: normally my internet explorer would randomly crash (i use google chrome) even when i wouldnt use it, also sometimes adverts play when im not on a browser and have nothing running and i can hear the sound of the adverts playing.


----------



## dvk01 (Dec 14, 2002)

ok a bit more cleaning up to do

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## Jakez12345 (Jun 5, 2011)

I couldnt find the .zip file but heres the combofix.txt i also dragged your code thing into combofix and no zip was produced, although when i searched my computer there was a file called "Qoobox\ quarantine.txt" but i dont believe that is the file (because its in .txt format and has no submit info on it)

ComboFix 11-06-11.01 - SHEELA 12/06/2011 20:44:53.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.895.450 [GMT 1:00]
Running from: c:\documents and settings\SHEELA\Desktop\username123.exe
Command switches used :: c:\documents and settings\SHEELA\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
file zipped: c:\windows\system32\ycozpdap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ycozpdap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TUKOO
-------\Service_tukoo
-------\Service_vmtgnxjno
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 12:16 . 2011-06-12 12:16	--------	d-----w-	C:\username123
2011-06-09 21:46 . 2011-06-09 21:46	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-06-09 21:04 . 2011-06-09 21:20	--------	d-----w-	C:\QUARANTINE
2011-06-05 16:20 . 2011-04-14 16:26	142296	----a-w-	c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-04 01:20 . 2011-04-14 16:25	781272	----a-w-	c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-04 01:20 . 2011-04-14 16:25	1874904	----a-w-	c:\program files\Mozilla Firefox\mozjs.dll
2011-06-04 01:20 . 2011-04-14 16:25	15832	----a-w-	c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-04 01:20 . 2011-04-14 16:25	465880	----a-w-	c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-04 01:20 . 2011-04-14 16:25	89048	----a-w-	c:\program files\Mozilla Firefox\libEGL.dll
2011-06-04 01:20 . 2010-01-01 08:00	1974616	----a-w-	c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-06-04 01:20 . 2010-01-01 08:00	1892184	----a-w-	c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-06-04 01:03 . 2011-06-04 01:03	--------	d-----w-	c:\program files\Learn2.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-04 01:09 . 2010-11-10 16:31	0	----a-w-	c:\windows\system32\ConduitEngine.tmp
2011-04-14 16:26 . 2011-06-05 16:20	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{193d7001-bd9f-48c2-b5c7-69775aa2201d}"= "c:\program files\Plusmedia_uk\prxtbPlu2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
2011-01-17 14:54	175912	----a-w-	c:\program files\Plusmedia_uk\prxtbPlu2.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54	175912	----a-w-	c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{193d7001-bd9f-48c2-b5c7-69775aa2201d}"= "c:\program files\Plusmedia_uk\prxtbPlu2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{193D7001-BD9F-48C2-B5C7-69775AA2201D}"= "c:\program files\Plusmedia_uk\prxtbPlu2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{193d7001-bd9f-48c2-b5c7-69775aa2201d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-18 39408]
"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2010-05-15 190024]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 577536]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2006-02-23 147456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Vade Retro Outlook Express"="c:\progra~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [2004-10-04 310272]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
.
c:\documents and settings\SHEELA\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 23:24	1694208	------w-	c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12	3872080	----a-w-	c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 20:53	421888	----a-w-	c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-27 20:28	26112	----a-w-	c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 20:42	212992	----a-w-	c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2006-01-18 19:05	19417640	----a-w-	c:\program files\Skype\Phone\Skype.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\APPS\\Powercinema\\PCMService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
"c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\BYOND\\bin\\byond.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2795:TCP"= 2795:TCP:umepl
"57886:TCP"= 57886:TCPando Media Booster
"57886:UDP"= 57886:UDPando Media Booster
"8394:TCP"= 8394:TCP:League of Legends Launcher
"8394:UDP"= 8394:UDP:League of Legends Launcher
"6974:TCP"= 6974:TCP:League of Legends Launcher
"6974:UDP"= 6974:UDP:League of Legends Launcher
"6918:TCP"= 6918:TCP:League of Legends Launcher
"6918:UDP"= 6918:UDP:League of Legends Launcher
"8395:TCP"= 8395:TCP:League of Legends Launcher
"8395:UDP"= 8395:UDP:League of Legends Launcher
"6965:TCP"= 6965:TCP:League of Legends Launcher
"6965:UDP"= 6965:UDP:League of Legends Launcher
"8396:TCP"= 8396:TCP:League of Legends Launcher
"8396:UDP"= 8396:UDP:League of Legends Launcher
"6952:TCP"= 6952:TCP:League of Legends Launcher
"6952:UDP"= 6952:UDP:League of Legends Launcher
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [05/09/2006 15:57 14336]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
S2 gupdate1ca83f9a144b390;Google Update Service (gupdate1ca83f9a144b390);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 18:58 133104]
S3 NAIMServInst;NAI ePO Agent Install;c:\docume~1\SHEELA\LOCALS~1\Temp\unz66.tmp\FramePkg.exe /SignalComplete /LOGDIR="c:\docume~1\SHEELA\LOCALS~1\Temp\NAILogs" /Cleanup2="c:\docume~1\SHEELA\LOCALS~1\Temp\unz66.tmp" /WaitFor=2412 /CurrentFolder="c:\windows\system32" /Install=Updater /Product=VIRUSCAN8600 /Silent /InstDir="c:\program files\McAfee\Common Framework" /sti=1 --> c:\docume~1\SHEELA\LOCALS~1\Temp\unz66.tmp\FramePkg.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:57]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2567697
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\SHEELA\Application Data\Mozilla\Firefox\Profiles\3jr9frg8.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 20:52
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2736321232-2322014553-1728349049-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2736321232-2322014553-1728349049-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1847B7E0-DD8C-14D0-0394-2107DEB2BDA9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"naghdbodoohplfpbgabdpoadplpl"=hex:6a,61,6c,67,6f,66,61,6e,6f,70,70,61,69,62,
6b,68,63,62,70,70,00,00
"maahnpcgbckpidaejlmlonccfm"=hex:6a,61,6b,67,6b,65,6d,69,6d,6b,6c,69,63,6f,66,
70,66,65,6d,63,00,f9
.
[HKEY_USERS\S-1-5-21-2736321232-2322014553-1728349049-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F8A7E56-E13D-56AD-ABBC-9AEA7827FF16}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"napgjilcbdndmgpdpmnhgablennm"=hex:6a,61,6b,6d,63,67,69,6f,6b,65,6c,61,69,66,
62,65,6b,69,6e,68,00,00
"manhpbkianklmlgfhfogncmkme"=hex:6a,61,64,6d,63,62,68,70,6f,68,6c,63,61,6e,6b,
6d,70,70,69,66,00,36
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(644)
c:\progra~1\GOTOSO~1\VADERE~1\VrOe_hook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\SOUNDMAN.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2011-06-12 20:56:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-12 19:56
ComboFix2.txt 2011-06-12 15:10
.
Pre-Run: 53,369,331,712 bytes free
Post-Run: 53,280,481,280 bytes free
.
- - End Of File - - 6F3133DD76C0886C05D6B8F3D2D8E1C2


----------



## dvk01 (Dec 14, 2002)

can you please go to C:\qoobox & right click the quarantine folder, select send to compressed(zip) folders 
that will make a zipped copy of the quarantine folder
then 
please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press new topic, fill in the needed details 
Use files for DVK01 as subject

In the body of the post paste this

combofix Quarantine folder from 
http://forums.techguy.org/virus-oth...r-mainly-google-redirects-me.html#post7967086

& then press the browse button and then navigate to & select the files on your computer, When the file is listed in the windows press send to upload the file


----------



## Jakez12345 (Jun 5, 2011)

Ok, ive done it


----------



## dvk01 (Dec 14, 2002)

the file uplaoded was conficker worm 
I am surprised that mcafee didn't fix it

there is bound to be more so

Download  the standalone Microsoft Security Scanner  do a Quick scan, let it fix what ever it finds & post back any log it makes


----------



## Jakez12345 (Jun 5, 2011)

am i using a 32-bit or 64-bit computer? it tells me to download a 32-bit or 64-bit version


----------



## dvk01 (Dec 14, 2002)

32 bit


----------



## Jakez12345 (Jun 5, 2011)

god, the download was interrupted, i'll download it again and scan and tell you the results tomorrow, its getting late and i have college tomorrow


----------



## dvk01 (Dec 14, 2002)

you might need to download it to a different computer & transfer over using a flash drive
this malware will block many antivirus sites


----------



## Jakez12345 (Jun 5, 2011)

i've downloaded the 32-bit version successfully and opened the application, ive run the software scan thing but nothing happens, no pop-ups or anything saying that its scanning etc so im assuming its not doing anything?


----------



## dvk01 (Dec 14, 2002)

in that case try this one instead

reboot first, then

Click http://www.freedrweb.com/cureit/?lng=en to download *Dr.Web CureIt *and save it to your desktop.

Doubleclick the *drweb-cureit.exe *file and allow to run the express scan
This will scan the files currently running in memory and when something is found, click the *yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click *'Yes to all' *if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: 








If so, click it and then click the next icon right below and select Move incurable as you'll see in next image: 








This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the *Dr.Web CureIt *menu on top, click file and choose save report list
Save the report to your desktop. The report will be called *DrWeb.csv*
*Close Dr.Web Cureit*.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from *Dr.Web *you saved previously in your next reply


----------



## Jakez12345 (Jun 5, 2011)

Ok, im downloading it as i type, my browser calls the download "e2rat334.exe" is this normal?


----------



## dvk01 (Dec 14, 2002)

yes, they give it a random name each time to stop malware interfering


----------



## Jakez12345 (Jun 5, 2011)

04.tmp;C:\WINDOWS\system32;Win32.HLLW.Autoruner.5555;Deleted.;
VLCSetup.exe;C:\Documents and Settings\SHEELA\My Documents\Downloads;Trojan.DownLoader2.43030;Deleted.;
XvidSetup.exe;C:\Documents and Settings\SHEELA\My Documents\Downloads;Trojan.DownLoader2.15959;Incurable.Moved.;
vaderetro_oe.exe;c:\program files\goto software\vade retro;BackDoor.Nels.11;Deleted.;
sprtsync.dll;c:\program files\talktalk\bin;Probably DLOADER.Trojan;;


----------



## dvk01 (Dec 14, 2002)

Are you having any problems now or have they all been cleared up


----------



## Jakez12345 (Jun 5, 2011)

everything is fine, thanks, but is there any other threats on my computer or is this process finished?


----------



## dvk01 (Dec 14, 2002)

it should be fine now so

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place. * If windows update doesn't work, please come back & tell us*


----------

