Monstermarketplace
29-10-2011, 12:53
Post #1: Monstermarketplace
Hi,

I have a new virus. Whenever I search with Google, clicking one of the first search results redirects me to the site monstermarketplace.com.
I have used Spybot Search and Destroy and others, but none of them found the problem. I have also tried to follow your blog suggestions:
http://miekiemoes.blogspot.com/2008/10/f...ngine.html
but could not find any of the files you talked about on my system.

My Hijackthis report :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:36:16 PM, on 10/29/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Mio\MMD2\RunMMD.exe
C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
C:\Program Files\Ask.com\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\my_server\UniServer\www\sphinx\bin\searchd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SearchCore for Browsers - {BE7A24F5-69CB-4708-B77B-B1EDA6043B95} - C:\PROGRA~1\SEARCH~1\SEARCH~1\BROWSE~1.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RunMMD] "C:\Program Files\Mio\MMD2\RunMMD.exe"
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O20 - AppInit_DLLs: C:\PROGRA~1\SEARCH~1\SEARCH~1\datamngr.dll C:\PROGRA~1\SEARCH~1\SEARCH~1\IEBHO.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SphinxSearch - Unknown owner - C:\my_server\UniServer\www\sphinx\bin\searchd.exe

--
End of file - 7501 bytes


Thanks in advance,
Dana.
29-10-2011, 14:12
Post #2: RE: Monstermarketplace
Hi,

You have some questionable toolbars here as well, and I believe one of them is the cause of your redirects.
Normally these toolbars can be uninstalled easily, so I first need a list of all installed programs so I can tell you exactly what to uninstall.
To get this list, open HijackThis, click Config, then click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (this generates uninstall_list.txt).
Click Save, then copy and paste the results in your next post.

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes
Antispyware Scanners --- Antivirus Scanners --- Firewalls --- Online Scanners --- Prevention --- Help! My computer is slow! --- My Blog --- Follow me on Twitter.
29-10-2011, 14:38
Post #3: RE: Monstermarketplace
Hi,

Thanks for your quick help. This is the uninstall_list.txt:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0 ME
Adobe Reader 9.3
Adobe SVG Viewer
Apple Application Support
Apple Software Update
Ask Toolbar
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
ATI Problem Report Wizard
Canon i250
Catalyst Control Center - Branding
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
EditPlus 3
ExamDiff 1.8 (Build 1.8.0.4)
FileZilla Client 3.5.0
FinePixViewer Ver.4.3
FUJIFILM USB Driver
GIMP 2.6.8
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HTML-Kit
HydraVision
J2SE Runtime Environment 5.0 Update 6
Java DB 10.5.3.0
Java™ 6 Update 18
Java™ SE Development Kit 6 Update 18
Java™ Web Services Developer Pack 2.0
Malwarebytes' Anti-Malware version 1.51.2.1300
MBSS Gravity Wells 2.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mio More Desktop 2
Mozilla Firefox 7.0.1 (x86 en-US)
MySQL Server 5.1
MySQL Tools for 5.0
MySQL Workbench 5.1 OSS
Nero 6 Ultra Edition
NetBeans IDE 6.8
NetBeans IDE 7.0.1
Notepad++
PuTTY version 0.60
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
SearchCore for Browsers
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Side 9 Screensaver
Spybot - Search & Destroy
STDU Viewer version 1.5.18.0
Sun GlassFish Enterprise Server v3
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Platform Device Manager
Windows Defender
Windows Internet Explorer 8
WinRAR archiver
WinSCP 4.2.5



Thanks,
Dana.
29-10-2011, 14:45
Post #4: RE: Monstermarketplace
Hi,

First of all, an important step!
I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can re-enable it.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.

After you have disabled TeaTimer, download ResetTeaTimer.exe to your desktop.
Then run ResetTeaTimer.exe.
This will only take a few seconds.

Then...

Please uninstall the following programs via Control Panel > Add or Remove Programs:

Ask Toolbar
SearchCore for Browsers


Make sure your browsers (Internet Explorer) are closed when you uninstall.
Reboot after uninstalling.

Then, after the reboot, rescan with HijackThis and post a log in your next reply. Also let me know if your problem still exists.

29-10-2011, 15:44
Post #5: RE: Monstermarketplace
Hi,

I have followed all your instructions, but the problem with monstermarketplace persists. Here is my new log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:41:04 PM, on 10/29/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Mio\MMD2\RunMMD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\my_server\UniServer\www\sphinx\bin\searchd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RunMMD] "C:\Program Files\Mio\MMD2\RunMMD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SphinxSearch - Unknown owner - C:\my_server\UniServer\www\sphinx\bin\searchd.exe

--
End of file - 5942 bytes

Thanks,
Dana.

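As an added example (not part of the thread, and not code from HijackThis or any other tool named in it), the Python script below parses the R*/O* lines of a HijackThis log, lists the entries that matter for a search-redirect (URLSearchHook, BHOs, toolbars, autostarts, per-adapter DNS servers, AppInit_DLLs / Winlogon Notify), flags 8.3 short-name paths such as C:\PROGRA~1\SEARCH~1\..., which hide the real vendor folder name, and diffs the first log against the second. The sample lines are copied from the two logs posted above; the one-line notes in WATCH are my own reading of what each HijackThis section means, not text from the thread.

```python
"""Triage a HijackThis log and diff two logs of the same machine (added example)."""
import re
from dataclasses import dataclass

# Sections that commonly carry search-redirect persistence, with a note
# on why each one matters (my reading of the HijackThis section meanings).
WATCH = {
    "R3":  "URLSearchHook: handler invoked for every IE address-bar search",
    "O2":  "Browser Helper Object: DLL loaded into every Internet Explorer process",
    "O3":  "IE toolbar: COM object loaded into the browser",
    "O4":  "Autostart entry (Run key or Startup folder)",
    "O17": "Per-adapter DNS NameServer: confirm it belongs to your ISP or router",
    "O20": "AppInit_DLLs / Winlogon Notify: DLL loaded into every process that links user32.dll",
}

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
SHORTNAME_RE = re.compile(r"\S*~\d\S*")   # 8.3 names such as C:\PROGRA~1\SEARCH~1\...


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    detail: str


def parse_hjt(text):
    """Return the R*/O* entries of a HijackThis log, in file order."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def appinit_dlls(entries):
    """DLL paths listed under 'O20 - AppInit_DLLs:'; [] when the value is empty."""
    for e in entries:
        if e.section == "O20" and e.detail.startswith("AppInit_DLLs:"):
            return e.detail[len("AppInit_DLLs:"):].split()
    return []


def short_name_paths(entries):
    """Entries whose paths use 8.3 short names (the vendor folder is not visible)."""
    return [e for e in entries if SHORTNAME_RE.search(e.detail)]


def watchlist(entries):
    """(entry, reason) pairs for every entry whose section is on the WATCH list."""
    return [(e, WATCH[e.section]) for e in entries if e.section in WATCH]


def diff_logs(before_text, after_text):
    """(removed, added) entry lists between two logs of the same machine."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    return sorted(before - after), sorted(after - before)


# Sample input: lines copied from the first and second logs in this thread.
BEFORE = r"""
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: SearchCore for Browsers - {BE7A24F5-69CB-4708-B77B-B1EDA6043B95} - C:\PROGRA~1\SEARCH~1\SEARCH~1\BROWSE~1.DLL
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [DATAMNGR] C:\PROGRA~1\SEARCH~1\SEARCH~1\DATAMN~1.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O20 - AppInit_DLLs: C:\PROGRA~1\SEARCH~1\SEARCH~1\datamngr.dll C:\PROGRA~1\SEARCH~1\SEARCH~1\IEBHO.dll
"""

AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O20 - AppInit_DLLs:
"""

if __name__ == "__main__":
    before = parse_hjt(BEFORE)
    for e, why in watchlist(before):
        print(f"{e.section:<4}{why}\n      {e.detail}")
    print("8.3 short-name paths:", [e.detail for e in short_name_paths(before)])
    print("AppInit_DLLs before:", appinit_dlls(before))
    print("AppInit_DLLs after: ", appinit_dlls(parse_hjt(AFTER)))
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"{len(removed)} entries gone after the uninstall, {len(added)} new")
```

Run against the two logs, the diff confirms that uninstalling Ask Toolbar and SearchCore removed the URLSearchHook, both BHOs, the toolbar, the DATAMNGR autostart and emptied AppInit_DLLs, which is the mechanism that had been loading datamngr.dll and IEBHO.dll into every process linking user32.dll, browsers included. Since the redirect still persisted after that, whatever remains is outside what HijackThis enumerates, which is why the next step in the thread is ComboFix. The O17 NameServer lines are unchanged between the logs; the script only lists them so the reader can confirm those addresses belong to their own ISP or router.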
29-10-2011, 15:46 (This post was last modified on 29-10-2011 at 15:46 by miekiemoes.)
Post #6: RE: Monstermarketplace
Ok, no worries. I was just making sure that other potential causes were eliminated first.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix...e-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

29-10-2011, 16:44
Post #7: RE: Monstermarketplace
Hi,

Thanks for your help :-) . I also noticed another small problem: on the Google homepage their logo is missing in IE and Firefox (in Google Chrome it does not happen). Maybe this has to do with my trying to resolve the monstermarketplace issue with freeware such as Spybot Search and Destroy etc. Any idea?

Anyway, my ComboFix log is:
ComboFix 11-10-29.03 - Owner 10/29/2011 16:33:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.2047.1546 [GMT 2:00]
Running from: c:\antivirus\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Owner\LOCALS~1\Temp\SAS406.tmp
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\documents and settings\Owner\Local Settings\Temp\SAS406.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))
.
.
2011-10-29 13:33 . 2011-10-29 13:33 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{3CFD4C4E-1E46-4DC1-8BF2-D1CDD3F3B8E6}\offreg.dll
2011-10-29 10:35 . 2011-10-29 10:35 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-29 10:35 . 2011-10-29 10:35 -------- d-----w- c:\program files\Trend Micro
2011-10-28 05:54 . 2011-10-18 00:28 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{3CFD4C4E-1E46-4DC1-8BF2-D1CDD3F3B8E6}\mpengine.dll
2011-10-27 17:27 . 2011-10-27 17:27 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-10-27 14:47 . 2011-10-27 14:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-10-27 14:47 . 2011-10-27 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-27 14:46 . 2011-10-29 11:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-27 14:46 . 2011-08-31 15:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-27 11:43 . 2011-10-27 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-10-27 10:31 . 2011-10-27 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-10-26 13:50 . 2011-10-26 15:54 -------- d-----w- c:\program files\Monstermarketplacecookie Removal Utility
2011-10-26 12:07 . 2011-10-27 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-10-26 12:07 . 2011-10-26 12:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-26 11:54 . 2011-10-26 11:54 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2011-10-26 10:36 . 2011-10-18 00:28 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-26 10:36 . 2011-05-24 17:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-26 10:34 . 2011-10-26 10:34 -------- d-----w- c:\program files\Windows Defender
2011-10-26 10:30 . 2011-10-26 10:30 -------- d-----w- C:\windows_defender
2011-10-10 15:10 . 2011-09-29 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-10-10 15:10 . 2011-09-29 06:53 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-10 15:10 . 2011-09-29 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-10-10 15:10 . 2011-09-29 06:53 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-10-10 15:10 . 2011-09-29 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-10-10 15:10 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-10-10 15:10 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-10-10 15:10 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-10-09 14:50 . 2011-10-29 14:14 -------- d-----w- C:\antivirus
2011-10-09 12:49 . 2011-10-09 12:49 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ESET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 09:41 . 2008-07-29 17:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2008-04-14 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41 . 2008-04-14 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-04-14 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 06:53 . 2011-10-10 15:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"RunMMD"="c:\program files\Mio\MMD2\RunMMD.exe" [2009-11-13 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_18\\bin\\java.exe"=
"c:\\Program Files\\NetBeans 6.8\\bin\\netbeans.exe"=
"c:\\my_server\\UniServer\\usr\\local\\apache2\\bin\\Apache.exe"=
"c:\\my_server\\UniServer\\usr\\local\\mysql\\bin\\mysqld-opt.exe"=
"c:\\my_server\\UniServer\\www\\sphinx\\bin\\searchd.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 2:04 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [12/21/2010 12:47 PM 94872]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [1/12/2011 3:41 PM 810144]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [1/18/2010 8:13 AM 1374464]
RUnknown SASKUTIL;SASKUTIL; [x]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys --> c:\windows\system32\drivers\is3srv.sys [?]
S0 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S0 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
S2 SphinxSearch;SphinxSearch;c:\my_server\UniServer\www\sphinx\bin\searchd.exe --ntservice --config c:\my_server\UniServer\www\sphinx\sphinx.conf.in --servicename SphinxSearch --> c:\my_server\UniServer\www\sphinx\bin\searchd.exe --ntservice --config c:\my_server\UniServer\www\sphinx\sphinx.conf.in --servicename SphinxSearch [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys --> c:\windows\system32\drivers\nvhda32.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-796845957-1801674531-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-06 11:01]
.
2011-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-796845957-1801674531-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-06 11:01]
.
2011-10-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: Interfaces\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
TCP: Interfaces\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7flejtqn.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-TPSvc - TPSvc.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-29 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-10-29 16:36:38
ComboFix-quarantined-files.txt 2011-10-29 14:36
.
Pre-Run: 28,478,197,760 bytes free
Post-Run: 28,822,093,824 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - CB0F41296760467D14E033E8984C8571

(29-10-2011 15:46) miekiemoes wrote: Ok, no worries. I was just making sure that other potential causes were eliminated first.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix...e-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
29-10-2011, 17:09 (This post was last edited on 29-10-2011 at 17:11 by miekiemoes.)
Post: #8
RE: Monstermarketplace
Hi,

As for the Google logo, do you have this problem in Windows Safe Mode? Select Windows Safe Mode with networking support, as you won't have internet access otherwise.
If the problem isn't present in Windows Safe Mode, then I guess it's most probably caused by your Nod32 (Eset) or SuperAntiSpyware.
How are the redirects so far? Still the same problem?

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes
Antispyware Scanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
29-10-2011, 17:33
Post: #9
RE: Monstermarketplace
Hi,

I have now tested again. The problem with monstermarketplace seems to be gone :-), thanks a lot. The reason I'm not 100% sure is because it was not a consistent problem; sometimes it occurred and sometimes not, but on certain terms it always happened and now it does not. Anyway, it seems fine now, so I think you fixed it. Thanks a lot.
Please explain how I get to Windows Safe Mode?
Meanwhile I removed SuperAntiSpyware.

Thanks in advance,
Dana.
29-10-2011, 17:37
Post: #10
RE: Monstermarketplace
Hi Dana,

To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode with networking support from the menu that will appear and press Enter.

[Image: safe-mode.gif]

29-10-2011, 18:12
Post: #11
RE: Monstermarketplace
I could not connect to the internet, even though I chose Safe Mode with Networking.
Is there another way to test?

Thanks,
Dana.
29-10-2011, 23:46
Post: #12
RE: Monstermarketplace
Can you temporarily uninstall your Nod32? Then reboot afterwards.
Then, after reboot, clean your caches: http://kb.siteground.com/article/How_to_...Opera.html
Let me know if that solved the issue with the Google logo.

You can reinstall Nod32 afterwards again, of course, but uninstalling it temporarily first is to troubleshoot and eliminate causes.

30-10-2011, 14:14
Post: #13
RE: Monstermarketplace
Hi,

1) Well, I was wrong; my virus was back again this morning.
Furthermore, after one more Google search, I got the following from Google itself:

Your computer appears to be infected
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this.

Now I'm trying Microsoft Safety Scanner; more ideas are welcome.

2) Regarding the Google logo, I'm not sure about uninstalling ESET because I can't find the disk. Anyway, I found something interesting:
https://www.google.com shows the logo while http://www.google.com does not.
So I think that rules out NOD32, because it is present in both cases.

Thanks,
Dana.
30-10-2011, 14:27 (This post was last edited on 30-10-2011 at 14:30 by miekiemoes.)
Post: #14
RE: Monstermarketplace
Ok, please do the following....

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue. [Image: tdsskiller2.png]
  • If a suspicious file is detected, the default action will be Skip; click on Continue. [Image: tdsskiller3.png]
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Also, I see you have some custom DNS servers set:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100

I don't know if you have set these or not. In some cases DNS servers, even though they are legit, can be compromised, so it's always a good idea to change the DNS servers to Google DNS or OpenDNS instead as a test.

Please see here for how to set and use the Google DNS servers: http://techie-buzz.com/how-to/google-pub...winxp.html

After you have set the DNS to Google DNS, please flush your DNS afterwards: http://www.tech-faq.com/how-to-flush-dns.html
Then reboot.

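As an added example (not code from this thread, nor from HijackThis or ComboFix), a small Python triage script for the NameServer entries quoted above: it parses O17 and "TCP: Interfaces" lines, classifies each resolver as private (a home router), a known public resolver or an unknown public address, flags the interfaces a helper would want to review, and reports resolvers that differ between control sets. The sample lines are the ones from this thread; the allowlist of known public resolvers and the function names are assumptions.

```python
"""Triage of DNS resolver settings found in HijackThis (O17) and ComboFix
("TCP: Interfaces") log lines. Added example; not part of either tool."""
import ipaddress
import re
from dataclasses import dataclass, field

# Resolvers the thread recommends switching to as a test (Google DNS,
# OpenDNS). Assumed allowlist; extend it with whatever you trust.
KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Interface GUID plus the NameServer value; works for both log formats.
_ENTRY = re.compile(
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}:\s*NameServer\s*=\s*(?P<servers>.+?)\s*$"
)
# Control set named in a HijackThis O17 line (CCS = CurrentControlSet,
# CS1 = ControlSet001, ...); ComboFix lines carry none and count as CCS.
_CONTROL_SET = re.compile(r"HKLM\\System\\(?P<cs>CCS|CS\d+)\\", re.IGNORECASE)


@dataclass
class NameServerEntry:
    guid: str
    control_set: str
    servers: list = field(default_factory=list)


def classify(ip: str) -> str:
    """'private' for router/LAN addresses, 'known-public' for allowlisted
    resolvers, 'unknown-public' for anything else, 'invalid' if not an IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_private or addr.is_link_local or addr.is_loopback:
        return "private"
    return "known-public" if ip in KNOWN_PUBLIC else "unknown-public"


def parse_nameserver_lines(lines):
    """Return one NameServerEntry per O17 / 'TCP: Interfaces' line."""
    entries = []
    for line in lines:
        m = _ENTRY.search(line)
        if not m:
            continue
        cs = _CONTROL_SET.search(line)
        # NameServer values are space- or comma-separated.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append(NameServerEntry(m.group("guid").upper(),
                                       cs.group("cs").upper() if cs else "CCS",
                                       servers))
    return entries


def review(entries):
    """Map interface GUID -> 'review' when any resolver in the current
    control set is neither private nor allowlisted (or is malformed),
    else 'ok'. Unknown public resolvers are not proof of tampering; they
    are what the thread suggests replacing with Google DNS as a test."""
    verdicts = {}
    for e in entries:
        if e.control_set != "CCS":
            continue
        kinds = {classify(s) for s in e.servers}
        verdicts[e.guid] = "review" if kinds & {"unknown-public", "invalid"} else "ok"
    return verdicts


def control_set_drift(entries):
    """GUIDs whose NameServer value differs between CurrentControlSet and
    another control set, i.e. a resolver changed since LastKnownGood."""
    current = {e.guid: e.servers for e in entries if e.control_set == "CCS"}
    return sorted({e.guid for e in entries
                   if e.control_set != "CCS" and e.guid in current
                   and e.servers != current[e.guid]})


# Lines quoted in this thread (HijackThis O17 and ComboFix supplementary scan).
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100",
    r"TCP: Interfaces\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138",
]

if __name__ == "__main__":
    parsed = parse_nameserver_lines(SAMPLE_LINES)
    for guid, verdict in review(parsed).items():
        print(guid, verdict)
    print("control-set drift:", control_set_drift(parsed))
```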
30-10-2011, 15:36
Post: #15
RE: Monstermarketplace
Hi,

I think TDSSKiller finally killed it (or I hope so :-)); it found one threat and cured it. I don't get Google warnings, and searching terms that have led to the redirect thing don't reproduce the redirect. The log file is the following:

15:17:20.0203 0480 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01
15:17:22.0093 0480 ============================================================
15:17:22.0093 0480 Current date / time: 2011/10/30 15:17:22.0093
15:17:22.0093 0480 SystemInfo:
15:17:22.0093 0480
15:17:22.0093 0480 OS Version: 5.1.2600 ServicePack: 3.0
15:17:22.0093 0480 Product type: Workstation
15:17:22.0093 0480 ComputerName: DANA-F4B10E61B5
15:17:22.0093 0480 UserName: Owner
15:17:22.0093 0480 Windows directory: C:\WINDOWS
15:17:22.0093 0480 System windows directory: C:\WINDOWS
15:17:22.0093 0480 Processor architecture: Intel x86
15:17:22.0093 0480 Number of processors: 2
15:17:22.0093 0480 Page size: 0x1000
15:17:22.0093 0480 Boot type: Normal boot
15:17:22.0093 0480 ============================================================
15:17:23.0078 0480 Initialize success
15:18:54.0078 2660 ============================================================
15:18:54.0078 2660 Scan started
15:18:54.0078 2660 Mode: Manual;
15:18:54.0078 2660 ============================================================
15:18:55.0500 2660 Abiosdsk - ok
15:18:55.0515 2660 abp480n5 - ok
15:18:55.0546 2660 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:18:55.0578 2660 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
15:18:55.0578 2660 ACPI ( Virus.Win32.Rloader.a ) - infected
15:18:55.0578 2660 ACPI - detected Virus.Win32.Rloader.a (0)
15:18:55.0640 2660 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
15:18:55.0656 2660 ACPIEC - ok
15:18:55.0656 2660 adpu160m - ok
15:18:55.0687 2660 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
15:18:55.0703 2660 aec - ok
15:18:55.0781 2660 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
15:18:55.0796 2660 AFD - ok
15:18:55.0843 2660 Aha154x - ok
15:18:55.0843 2660 aic78u2 - ok
15:18:55.0843 2660 aic78xx - ok
15:18:55.0859 2660 AliIde - ok
15:18:55.0875 2660 amsint - ok
15:18:55.0875 2660 asc - ok
15:18:55.0890 2660 asc3350p - ok
15:18:55.0890 2660 asc3550 - ok
15:18:55.0921 2660 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:18:55.0937 2660 AsyncMac - ok
15:18:56.0046 2660 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
15:18:56.0046 2660 atapi - ok
15:18:56.0093 2660 Atdisk - ok
15:18:56.0187 2660 ati2mtag (e69b295083419e13521f01df76f35db0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
15:18:56.0203 2660 ati2mtag - ok
15:18:56.0265 2660 AtiHdmiService (f661f01e990b84c58519c1ff43c2108f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
15:18:56.0281 2660 AtiHdmiService - ok
15:18:56.0312 2660 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:18:56.0312 2660 Atmarpc - ok
15:18:56.0421 2660 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
15:18:56.0437 2660 audstub - ok
15:18:56.0515 2660 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
15:18:56.0531 2660 Beep - ok
15:18:56.0593 2660 catchme - ok
15:18:56.0703 2660 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
15:18:56.0718 2660 cbidf2k - ok
15:18:56.0781 2660 cd20xrnt - ok
15:18:56.0890 2660 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
15:18:56.0906 2660 Cdaudio - ok
15:18:56.0984 2660 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
15:18:57.0000 2660 Cdfs - ok
15:18:57.0109 2660 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:18:57.0109 2660 Cdrom - ok
15:18:57.0125 2660 Changer - ok
15:18:57.0140 2660 CmdIde - ok
15:18:57.0140 2660 Cpqarray - ok
15:18:57.0156 2660 dac2w2k - ok
15:18:57.0156 2660 dac960nt - ok
15:18:57.0187 2660 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
15:18:57.0203 2660 Disk - ok
15:18:57.0296 2660 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
15:18:57.0343 2660 dmboot - ok
15:18:57.0437 2660 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
15:18:57.0453 2660 dmio - ok
15:18:57.0468 2660 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
15:18:57.0468 2660 dmload - ok
15:18:57.0546 2660 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
15:18:57.0562 2660 DMusic - ok
15:18:57.0562 2660 dpti2o - ok
15:18:57.0593 2660 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
15:18:57.0593 2660 drmkaud - ok
15:18:57.0703 2660 eamon (d42dd9021acd47683b33adf21bca49aa) C:\WINDOWS\system32\DRIVERS\eamon.sys
15:18:57.0718 2660 eamon - ok
15:18:57.0812 2660 ehdrv (fe7824239d132ad9ebd8645fe1199b30) C:\WINDOWS\system32\DRIVERS\ehdrv.sys
15:18:57.0828 2660 ehdrv - ok
15:18:57.0921 2660 epfwtdir (aa0667eb9a92414abb784c101a6c7fec) C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
15:18:57.0937 2660 epfwtdir - ok
15:18:58.0046 2660 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
15:18:58.0062 2660 Fastfat - ok
15:18:58.0078 2660 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
15:18:58.0093 2660 Fdc - ok
15:18:58.0171 2660 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
15:18:58.0187 2660 Fips - ok
15:18:58.0265 2660 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
15:18:58.0281 2660 Flpydisk - ok
15:18:58.0312 2660 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
15:18:58.0328 2660 FltMgr - ok
15:18:58.0375 2660 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:18:58.0390 2660 Fs_Rec - ok
15:18:58.0421 2660 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:18:58.0437 2660 Ftdisk - ok
15:18:58.0500 2660 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:18:58.0515 2660 Gpc - ok
15:18:58.0609 2660 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:18:58.0625 2660 HDAudBus - ok
15:18:58.0703 2660 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:18:58.0718 2660 hidusb - ok
15:18:58.0781 2660 hpn - ok
15:18:58.0812 2660 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
15:18:58.0843 2660 HTTP - ok
15:18:58.0921 2660 i2omgmt - ok
15:18:58.0921 2660 i2omp - ok
15:18:58.0953 2660 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:18:58.0984 2660 i8042prt - ok
15:18:59.0078 2660 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
15:18:59.0093 2660 Imapi - ok
15:18:59.0156 2660 ini910u - ok
15:18:59.0156 2660 IntelIde - ok
15:18:59.0187 2660 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:18:59.0203 2660 intelppm - ok
15:18:59.0265 2660 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
15:18:59.0296 2660 Ip6Fw - ok
15:18:59.0406 2660 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:18:59.0421 2660 IpFilterDriver - ok
15:18:59.0453 2660 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:18:59.0468 2660 IpInIp - ok
15:18:59.0562 2660 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:18:59.0578 2660 IpNat - ok
15:18:59.0656 2660 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:18:59.0671 2660 IPSec - ok
15:18:59.0750 2660 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
15:18:59.0765 2660 IRENUM - ok
15:18:59.0812 2660 is3srv - ok
15:18:59.0859 2660 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:18:59.0875 2660 isapnp - ok
15:18:59.0968 2660 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:18:59.0984 2660 Kbdclass - ok
15:19:00.0078 2660 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:19:00.0093 2660 kbdhid - ok
15:19:00.0156 2660 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
15:19:00.0171 2660 kmixer - ok
15:19:00.0218 2660 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
15:19:00.0234 2660 KSecDD - ok
15:19:00.0312 2660 lbrtfdc - ok
15:19:00.0343 2660 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
15:19:00.0359 2660 mnmdd - ok
15:19:00.0421 2660 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
15:19:00.0437 2660 Modem - ok
15:19:00.0484 2660 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
15:19:00.0500 2660 monfilt - ok
15:19:00.0593 2660 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:19:00.0609 2660 Mouclass - ok
15:19:00.0671 2660 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:19:00.0687 2660 mouhid - ok
15:19:00.0703 2660 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
15:19:00.0718 2660 MountMgr - ok
15:19:00.0765 2660 mraid35x - ok
15:19:00.0796 2660 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:19:00.0828 2660 MRxDAV - ok
15:19:00.0906 2660 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:19:00.0921 2660 MRxSmb - ok
15:19:00.0937 2660 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
15:19:00.0953 2660 Msfs - ok
15:19:01.0015 2660 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:19:01.0031 2660 MSKSSRV - ok
15:19:01.0046 2660 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:19:01.0062 2660 MSPCLOCK - ok
15:19:01.0125 2660 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
15:19:01.0140 2660 MSPQM - ok
15:19:01.0171 2660 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:19:01.0171 2660 mssmbios - ok
15:19:01.0265 2660 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
15:19:01.0281 2660 MTsensor - ok
15:19:01.0359 2660 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
15:19:01.0375 2660 Mup - ok
15:19:01.0453 2660 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
15:19:01.0468 2660 NDIS - ok
15:19:01.0484 2660 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:19:01.0500 2660 NdisTapi - ok
15:19:01.0578 2660 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:19:01.0593 2660 Ndisuio - ok
15:19:01.0671 2660 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:19:01.0687 2660 NdisWan - ok
15:19:01.0718 2660 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
15:19:01.0734 2660 NDProxy - ok
15:19:01.0796 2660 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
15:19:01.0812 2660 NetBIOS - ok
15:19:01.0843 2660 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
15:19:01.0859 2660 NetBT - ok
15:19:01.0937 2660 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
15:19:01.0953 2660 Npfs - ok
15:19:01.0984 2660 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
15:19:02.0015 2660 Ntfs - ok
15:19:02.0093 2660 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
15:19:02.0109 2660 Null - ok
15:19:02.0156 2660 NVHDA - ok
15:19:02.0187 2660 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:19:02.0203 2660 NwlnkFlt - ok
15:19:02.0265 2660 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:19:02.0281 2660 NwlnkFwd - ok
15:19:02.0375 2660 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
15:19:02.0390 2660 Parport - ok
15:19:02.0406 2660 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
15:19:02.0421 2660 PartMgr - ok
15:19:02.0437 2660 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
15:19:02.0453 2660 ParVdm - ok
15:19:02.0500 2660 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
15:19:02.0515 2660 PCI - ok
15:19:02.0593 2660 PCIDump - ok
15:19:02.0625 2660 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
15:19:02.0640 2660 PCIIde - ok
15:19:02.0703 2660 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
15:19:02.0718 2660 Pcmcia - ok
15:19:02.0734 2660 PDCOMP - ok
15:19:02.0750 2660 PDFRAME - ok
15:19:02.0750 2660 PDRELI - ok
15:19:02.0765 2660 PDRFRAME - ok
15:19:02.0765 2660 perc2 - ok
15:19:02.0781 2660 perc2hib - ok
15:19:02.0812 2660 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:19:02.0828 2660 PptpMiniport - ok
15:19:02.0906 2660 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
15:19:02.0921 2660 PSched - ok
15:19:03.0031 2660 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:19:03.0046 2660 Ptilink - ok
15:19:03.0046 2660 ql1080 - ok
15:19:06.0125 2660 ============================================================
15:19:06.0125 2660 Scan finished
15:19:06.0125 2660 ============================================================
15:19:06.0125 1428 Detected object count: 1
15:19:06.0125 1428 Actual detected object count: 1
15:19:47.0984 1428 Backup copy found, using it..
15:19:48.0031 1428 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
15:19:48.0031 1428 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
15:20:25.0000 1392 Deinitialize success


As for the registry entries, I will learn the docs you sent, then operate on them.
Thanks again, live long and prosper :-)
Dana.




(30-10-2011 14:27) miekiemoes wrote: Ok, please do the following....

Please download TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue [Image: tdsskiller2.png]
  • If a suspicious file is detected, the default action will be Skip, click on Continue [Image: tdsskiller3.png]
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Also, I see you have some custom DNS servers set:

O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100

I don't know if you have set these or not. In some cases, DNS servers, even though they are legit, can be compromised, so it's always a good idea to change the DNS servers to Google DNS or OpenDNS instead as a test.

Please see here for how to set & use the Google DNS servers: http://techie-buzz.com/how-to/google-pub...winxp.html

After you have set the DNS to Google DNS, please flush your DNS afterwards: http://www.tech-faq.com/how-to-flush-dns.html
Then reboot.
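As an added example (not part of the thread, and not miekiemoes' or HijackThis' own code), a small Python triage script that parses O17 NameServer lines like the three quoted above and labels each resolver as known-good (Google DNS / OpenDNS, the test set suggested in the post), private (a LAN router such as 10.0.0.138), or public and unverified; the known-good addresses and the sample input embedded below are assumptions constructed for the example.

```python
import ipaddress
import re

# Resolvers the post recommends as a known-good test set (Google DNS, OpenDNS).
KNOWN_GOOD = {
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "208.67.222.222", "208.67.220.220",  # OpenDNS
}
# HijackThis O17 line: "O17 - HKLM\System\<CCS|CSn>\Services\Tcpip\..\{GUID}: NameServer = ip [ip ...]"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+?\\Services\\Tcpip\\\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}):"
    r"\s*NameServer\s*=\s*(?P<servers>.+)$"
)

def classify(ip_text):
    """Label one resolver: known-good, private (e.g. a LAN router), public-unknown, or invalid."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip_text in KNOWN_GOOD:
        return "known-good"
    if ip.is_private:
        return "private"        # e.g. 10.0.0.138: a home router forwarding DNS
    return "public-unknown"     # a legitimate ISP resolver or a hijacked setting: verify it

def parse_o17(lines):
    """One record per O17 line: (registry key, interface GUID, [(ip, label), ...])."""
    records = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue   # not an O17 NameServer line; HijackThis logs carry many other sections
        servers = m.group("servers").split()
        records.append((m.group("key"), m.group("guid"), [(s, classify(s)) for s in servers]))
    return records

def needs_review(lines):
    """Interface GUIDs whose resolvers are neither known-good nor on the private LAN."""
    return sorted({guid for _, guid, servers in parse_o17(lines)
                   if any(label == "public-unknown" for _, label in servers)})

# Constructed sample input: the three O17 lines quoted in the post above.
SAMPLE = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E99C7D-7E39-40C3-964A-7A94C21B28A7}: NameServer = 10.0.0.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A14026B-FC8C-4BF5-A399-C24F6B887002}: NameServer = 80.179.52.100 80.179.55.100""".splitlines()
if __name__ == "__main__":
    for _key, guid, servers in parse_o17(SAMPLE):
        print(guid, servers)
    print("interfaces to review:", needs_review(SAMPLE))
```

The script only flags what to check; whether a public resolver is the ISP's legitimate one is confirmed by comparing it with what the owner or ISP actually configured, which is why the post suggests switching to a known resolver as a test.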
30-10-2011, 15:45
Post: #16
RE: Monstermarketplace
Hi,

Yes, looks like TDSSKiller nailed it. Strange that Combofix didn't list this, as it normally should, since Combofix is quite up to date regarding these types of infections.
Anyway...
Did that also fix your "Google logo" - after running TDSSKiller?

Microsoft MVP - Consumer Security [Image: mvp.gif]
Director of Research @ Malwarebytes [Image: mbammini.png]
Antispyware Scanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.

[Image: MiekiemoesBlog.2.gif]
30-10-2011, 16:00
Post: #17
RE: Monstermarketplace
On IE: http://www.google.com displays well (it seems TDSSKiller fixed it, because before running it, it was a problem).
On Firefox, http://www.google.com is still missing the logo. If I switch to
https://www.google.com, it displays the logo.
On Google Chrome it was never a problem, and it is still O.K.

Thanks,
Dana.

30-10-2011, 17:10
Post: #18
RE: Monstermarketplace
Hi,

This will resolve itself automatically in Firefox though; just clear your cache in Firefox once again.
Try the URL http://www.google.com/webhp?hl=en in Firefox, as that may trigger the logo and load it again. Either way, I wouldn't worry about the logo in Firefox, as I know this will resolve itself automatically again after a bit. ;)

Let's uninstall Combofix now:

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Also, Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :D

30-10-2011, 18:02
Post: #19
RE: Monstermarketplace
Hi,

I cleared the cache and you're right, it fixed the Google.com problem 8-)
Also uninstalled Combofix.
I will surely follow your recommendations :P

I can't thank you enough, you solved almost all my life problems

I really learned a lot , and will continue following your advice .
Regards,
Cheer
Dana.

30-10-2011, 18:04
Post: #20
RE: Monstermarketplace
Glad I could help :)
