
Thread: Help removing Google Redirect virus?

  1. #11
    Junior Member
    Join Date
    Oct 2011
    Posts
    8


    Thanks for the extra info. I've followed your steps and here's the logs.


    ------------------------------------------------------------
    OTM LOG
    All processes killed
    ========== FILES ==========
    C:\Users\John Alan\AppData\Local\Google\Chrome\User Data\Default\Default\paeppcipagaoidkchjkoamhllbncdnel\contentscript.js moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: GuestAccess
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: John Alan
    ->Temp folder emptied: 2002906 bytes
    ->Temporary Internet Files folder emptied: 5495495 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 123470001 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 2100 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 256 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 670 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 125.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 10152011_163118

    Files moved on Reboot...
    C:\Users\John Alan\AppData\Local\Temp\~DF4792.tmp moved successfully.
    File C:\Windows\temp\ZLT0299e.TMP not found!

    Registry entries deleted on Reboot...

    ------------------------------------------------------------

    DDS LOG
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by John Alan at 17:08:22 on 2011-10-15
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.6203 [GMT -7:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\M-AudioTaskBarIcon.exe
    C:\Windows\V0510Mon.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files (x86)\Ipswitch\WS_FTP 12\WsftpCOMHelper.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.facebook.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [V0510Mon.exe] C:\Windows\V0510Mon.exe
    mRun: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{6EC0F224-EF5E-49E6-8A9B-1A93AA941275} : DhcpNameServer = 192.168.0.1 205.171.3.25
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO-X64: DivX HiQ: {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO-X64: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - No File
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: {B7CF5C23-CA56-440B-8E87-8E2D05BE2113} - No File
    BHO-X64: Video Downloader BHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [V0510Mon.exe] C:\Windows\V0510Mon.exe
    mRun-x64: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\John Alan\AppData\Roaming\Mozilla\Firefox\Profiles\ythxg1q2.default\
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\NOS\bin\np_gp.dll
    FF - plugin: C:\Program Files (x86)\PACE Anti-Piracy\iLok\NPPaceILok.dll
    FF - plugin: C:\Users\John Alan\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 FixTDSS;TDSS Fixtool driver;C:\Windows\system32\drivers\FixTDSS.sys --> C:\Windows\system32\drivers\FixTDSS.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-10-15 44768]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 PaceLicenseDServices;PACE License Services;C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2010-11-8 2647552]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-10-3 1153368]
    R3 iLokDrvr;Usb Driver;C:\Windows\system32\DRIVERS\iLokDrvr.sys --> C:\Windows\system32\DRIVERS\iLokDrvr.sys [?]
    R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys --> C:\Windows\system32\DRIVERS\MAudioFastTrackPro.sys [?]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
    R3 VST64_DPV;VST64_DPV;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    R3 VST64HWBS2;VST64HWBS2;C:\Windows\system32\DRIVERS\VSTBS26.SYS --> C:\Windows\system32\DRIVERS\VSTBS26.SYS [?]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-10-11 89920]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-10-28 1038088]
    S3 gupdate1ca5ac954b0d243;Google Update Service (gupdate1ca5ac954b0d243);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-1 133104]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-11-1 133104]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 V0510Dev;Rocketfish Webcam VF0510 Driver;C:\Windows\system32\DRIVERS\V0510Vid.sys --> C:\Windows\system32\DRIVERS\V0510Vid.sys [?]
    S3 V0510Vfx;Rocketfish Webcam VF0510 Video VFX Driver;C:\Windows\system32\DRIVERS\V0510Vfx.sys --> C:\Windows\system32\DRIVERS\V0510Vfx.sys [?]
    S4 ahcix64s;ahcix64s;C:\Windows\system32\drivers\ahcix64s.sys --> C:\Windows\system32\drivers\ahcix64s.sys [?]
    S4 nosGetPlusHelper;getPlus(R) Helper 3004;C:\Windows\System32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-10-15 23:54:19 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F62215D-5CAC-46E0-B67F-32F6E6FBFF90}\offreg.dll
    2011-10-15 23:40:39 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2011-10-15 23:40:38 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2011-10-15 23:40:29 41184 ----a-w- C:\Windows\avastSS.scr
    2011-10-15 23:40:21 -------- d-----w- C:\ProgramData\AVAST Software
    2011-10-15 23:40:21 -------- d-----w- C:\Program Files\AVAST Software
    2011-10-15 23:31:18 -------- d-----w- C:\_OTM
    2011-10-15 14:34:52 -------- d-----w- C:\Program Files (x86)\ESET
    2011-10-15 14:30:03 -------- d-----w- C:\Users\John Alan\AppData\Roaming\PeerNetworking
    2011-10-15 14:21:08 -------- d-----w- C:\Users\John Alan\AppData\Local\CrashDumps
    2011-10-15 14:21:01 -------- d-----w- C:\Users\John Alan\AppData\Roaming\Malwarebytes
    2011-10-15 14:20:46 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-10-15 14:20:42 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-10-15 14:20:42 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-10-15 14:14:52 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-10-14 23:05:17 -------- d-----w- C:\Users\John Alan\AppData\Local\temp
    2011-10-14 22:43:15 98816 ----a-w- C:\Windows\sed.exe
    2011-10-14 22:43:15 518144 ----a-w- C:\Windows\SWREG.exe
    2011-10-14 22:43:15 256000 ----a-w- C:\Windows\PEV.exe
    2011-10-14 22:43:15 208896 ----a-w- C:\Windows\MBR.exe
    2011-10-14 16:23:05 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
    2011-10-14 16:23:05 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
    2011-10-14 16:23:05 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
    2011-10-14 16:23:04 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
    2011-10-14 16:22:59 9049936 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F62215D-5CAC-46E0-B67F-32F6E6FBFF90}\mpengine.dll
    2011-10-13 18:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-13 16:40:37 479744 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
    2011-10-13 16:40:37 288768 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
    2011-10-13 16:40:37 1555968 ----a-w- C:\Windows\System32\DWrite.dll
    2011-10-13 16:40:37 1149440 ----a-w- C:\Windows\System32\FntCache.dll
    2011-10-13 16:40:37 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2011-10-13 16:40:27 1927680 ----a-w- C:\Windows\System32\gameux.dll
    2011-10-13 16:40:27 1696256 ----a-w- C:\Windows\SysWow64\gameux.dll
    2011-10-13 16:38:00 876032 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
    2011-10-13 16:38:00 1653760 ----a-w- C:\Windows\System32\XpsPrint.dll
    2011-10-13 16:37:57 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
    2011-10-13 16:37:57 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
    2011-10-13 16:29:01 -------- d-----w- C:\Users\John Alan\AppData\Local\NPE
    2011-10-13 16:29:00 -------- d-----w- C:\ProgramData\Norton
    2011-10-13 16:19:08 27256 ----a-w- C:\Windows\System32\drivers\FixTDSS.sys
    2011-10-13 16:19:08 -------- d-----w- C:\Users\John Alan\AppData\Roaming\FixTDSS
    2011-10-13 00:10:46 -------- d-----w- C:\ProgramData\PC Tools
    2011-10-12 19:09:29 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
    2011-10-12 18:56:50 -------- d-----w- C:\Users\John Alan\AppData\Roaming\f-secure
    2011-10-12 18:56:38 -------- d-----w- C:\ProgramData\F-Secure
    2011-10-09 23:25:59 -------- d-----w- C:\Users\John Alan\AppData\Local\Deployment
    .
    ==================== Find3M ====================
    .
    2011-10-05 18:24:07 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys
    2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
    2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
    2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
    2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll
    2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll
    2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
    2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
    2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
    2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
    2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
    2011-07-29 16:08:29 375808 ----a-w- C:\Windows\System32\psisdecd.dll
    2011-07-29 16:08:27 289792 ----a-w- C:\Windows\System32\psisrndr.ax
    2011-07-29 16:06:52 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
    2011-07-29 16:06:42 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
    2011-07-29 16:01:34 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
    2011-07-29 16:01:33 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
    2011-07-29 16:00:14 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
    2011-07-29 16:00:05 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
    .
    ============= FINISH: 17:08:55.69 ===============
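The DDS report above is what the helper reads first in a redirect case: the AV/SP/FW header (here avast! and ZoneAlarm both show *Disabled*), the `BHO:`/`TB:` entries ending in `- No File` (orphaned CLSID registrations left behind by removed add-ons), the `mRun:` autoruns, and the `TCP: ... NameServer` lines (a hijacker that redirects searches often does so by writing its own resolver into the interface key). The script below is an added example, not a tool from the forum, OTM or DDS, that pulls those indicators out of DDS-format text. Its sample input is constructed: most lines mirror the log above, but the `Updater` Run entry and the static `NameServer = 203.0.113.5` line (a TEST-NET-3 documentation address) are made up purely to exercise the checks. Flagged items are leads for a human to review, not verdicts; a DHCP-assigned public ISP resolver such as 205.171.3.25 is normal and is only listed, not flagged.

```python
"""Triage a DDS log the way a helper reads it in a redirect case: security
products reported disabled, orphaned BHO/toolbar registrations, autoruns
launched from temp folders, and statically configured DNS resolvers.
Added example for this thread; not a tool from the forum, OTM or DDS."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in DDS format.  Most lines mirror the log above; the
# 'Updater' Run entry and the NameServer line with 203.0.113.5 (a TEST-NET-3
# documentation address) are CONSTRUCTED solely to exercise the checks.
SAMPLE_DDS = r"""
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Disabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: {283B4AA3-1B7A-46E6-B56D-90EF4743FB2C} - No File
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [Updater] C:\Users\John Alan\AppData\Local\Temp\upd.exe
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{6EC0F224-EF5E-49E6-8A9B-1A93AA941275} : NameServer = 203.0.113.5
"""

PRODUCT_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\*")
ORPHAN_RE = re.compile(r"^(BHO|TB)(?:-X64)?: (.+?) - No File$")
RUN_RE = re.compile(r"^[mu]Run(?:-x64)?: \[([^\]]+)\] (.+)$")
DNS_RE = re.compile(
    r"^TCP: (?:Interfaces\\\{[0-9A-Fa-f-]+\} : )?(DhcpNameServer|NameServer) = (.+)$"
)
# Folders a legitimate installer does not normally register an autorun from.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\$recycle.bin\\")
LAN_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _image_path(cmd: str) -> str:
    """Extract the executable path from a Run value, quoted or unquoted."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def _is_lan(ip: str) -> bool:
    """True only for RFC 1918 addresses, i.e. a router or on-site resolver."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def triage(dds_text: str) -> dict:
    """Return the indicators worth a second look from DDS-format text."""
    report = {
        "disabled_products": [],   # (kind, name, state) with 'Disabled' in state
        "orphaned": [],            # (kind, descriptor) BHO/TB entries with no file
        "temp_autoruns": [],       # (name, path) Run entries launching from temp
        "resolvers": {"dhcp": [], "static": []},
        "static_nonlan_resolvers": [],  # statically set and not on the LAN
    }
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := PRODUCT_RE.match(line):
            kind, name, state = m.groups()
            if "disabled" in state.lower():
                report["disabled_products"].append((kind, name, state))
        elif m := ORPHAN_RE.match(line):
            report["orphaned"].append((m.group(1), m.group(2)))
        elif m := RUN_RE.match(line):
            name, cmd = m.groups()
            path = _image_path(cmd)
            if any(marker in path.lower() for marker in TEMP_MARKERS):
                report["temp_autoruns"].append((name, path))
        elif m := DNS_RE.match(line):
            bucket = "dhcp" if m.group(1) == "DhcpNameServer" else "static"
            for token in re.split(r"[\s,]+", m.group(2).strip()):
                if token and token not in report["resolvers"][bucket]:
                    report["resolvers"][bucket].append(token)
    # A resolver written statically into the interface key, pointing off the
    # LAN, is the classic DNS-redirect persistence; DHCP-assigned ISP resolvers
    # are listed for context but not flagged.
    report["static_nonlan_resolvers"] = [
        ip for ip in report["resolvers"]["static"] if not _is_lan(ip)
    ]
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Feed it a saved dds.txt instead of the sample to use it on a real log; the orphaned entries it lists are the ones DDS shows as `- No File`, which are clutter to clean rather than proof of infection on their own, whereas an off-LAN static resolver or a temp-folder autorun is the kind of finding a helper would act on.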

  2. #12
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello shinysideup

    Thank you for the logs.

    Now that you have Avast! installed, make sure that it is updated then please check to see if you are being re-directed when you browse.

    Let me know how it goes in your next reply.
    Proud Graduate of the WTT Classroom

  3. #13
    Junior Member
    Join Date
    Oct 2011
    Posts
    8


    Updated the Avast! right off the bat yesterday. ...and very much liking the fact that the Google search results show an icon near each result indicating the level of trust of a given website...very handy, indeed. The search results are now back in working order!

    I'm sure you will address it anyway, as you've been extremely thorough, but I feel compelled to ask: is it now safe to turn the TeaTimer back on? And should I simply delete the downloaded applications?

    Forgive me if I'm getting too far ahead of myself...I suppose it's the elation of having that insidious infection squashed. I will await any further instruction before proceeding with anything.

    THANK YOU SO MUCH FOR YOUR TIME AND EFFORT ON THIS, IF YOU HAVE A DONATION LINK, PLEASE PROVIDE IT EITHER HERE OR IN A PM. I'M NOT "LOADED" BUT I DO WISH TO EXPRESS MY GRATITUDE AS BEST I CAN.

  4. #14
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello shinysideup

    I am glad to hear that your machine is running well.

    Your DDS log appears to be clean and provided you are no longer experiencing any problems we can remove our tools:

    1. Please Uninstall Combofix


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
      • A Run box will open.
      • Type combofix /uninstall in the Run box and click "OK". Please note the space between the "x" and the "/uninstall"; it needs to be there.


    2. Please perform the following cleanup procedure


      • Double click on the OTM.exe icon on your desktop to run the program. (Note: If you are running Vista/Windows 7, right-click on the file and choose Run As Administrator).
      • Once OTM has opened, click on the "CleanUp!" button.
      • Follow any prompts that you receive.


    3. Removal of Tools


      • You no longer need aswMBR or MBRCheck. Please delete them from your machine.



      is it now safe to turn the TeaTimer back on?
      It is

    4. Your Adobe Reader is out of date


      • You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
      • For more information and links to Adobe updates and downloads click here.



      I DO WISH TO EXPRESS MY GRATITUDE AS BEST I CAN
      You are very kind shinysideup. I never accept any donations for the help I provide, but if you would like to make a donation towards the upkeep of this site you may do so here: Donate


      Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.

    5. Finally, please take the time to read through the information provided below:

      Enhance your System Security

      • For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here.


      • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
      • Once complete, remember to re-engage your resident security before going online.


      Web Browsers and Browser Security

      Firefox
      • You can download Firefox from here.


      No-Script
      • If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
      • You can download No-Script by clicking here.


      Internet Explorer
      • The newest version of Internet Explorer is available from here.
      • Please Note: IE9 is not configured to run on XP machines.


      SpywareBlaster
      • If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
      • SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
      • You can download SpywareBlaster by clicking here.


      Web of Trust
      • When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
      • Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
      • You can download Web of Trust by clicking here.


      Keep your Software Updated
      • Outdated software can sometimes have vulnerabilities that are exploitable by malware.
      • Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here.


      Passwords
      • Learn how to create strong passwords by clicking here and test the strength of the passwords you already use by clicking here.


      General Reading


      Learn How To Combat Malware
      • Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here.
    Proud Graduate of the WTT Classroom

  5. #15
    Junior Member
    Join Date
    Oct 2011
    Posts
    8


    Yes, everything seems to be asymptomatic! Thank you, thank you! I've followed the rest of your instructions and am almost through the supplemental material. I am feeling confident that the thread can be closed and filed under "success". :D

    Quote Originally Posted by JonTom
    You are very kind... I never accept donations... if you would like to make a donation...
    Thank you for your devotion to the cause. I did make a donation to the project; a mere pittance in comparison to the valuable assistance you've provided, but a token of appreciation, at least.

    Once again, I greatly appreciate your time and expertise!!


  6. #16
    Senior Member
    Join Date
    Apr 2010
    Posts
    463


    Hello shinysideup

    Thank you for your kind donation.

    Once again, I greatly appreciate your time and expertise!!
    You are more than welcome.

    Glad we could help.

    As your problem appears to be resolved this thread is now closed.

    Best wishes
    JonTom
    Proud Graduate of the WTT Classroom
