Redirecting to other sites

Hello. 1 week ago, when I searched in google/yahoo/icq and more (not all browsers, because in Russian browsers I don't have any problem) I'm redirected to gomeo.es or other sites. If I enter an original site it gives me: Error in codification. That means that either way I can't enter this site. I tried everything. The last thing I did is scan my computer with ComboFix and here I put the log (hgfd.exe is ComboFix; I renamed it because this virus didn't let me open it with the previous name):
ComboFix 11-02-12.02 - Olga 13/02/2011 20:11:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.3082.18.1023.793 [GMT 1:00]
Running from: c:\documents and settings\Olga\Mis documentos\Descargas\hgfd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-12 15:48 . 2011-02-12 16:16 -------- d-----w- C:\AeriaGames
2011-02-10 19:25 . 2011-02-10 19:25 -------- d-----w- C:\Perfect World Entertainment
2011-02-09 14:27 . 2011-02-09 14:27 -------- d-----w- C:\Program Files
2011-02-09 07:42 . 2011-02-09 07:42 -------- d-----w- C:\Ntreev
2011-02-06 20:29 . 2011-02-06 20:29 -------- d-----r- C:\MSOCache
2011-02-06 20:26 . 2011-02-06 20:28 -------- d-----w- C:\Mo2007sp1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-04-14 . D9900206D5391357018E6111EAB4E1BF . 510976 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . C6BF10FAFEBCF4D1BBB06E1BB0DBB806 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Skype”=“c:\archivos de programa\Skype\Phone\Skype.exe” [2011-01-26 15026056]
“Advanced SystemCare 3”=“c:\archivos de programa\IObit\Advanced SystemCare 3\AWC.exe” [2010-12-16 2402512]
“uTorrent”=“c:\archivos de programa\uTorrent\uTorrent.exe” [2011-02-06 395640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NeroFilterCheck”=“c:\windows\system32\NeroCheck.exe” [2001-07-09 155648]
“SoundMan”=“SOUNDMAN.EXE” [2004-11-15 77824]
“NvCplDaemon”=“c:\windows\system32\NvCpl.dll” [2008-10-07 13574144]
“nwiz”=“nwiz.exe” [2008-10-07 1630208]
“NvMediaCenter”=“c:\windows\system32\NvMcTray.dll” [2008-10-07 86016]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\ctfmon.exe” [2008-04-14 15360]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“%windir%\system32\sessmgr.exe”=
“c:\Archivos de programa\Skype\Phone\Skype.exe”=
“c:\Archivos de programa\Skype\Plugin Manager\skypePM.exe”=
“c:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE”=
“c:\Archivos de programa\uTorrent\uTorrent.exe”=
“c:\Archivos de programa\Pando Networks\Media Booster\PMB.exe”=
“c:\Ntreev\Grand Chase\main.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“57152:TCP”= 57152:TCP:Pando Media Booster
“57152:UDP”= 57152:UDP:Pando Media Booster

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 13:00 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service → c:\windows\system32\GameMon.des -service [?]
S3 RegKernelHelp;RegKernelHelp;??\c:\archivos de programa\Safe Returner\RegKernelHelp.sys → c:\archivos de programa\Safe Returner\RegKernelHelp.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [06/02/2011 21:45 27064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = www.apeha.ru
IE: &Экспорт в Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Olga\Datos de programa\Mozilla\Firefox\Profiles\gow49jyl.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es/
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Symantec Database Services - symdbsvc.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 20:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
“ServiceDll”=“C:/Archivos de programa/Archivos comunes/Akamai/netsession_win_dbc0250.dll”

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
“ServiceDll”=“C:/Archivos de programa/Archivos comunes/Akamai/netsession_win_dbc0250.dll”

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
“ImagePath”=“c:\windows\system32\GameMon.des -service”
.
Completion time: 2011-02-13 20:17:04
ComboFix-quarantined-files.txt 2011-02-13 19:17

Pre-Run: 168.670.588.928 bytes libres
Post-Run: 168.784.658.432 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT=“Microsoft Windows Recovery Console” /cmdcons
UnsupportedDebug=“do not select this” /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=“Microsoft Windows XP Professional” /noexecute=optin /fastdetect

- - End Of File - - 394F36CC7D813610C2438C0075E86506

Help please.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!


Essexboy is notified…

I saw this but I can't delete these files. They're important. I tried a few programs that fix exe problems but the problem persists…

Essexboy will fix it. Wait for his advice

while waiting you can try doing this

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt / Malwarebytes scan log )

If you could run OTL with this script it will show me if there are any spares available

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Here I attach the logs. Sorry but I can't post them here because they exceed 10000 characters

You mean Malwarebytes log? try attaching in a new post

no. I downloaded Malwarebytes installer, but for some reason I can’t install it. My computer freezes. I posted OTL logs. OTL.txt and Extras.txt

OK, I guess Essexboy has logged off for today so you have to wait until tomorrow before he is back
he is usually here 8:00pm - 11:59pm UK time

I do not understand why OTL when Combofix sees Bamital ???

okay. I'll wait for his answer :) and what's the meaning of Bamital?

I cannot see where it says Bamital, there are several different infections that hit explorer and winlogon

Download fresh copies of winlogon and explorer from here and then save them to the following folder C:\WINDOWS\system32\dllcache

You may need to make hidden folders visible

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe
http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe#resId/32D8666F4048075B!536

Once done re-run combofix and post the log please

and what's the meaning of Bamital?
Bamital info ;) http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=W32/Bamital

okay, but why do I need to put winlogon.exe and explorer.exe in dllcache? My explorer.exe is in the windows folder and winlogon.exe is in the system32 folder

Combofix will remove the infected one and replace with the fresh one you have downloaded and saved

Spot on - As combofix will replace them using RC commands. They cannot be overwritten whilst the system is running

I cannot see where it says Bamital, there are several different infections that hit explorer and winlogon

------- Sigcheck -------

[-] 2008-04-14 . D9900206D5391357018E6111EAB4E1BF . 510976 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

http://www.virustotal.com/file-scan/report.html?id=5675c5f0fa159cd837b364119291ffd13984d966440fe274e0466f87d19865e5-1297603746

[-] 2008-04-14 . C6BF10FAFEBCF4D1BBB06E1BB0DBB806 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe

http://www.virustotal.com/file-scan/report.html?id=76d362bf3150c867a3fd6b780ab668529bdb69a1b0639e97abafa6747b2231e5-1297603999

With Bamital I would expect to see multiple infected files failing the sigcheck

Cheers :)

hello. I did what you told me but Google keeps redirecting me =( Here is the ComboFix log:

ComboFix 11-02-13.04 - Olga 14/02/2011 20:51:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.7.3082.18.1023.795 [GMT 1:00]
Running from: c:\documents and settings\Olga\Mis documentos\Descargas\hgfd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-13 19:04 . 2011-02-13 19:17 -------- d-----w- C:\hgfd
2011-02-12 15:48 . 2011-02-12 16:16 -------- d-----w- C:\AeriaGames
2011-02-10 19:25 . 2011-02-14 04:00 -------- d-----w- C:\Perfect World Entertainment
2011-02-09 14:27 . 2011-02-09 14:27 -------- d-----w- C:\Program Files
2011-02-09 07:42 . 2011-02-09 07:42 -------- d-----w- C:\Ntreev
2011-02-06 20:29 . 2011-02-06 20:29 -------- d-----r- C:\MSOCache
2011-02-06 20:26 . 2011-02-06 20:28 -------- d-----w- C:\Mo2007sp1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2011-02-14 . F309D41AD9B28D8669312388E1F339E2 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
[-] 2008-04-14 . D9900206D5391357018E6111EAB4E1BF . 510976 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2011-02-14 . 6206A84FDE20F44ED86760B82E2E0C3F . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
[-] 2008-04-14 . C6BF10FAFEBCF4D1BBB06E1BB0DBB806 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-02-13_19.15.32 )))))))))))))))))))))))))))))))))))))))))
.

2011-02-14 19:50 . 2011-02-14 19:50 16384 c:\windows\Temp\Perflib_Perfdata_638.dat
2011-02-06 20:58 . 2011-02-14 19:19 49152 c:\windows\Historial\History.IE5\index.dat
2011-02-06 20:58 . 2011-02-13 19:00 49152 c:\windows\Historial\History.IE5\index.dat
2011-02-13 23:58 . 2011-02-13 23:58 258352 c:\windows\system32\unicows.dll
2011-02-06 20:58 . 2011-02-14 19:19 589824 c:\windows\Archivos temporales de Internet\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Skype”=“c:\archivos de programa\Skype\Phone\Skype.exe” [2011-01-26 15026056]
“Advanced SystemCare 3”=“c:\archivos de programa\IObit\Advanced SystemCare 3\AWC.exe” [2010-12-16 2402512]
“uTorrent”=“c:\archivos de programa\uTorrent\uTorrent.exe” [2011-02-06 395640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“NeroFilterCheck”=“c:\windows\system32\NeroCheck.exe” [2001-07-09 155648]
“SoundMan”=“SOUNDMAN.EXE” [2004-11-15 77824]
“NvCplDaemon”=“c:\windows\system32\NvCpl.dll” [2008-10-07 13574144]
“nwiz”=“nwiz.exe” [2008-10-07 1630208]
“NvMediaCenter”=“c:\windows\system32\NvMcTray.dll” [2008-10-07 86016]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“c:\windows\system32\ctfmon.exe” [2008-04-14 15360]

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
“%windir%\Network Diagnostic\xpnetdiag.exe”=
“%windir%\system32\sessmgr.exe”=
“c:\Archivos de programa\Skype\Phone\Skype.exe”=
“c:\Archivos de programa\Skype\Plugin Manager\skypePM.exe”=
“c:\Archivos de programa\Microsoft Office\Office12\OUTLOOK.EXE”=
“c:\Archivos de programa\uTorrent\uTorrent.exe”=
“c:\Archivos de programa\Pando Networks\Media Booster\PMB.exe”=
“c:\Ntreev\Grand Chase\main.exe”=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
“57152:TCP”= 57152:TCP:Pando Media Booster
“57152:UDP”= 57152:UDP:Pando Media Booster

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 13:00 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service → c:\windows\system32\GameMon.des -service [?]
S3 RegKernelHelp;RegKernelHelp;??\c:\archivos de programa\Safe Returner\RegKernelHelp.sys → c:\archivos de programa\Safe Returner\RegKernelHelp.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [06/02/2011 21:45 27064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = www.apeha.ru
IE: &Экспорт в Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Olga\Datos de programa\Mozilla\Firefox\Profiles\gow49jyl.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es/
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-14 20:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
“ServiceDll”=“C:/Archivos de programa/Archivos comunes/Akamai/netsession_win_dbc0250.dll”

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
“ServiceDll”=“C:/Archivos de programa/Archivos comunes/Akamai/netsession_win_dbc0250.dll”

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
“ImagePath”=“c:\windows\system32\GameMon.des -service”
.
Completion time: 2011-02-14 20:57:37
ComboFix-quarantined-files.txt 2011-02-14 19:57
ComboFix2.txt 2011-02-13 19:17

Pre-Run: 166.612.000.768 bytes libres
Post-Run: 166.610.804.736 bytes libres

- - End Of File - - ECCBCDB0E4B40268633E56B5854C73C8
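As an added example (not code from this thread, ComboFix or its authors), a small Python parser for the Sigcheck lines quoted in the two logs above: it pairs each live system binary with the fresh copy saved in dllcache and reports whether MD5, size and version string agree, which is the comparison Essexboy walks through by eye. The sample input is the four Sigcheck lines taken from the logs in this thread.

```python
import re

# Sigcheck lines copied from the two ComboFix logs in this thread (constructed
# input: first-log lines for the live binaries, second-log lines for dllcache).
SIGCHECK_LINES = """\
[-] 2008-04-14 . D9900206D5391357018E6111EAB4E1BF . 510976 . . [5.1.2600.5512] . . c:\\windows\\system32\\winlogon.exe
[-] 2008-04-14 . C6BF10FAFEBCF4D1BBB06E1BB0DBB806 . 1036288 . . [6.00.2900.5512] . . c:\\windows\\explorer.exe
[-] 2011-02-14 . F309D41AD9B28D8669312388E1F339E2 . 507904 . . [5.1.2600.5512] . . c:\\windows\\system32\\dllcache\\winlogon.exe
[-] 2011-02-14 . 6206A84FDE20F44ED86760B82E2E0C3F . 1033728 . . [6.00.2900.5512] . . c:\\windows\\system32\\dllcache\\explorer.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [file version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

def parse_sigcheck(text):
    """Parse the Sigcheck section of a ComboFix log into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, separators
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["basename"] = entry["path"].rsplit("\\", 1)[-1].lower()
        entries.append(entry)
    return entries

def in_dllcache(entry):
    return "\\dllcache\\" in entry["path"].lower()

def compare_with_dllcache(entries):
    """Pair each live binary with the dllcache copy of the same name; an equal
    version string but a different MD5/size is the pattern shown in the log."""
    cache = {e["basename"]: e for e in entries if in_dllcache(e)}
    findings = {}
    for e in entries:
        if in_dllcache(e):
            continue
        ref = cache.get(e["basename"])
        if ref is None:
            findings[e["basename"]] = {"status": "no reference copy"}
            continue
        same_hash = e["md5"].upper() == ref["md5"].upper()
        findings[e["basename"]] = {
            "status": "matches reference" if same_hash else "differs from reference",
            "same_version": e["version"] == ref["version"],
            "size_delta": e["size"] - ref["size"],  # live minus fresh copy, bytes
        }
    return findings
```

On the lines from this thread both binaries report the same version as their dllcache copy but a different hash and a few KB of extra size, the signal that the file on disk is not the one the version resource claims it to be.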