Topic: Redirecting to other sites


krasotka1

  • Guest
Redirecting to other sites
« on: February 13, 2011, 08:42:59 PM »
Hello. One week ago, when I searched in Google/Yahoo/ICQ and more (not all browsers, because in Russian browsers I don't have any problem), I was redirected to gomeo.es or other sites. If I enter an original site it gives me: Error in codification. That means that either way I can't enter this site. I tried everything. The last thing I did was scan my computer with ComboFix, and here I put the log (hgfd.exe is ComboFix; I renamed it because this virus didn't let me open it with the previous name):
ComboFix 11-02-12.02 - Olga 13/02/2011  20:11:38.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1251.7.3082.18.1023.793 [GMT 1:00]
Running from: c:\documents and settings\Olga\Mis documentos\Descargas\hgfd.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2011-01-13 to 2011-02-13  )))))))))))))))))))))))))))))))
.

2011-02-12 15:48 . 2011-02-12 16:16   --------   d-----w-   C:\AeriaGames
2011-02-10 19:25 . 2011-02-10 19:25   --------   d-----w-   C:\Perfect World Entertainment
2011-02-09 14:27 . 2011-02-09 14:27   --------   d-----w-   C:\Program Files
2011-02-09 07:42 . 2011-02-09 07:42   --------   d-----w-   C:\Ntreev
2011-02-06 20:29 . 2011-02-06 20:29   --------   d-----r-   C:\MSOCache
2011-02-06 20:26 . 2011-02-06 20:28   --------   d-----w-   C:\Mo2007sp1

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-04-14 . D9900206D5391357018E6111EAB4E1BF . 510976 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . C6BF10FAFEBCF4D1BBB06E1BB0DBB806 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\archivos de programa\Skype\Phone\Skype.exe" [2011-01-26 15026056]
"Advanced SystemCare 3"="c:\archivos de programa\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
"uTorrent"="c:\archivos de programa\uTorrent\uTorrent.exe" [2011-02-06 395640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 77824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Archivos de programa\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Archivos de programa\\uTorrent\\uTorrent.exe"=
"c:\\Archivos de programa\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57152:TCP"= 57152:TCP:Pando Media Booster
"57152:UDP"= 57152:UDP:Pando Media Booster

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 13:00 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RegKernelHelp;RegKernelHelp;\??\c:\archivos de programa\Safe Returner\RegKernelHelp.sys --> c:\archivos de programa\Safe Returner\RegKernelHelp.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [06/02/2011 21:45 27064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = www.apeha.ru
IE: &Экспорт в Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Olga\Datos de programa\Mozilla\Firefox\Profiles\gow49jyl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.es/
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Symantec Database Services - symdbsvc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 20:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Archivos de programa/Archivos comunes/Akamai/netsession_win_dbc0250.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Archivos de programa/Archivos comunes/Akamai/netsession_win_dbc0250.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2011-02-13  20:17:04
ComboFix-quarantined-files.txt  2011-02-13 19:17

Pre-Run: 168.670.588.928 bytes libres
Post-Run: 168.784.658.432 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 394F36CC7D813610C2438C0075E86506



Help please.
« Last Edit: February 14, 2011, 02:21:20 PM by krasotka1 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Redirecting to other sites
« Reply #1 on: February 13, 2011, 08:59:52 PM »
Quote
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!
Essexboy is notified...

krasotka1

Re: Redirecting to other sites
« Reply #2 on: February 13, 2011, 09:22:41 PM »
I saw this, but I can't delete these files. They're important. I tried a few programs that fix exe problems, but the problem persists...

Offline Pondus

Re: Redirecting to other sites
« Reply #3 on: February 13, 2011, 09:37:37 PM »
Essexboy will fix it. Wait for his advice.

While waiting you can try doing this:


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)


To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( OTL.Txt. / Extras.Txt / Malwarebytes scan log )



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Redirecting to other sites
« Reply #4 on: February 13, 2011, 10:34:51 PM »
If you could run OTL with this script, it will show me if there are any spares available.

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

krasotka1

Re: Redirecting to other sites
« Reply #5 on: February 13, 2011, 11:16:30 PM »
Here I attach the logs. Sorry, but I can't post them here because they exceed 10000 characters.

Offline Pondus

Re: Redirecting to other sites
« Reply #6 on: February 13, 2011, 11:28:04 PM »
Quote
Here I attach the logs. Sorry, but I can't post them here because they exceed 10000 characters.
You mean the Malwarebytes log? Try attaching it in a new post.

krasotka1

Re: Redirecting to other sites
« Reply #7 on: February 13, 2011, 11:43:36 PM »
No. I downloaded the Malwarebytes installer, but for some reason I can't install it. My computer freezes. I posted the OTL logs: OTL.txt and Extras.txt.

Offline Pondus

Re: Redirecting to other sites
« Reply #8 on: February 13, 2011, 11:49:25 PM »
OK, I guess Essexboy has logged off for today, so you have to wait until tomorrow before he is back.
He is usually here 8:00pm - 11:59pm UK time.

argus

  • Guest
Re: Redirecting to other sites
« Reply #9 on: February 14, 2011, 07:53:39 AM »
I do not understand why OTL when ComboFix sees Bamital ???
« Last Edit: February 14, 2011, 07:55:38 AM by argus »

krasotka1

Re: Redirecting to other sites
« Reply #10 on: February 14, 2011, 07:36:06 PM »
Okay. I'll wait for his answer :) And what's the meaning of Bamital?

Offline essexboy

Re: Redirecting to other sites
« Reply #11 on: February 14, 2011, 07:39:36 PM »
I cannot see where it says Bamital; there are several different infections that hit explorer and winlogon.

Download fresh copies of winlogon and explorer from here and then save them to the following folder: C:\WINDOWS\system32\dllcache

You may need to make hidden folders visible

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe
http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe#resId/32D8666F4048075B!536

Once done, re-run ComboFix and post the log please.

Offline Pondus

Re: Redirecting to other sites
« Reply #12 on: February 14, 2011, 07:48:44 PM »

krasotka1

Re: Redirecting to other sites
« Reply #13 on: February 14, 2011, 07:52:59 PM »
Okay, but why do I need to put winlogon.exe and explorer.exe in dllcache? My explorer.exe is in the Windows folder and winlogon.exe is in the system32 folder.

Offline Pondus

Re: Redirecting to other sites
« Reply #14 on: February 14, 2011, 08:02:18 PM »
ComboFix will remove the infected one and replace it with the fresh one you have downloaded and saved.
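The MD5 check in essexboy's OTL script (Reply #4) and the dllcache replacement explained in Replies #11 and #14 both come down to comparing a system binary against a known copy. As an added example that is not from the thread, ComboFix or OTL, this Python parses the Sigcheck lines from the log above and compares a live binary with its dllcache copy; treating the "-" marker as "failed check" is an assumption drawn from the two files ComboFix also reported as infected.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: the two Sigcheck lines from the ComboFix log posted above.
SIGCHECK_SAMPLE = r"""------- Sigcheck -------
[-] 2008-04-14 . D9900206D5391357018E6111EAB4E1BF . 510976 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . C6BF10FAFEBCF4D1BBB06E1BB0DBB806 . 1036288 . . [6.00.2900.5512] . . c:\windows\explorer.exe
"""

# One Sigcheck line: [marker] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<marker>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)

@dataclass
class SigcheckEntry:
    marker: str
    date: str
    md5: str
    size: int
    version: str
    path: str

def parse_sigcheck(text):
    """Parse the Sigcheck block into entries. Assumption: the '-' marker is the one
    ComboFix put on the two files it also reported as 'is infected!!' in the log."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            entries.append(SigcheckEntry(d["marker"], d["date"], d["md5"].upper(),
                                         int(d["size"]), d["version"], d["path"].strip()))
    return entries

def failed_entries(entries):
    """Files whose Sigcheck marker is '-': the ones to compare against a clean copy."""
    return [e for e in entries if e.marker == "-"]

def compare_copies(live_bytes, cache_bytes):
    """Compare a live system binary with the protected copy in system32\\dllcache.
    MD5 is reported because ComboFix prints MD5; SHA-256 decides the match.
    A mismatch is a lead (dllcache can lag a hotfix), not proof of infection."""
    live_md5 = hashlib.md5(live_bytes).hexdigest().upper()
    cache_md5 = hashlib.md5(cache_bytes).hexdigest().upper()
    match = hashlib.sha256(live_bytes).digest() == hashlib.sha256(cache_bytes).digest()
    return {"live_md5": live_md5, "cache_md5": cache_md5, "match": match}
```

Feed `compare_copies` the bytes of `%SystemRoot%\explorer.exe` and `%SystemRoot%\system32\dllcache\explorer.exe` to reproduce the check by hand before letting a tool replace anything.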