BleepingComputer.com: Google Redirect Virus

Hello Admin,

(Many thanks for any help!)

I seem to have picked up a google redirecting virus since updating to Kaspersky 8.0.

I've updated run malwarebytes and found "Worm.Magania", this has been quarantined and deleted but I'm still getting redirected on both my main browser (Google Chrome) and IE8. TDSSKiller picks up nothing

I've used Crap cleaner to no avail and I have these programs on standby which have been downloaded today (not yet installed):

Combofix
DDS
Dfogger - Running
Gmer
Hijackthis
OTL
RkunhookerLE
TFC
Secruitycheck
ESET Online Scanner
TDSSKiller


I'm running Windows Vista 32 Bit but I don't have the windows disks (I can't find them at all), windows restore points have also been deleted. I'm currently waiting for the GMER results.



DDS (Ver_11-03-05.01) - NTFSx86
Run by comet at 15:40:16.29 on 13/05/2011
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3198.1964 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SearchFilterHost.exe
C:\Users\comet\Desktop\dds.scr
C:\Users\comet\Desktop\gmer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vp32&d=1006&m=aspire_x3200
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\comet\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\comet\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 7.0\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: {590382B4-75E6-4CF4-B948-7693F27692AB} = 217.171.132.1 217.171.135.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\r3hook.dll, c:\progra~1\kasper~1\kasper~1.0\adialhk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-12-12 56208]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-4-4 20760]
R2 AVP;Kaspersky Internet Security 7.0;c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe [2007-6-26 218376]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-8-17 1737464]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-5-20 30576]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-4-30 43552]
S3 CEDRIVER55;CEDRIVER55;c:\program files\cheat engine\dbk32.sys [2010-8-19 61056]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-2-26 112128]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-2-26 100736]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-12-8 9216]
.
=============== File Associations ===============
.
scrfile="%1" /S
.
=============== Created Last 30 ================
.
2011-05-13 13:55:53 -------- d-----w- c:\program files\ESET
2011-05-12 19:06:50 -------- d-----w- c:\users\comet\appdata\roaming\Malwarebytes
2011-05-12 19:06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 19:06:40 -------- d-----w- c:\progra~2\Malwarebytes
2011-05-12 19:06:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-12 19:06:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 18:29:19 -------- d-----w- c:\progra~2\PC Tools
2011-05-12 18:18:06 -------- d-----w- c:\progra~2\SafeReturner
2011-05-12 18:06:25 -------- d-----w- C:\!KillBox
2011-05-10 18:46:41 -------- d-----w- c:\users\comet\appdata\roaming\mkvtoolnix
2011-05-10 18:45:19 -------- d-----w- c:\program files\MKVtoolnix
2011-05-10 18:20:45 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-04-29 20:14:21 -------- d-----w- c:\program files\Sibelius Software
2011-04-29 19:56:06 -------- d-----w- c:\progra~2\Sibelius Software
2011-04-29 19:56:03 -------- d-----w- c:\users\comet\appdata\roaming\Sibelius Software
.
==================== Find3M ====================
.
2011-05-13 14:26:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-09 17:34:20 104960 --sha-r- c:\windows\system32\fdBthu.dll
.
============= FINISH: 15:42:23.91 ===============

This post has been edited by RanmSyaoran: 13 May 2011 - 09:58 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
  
• Now double-click on RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan.
  
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  
• Wait till the scanner has finished and then click File, Save Report.
  
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


information and logs:

In your next post I need the following


• .logs from DDS
  
• log from RKUnHooker
  
• let me know of any problems you may have had

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.