Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google Redirect Virus?

  • Please log in to reply
1 reply to this topic

#1 kev4ce


  • Members
  • 2 posts
  • Local time:03:58 PM

Posted 08 May 2009 - 10:52 PM

I have a virus that continually redirects me to various ad sites when I click links on websites such as google. Here are my logs

DDS (Ver_09-03-16.01) - NTFSx86
Run by KMei at 22:47:50.10 on Fri 05/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.360 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Documents and Settings\KMei\Desktop\HiJackThis.exe
C:\Documents and Settings\KMei\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: c:\windows\system32\afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\t9mfs.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\t9mfs.exe
dRun: [Diagnostic Manager] c:\windows\temp\712508436.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\documents and settings\kmei\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\kmei\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\kmei\startm~1\programs\startup\digsby.lnk - c:\program files\digsby\digsby.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: HideRunAsVerb = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232585332671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232585313625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\afnoinkdsfe.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\afnoinkdsfe.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kmei\applic~1\mozilla\firefox\profiles\0jqse1s4.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\kmei\application data\mozilla\firefox\profiles\0jqse1s4.default\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-2-6 727720]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-24 24652]
S2 RPCHE;Remote Procedure Call (RPCE);c:\program files\common files\microsoft shared\speech\csvd.exe --> c:\program files\common files\microsoft shared\speech\csvd.exe [?]
S3 iCheat1;iCheat1;\??\c:\documents and settings\kmei\desktop\maple\nvid999.sys --> c:\documents and settings\kmei\desktop\maple\nvid999.sys [?]

=============== Created Last 30 ================

2009-05-08 21:42 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-08 21:42 24,064 a--sh--- c:\documents and settings\kmei\protect.dll
2009-05-08 21:42 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-07 01:05 <DIR> --d----- c:\program files\ESET
2009-05-07 00:40 16,896 a------- c:\windows\system32\SET11EA.tmp
2009-05-07 00:40 539,136 a------- c:\windows\system32\SET11BD.tmp
2009-05-07 00:40 177,152 a------- c:\windows\system32\SET11BF.tmp
2009-05-07 00:40 354,304 a------- c:\windows\system32\SET118D.tmp
2009-05-07 00:37 95,744 a------- c:\windows\system32\SET591.tmp
2009-05-07 00:37 471,552 a------- c:\windows\system32\SET58B.tmp
2009-05-07 00:35 271,360 a------- c:\windows\system32\SET343.tmp
2009-05-07 00:34 123,392 a------- c:\windows\system32\SET1BE.tmp
2009-05-07 00:32 19,569 a------- c:\windows\002691_.tmp
2009-05-07 00:27 1,314,816 a------- c:\windows\system32\dllcache\msoe.dll
2009-05-07 00:27 1,497,088 a------- c:\windows\system32\dllcache\shdocvw.dll
2009-05-07 00:27 474,112 a------- c:\windows\system32\dllcache\shlwapi.dll
2009-05-07 00:27 510,976 a------- c:\windows\system32\dllcache\wab32.dll
2009-05-07 00:27 85,504 a------- c:\windows\system32\dllcache\wabimp.dll
2009-05-07 00:27 17,408 a------- c:\windows\system32\dllcache\corpol.dll
2009-05-07 00:27 683,520 a------- c:\windows\system32\dllcache\inetcomm.dll
2009-05-07 00:27 491,520 a------- c:\windows\system32\dllcache\jscript.dll
2009-05-06 22:12 <DIR> --d----- c:\program files\Messenger
2009-05-06 22:12 16,896 a------- c:\windows\system32\SET1114.tmp
2009-05-06 22:12 177,152 a------- c:\windows\system32\SET10E9.tmp
2009-05-06 22:12 354,304 a------- c:\windows\system32\SET10B7.tmp
2009-05-06 22:12 <DIR> --d----- c:\windows\system32\scripting
2009-05-06 22:12 <DIR> --d----- c:\windows\system32\bits
2009-05-06 22:12 <DIR> --d----- c:\program files\windows nt
2009-05-06 22:05 1,025,024 a------- c:\windows\system32\SET3A5.tmp
2009-05-06 22:04 270,336 a------- c:\windows\system32\SET23E.tmp
2009-05-06 22:02 19,569 a------- c:\windows\002683_.tmp
2009-05-06 21:58 2,897,920 -------- c:\windows\system32\_003002_.tmp.dll
2009-05-06 21:54 <DIR> --d----- c:\windows\EHome
2009-05-06 21:48 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-06 20:51 <DIR> --d----- c:\windows\Security
2009-05-06 20:51 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-01 19:13 <DIR> --d----- c:\program files\Hamachi
2009-04-30 17:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-30 17:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 17:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 22:21 32,930 a------- c:\windows\scunin.dat
2009-04-29 22:21 94,208 a------- c:\windows\ScUnin.exe
2009-04-29 22:21 967 a------- c:\windows\ScUnin.pif
2009-04-26 19:46 <DIR> --d----- c:\program files\xchat
2009-04-19 01:21 <DIR> --d----- c:\documents and settings\kmei\.thumbnails
2009-04-18 21:48 <DIR> --d----- c:\documents and settings\kmei\.gimp-2.6
2009-04-18 21:43 <DIR> --d----- c:\program files\GIMP-2.0
2009-04-18 14:25 110,592 a------- c:\windows\system32\winsetup66.exe
2009-04-16 21:57 <DIR> --d----- c:\program files\Tukero[X]Team
2009-04-16 21:28 <DIR> --d----- c:\docume~1\kmei\applic~1\ESET
2009-04-14 18:12 <DIR> --d----- c:\program files\mIRC
2009-04-13 21:41 155 a------- c:\windows\system32\SelfDel.bat
2009-04-13 21:25 109,010 a------- c:\windows\system32\drivers\54021a37.sys

==================== Find3M ====================

2009-05-01 19:13 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-04-20 23:02 98,304 a------- c:\windows\DUMPa558.tmp
2009-05-08 22:48 24,064 a--sh--- c:\windows\system32\autochk.dll

============= FINISH: 22:48:17.20 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:03:58 PM

Posted 22 May 2009 - 02:29 PM

Hello kev4ce,

If you still have the same issues, and they are un-resolved, and you are not getting help elsewhere, start with the following.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are casual observer and NOT this OP, do NOT try this on your system!

If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here, or if directed by a forum moderator or forum admin.

Close all browsers and all other programs that you have started.

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}


Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [Adobe Reader Speed Launcher]
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [<NO NAME>] c:\windows\temp\t9mfs.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\t9mfs.exe
dRun: [Diagnostic Manager] c:\windows\temp\712508436.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16

c:\documents and settings\kmei\protect.dll
C:\Documents and Settings\NetworkService\protect.dll
C:\Documents and Settings\LocalService\protect.dll
c:\documents and settings\kmei\start menu\programs\startup\ChkDisk.dll
c:\documents and settings\kmei\start menu\programs\startup\ChkDisk.lnk

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
Posted Image
  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

Start your MBAM MalwareBytes Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2159 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.


Next, Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Once Complete, reboot! :!:

Run Hijackthis
Then close all windows/applications/browsers and run hijackthis, saving the log.

After following the above, post back with 1. Contents of C:\Combofix.txt;
2. the MBAM log;
3. the new Hijackthis log;
4. Goored.txt
5. Tell me, How is your system now ?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users