
google redirect virus


  • This topic is locked
3 replies to this topic

#1 wheresolive

  • Members
  • 2 posts

Posted 12 October 2009 - 12:08 AM

So for about a week now, my Google and Yahoo searches have been redirecting.

So far I have run Spybot Search & Destroy, AVG and Malwarebytes.

I removed everything they said was infected.


This is really annoying.

Can you help me fix this and make sure I have the appropriate virus software so it doesn't happen again?

Thanks in advance!

ETA: here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:42 PM, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\123\jre6\bin\jusched.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Java\123\jre6\bin\jqs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MicroTrend\HijackThat\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\123\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\123\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\123\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\123\jre6\bin\jqs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10626 bytes


My Avira scan gives two warnings. Here they are:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.

ETA: here is my old Malwarebytes log (I have run it twice since and now it's clean, but just in case this helps)

Malwarebytes' Anti-Malware 1.41
Database version: 2925
Windows 5.1.2600 Service Pack 3

10/8/2009 5:22:22 PM
mbam-log-2009-10-08 (17-22-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 213500
Time elapsed: 1 hour(s), 19 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.

Merged post:
Hi all -

I apologize for the second topic. I was hesitant to reply under my old topic because I read that if you do this, you are moved to the back of the line and I really need help!

I posted here last monday http://www.bleepingcomputer.com/forums/t/263824/google-redirect-virus/

Basically I got a virus, cleaned it up (so I thought), then still had the Google redirect problem. My HijackThis log and virus scan log (from when I removed the original virus) are included.

No problems besides the redirect for two weeks. But the redirect was bugging me, so I decided to post for help.

Then last night, my computer said I should shut down because there was a new Windows update. I shut down. When I tried to turn it on this morning, it brought me to a screen that asks if I want to boot in Safe Mode. I pick the Safe Mode option and it seems as if it will boot, but then a blue screen pops up and it takes you back to the original screen asking if you want to boot in Safe Mode.

Even when I tried a regular boot, the same thing happened.

It will not start.

I tried hitting the power button on and off. It made no difference.

Please help! Although I backed up my computer on an external hard drive a few months ago, I have some new pictures that I would hate to lose!

Thanks!

Edited by The weatherman, 19 October 2009 - 04:55 PM.
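The log above is the kind of thing a helper reads line by line for the usual redirect mechanisms: R0/R1 start and search URLs pointing somewhere other than the browser defaults (here the OEM MyWay entries, the same family the Malwarebytes log flags as Adware.MyWebSearch), a proxy setting, hosts-file entries (O1), an orphaned BHO (the "(no file)" O2 line), autoruns launched from a user profile (the per-user GoogleUpdate O4 line), overridden DNS servers (O17) and services with no publisher (the two "Unknown owner" O23 lines). The posted log has no O1 or O17 lines, so nothing is visible at the hosts or DNS layer; the caveat is that HijackThis only reports what the registry and file system show it, so a rootkit-hidden driver or a patched network driver will not appear, which is why the responder later asks for a RootRepeal log. The script below is an added example for this thread, not HijackThis code and not part of the original post. The allowlist of known-good hosts and the severity labels are assumptions for illustration; the sample log mixes lines copied from the posted log with two constructed O1/O17 lines (RFC 5737 test addresses) so every branch runs.

```python
"""Triage a HijackThis log for the indicators behind search-engine redirects.

Added example for this thread; not part of the original post and not
HijackThis code. Host allowlist and severity labels are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hosts this machine is expected to carry in its R0/R1 browser settings.
# Assumption: Microsoft and Yahoo defaults are accepted; everything else,
# including the OEM MyWay entries, is put up for review.
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.yahoo.com"}

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
USER_PROFILE_PATH = re.compile(
    r"\\Documents and Settings\\[^\\]+\\Local Settings\\|\\Temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "info" or "review"
    line: str       # the HijackThis line that triggered it
    reason: str


def host_of(url: str):
    """Return the lower-cased host of an http(s) URL, or None."""
    m = URL_HOST.search(url)
    return m.group(1).lower() if m else None


def triage_hijackthis(log_text: str):
    """Walk a HijackThis log and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                      # headers, process list, blank lines
        kind, body = m.group("kind"), m.group("body")

        if kind in ("R0", "R1"):          # IE start/search pages and proxy keys
            if "ProxyServer" in body:
                findings.append(Finding("review", line,
                    "proxy server configured; a redirector can route browsing through it"))
            elif "ProxyOverride" in body:
                pass                      # bypass list only; harmless without ProxyServer
            else:
                host = host_of(body.split("=", 1)[-1])
                if host and host not in KNOWN_GOOD_HOSTS:
                    findings.append(Finding("review", line,
                        f"start/search URL points at non-default host {host}"))
        elif kind == "O1":                # hosts-file entries beyond the defaults
            findings.append(Finding("review", line,
                "hosts-file entry can silently redirect a search domain"))
        elif kind == "O2" and "(no file)" in body:
            findings.append(Finding("info", line,
                "BHO CLSID whose DLL is gone (orphaned entry, clean up)"))
        elif kind == "O4" and USER_PROFILE_PATH.search(body):
            findings.append(Finding("review", line,
                "autorun launched from a user profile or temp directory; verify the binary"))
        elif kind == "O17":               # DNS / domain settings
            findings.append(Finding("review", line,
                "DNS server override; confirm the address belongs to your ISP"))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(Finding("review", line,
                "service with no publisher information; verify the file"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'review': 6, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


# Sample input: lines copied from the posted log plus two constructed lines
# (O1 and O17, RFC 5737 test addresses) that the posted log does not contain.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 203.0.113.5 www.google.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alli\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0E1D2C3-0000-0000-0000-000000000001}: NameServer = 203.0.113.53
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage_hijackthis(SAMPLE_LOG)))
```

Run as-is it prints seven findings: the two MyWay URLs, the constructed hosts and DNS lines, the per-user GoogleUpdate autorun and the unsigned ATI service as "review", and the orphaned BHO as "info". A "review" is a prompt to verify the file or address, not a verdict; the Intel service and the Avira autorun pass because they carry a publisher and live under Program Files, which is exactly the kind of signal a helper checks by hand before deciding anything.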



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 26 October 2009 - 07:06 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to [image link].

#3 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 30 October 2009 - 03:06 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 04 November 2009 - 12:31 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



