Redirector Virus



#1 beeg


Posted 26 October 2009 - 09:19 PM

I could use your help please. I'm running Vista Ultimate 64 bit. When I attempt to go to a website (in either Firefox or IE, with both Yahoo and Google), I am redirected to a page that says "Oops! This page does not exist." It then lists 3 links to Google sponsors and has "Google Ads" at the bottom. At the top, there is a frowning emoticon and it says Orbit. This happens about half the time, and it happens regardless of whether I've typed the web address myself or am trying to click from a search result.

I ran full system scans in Norton, Malwarebytes and Ad-Aware and they are clean. I also ran a temp file cleanse with TFC.exe. I do have an ERUNT log from today, if that would help. And I ran OTL and have logs I can share of that too. I tried to download RootRepeal but whenever I do it, a box pops up that says that it doesn't support 64 bit. I can (I think) use HijackThis if that will help.

I've done a lot of research on this and other forums and it seems that each person has had a slightly different fix using ComboFix. But, just as you warn in this forum, I wouldn't do that without guidance.

Your help would be greatly appreciated! Thank you.

#2 garmanma (Staff Emeritus)

Posted 28 October 2009 - 08:55 PM

Welcome to BC



We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

===========================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
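The DIR command above only lists where copies of scecli.dll, netlogon.dll and eventlog.dll live and how big they are; the reader then has to eyeball sizes and dates for a copy that does not match the others, which is how a patched system DLL (the usual reason these three files get checked) shows itself. The following PowerShell script is an added example and not part of the original thread or of any BleepingComputer tool: it performs the same inventory, adds a SHA256 hash and an Authenticode check per copy, and warns when a live copy in System32 or SysWOW64 does not hash-match any WinSxS component of the same name and size. It assumes PowerShell 4.0 or later (Get-FileHash was introduced there) and an elevated prompt so the WinSxS tree is readable; the DLL names are the three from the thread's command.

```powershell
# Added example, not from the original thread.
# Requires PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
$names = 'scecli.dll', 'netlogon.dll', 'eventlog.dll'   # same three DLLs as the thread's DIR command
$root  = $env:windir

# Inventory every copy under %windir%, like "DIR /a/s", but with a hash and signature status.
$copies = Get-ChildItem -Path $root -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status          # Valid / NotSigned / HashMismatch / ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }

# Same table the DIR output gives, plus the signature column.
$copies | Sort-Object Name, Path | Format-Table Name, Size, Modified, Signature, Path -AutoSize

# Check 1: any copy that does not carry a valid Microsoft signature.
# Caveat: many Windows system DLLs are catalog-signed rather than embedded-signed, and older
# PowerShell versions report those as NotSigned, so treat NotSigned as "compare hashes",
# not as proof of tampering. HashMismatch on an embedded-signed file is a much stronger signal.
$suspect = $copies | Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' }
if ($suspect) {
    Write-Warning 'Copies without a valid Microsoft signature:'
    $suspect | Format-List Name, Path, Size, Sha256, Signature
}

# Check 2: the live copy in System32 / SysWOW64 is normally a hard link to one WinSxS component,
# so its hash should equal at least one WinSxS copy of the same name and size. A live copy that
# matches by size but not by hash has been altered in place.
$live = $copies | Where-Object { $_.Path -like "$root\System32\*" -or $_.Path -like "$root\SysWOW64\*" }
foreach ($l in $live) {
    $twins = $copies | Where-Object {
        $_.Name -eq $l.Name -and $_.Size -eq $l.Size -and $_.Path -like "$root\winsxs\*"
    }
    if ($twins -and -not ($twins | Where-Object { $_.Sha256 -eq $l.Sha256 })) {
        Write-Warning "$($l.Path) matches a WinSxS copy by size but not by hash"
    }
}
```

Read against the DIR output posted later in this thread: the 235,520-byte scecli.dll in System32 pairs with the amd64 WinSxS component and the 177,152-byte one in SysWOW64 pairs with the wow64 component, so with this script both checks would stay quiet for that machine; the copies under SoftwareDistribution\Download are pending Windows Update payloads and are expected to differ.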

#3 beeg


Posted 29 October 2009 - 02:17 PM

Hi garmanma. Sorry, checked all day yesterday and didn't see your reply. Will do as you instruct now. FYI - I was unable to use RootRepeal the other day. Will try again. Do I only download the primary mirror or do I need to download all of them? Thanks again for helping.

#4 beeg


Posted 29 October 2009 - 02:23 PM

RootRepeal won't run. Says it doesn't support 64 bit systems. I am running Vista Ultimate, 64 bit. Renamed it as you instructed but it still didn't work. Opened settings (through a right click on the icon and then selecting Compatibility) but there is no slider. Options for settings are check boxes for the following:
Run in 256 colors
Run in 640 x 480 screen resolution
Disable visual themes
Disable desktop composition
Disable display scale setting on high DPI settings

Will follow the rest of your instructions now.

#5 beeg


Posted 29 October 2009 - 02:33 PM

Downloaded win32kdiagnostic.exe. Clicked icon on desktop. Won't run. Tried to run as administrator but it still won't run. From trying as an administrator, the screen says:

Running from: C:\Users\Barrie\Desktop\Win32kDiag.exe

Log file at : C:\Users\Barrie\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-10-29 01:22:20 1077 C:\Windows\bthservsdp.dat ()



Also followed your directions for the Start > Run command. When I enter cmd, the prompt is C:\Users\Barrie and is NOT C:\>. I tried to delete \Users\Barrie but it won't let me. Also couldn't copy the command so I typed it in exactly. But nothing happened. No log/txt file created.

#6 beeg


Posted 29 October 2009 - 02:38 PM

Sorry for all the emails. Trying to keep you informed. After sending the last one, a Notepad page opened but I have no idea which exercise I did that created it. Here's what it says (title is Log - Notepad but it's not saved to my desktop):

Volume in drive C has no label.
Volume Serial Number is F480-ECCA

Directory of C:\Windows\SoftwareDistribution\Download\b08b2e34e2dcabf120c2446b2941b27e\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_9617f6eb8e9aab94

04/11/2009 12:11 AM 235,520 scecli.dll
1 File(s) 235,520 bytes

Directory of C:\Windows\SoftwareDistribution\Download\b08b2e34e2dcabf120c2446b2941b27e\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_a06ca13dc2fb6d8f

04/10/2009 11:28 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\System32

01/20/2008 07:48 PM 235,520 scecli.dll
1 File(s) 235,520 bytes

Directory of C:\Windows\SysWOW64

01/20/2008 07:49 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_942c7ddf9178e048

01/20/2008 07:48 PM 235,520 scecli.dll
1 File(s) 235,520 bytes

Directory of C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_9e812831c5d9a243

01/20/2008 07:49 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

#7 garmanma (Staff Emeritus)

Posted 30 October 2009 - 10:17 AM

Using the RSIT log and the one you posted before that, you need to post them in the HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
In that forum, they will help you with special custom scripts and tools we are not allowed to run in this forum

Give a small description of your problem and tell them those were the only logs you could run
Include a link to this topic

Now the difficult part

Once your topic is posted, do not add to or bump your post
It will only move your topic further back in line

The HJT team is extremely busy and it will take time to get to you

Also once you do have a team member respond there is no need to keep sending PM's unless you have not had a response back from them in 24 hours

Please be patient and good luck
Mark

#8 beeg


Posted 30 October 2009 - 07:10 PM

Thanks. Will have to do it this weekend. Had trouble starting the computer (more sluggish than usual). Appreciate your help. Please don't close my topic until I can follow your instructions. Muchas gracias!

#9 beeg


Posted 31 October 2009 - 01:43 PM

Well, after all of this I think I found the problem. Turns out I was wrong - the redirect was happening only with Firefox, not IE. So I took a chance (stupid of me, I know), and uninstalled Firefox along with all the history, addons, password etc. logs. Then I reinstalled the latest version without addons and the problem hasn't happened again. Hope I didn't just condemn myself by doing the reinstall - I probably let a virus loose and it just hasn't reared its ugly head yet! Anyway, I did some research and figure I probably had the Goored infection but may have deleted the extension causing the problems when I uninstalled all the files. Before I bother your HJT team, just thought I'd see what you think. Any need to bother them now?

#10 garmanma (Staff Emeritus)

Posted 31 October 2009 - 05:35 PM

Give it some time and see how it runs for you
Hopefully that might have been all that it was
I didn't see anything that stood out in the RSIT log
I'm going to remove the RSIT now because it is really not allowed in this forum
Mark



