
Google Redirect


7 replies to this topic

#1 JN73

Posted 19 December 2009 - 02:37 PM

Hi-

I recently had the Antivirus System Pro virus, and was able to get it handled via help from this site, but now this google redirect virus seems to be left in its wake.

I have seen many other posts here on this, and I share the same symptoms- google search items when clicked (some, not all of the time) send me to random sites- the host/domain symbol in the browser bar looks like a number two, or a cursive capital 'Q'.

I've done the Malwarebytes, online scans, Rootkit Blacklight, everything, and nothing has found it. Now, my computer is often running at or near 100% a lot due to hpqthb08.exe running (which appears to be a benign HP photo program), so I have to kill that process constantly.

Any help is greatly appreciated, thanks!

#2 Orange Blossom (Moderator)

Posted 19 December 2009 - 02:47 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom


#3 MATTSPCHELP

Posted 19 December 2009 - 02:54 PM

Step 1
Click the Windows "Start" menu on the desktop. Click "Run" and type "%SystemRoot%\system32\restore\rstrui.exe" (without quotes), and then click "OK." Click "Create a restore point" on the Welcome to System Restore page and click "Next." Type in a name for your restore point and click "Create." Click "Close." This will back up the registry and your computer system.

Step 2
Press the Ctrl, Alt and Delete keys on your keyboard at the same time to open the Windows Task Manager. Click the "Processes" tab to show the currently running processes on your computer.

Step 3
Scroll down and click "Hpqthb08.exe." Click "End Process."

Step 4
Click the Windows "Start" button and click "Run." Type "msconfig" (without quotes) and press "Enter" to open the System Configuration Utility.

Step 5
Click the "Startup" tab and remove the check from "HP Image Zone." Click "OK" and restart your computer. This will remove HP Image Zone from startup and prevent it from running.

#4 JN73 (Topic Starter)

Posted 19 December 2009 - 06:58 PM

OK, thanks. Did as you asked, and will wait on the ComboFix fix... should I leave this thread open, or just start a new one in a while?

Thanks again,

JN

#5 garmanma

Posted 19 December 2009 - 07:20 PM

There are other methods that can be used.

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
==============================

USE THIS ONE

Please download Win32kDiag.exe by AD and save it to your desktop.
  • This tool will create a diagnostic report.
  • Double-click on Win32kDiag.exe to run it and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from "Starting up..." to "Finished! Press any key to exit...") in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark

#6 JN73 (Topic Starter)

Posted 30 December 2009 - 01:39 PM

Sorry for the delay, will do this today and get back... thanks!

#7 JN73 (Topic Starter)

Posted 01 January 2010 - 11:41 AM

OK, here is the RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/01 09:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF070C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\sqlite_xskseawbnazkawt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcmsc_mofqq9f5eexockz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\mcafee_pcgl6it7wkfsf6c
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\mcafee\msc\logs\events.dat
Status: Size mismatch (API: 20480, Raw: 21504)

==EOF==

Here is the Win32kDiag:


Running from: C:\Documents and Settings\Tricia Norvell\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Tricia Norvell\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


And here is the command prompt output:

Volume in drive C has no label.
Volume Serial Number is 705B-A433

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 04:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 04:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 04:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 05:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 05:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 05:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:41 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 105,525,170,176 bytes free

Thanks!!!!
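The point of Mark's DIR command is to line up every copy of scecli.dll, netlogon.dll and eventlog.dll on the disk so that the live copy in system32 can be compared against the pristine service pack copy in ServicePackFiles\i386; a system32 DLL that differs in size from its reference copy is the tell-tale of the patched-DLL infections that cause this kind of redirect. The script below is an added example that automates that comparison. It is not code from the thread or from any of the tools mentioned above; the parser, the function names and the LIVE_DIR/REFERENCE_DIR constants are my own choices. THREAD_LOG is an excerpt of the output JN73 posted (the SoftwareDistribution block is omitted for brevity), and TAMPERED_LOG is a constructed input in which one system32 copy has been altered so the detection has something to find.

```python
import re
from collections import defaultdict

# "Directory of C:\WINDOWS\system32" opens a new directory block in DIR /s output.
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# One file per line: date, time, size (with thousands separators), file name.
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s*[AP]M)\s+([\d,]+)\s+(\S+)\s*$"
)

# Assumed layout for Windows XP SP3: the service pack keeps pristine copies in
# ServicePackFiles\i386 and the live DLLs load from system32. The
# $NtServicePackUninstall$ copies are the pre-SP3 versions and legitimately
# differ in size, so they are deliberately not used as the reference.
REFERENCE_DIR = r"\servicepackfiles\i386"
LIVE_DIR = r"\system32"


def parse_dir_log(text):
    """Map file name -> {directory: (size_bytes, date, time)} from DIR /a/s output."""
    entries = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            date, time, size, name = m.groups()
            entries[name.lower()][current] = (int(size.replace(",", "")), date, time)
    return dict(entries)


def find_mismatches(entries):
    """Return [(name, live_size, reference_size)] for every DLL whose system32
    copy is missing (live_size None) or differs in size from the reference copy."""
    problems = []
    for name, copies in sorted(entries.items()):
        live = next((v for d, v in copies.items() if d.endswith(LIVE_DIR)), None)
        ref = next((v for d, v in copies.items() if d.endswith(REFERENCE_DIR)), None)
        if ref is None:
            continue  # no pristine copy on disk, nothing to compare against
        if live is None:
            problems.append((name, None, ref[0]))
        elif live[0] != ref[0]:
            problems.append((name, live[0], ref[0]))
    return problems


# Excerpt of the DIR output posted in this thread (clean: all sizes agree).
THREAD_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is 705B-A433

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 04:00 AM 180,224 scecli.dll
08/10/2004 04:00 AM 407,040 netlogon.dll
08/10/2004 04:00 AM 55,808 eventlog.dll

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 181,248 scecli.dll
04/14/2008 05:42 AM 407,040 netlogon.dll
04/14/2008 05:41 AM 56,320 eventlog.dll

 Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 181,248 scecli.dll
04/14/2008 05:42 AM 407,040 netlogon.dll
04/14/2008 05:41 AM 56,320 eventlog.dll
"""

# Constructed input: the system32 netlogon.dll has been shrunk by 1,536 bytes.
TAMPERED_LOG = r"""
 Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 05:42 AM 181,248 scecli.dll
04/14/2008 05:42 AM 407,040 netlogon.dll
04/14/2008 05:41 AM 56,320 eventlog.dll

 Directory of C:\WINDOWS\system32

04/14/2008 05:42 AM 181,248 scecli.dll
04/14/2008 05:42 AM 405,504 netlogon.dll
04/14/2008 05:41 AM 56,320 eventlog.dll
"""

if __name__ == "__main__":
    for label, log in (("thread log", THREAD_LOG), ("tampered log", TAMPERED_LOG)):
        bad = find_mismatches(parse_dir_log(log))
        print(f"{label}: {'clean' if not bad else bad}")
```

Run it against a saved Log.txt by reading the file into parse_dir_log. A matching size only rules out crude patching; a careful infection can keep the file length unchanged, so once a machine is suspect the stronger check is to hash the system32 copy and the ServicePackFiles copy (certutil -hashfile on XP, or any MD5/SHA-1 tool) and compare the digests rather than the byte counts.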

#8 JN73 (Topic Starter)

Posted 06 January 2010 - 09:17 PM

btt
