GOOGLE redirect MYSHOVEL.COM - help please


7 replies to this topic

#1 rgc22

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 22 April 2010 - 08:08 AM

Dear all..

I have the redirect virus to myshovel.com from Google search results. I have read various posts on this site and others, followed instructions and used multiple virus removal programs, but nothing has worked. For example, McAfee, Windows Defender, Malwarebytes etc. all show no virus, but the search results still redirect. I have also tried SUPERAntiSpyware, ATF Cleaner and ComboFix, but nothing has changed. I don't know what to try next. I would appreciate any help/steps I should take to remove this, as I am worried it might develop into something more serious. Many thanks!

EDIT: Moved from XP forum to Am I Infected, more appropriate ~ Hamluis.

Edited by hamluis, 22 April 2010 - 09:05 AM.


#2 rgc22

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 22 April 2010 - 09:42 AM

Please see my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:58:24.34 on 22/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.399 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Creative WebCam Tray] c:\program files\creative\shared files\CAMTRAY.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233489406000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 fecc;fecc;c:\windows\system32\fecc.sys [2010-4-16 75264]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-4-21 186128]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-29 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-29 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-29 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-29 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-29 34248]

=============== Created Last 30 ================

2010-04-22 11:03:18 0 d-----w- c:\program files\ESET
2010-04-22 09:10:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-22 09:10:28 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-22 09:10:28 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-04-22 09:09:29 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-22 08:39:24 0 d-sha-r- C:\cmdcons
2010-04-22 08:37:49 98816 ----a-w- c:\windows\sed.exe
2010-04-22 08:37:49 77312 ----a-w- c:\windows\MBR.exe
2010-04-22 08:37:49 261632 ----a-w- c:\windows\PEV.exe
2010-04-22 08:37:49 161792 ----a-w- c:\windows\SWREG.exe
2010-04-22 08:24:52 23392 ----a-w- c:\windows\system32\nscompat.tlb
2010-04-22 08:24:52 16832 ----a-w- c:\windows\system32\amcompat.tlb
2010-04-21 19:56:06 7856 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-21 19:56:06 64800 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-21 19:56:06 2791968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-21 19:56:06 13232 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-21 19:55:56 1365 ----a-w- C:\rollback.ini
2010-04-21 19:41:01 0 d-----w- c:\program files\common files\ParetoLogic
2010-04-21 19:41:01 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-04-21 19:39:44 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-04-21 19:16:41 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-17 16:14:31 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-04-17 10:49:25 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-04-17 10:49:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 10:49:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 10:49:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-17 10:49:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 02:01:13 0 d-----w- c:\program files\common files\ODBC
2010-04-16 12:55:26 0 d-----w- c:\program files\Ligos
2010-04-16 12:21:41 0 d-----w- c:\program files\Windows Media Connect 2
2010-04-16 08:11:17 75264 ----a-w- c:\windows\system32\fecc.sys

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 09:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-06-13 09:13:40 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 14:58:55.54 ===============
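
The SERVICES / DRIVERS lines in the DDS log above follow a fixed `state name;display name;path [date size]` layout, which makes them easy to triage mechanically. The Python below is an added example, not part of this thread and not a DDS or BleepingComputer tool: it parses that section and lists kernel drivers that were loaded from outside the usual system32\drivers directory or that were created within 30 days of the log's run date. The sample input is a constructed subset of the lines posted above, and the two heuristics are triage hints only, not a verdict on any file.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log.

Added example, not part of the original thread and not a DDS tool. It parses
lines of the form

    R1 name;display name;path [YYYY-M-D size]

and reports kernel drivers (.sys files) that were loaded from somewhere other
than the conventional \\windows\\system32\\drivers directory, or that were
created within a chosen window. Both are triage heuristics only, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: a subset of the lines from the DDS log posted above.
SAMPLE_LOG = """\
============= SERVICES / DRIVERS ===============

R1 fecc;fecc;c:\\windows\\system32\\fecc.sys [2010-4-16 75264]
R1 KLIF;KLIF;c:\\windows\\system32\\drivers\\klif.sys [2010-4-21 186128]
R1 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\\program files\\superantispyware\\sasdifsv.sys [2010-2-17 12872]
R2 WinDefend;Windows Defender;c:\\program files\\windows defender\\MsMpEng.exe [2006-11-3 13592]
S3 mferkdk;McAfee Inc. mferkdk;c:\\windows\\system32\\drivers\\mferkdk.sys [2009-7-29 34248]

=============== Created Last 30 ================
"""

# Date the sample log was run (taken from its header line, 22/04/2010).
SAMPLE_RUN_DATE = date(2010, 4, 22)

# R = running, S = stopped; the digit is the Windows service start type.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"\s+\[(?P<y>\d{4})-(?P<m>\d{1,2})-(?P<d>\d{1,2})\s+(?P<size>\d+)\]\s*$"
)

STANDARD_DRIVER_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    state: str
    name: str
    display: str
    path: str
    created: date
    size: int

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def parse_drivers_section(text: str) -> list[Entry]:
    """Parse the entries between the SERVICES / DRIVERS header and the next header."""
    entries: list[Entry] = []
    in_section = False
    for line in text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("====="):
            break  # reached the next section header
        m = LINE_RE.match(line)
        if in_section and m:
            entries.append(Entry(
                state=m["state"], name=m["name"], display=m["display"], path=m["path"],
                created=date(int(m["y"]), int(m["m"]), int(m["d"])), size=int(m["size"]),
            ))
    return entries


def flag_unusual_drivers(entries: list[Entry], asof: date,
                         recent_days: int = 30) -> list[tuple[str, str]]:
    """Return (driver name, reason) pairs for kernel drivers worth a closer look.

    A driver is listed when it lives outside the standard drivers directory or
    was created within recent_days before asof. Services (.exe) are skipped.
    """
    findings = []
    for e in entries:
        if not e.is_driver:
            continue
        reasons = []
        if STANDARD_DRIVER_DIR not in e.path.lower():
            reasons.append("outside system32\\drivers")
        if asof - e.created <= timedelta(days=recent_days):
            reasons.append(f"created {e.created.isoformat()} (within {recent_days} days)")
        if reasons:
            findings.append((e.name, "; ".join(reasons)))
    return findings


def triage_sample() -> list[tuple[str, str]]:
    """Run both steps over the constructed sample log."""
    return flag_unusual_drivers(parse_drivers_section(SAMPLE_LOG), SAMPLE_RUN_DATE)


if __name__ == "__main__":
    for name, reason in triage_sample():
        print(f"{name}: {reason}")
```

On the sample, the helper lists fecc (non-standard directory and recent), KLIF (recent only) and SASDIFSV (the SUPERAntiSpyware driver, non-standard directory only), while the McAfee drivers in system32\drivers from 2009 pass both checks. Legitimate security products routinely load drivers from their own directories, so the output is a list of files to look up, not a list of infections.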

#3 rgc22

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 22 April 2010 - 09:49 AM

Please let me know if you require anything else. I have created an "attach" file as recommended but am not sure how to attach it to the post. I also tried to scan and save the ark.txt file; however, that did not run properly and my laptop is now automatically switching off and restarting. Not sure why... thanks.

#4 lalamuk1

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Westbrook CT
  • Local time:09:29 AM

Posted 22 April 2010 - 09:56 AM

Owchies, seems like you're infected with a rootkit... Run GMER and then post the logs. Sorry, I don't have the link for it...

#5 lalamuk1

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Westbrook CT
  • Local time:09:29 AM

Posted 22 April 2010 - 09:58 AM

Wait, never mind, here's a topic post that may help you out: http://www.bleepingcomputer.com/forums/t/250928/instructions-for-posting-advice-in-am-i-infected/

#6 rgc22

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 22 April 2010 - 10:56 AM

Thanks for the reply, but I'm not sure what I need to do once I click the links. Also, I have followed the steps to download and scan using GMER, but the scan does not complete and I cannot save the finished file (I will try again later tonight if possible). Also, what are the possible consequences of this "rootkit"? Many thanks again.

#7 rgc22

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:29 AM

Posted 25 April 2010 - 02:19 AM

I've tried doing the GMER scan a few times and the system either hangs, freezes or switches off, so no luck with that. I'm thinking it might be easier to reformat the computer... might be a good opportunity to upgrade to Windows 7?

#8 boopme (To Insanity and Beyond)

  • Global Moderator
  • 73,430 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:29 AM

Posted 10 May 2010 - 02:40 PM

Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.



