Google Redirect Virus?

#1 mikeyd23

Posted 01 June 2010 - 01:52 PM

Hello. This is my first post on this site. From what it looks like, it seems to be a great site to get info for help on virus removal. The problem I am having is that every time I google something, once I click on the link, I am redirected to an advertising site. I have tried Malwarebytes and SuperAntiSpyware. They have not worked. A friend told me about ComboFix so I tried it, but I am not sure if I did it correctly. From what I am reading on this site, it seems that I should not have tried ComboFix unless I was recommended to by a trained professional. What should I do to remove this annoying virus or malware? Please help! I have posted the DDS log and have attached the Attach.txt file, the ark.txt log, and the ComboFix log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Michael De Gregorio at 11:38:38.75 on Tue 06/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.553 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Michael De Gregorio\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer =,
TCP: {305843B1-D929-4BE1-A4FE-D15D607C1316} =,
TCP: {E0ECAED8-2C1F-420D-8266-50191DBF2945} =,
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-30 136176]
S2 MSWA-f4241546;MSWA-f4241546;c:\windows\system32\f4241546.exe [2010-5-24 75776]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version;c:\windows\system32\drivers\libusb0.sys [2010-2-20 28672]

=============== Created Last 30 ================

2010-06-01 15:33:06 0 ----a-w- c:\documents and settings\michael de gregorio\defogger_reenable
2010-05-27 16:08:44 75776 ----a-w- c:\windows\system32\ernel32.dll
2010-05-26 20:37:19 0 d-----w- c:\docume~1\alluse~1\applic~1\FrontLine Registry Cleaner
2010-05-26 20:36:45 0 d-----w- c:\program files\Frontline Registry Cleaner
2010-05-26 19:32:26 0 d-sha-r- C:\cmdcons
2010-05-26 19:27:09 98816 ----a-w- c:\windows\sed.exe
2010-05-26 19:27:09 77312 ----a-w- c:\windows\MBR.exe
2010-05-26 19:27:09 256512 ----a-w- c:\windows\PEV.exe
2010-05-26 19:27:09 161792 ----a-w- c:\windows\SWREG.exe
2010-05-25 23:24:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-25 22:55:47 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-25 22:55:47 0 d-----w- c:\docume~1\michae~1\applic~1\SUPERAntiSpyware.com
2010-05-25 22:54:04 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-24 17:41:14 120 ----a-w- c:\windows\Cqopevokoxa.dat
2010-05-24 17:41:14 0 ----a-w- c:\windows\Gvodo.bin
2010-05-24 17:38:57 0 d-----w- c:\docume~1\michae~1\applic~1\A62EEFDC13337424256034F534F54567
2010-05-24 17:38:39 75776 ----a-w- c:\windows\system32\f4241546.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 11:48:32.60 ===============

#2 Noviciate

Posted 01 June 2010 - 02:27 PM

Good evening.

I can't see either a firewall or an anti-virus in your log - is this the case and, if so, how long has your machine been this way?

So long, and thanks for all the fish.

#3 mikeyd23

Posted 02 June 2010 - 02:58 PM

Hi. Well, I do have Windows Firewall. I'm not sure why it wouldn't be in the log. I don't have an antivirus. I just have virus and malware removal, such as Malwarebytes and SuperAntiSpyware. I haven't had an antivirus since I have owned this computer (about 5 years), and I haven't needed one until now. Do you know what I should do to get rid of whatever is causing me to be redirected on Google?

#4 Noviciate


Posted 03 June 2010 - 01:52 PM

Good evening.

While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.

Malwarebytes and SuperAntiSpyware are good tools, but they have their limitations and, unfortunately, are not replacements for resident real-time anti-virus protection.


I haven't had an antivirus since I have owned this computer (about 5 years), and I haven't needed one until now.

Sadly you have needed one, but you perhaps haven't had to regret not having one until now. Although an anti-virus is not all-singing and all-dancing and won't guarantee a clean machine, it does give you the best chance of staying clean online that you can have.

Given that you have been significantly unprotected for so long, my best advice to you is to back up any important files and then reformat and reinstall your operating system. The possibility that legitimate files may have been infected or corrupted by the malware present on your PC, and also that security settings may have been lowered, making your computer more liable to infection in the future, means that starting over is the easiest and most reliable solution to your problems.

You also need to be aware of the risk of identity theft if you have accessed bank accounts with this computer or shopped online. Keylogging software could have recorded details of these actions, and a lack of an effective firewall means that there is nothing to stop this information being sent home. If this does apply to you, I'd monitor your accounts and perhaps consider getting credit/debit cards, passwords etc. changed - obviously not using this PC!


I can let you have links to free software that will help keep your machine clean in the future, but they do not guarantee to clean up an infected machine, and in your case the time frame makes it, for me, a no-brainer: if this were my PC, I would start afresh.

So long, and thanks for all the fish.
