Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Virus


  • This topic is locked This topic is locked
31 replies to this topic

#1 myth17

myth17

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 01 July 2010 - 04:12 PM

Hi. Great site with people that make a nice counterpoint to those who create viruses. My symptoms seem to match the classic Google Redirect virus, where the first time a google link is clicked it goes to some advertising site, and the second click attempt goes to the correct site. I am unable to remove the virus with multiple free anti-virus tools including McAfee, MBAM, Hitman Pro 3.5, Avast, IObit Security 360, SuperAntiSpyware, etc. I am having issues running GMER. Once GMER run got a blue screen with a result of PFN_LIST_CORRUPT STOP: 0x0000004E (0x00000007, 0x0002F492, 0x00000001, 0x00000000). Other attempts to run GMER seemed to result in an eventual hang where the computer no longer responded to the keyboard, including CNTRL ALT DEL. The screen no longer updated and even the clock displayed on the icon bar stopped updating. This clock freeze seemed to take between 1 1/2 to 5 hours. The longest I let GMER run was 8 1/2 hours. The ability to halt GMER seemed to stop before GMER screen stopped updating and also before the clock no longer updated. I did an early stop of the GMER program and have included those results. I would greatly appreciate any help you can provide. Thanks.
DDS report:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Carol Wall at 19:00:01.12 on Tue 06/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.206 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\StompSoft\PC BackUp\NbkCtrl.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\StompSoft\PC BackUp\NMSAccess.exe
C:\Program Files\StompSoft\PC BackUp\NSENGINE.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\YTBSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Documents and Settings\Carol Wall\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.net
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uDefault_Page_URL = hxxp://att.net
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - &Yahoo! Messenger
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: AT&&T Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [EPSON Stylus C82 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NovaBackup 7 Tray Control] "c:\program files\stompsoft\pc backup\NbkCtrl.exe"
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
StartupFolder: c:\docume~1\carolw~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\arrayc~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\PROVEN~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\iss\proventia desktop\ibe\ICELSP_8.0.675.0.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! MahJong Solitaire - hxxp://download.games.yahoo.com/games/clients/y/mjst4_x.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-24 165456]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-17 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-24 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-24 40384]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-24 312152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-31 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-17 144704]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-24 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-24 40384]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-17 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-17 35272]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2006-10-10 17136]
S0 black;black;c:\windows\system32\drivers\Blackcat.sys [2006-2-1 234155]
S2 BlackICE;BlackICE;c:\program files\iss\proventia desktop\blackd.exe [2006-2-1 1986902]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\proventia desktop\Vpatch.exe [2006-2-1 426333]
S3 MakoNT;MakoNT;c:\windows\system32\drivers\MakoNT.sys [2006-2-1 76913]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-17 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-17 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-17 40552]
S3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2006-2-1 46001]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-2-1 278384]

=============== Created Last 30 ================

2010-06-29 20:18:41 38848 ------w- c:\windows\avastSS.scr
2010-06-25 00:48:04 0 d-----w- c:\docume~1\carolw~1\applic~1\SUPERAntiSpyware.com
2010-06-25 00:48:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-25 00:47:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-25 00:09:43 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-06-24 21:44:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-24 21:04:00 0 d-----w- c:\program files\CCleaner
2010-06-24 20:42:57 0 d-----w- c:\program files\IObit
2010-06-24 20:42:57 0 d-----w- c:\docume~1\carolw~1\applic~1\IObit
2010-06-24 08:59:41 16968 ------w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-24 08:57:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-24 08:57:27 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-24 08:03:59 0 d-sh--w- c:\documents and settings\carol wall\IECompatCache
2010-06-24 07:54:50 0 dc-h--w- c:\windows\ie8
2010-06-24 07:52:10 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-10 04:35:35 66096 ---h--w- c:\windows\system32\mlfcache.dat
2010-06-09 04:16:21 0 d-----w- c:\docume~1\carolw~1\applic~1\Malwarebytes
2010-06-09 04:15:46 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-09 04:15:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-09 04:15:37 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-06-09 04:15:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-09 04:14:27 552 ------w- c:\windows\system32\d3d8caps.dat
2010-06-09 04:13:55 664 ------w- c:\windows\system32\d3d9caps.dat
2010-06-03 18:51:22 0 d-sh--w- c:\documents and settings\carol wall\PrivacIE
2010-06-03 18:48:28 0 d-sh--w- c:\documents and settings\carol wall\IETldCache
2010-06-03 18:45:37 0 d-----w- c:\windows\ie8updates
2010-06-03 18:42:26 0 d--h--w- c:\windows\msdownld.tmp
2010-06-03 18:40:09 41984 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-06-03 18:39:59 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-03 18:39:58 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2010-06-23 23:23:10 11634 ------w- c:\docume~1\carolw~1\applic~1\wklnhst.dat
2010-06-08 18:40:40 88656 ------w- c:\docume~1\carolw~1\applic~1\GDIPFONTCACHEV1.DAT
2010-05-26 17:20:28 411368 ------w- c:\windows\system32\deployJava1.dll
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 17:20:33 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-08 20:20:02 91424 ------w- c:\windows\system32\dnssd.dll
2010-04-08 20:20:02 107808 ------w- c:\windows\system32\dns-sd.exe
2010-04-03 13:39:36 2377576 ------w- c:\windows\system32\dllcache\WMVCore.dll
2009-01-12 02:25:55 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011120090112\index.dat

============= FINISH: 19:01:04.07 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 05 July 2010 - 01:16 PM

Hello myth17

Welcome to BleepingComputer smile.gif
==========================

=======
Download TDSSKiller and save it to your Desktop.
  • Right click on the file and choose extract all extract the file to your desktop then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
========

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 06 July 2010 - 05:29 PM

Hi Kahdah. Thanks for the help. Requested logs are attached.

Attached Files



#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 07 July 2010 - 06:18 AM

Have the redirects stopped?

You have more than one active antivirus.
Please remove either Mcafee or Avast as the 2 will conflict and cause you to have less protection not more.
Please click here to download Kaspersky Virus Removal Tool.
  1. Double click on the file you just downloaded and let it install.
  2. It will install to your desktop.
  3. After that leave what is selected and put a check next to My Computer.
  4. Click on the option that says Threat Detection and change it to Disinfect,delete if disinfection fails.
  5. Then click on Start Scan.
  6. Before it is done it may prompt for action regardless of the setting so choose delete if prompted.
  7. When the scan is done no log will be produced.
  8. Click on the bottom where it says Report to open the report.
  9. Then highlight of of the items found by using ctrl + a on your keyboard to select all or use your mouse to select all then right click and choose copy.
  10. This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
  11. You can save this on the desktop.
  12. Post the contents of the document in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 08 July 2010 - 05:27 PM

Hi Kahdah. I only had McAfee running when my computer got the virus. It is now removed. After running the Kaspersky Virus removal tool and rebooting I still have the Google redirects. The tool didn't report finding anything. Report file is attached. Is there anything else I can try? Thanks.

Attached Files



#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 09 July 2010 - 07:32 AM

Nothing is showing as of yet.

Download Bootkit remover to your desktop
This is a rar file if you do not have a programme to open it then download and install Peazip

Extract Remover.exe to your desktop
Double click on Remover.exe to run it.
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Open a notepad and press Control+V

Post the resultant log here please
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 July 2010 - 01:46 PM

Hi Kahdah. Sorry for the slow reply, I thought I posted a reply days ago, but it doesn't seem to have gone through. The bootkit remover seems to have found something. Result is attached. I have not yet used the disinfect command. Please let me know if I should use the command, and if so, what is the exact command. Thanks.

Attached Files



#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 14 July 2010 - 01:48 PM

No problem.
I would like to check with another utility just to be sure.
  1. Please download mbrcheck from Here
  2. Save that file to your desktop and double click on it to run it.
  3. It will show a Black screen with some data on it
  4. Right click on the screen and select Mark
  5. Then take your mouse and select the info in the black screen then hit the enter key to copy it to the clipboard.
  6. Open a notepad and press Control+V to paste in the contents.

Post the resultant text here please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#9 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 14 July 2010 - 02:48 PM

Hi Kahdah. Mbrcheck also seems to have found something. Result is attached. Thanks.

Attached Files



#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 15 July 2010 - 06:24 AM

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================
Reboot your computer once it reboots you will see a black screen that will say your Windows version and the Recovery Console will be listed.
Choose the Recovery Console and then hit Enter.
Once there select the installation that you want to access from the Recovery Console...by number (usually 1)
When you are prompted to do so, type the Administrator password. If you have not set an administrator password, leave it blank and just press "Enter".
At the Recovery Console command prompt, type fixmbr then hit Enter.
Hit Y at the next prompt then type in exit after it completes.

Reboot and run mbrcheck once more and post the text it creates.


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#11 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 16 July 2010 - 09:20 PM

Hi Kahdah. I am still having problems. I removed the rootkit that was found and then I reformatted the Windows NTFS partition using a full format (not quick). I then re-installed windows and some of my software from CDs. After using the internet to update Windows, the google re-direct problem was still there or the computer had been re-infected. I have not yet reinstalled any of my old files from backup. The disks I used to re-install from are all old, so I would think re-infection. This time I could get combofix to run (result attached) where before the re-format I couldn't. There are no longer any problems detected in the root (results attached) I also reran TDSSkiller. Any thoughts on what I can try now? Thanks.

Attached Files



#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 17 July 2010 - 07:51 AM

QUOTE
I removed the rootkit that was found

How did you do that?

So you are still getting redirected at this point?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 17 July 2010 - 06:25 PM

I removed the detected rootkit with the bootkit remover program, since I couldn't figure out how to get the fixmbr program to run as you described. I didn't think it mattered which program I ran, since I was doing this as a precaution. I followed this up by reformatting the Windows sector of the drive and re-installing windows from CDs. After re-installing and downloading windows updates and virus software over the internet, the redirect problem was either still there, or back due to re-infection. Thanks

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:48 PM

Posted 18 July 2010 - 07:33 AM

It could have been because the mbr was not overwritten with the reinstall.
How is it running now?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#15 myth17

myth17
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:12:48 PM

Posted 18 July 2010 - 07:34 PM

The google redirect virus is as bad as ever. The only difference after re-formatting the partition and re-installing software including the bootkit remover and mbrcheck, is that neither program any longer detects anything besides the Windows software. Shouldn't the re-format have taken out the bootkit checking software and any boot viruses, or could it be that the problem exists in one of the other small auxiliary partitions? Is there anything else I can try? Thanks.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users