redirect virus/slow pc


This topic is locked
49 replies to this topic

#1 astahle (Members, 23 posts)

Posted 23 November 2010 - 01:59 AM

I have been having the redirect issue when searching Google. Also, when I am on Facebook I get a message that pops up: "This web page is being redirected to a new location. Would you like to resend the form data you have typed to the new location? Click OK to send, No to cancel." If you press No, it blanks out the page. I do realize that a lot of other people are having the same problem, but I know very little about how to fix it. I have AVG, and I tried Hitman Pro, UnHackMe (totally confusing) and TDSSKiller; none have worked. I also have CloudCare (Bsecure) on my PC. Also, there is some issue with AVG detecting a tracking cookie, SQLite or something like that... Here is my log; if you would please take a gander. Thank you.

Attached Files


Edited by astahle, 23 November 2010 - 02:01 AM.



#2 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 01 December 2010 - 10:48 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed; the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

Best Regards,
oneof4.



#3 astahle (Topic Starter, 23 posts)

Posted 06 December 2010 - 07:49 AM

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-06 06:35:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD800JD-98JNC0 rev.05.01C05
Running: vclhnpye.exe; Driver: C:\DOCUME~1\jp\LOCALS~1\Temp\uwliqaog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB59E56C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB59E5770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB59E5810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB59E58B0]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB96AE380, 0x34C81F, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BsecFltr.sys (BSafeFil/BSafe Online)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat BsecFltr.sys (BSafeFil/BSafe Online)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6A 0x11 0x93 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0x3F 0xCA 0xAA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6A 0x11 0x93 0xDB ...

---- EOF - GMER 1.0.15 ----

Attached Files
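The GMER log above is the kind of output a helper reads by eye: which SSDT entries and filter drivers are hooked, by what, and whether the signer is something you expect on the box. The following Python script is an added example, not part of this thread and not GMER's own tooling: it parses the log's sections into structured entries and assigns each a first-pass severity an analyst can sort on. The sample input is a subset of the lines from the log above; the trusted-vendor allowlist and the severity labels are assumptions of the example, not a verdict on this machine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the lines from the GMER log posted above.
SAMPLE_LOG = r"""GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-06 06:35:13

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB59E56C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB59E5770]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB96AE380, 0x34C81F, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BsecFltr.sys (BSafeFil/BSafe Online)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

---- EOF - GMER 1.0.15 ----
"""

# Assumption: an analyst-maintained allowlist of vendors whose kernel hooks and
# filter drivers are expected on this machine (the AV product, the OS, the browser).
TRUSTED_VENDORS = {"AVG Technologies CZ, s.r.o.", "Microsoft Corporation", "Mozilla Corporation"}

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# GMER appends "(description/vendor)" when it can identify the file; unsigned code has no tail.
SIGNER = r"(?:\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\))?"
ENTRY_RES = [
    ("ssdt", re.compile(r"^SSDT\s+(?P<module>\S+)" + SIGNER + r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")),
    ("writeable_section", re.compile(r"^\.text\s+(?P<module>.+?)\s+section is writeable\s+\[(?P<vals>[^\]]+)\]")),
    ("inline_hook", re.compile(r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+!\w+)\s+"
                               r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<what>.+?)" + SIGNER + r"$")),
    ("attached_device", re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)" + SIGNER)),
    ("registry", re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+(?P<value>.*))?$")),
]


def parse_entry(line):
    """Return a dict describing one GMER entry, or None for lines this example does not model."""
    for kind, rx in ENTRY_RES:
        m = rx.match(line)
        if not m:
            continue
        d = dict(m.groupdict())
        d["kind"] = kind
        d["vendor"] = (d.get("vendor") or "").strip()   # GMER pads the vendor with spaces
        d["desc"] = (d.get("desc") or "").strip()
        if "pid" in d:
            d["pid"] = int(d["pid"])
        return d
    return None


def parse_gmer(text):
    """Split a GMER log on its '---- name - GMER x.y.z ----' headers; section name -> entries."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        entry = parse_entry(line)
        if entry:
            sections[current].append(entry)
    return sections


def triage(sections, trusted=TRUSTED_VENDORS):
    """First-pass severity per entry. 'expected' only means a trusted vendor identifies the file."""
    findings = []
    for section, entries in sections.items():
        for e in entries:
            if e["kind"] in ("ssdt", "attached_device"):
                if not e["vendor"]:
                    sev = "review"            # no signer: unidentified code on the kernel path
                elif e["vendor"] in trusted:
                    sev = "expected"
                else:
                    sev = "unknown-vendor"
            elif e["kind"] == "inline_hook":
                # A JMP that lands in the hooked process's own image is how some applications
                # patch themselves; a JMP into an unrelated module (the usual shape of an
                # injected redirector) deserves a closer look.
                sev = "self-hook" if e["proc"].lower() in e["what"].lower() else "review"
            else:
                sev = "review"                # writeable kernel sections, unexplained registry data
            findings.append({"section": section, "severity": sev, **e})
    return findings


def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(parse_gmer(SAMPLE_LOG)):
        label = f.get("func") or f.get("target") or f.get("file") or f.get("module") or f.get("key")
        print(f"{f['severity']:<15} {f['kind']:<18} {f['section']:<22} {label}  [{f['vendor'] or 'no signer'}]")
```

Run on the sample, the two AVG SSDT hooks and the AVG TDI filter come out as expected, the Firefox LdrLoadDll patch is classified as a self-hook because the JMP target is firefox.exe itself, the BSafe filter lands in unknown-vendor simply because it is not on the assumed allowlist, and the writeable nv4_mini.sys section and the sptd registry value are left for review. An SSDT entry with no signer tail at all, the classic shape of a rootkit driver, gets review as well.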



#4 1972vet (Malware Response Team, 1,698 posts, Location: Midwest U.S.A.)

Posted 08 December 2010 - 08:21 PM

Greetings astahle and Welcome to the Forums,

Let's begin by uninstalling some problem software. Although you removed the "Ask Toolbar" on 11/9, according to the log(s) it's come back since. You must take care when installing certain software. Sometimes other programs are bundled with the download. The "Ask" toolbar is one of those that is often tucked into other downloaded software as an option. Some offer the option to remove a check from the box where it's offered; others don't even bother, and just foist it on you with their software. "Ask" is often the cause of many browser redirect complaints. It could be partially responsible here, but I rather doubt it's the primary cause.

Along with the "Ask Toolbar", please uninstall the following:
J2SE Runtime Environment 5.0 Update 6 <-- These first two Java entries are both outdated and exploited. You need only ONE Java installation. The latest version you have, 6U14, is also out of date, but you can use it from the Control Panel to download the latest version.
Java™ 6 Update 7
LimeWire 5.5.16 <-- File sharing software... never a good idea.
Viewpoint Media Player <-- Foistware, plain and simple.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista or Windows 7, you can skip the recovery console step...in Vista/7 it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista or Windows 7 installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running... that may cause the scan to stall.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#5 astahle (Topic Starter, 23 posts)

Posted 11 December 2010 - 02:09 PM

I attempted to run ComboFix, but it kept telling me I had to uninstall AVG. I did disable it, and it said the same thing. Do I have to uninstall?

#6 1972vet (Malware Response Team, 1,698 posts)

Posted 11 December 2010 - 06:00 PM

Yes, please do.


#7 astahle (Topic Starter, 23 posts)

Posted 15 December 2010 - 12:00 AM

Finally got AVG uninstalled and ComboFix ran... here's the attachment.

Attached Files



#8 1972vet (Malware Response Team, 1,698 posts)

Posted 15 December 2010 - 12:13 PM

Look for the Zynga Toolbar in your add/remove programs listing. If you find it there, click to uninstall it please.

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Also, please let me know if you use "NetMeeting" or not. Thanks!
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

File::
c:\documents and settings\jp\byazkmoidw.tmp
c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
c:\windows\system32\GameMon.des

Filelook::
d:\PciCon.sys
c:\windows\system32\drivers\samhid.sys


Rootkit::
c:\windows\system32\drivers\dqujhwtt.sys

Firefox::
FF - ProfilePath - c:\documents and settings\jp\Application Data\Mozilla\Firefox\Profiles\2qxbcs3c.default\
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} -
FF - Ext: Calorie Count Toolbar: {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} -
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} -

Driver::
npggsvc

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InstallIQUpdater"=-



#9 1972vet (Malware Response Team, 1,698 posts)

Posted 20 December 2010 - 09:53 AM

Still with us astahle?



#10 1972vet (Malware Response Team, 1,698 posts)

Posted 22 December 2010 - 05:08 PM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.



#11 1972vet (Malware Response Team, 1,698 posts)

Posted 23 December 2010 - 07:14 PM

Topic reopened at member's request.



#12 astahle (Topic Starter, 23 posts)

Posted 24 December 2010 - 12:15 PM

OK, so I did the 2nd ComboFix, but after I ran it I ended up having to do a System Restore because it totally jacked my Bsecure and wouldn't let me reload it. What should I do? Do I run that same ComboFix again and then let you know what problems I'm having?

#13 1972vet (Malware Response Team, 1,698 posts)

Posted 24 December 2010 - 06:13 PM

I have my doubts...since combofix did nothing with it before, it should have ignored it this time. Post the log that it produced. Thanks!



#14 astahle (Topic Starter, 23 posts)

Posted 26 December 2010 - 12:31 AM

It did actually disable it the first time as well, but I reloaded it. This time it wouldn't let me reload, so I did the restore... Anyway, I am away for the holidays; I should get back to get you the log by Tuesday for sure. Thank you.

#15 1972vet (Malware Response Team, 1,698 posts)

Posted 26 December 2010 - 10:57 AM

Please explain what you mean by "reload"... The cloud antivirus product wasn't disturbed according to the ComboFix log. It was disabled during the scan:
AV: CloudCare *Disabled/Updated* {BBA75CBF-065F-45F0-AAFA-2AD00C61EED9}
...as it should be, since that's what the instruction calls for. If you personally did not disable it as the instruction directs, then I can only imagine that it shows in the log as "disabled" since the internet connection was terminated during the scan (cloud antivirus products require an internet connection to perform a scan; thus, without a connection, the program is recognized as disabled).

ComboFix did, however, deregister the Bsecure filter:
*Deregistered* - BsecureFilter
...and why that was, I'm not sure. I'll bring this up with the ComboFix author to get an explanation. I'll be waiting for your next reply. Thanks!





