Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

need help with redirect virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 lwhite91

lwhite91

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 20 April 2011 - 07:35 PM

my computer is redirecting me to other sites and is very slow..... I ran hi jack this and this is what it gave me... Thanks.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:18:27 PM, on 4/20/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Microsoft
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 64.46.36.163 www.google.com
O1 - Hosts: 64.46.36.163 google.com
O1 - Hosts: 64.46.36.163 google.com.au
O1 - Hosts: 64.46.36.163 www.google.com.au
O1 - Hosts: 64.46.36.163 google.be
O1 - Hosts: 64.46.36.163 www.google.be
O1 - Hosts: 64.46.36.163 google.com.br
O1 - Hosts: 64.46.36.163 www.google.com.br
O1 - Hosts: 64.46.36.163 google.ca
O1 - Hosts: 64.46.36.163 www.google.ca
O1 - Hosts: 64.46.36.163 google.ch
O1 - Hosts: 64.46.36.163 www.google.ch
O1 - Hosts: 64.46.36.163 google.de
O1 - Hosts: 64.46.36.163 www.google.de
O1 - Hosts: 64.46.36.163 google.dk
O1 - Hosts: 64.46.36.163 www.google.dk
O1 - Hosts: 64.46.36.163 google.fr
O1 - Hosts: 64.46.36.163 www.google.fr
O1 - Hosts: 64.46.36.163 google.ie
O1 - Hosts: 64.46.36.163 www.google.ie
O1 - Hosts: 64.46.36.163 google.it
O1 - Hosts: 64.46.36.163 www.google.it
O1 - Hosts: 64.46.36.163 google.co.jp
O1 - Hosts: 64.46.36.163 www.google.co.jp
O1 - Hosts: 64.46.36.163 google.nl
O1 - Hosts: 64.46.36.163 www.google.nl
O1 - Hosts: 64.46.36.163 google.no
O1 - Hosts: 64.46.36.163 www.google.no
O1 - Hosts: 64.46.36.163 google.co.nz
O1 - Hosts: 64.46.36.163 www.google.co.nz
O1 - Hosts: 64.46.36.163 google.pl
O1 - Hosts: 64.46.36.163 www.google.pl
O1 - Hosts: 64.46.36.163 google.se
O1 - Hosts: 64.46.36.163 www.google.se
O1 - Hosts: 64.46.36.163 google.co.uk
O1 - Hosts: 64.46.36.163 www.google.co.uk
O1 - Hosts: 64.46.36.163 google.co.za
O1 - Hosts: 64.46.36.163 www.google.co.za
O1 - Hosts: 64.46.36.163 www.google-analytics.com
O1 - Hosts: 64.46.36.163 www.bing.com
O1 - Hosts: 64.46.36.163 search.yahoo.com
O1 - Hosts: 64.46.36.163 www.search.yahoo.com
O1 - Hosts: 64.46.36.163 uk.search.yahoo.com
O1 - Hosts: 64.46.36.163 ca.search.yahoo.com
O1 - Hosts: 64.46.36.163 de.search.yahoo.com
O1 - Hosts: 64.46.36.163 fr.search.yahoo.com
O1 - Hosts: 64.46.36.163 au.search.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {ad708c09-d51b-45b3-9d28-4eba2681febf} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe -update activex
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://pccheckup.dellfix.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/SU1.5/ocx/15034/CTPID.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11447 bytes

not sure what to do but have ran several scans and they didnt help

Edited by hamluis, 20 April 2011 - 07:42 PM.
Moved from XP forum to Malware Removal Logs.


BC AdBot (Login to Remove)

 


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 AM

Posted 21 April 2011 - 07:53 PM

Hi

Please do the following:

  • Open HiJackThis
  • Click on Do a system scan only
  • Check the boxes next to ONLY the entries listed below (if still present):


O1 - Hosts: 64.46.36.163 www.google.com
O1 - Hosts: 64.46.36.163 google.com
O1 - Hosts: 64.46.36.163 google.com.au
O1 - Hosts: 64.46.36.163 www.google.com.au
O1 - Hosts: 64.46.36.163 google.be
O1 - Hosts: 64.46.36.163 www.google.be
O1 - Hosts: 64.46.36.163 google.com.br
O1 - Hosts: 64.46.36.163 www.google.com.br
O1 - Hosts: 64.46.36.163 google.ca
O1 - Hosts: 64.46.36.163 www.google.ca
O1 - Hosts: 64.46.36.163 google.ch
O1 - Hosts: 64.46.36.163 www.google.ch
O1 - Hosts: 64.46.36.163 google.de
O1 - Hosts: 64.46.36.163 www.google.de
O1 - Hosts: 64.46.36.163 google.dk
O1 - Hosts: 64.46.36.163 www.google.dk
O1 - Hosts: 64.46.36.163 google.fr
O1 - Hosts: 64.46.36.163 www.google.fr
O1 - Hosts: 64.46.36.163 google.ie
O1 - Hosts: 64.46.36.163 www.google.ie
O1 - Hosts: 64.46.36.163 google.it
O1 - Hosts: 64.46.36.163 www.google.it
O1 - Hosts: 64.46.36.163 google.co.jp
O1 - Hosts: 64.46.36.163 www.google.co.jp
O1 - Hosts: 64.46.36.163 google.nl
O1 - Hosts: 64.46.36.163 www.google.nl
O1 - Hosts: 64.46.36.163 google.no
O1 - Hosts: 64.46.36.163 www.google.no
O1 - Hosts: 64.46.36.163 google.co.nz
O1 - Hosts: 64.46.36.163 www.google.co.nz
O1 - Hosts: 64.46.36.163 google.pl
O1 - Hosts: 64.46.36.163 www.google.pl
O1 - Hosts: 64.46.36.163 google.se
O1 - Hosts: 64.46.36.163 www.google.se
O1 - Hosts: 64.46.36.163 google.co.uk
O1 - Hosts: 64.46.36.163 www.google.co.uk
O1 - Hosts: 64.46.36.163 google.co.za
O1 - Hosts: 64.46.36.163 www.google.co.za
O1 - Hosts: 64.46.36.163 www.google-analytics.com
O1 - Hosts: 64.46.36.163 www.bing.com
O1 - Hosts: 64.46.36.163 search.yahoo.com
O1 - Hosts: 64.46.36.163 www.search.yahoo.com
O1 - Hosts: 64.46.36.163 uk.search.yahoo.com
O1 - Hosts: 64.46.36.163 ca.search.yahoo.com
O1 - Hosts: 64.46.36.163 de.search.yahoo.com
O1 - Hosts: 64.46.36.163 fr.search.yahoo.com
O1 - Hosts: 64.46.36.163 au.search.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {ad708c09-d51b-45b3-9d28-4eba2681febf} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.


NEXT



Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Edited by CatByte, 21 April 2011 - 07:53 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:30 AM

Posted 28 April 2011 - 06:43 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users