Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


virus on my computer

  • Please log in to reply
4 replies to this topic

#1 rockandy


  • Members
  • 3 posts
  • Local time:01:34 PM

Posted 24 April 2011 - 06:39 PM

I am running windows xp home edition and have picked up something malicious. When I try to use google and click on the intended link I get redirected to another page. It seem to consistently take me to somewhere within the mevio website. I have done what research I am capable of and it seems a bunch of other folks are also having similar issues. It is some sort of malware - a "hijacker" or perhaps "Google redirect virus?" I am a "driver" not a "fixer" of computers. So far I have downloaded and run the freeware from Avast with no help. Today I downloaded MS Security Essentials and did a full system scan. It found something and said it was fixed but the problem persisted. On the google forum I found a suggestion and tried checking the host folder of the windows system32 drivers but there were no extra "hosts" listed. Also on that forum there was a suggestion for using combofix, but the warning is not to do this without a helper. On this I really need advice. If combofix seems an appropriate approach, I indeed need a helper. I apologize in advance for my lack of saavy and thanks also for any help.

BC AdBot (Login to Remove)


#2 chromebuster


  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England
  • Local time:02:34 PM

Posted 24 April 2011 - 06:50 PM

You should first run Malwarebytes Anti-Malware. It can be downloaded from http://www.malwarebytes.org. When you run the program, you will be presented with an installation screen. Accept all of the defaults and ensure that update Malwarebytes anti-malware and launch Malwarebytes Anti-malware are checked during the installation prompts. The program will then update itself. Then proceed with a full scan of the computer selecting all drives to be scanned. Ensure that all of the results are selected, then click remove selected. After that, a log should open for you in Notepad. Try and copy and paste the log into your next post. If not, seeing as paste seems to be grayed out, you might just have to type it all out. I have definitely seen the redirects before, but the lack of being able to paste text is sort of mind boggling. Even for me and I'm a person who sits at computers all day fooling around with stuff. I hope this helps.


The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge

#3 rockandy

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:34 PM

Posted 25 April 2011 - 07:00 AM

After running Malwarebytes' Anti-Malware my computer is still infected - same problem. Below is the list of things found and "fixed" but before I post them I will say that on another forum I found this: "I had run AdAware, SpyBot, MalwareBytes, HijackThis, CWShredder, HouseCall, AVG, etc. and none of them could find/remove any of these files. Or if they did find them, they would pretend to delete them but then they'd come right back. This ComboFix program is a DOS-looking window that works like magic -- it looks for "rootkit" activity that apparently the others don't even consider. In about 20 minutes, it deleted a "MoneyBooster" malware toolbar that had snuck onto my machine, detected/repaired my corrupted atapi.sys file, and deleted a bunch of other mutated files in my Windows folder that were viruses. I am officially now virus-free after several reboots."

That posting also had a file log that I will not include now but would do upon request. At any rate here are the results of the Malwarebytes scan. Thanks. Also if it is helpful, all the icons were mysteriously rearranged on my desktop and also if I type an address into firefox google homepage rather than just clicking on the link -things seem to work - that is how I got Malwarebytes on the machine.

Malwarebytes' Anti-Malware

Database version: 6435

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

4/25/2011 7:11:31 AM
mbam-log-2011-04-25 (07-11-31).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 321810
Time elapsed: 3 hour(s), 8 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 16
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MySearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MySearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MySearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\dlls (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\sessiondata (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\uploadtemp (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\myAdmin (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\upload (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\user (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\user\admin (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Owner\local settings\Temp\1BE.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\cina.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\MySearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\map.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\php.exe (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\php.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\php4ts.dll (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\dlls\php_sockets.dll (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\addIns\Php\dlls\readme.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\!hdd by http.html (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\phpinfo.php (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\myAdmin\download phpmyadmin from sourceforge into this dir.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\BACK.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\BLANK.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\compressed.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\dnserror.htm (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\dnserror_de.htm (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\FILE.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\FOLDER.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\HTML.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\PAGERROR.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\PHP.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\PICTURE.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\REFRESH.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\system\UPFOLDER.gif (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\upload\mscreate.dir (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\user\test.htm (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\websvr\htdocs\user\admin\htaccess.txt (Malware.Trace) -> Quarantined and deleted successfully.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:34 PM

Posted 25 April 2011 - 07:22 AM

Also on that forum there was a suggestion for using combofix, but the warning is not to do this without a helper.

This ComboFix program is a DOS-looking window that works like magic -- it looks for "rootkit" activity that apparently the others don't even consider. In about 20 minutes, it deleted a "MoneyBooster" malware toolbar that had snuck onto my machine, detected/repaired my corrupted atapi.sys file, and deleted a bunch of other mutated files in my Windows folder that were viruses.

Sounds like you did not heed the warning and went ahead with using ComboFix. Please be aware that using it is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning an strategy for effective disinfection and a determination if using ComboFix is necessary.

Further, when issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

With that said, you were fortunate in this instance that no unforeseen consequences or serious problems occurred.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download SUPERAntiSpyware Free and follow these instructions for performing a scan.

  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • Be sure to update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download them from here.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
  • Please copy and paste the Scan Log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

-- Alternatively, you can download and use the SUPERAntiSpyware Portable Scanner or perform a SUPERAntiSpyware Online Safe Scan (both listed under Popular Links) instead. If you cannot download from the infected computer, save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer it. Then double-click on the file to launch the portable version and scan. The file is randomly named to help keep malware from blocking the scanner.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 rockandy

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:34 PM

Posted 25 April 2011 - 08:50 AM

Due to my total lack of expertise and my need to have my workhorse of a computer back and running - I am throwing in the towel and taking the machine to a local repair shop. They have assured me that they have dealt with this monstrous malware for a couple of years...also suggested I turn the machine off as it continues to corrupt things... Chromebuster - thanks for your attention and advice. I hope that my post will somehow be helpful to others.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users