
Thread: Google redirect virus, tried different things

  1. #1
    Junior Member
    Join Date
    May 2011
    Posts
    1

    Google redirect virus, tried different things

    (This is a little long)

    I had this problem before but I forgot how I got rid of it. I didn't reformat my hard drive. The problem is in Internet Explorer too, not just Firefox.

    I ran MBAM and TDSSKiller about 10 times, CCleaner, and just ran ComboFix. I saw this YouTube video http://www.youtube.com/watch?v=TLVifFbLIso and did everything it said. I tried doing a Google search on another drive but there are so many methods.

    First, I had a few bugs long before this. I think it started with WinRAR: I tried googling a free original version of WinRAR (not the demo) and I d/l'ed what I thought to be a real WinRAR, but it was a demo. Then a day later (or something, I dunno) I get some pop-up windows every time I boot my computer. One window was a WinRAR installation window, another was a Windows Explorer error. The last was a Firefox error; it would randomly be the same 1-4 windows, the one where it says "send error report". I was too lazy to deal with it then so I just ignored it and closed the windows when they came up. But finally yesterday my computer got too messed up to use. I googled a sports streaming site for something I wanted to watch, since my other streams were too laggy or had other problems. I forgot the site, but within 30 minutes my screen went blue, and had a

    Yesterday I got the Google redirect virus, not sure how. I was on a sports streaming website, one I googled for what I wanted to watch because my other streams were too slow or had problems. Then maybe 20 minutes later a virus got on my system tray and turned the screen blue. I can't remember what it was; I've dealt with things like that and all I had to do was run MBAM to get rid of it. It was probably "Windows Virus Removal" or something like that. So after I ran MBAM it was gone, and it got rid of the pop-up windows that show up when the computer starts up. So the computer's back to normal. But then when I use Google I see the redirect virus is back.

    Also, every time I close all of the Firefox browsers I have running, it changes my "connection settings" to "manual proxy configuration" with proxy 127.0.0.1. I have to change it back to "no proxy" to use Firefox.

    Other web search sites work; I tried Yahoo and it was fine. I can still use the internet at normal speed. I just can't do anything through Google. I have to type in or copy-paste the URL if it's not in my bookmarks. When I use Google search it takes a while.


    Here's the ComboFix log. I didn't really read it, I'm not that good with computers. Hoping someone here can help me get rid of this piece of ****.

    ComboFix 11-05-04.02 - Sandesh 05/04/2011 14:13:34.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT -7:00]
    Running from: c:\documents and settings\Sandesh\My Documents\Downloads\ComboFix.exe
    FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\bC28614ClCpD28614
    c:\documents and settings\All Users\Application Data\bC28614ClCpD28614\bC28614ClCpD28614
    c:\documents and settings\All Users\Application Data\bC28614ClCpD28614\bC28614ClCpD28614.exe
    c:\documents and settings\Sandesh\Application Data\chrtmp
    c:\documents and settings\Sandesh\Application Data\SQLite3.dll
    C:\Microsoft
    c:\windows\system32\install
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-04 17:57 . 2011-05-04 17:57 -------- d-----w- c:\program files\CCleaner
    2011-05-04 17:12 . 2011-05-04 17:12 -------- d-----w- c:\documents and settings\Sandesh\Local Settings\Application Data\Threat Expert
    2011-05-04 01:06 . 2011-01-07 21:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-05-04 01:06 . 2011-01-07 21:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
    2011-05-04 01:06 . 2011-01-07 21:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
    2011-05-04 01:06 . 2011-01-07 21:54 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-05-04 01:05 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
    2011-05-04 01:05 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
    2011-05-04 01:05 . 2011-01-17 16:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
    2011-05-04 01:04 . 2010-12-10 23:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2011-05-04 01:04 . 2010-12-10 20:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2011-05-04 01:04 . 2010-12-16 15:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
    2011-05-04 01:04 . 2011-05-04 01:33 -------- d-----w- c:\program files\PC Tools Security
    2011-05-04 01:04 . 2011-05-04 01:06 -------- d-----w- c:\program files\Common Files\PC Tools
    2011-05-04 01:04 . 2011-05-04 01:04 -------- d-----w- c:\documents and settings\Sandesh\Application Data\PC Tools
    2011-05-04 01:04 . 2011-05-04 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2011-05-04 01:03 . 2011-05-04 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2011-05-03 19:14 . 2011-05-03 19:14 55552 ---ha-w- c:\windows\system32\netding6.tmp
    2011-05-03 02:54 . 2011-05-03 02:54 -------- d-----w- c:\documents and settings\Sandesh\Application Data\Malwarebytes
    2011-05-03 02:54 . 2011-05-03 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-03 02:54 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-03 02:53 . 2011-05-03 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-03 02:53 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-03 01:34 . 2011-05-03 01:34 0 ---ha-w- c:\documents and settings\Sandesh\Local Settings\Application Data\BIT3.tmp
    2011-04-30 22:49 . 2011-04-30 22:49 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-04-30 22:49 . 2011-04-30 22:49 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-04-30 22:49 . 2011-04-30 22:49 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-04-30 22:49 . 2011-04-30 22:49 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-04-30 22:49 . 2011-04-30 22:49 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-04-30 22:49 . 2011-04-30 22:49 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-04-30 22:49 . 2011-04-30 22:49 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-04-30 22:49 . 2011-04-30 22:49 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-04-19 04:22 . 2010-05-25 03:33 108032 ----a-w- c:\windows\system32\ff_vfw.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-30 22:49 . 2011-04-30 22:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2006-02-28 12:00 94784 --sh--w- c:\windows\twain.dll
    2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
    2010-09-18 06:53 974848 --sh--w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12 343040 --sh--w- c:\windows\system32\msvcrt.dll
    2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Sandesh^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Sandesh\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 07:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
    2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
    2001-08-10 01:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2006-10-27 08:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2001-08-04 02:24 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
    2001-08-04 02:24 311296 ----a-w- c:\windows\system32\hphmon03.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
    2006-06-02 08:45 385024 ------r- c:\windows\system32\JMRaidTool.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
    2009-07-29 22:28 252424 ----a-w- c:\windows\system32\MAFWTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2011-01-08 03:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-11-04 16:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2006-05-01 10:07 843776 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateUSB]
    2006-06-23 06:48 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "wscsvc"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Winamp\\winamp.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
    .
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/3/2011 6:04 PM 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [5/3/2011 6:05 PM 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [5/3/2011 6:05 PM 656320]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [5/3/2011 6:06 PM 247760]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [1/28/2011 3:18 PM 34944]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2011 5:43 PM 136176]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/3/2001 7:24 PM 18864]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2011 5:43 PM 136176]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [5/3/2011 6:04 PM 366840]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 00:43]
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 00:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/
    uInternet Settings,ProxyServer = http=127.0.0.1:55333
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\Sandesh\Application Data\Mozilla\Firefox\Profiles\l53s6wij.default\
    FF - prefs.js: keyword.URL - hxxp://www.zumix2.com/s/?engine=web&src=IE-Address&site=Bing&cfg=2-471-0&q=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 55333
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-HKCU - c:\windows\system32\install\server.exe
    MSConfigStartUp-HKLM - c:\windows\system32\install\server.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-04 14:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
    "ImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(756)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    Completion time: 2011-05-04 14:17:55
    ComboFix-quarantined-files.txt 2011-05-04 21:17
    .
    Pre-Run: 2,076,930,048 bytes free
    Post-Run: 2,117,832,704 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 1F70F3331E618A1AB3645C051DED0152
    Last edited by tashi; 2011-05-05 at 07:50. Reason: Revealed and deactivated link
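    The two indicators in the log above that explain the symptoms are the per-user IE setting `uInternet Settings,ProxyServer = http=127.0.0.1:55333` and the Firefox `network.proxy.http` / `keyword.URL` prefs: a local process is acting as an HTTP proxy and the address-bar search handler has been replaced. The script below is an added example (not from this thread, ComboFix or the Spybot team) that checks exported settings for exactly those two conditions. The sample `prefs.js` lines, the IE `ProxyServer` string and the ComboFix excerpt are constructed here to mirror the values in the log; the list of expected search hosts is an assumption an operator would maintain for their own environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs for this added example. The values mirror what the
# ComboFix log in this thread reported (loopback proxy on port 55333 and a
# hijacked keyword.URL); they are not copied from a real machine.
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "http://www.google.ca/");
user_pref("keyword.URL", "http://www.zumix2.com/s/?engine=web&src=IE-Address&site=Bing&cfg=2-471-0&q=");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55333);
user_pref("network.proxy.type", 1);
'''

# Constructed value of HKCU\...\Internet Settings\ProxyServer, as ComboFix
# printed it ("uInternet Settings,ProxyServer = http=127.0.0.1:55333").
SAMPLE_IE_PROXY_SERVER = "http=127.0.0.1:55333"

# Constructed excerpt in the format of ComboFix's "Supplementary Scan" block.
SAMPLE_COMBOFIX_EXCERPT = '''
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:55333
FF - prefs.js: keyword.URL - hxxp://www.zumix2.com/s/?engine=web&src=IE-Address&site=Bing&cfg=2-471-0&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55333
FF - prefs.js: network.proxy.type - 0
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')
COMBOFIX_FF_RE = re.compile(r'FF - (?:prefs|user)\.js: (\S+) - (.*)$')
LOOPBACK = {"127.0.0.1", "localhost"}
# Assumed allow-list: hosts a stock profile would use for address-bar searches.
EXPECTED_KEYWORD_HOSTS = {"www.google.com", "www.google.ca", "www.bing.com", "search.yahoo.com"}


def host_of(url: str) -> str:
    """Host part of a URL or host:port string; accepts ComboFix's defanged 'hxxp'."""
    url = re.sub(r'^h(?:tt|xx)ps?://', '', url.strip())
    return url.split('/')[0].split(':')[0].lower()


def parse_prefs_js(text: str) -> Dict[str, str]:
    """Map pref name -> raw value (surrounding quotes stripped) from prefs.js lines."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def parse_combofix_excerpt(text: str) -> Tuple[str, Dict[str, str]]:
    """Extract the IE ProxyServer value and the FF prefs from a Supplementary Scan block."""
    ie_proxy = ""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("uInternet Settings,ProxyServer = "):
            ie_proxy = line.split(" = ", 1)[1]
        m = COMBOFIX_FF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return ie_proxy, prefs


def audit_firefox_prefs(prefs: Dict[str, str]) -> List[str]:
    """Flag a loopback HTTP proxy and a non-standard keyword.URL search handler."""
    findings: List[str] = []
    host = prefs.get("network.proxy.http", "")
    port = prefs.get("network.proxy.http_port", "?")
    if host in LOOPBACK:
        # network.proxy.type 1 = manual proxy; anything else leaves the host as residue.
        state = "active" if prefs.get("network.proxy.type") == "1" else "configured but not active"
        findings.append(f"Firefox HTTP proxy {host}:{port} points at loopback ({state})")
    kw = prefs.get("keyword.URL", "")
    if kw and host_of(kw) not in EXPECTED_KEYWORD_HOSTS:
        findings.append(f"keyword.URL sends address-bar searches to {host_of(kw)}")
    return findings


def audit_ie_proxy(proxy_server: str) -> List[str]:
    """Flag any entry of the IE ProxyServer value ('http=host:port;https=...') on loopback."""
    findings: List[str] = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.rpartition("=")[2]   # drop the 'http=' scheme prefix if present
        if host_of(hostport) in LOOPBACK:
            findings.append(f"IE proxy entry '{entry}' routes through loopback")
    return findings


def audit_combofix_excerpt(text: str) -> List[str]:
    """Run both audits over a pasted ComboFix Supplementary Scan block."""
    ie_proxy, prefs = parse_combofix_excerpt(text)
    return audit_ie_proxy(ie_proxy) + audit_firefox_prefs(prefs)


if __name__ == "__main__":
    for finding in audit_firefox_prefs(parse_prefs_js(SAMPLE_PREFS_JS)):
        print("prefs.js:", finding)
    for finding in audit_ie_proxy(SAMPLE_IE_PROXY_SERVER):
        print("registry:", finding)
    for finding in audit_combofix_excerpt(SAMPLE_COMBOFIX_EXCERPT):
        print("combofix:", finding)
```

A loopback proxy is worth flagging even when `network.proxy.type` is `0`, because the log shows the host and port surviving after the user switched back to "no proxy"; the poster's report that the manual proxy returns whenever Firefox is closed means something outside the browser keeps rewriting the setting, so the check is only a symptom detector, not a fix.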

  2. #2
    Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hello pcyouzer.

    So that everyone is on the same track, please see the forum FAQ, which along with other information includes instructions on how to post preliminary DDS logs for analysis in post #2:
    "BEFORE You POST" (Please read this Procedure Before Requesting Assistance)

    Then start a new topic providing the DDS logs as shown in that sticky.

    Also please give a link back to this thread so that helpers are aware of the CF log and that you followed instructions on YouTube.

    FYI: Please DO NOT RUN ComboFix without being asked

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    pcyouzer please do not start a new topic until you address this.

    Your other topic: http://www.bleepingcomputer.com/forums/topic395506.html

    From our FAQ:

    Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, as our analysts assist people at several forums. A worse scenario would be to run fixes given at one site unbeknownst to the person helping the same user elsewhere. If you have already requested help at another site, choose where you wish to continue and advise all parties.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
