
Thread: Google redirect problems and slow computer

  1. #11
    ken545 (Security Expert)
    Join Date: Nov 2005
    Location: Stamford, CT
    Posts: 13,358

    So far so good, there are a couple of suspicious files on your system.

    You need to enable Windows to show all files and folders, instructions Here

    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, if it says this file has been checked before, have them recheck it. When the scan is done just copy and paste the link back to this forum for me to see.

    c:\windows\system32\drivers\drhvmyvf.sys

    If the site is busy you can try this one
    http://virusscan.jotti.org/en


    Check this file as well, you will have to do a Windows search for it
    ppvwrkdk.exe




    Then go ahead and run aswMBR once more and post the NEW LOG please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Junior Member
    Join Date: Jun 2012
    Posts: 10

    I'm afraid after numerous attempts I haven't been able to locate either file. I did follow the instructions to make hidden folders visible but even when I copied and pasted both file names into the search bar I couldn't find them.

  3. #13
    ken545 (Security Expert)

    OK, how are things running now?

  4. #14
    Junior Member

    It's not as slow as it used to be and I haven't noticed any redirection issues lately, would you still advise reinstalling Windows?

  5. #15
    ken545 (Security Expert)

    Go ahead and open aswMBR and let it update if it asks and run a new scan and post the log please

  6. #16
    Junior Member

    Hello again, here is the aswMBR logfile:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-08 22:17:29
    -----------------------------
    22:17:29.796 OS Version: Windows 6.1.7600
    22:17:29.796 Number of processors: 2 586 0x1C0A
    22:17:29.796 ComputerName: MIYOKO-TOSH UserName: Miyoko
    22:17:32.931 Initialize success
    22:17:53.274 AVAST engine defs: 12070801
    22:19:07.811 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
    22:19:07.826 Disk 0 Vendor: Hitachi_ PB2O Size: 238475MB BusType: 3
    22:19:07.842 Disk 0 MBR read successfully
    22:19:07.857 Disk 0 MBR scan
    22:19:07.920 Disk 0 Windows 7 default MBR code
    22:19:07.951 Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS 400 MB offset 2048
    22:19:07.982 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 119237 MB offset 821248
    22:19:08.013 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 118837 MB offset 245018624
    22:19:08.045 Disk 0 scanning sectors +488396800
    22:19:08.138 Disk 0 scanning C:\Windows\system32\drivers
    22:19:24.456 Service scanning
    22:20:09.633 Modules scanning
    22:20:27.012 AVAST engine scan C:\Windows
    22:20:31.021 AVAST engine scan C:\Windows\system32
    22:20:31.364 File: C:\Windows\system32\092RLa8 **INFECTED** Win32:Katusha-FK [Trj]
    22:20:44.858 File: C:\Windows\system32\cDb4823 **INFECTED** Win32:Katusha-FK [Trj]
    22:21:05.591 File: C:\Windows\system32\dtINN23 **INFECTED** Win32:Katusha-FK [Trj]
    22:21:08.508 File: C:\Windows\system32\ELiEi23 **INFECTED** Win32:Katusha-FK [Trj]
    22:25:20.903 AVAST engine scan C:\Windows\system32\drivers
    22:25:39.062 AVAST engine scan C:\Users\Miyoko
    22:29:58.428 File: C:\Users\Miyoko\Desktop\092RLa8 **INFECTED** Win32:Katusha-FK [Trj]
    22:30:00.643 File: C:\Users\Miyoko\Desktop\dtINN23 **INFECTED** Win32:Katusha-FK [Trj]
    22:30:18.724 AVAST engine scan C:\ProgramData
    22:30:50.360 File: C:\ProgramData\Microsoft\Windows\DRM\EF53.tmp **INFECTED** Win32:Malware-gen
    22:31:39.859 File: C:\ProgramData\vista32\EBLib.dll **INFECTED** Win32:Ramnit-AC [Drp]
    22:31:40.280 File: C:\ProgramData\vista32\Microsoft.VC80.MFC\mfc80.dll **INFECTED** Win32:Ramnit-AC [Drp]
    22:31:40.608 File: C:\ProgramData\vista32\Microsoft.VC80.MFC\mfc80u.dll **INFECTED** Win32:Ramnit-AC [Drp]
    22:32:10.825 File: C:\ProgramData\win7_32\Microsoft.VC80.MFC\mfc80.dll **INFECTED** Win32:Ramnit-AC [Drp]
    22:32:11.200 File: C:\ProgramData\win7_32\Microsoft.VC80.MFC\mfc80u.dll **INFECTED** Win32:Ramnit-AC [Drp]
    22:32:12.729 Scan finished successfully
    22:38:05.352 Disk 0 MBR has been saved successfully to "C:\Users\Miyoko\Desktop\MBR.dat"
    22:38:05.398 The log file has been saved successfully to "C:\Users\Miyoko\Desktop\aswMBR3.txt"
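
The `**INFECTED**` lines of an aswMBR log like the one above, grouped by detection family and directory. This is an added example, not part of the original thread or of aswMBR; the sample lines are a constructed subset in the same format and the function names are hypothetical.

```python
import ntpath  # Windows path rules, whatever OS this runs on
import re
from collections import defaultdict

# Constructed sample: a subset of lines in the format of the log above.
SAMPLE_LOG = r"""
22:20:27.012 AVAST engine scan C:\Windows
22:20:31.364 File: C:\Windows\system32\092RLa8 **INFECTED** Win32:Katusha-FK [Trj]
22:29:58.428 File: C:\Users\Miyoko\Desktop\092RLa8 **INFECTED** Win32:Katusha-FK [Trj]
22:30:50.360 File: C:\ProgramData\Microsoft\Windows\DRM\EF53.tmp **INFECTED** Win32:Malware-gen
22:31:39.859 File: C:\ProgramData\vista32\EBLib.dll **INFECTED** Win32:Ramnit-AC [Drp]
22:32:10.825 File: C:\ProgramData\win7_32\Microsoft.VC80.MFC\mfc80.dll **INFECTED** Win32:Ramnit-AC [Drp]
22:32:12.729 Scan finished successfully
"""

DETECTION = re.compile(
    r"^\s*(?P<time>\d\d:\d\d:\d\d\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<name>\S+)(?: \[(?P<kind>\w+)\])?[ \t]*$",
    re.MULTILINE,
)

def parse_detections(log_text):
    """Return one dict per '**INFECTED**' line: time, path, family, kind."""
    found = []
    for m in DETECTION.finditer(log_text):
        # 'Win32:Ramnit-AC' -> 'Ramnit' (drop platform prefix and variant suffix)
        family = m["name"].split(":", 1)[-1].rsplit("-", 1)[0]
        found.append({"time": m["time"], "path": m["path"],
                      "family": family, "kind": m["kind"]})
    return found

def summarize(detections):
    """Group detections by family: hit count and the directories affected."""
    groups = defaultdict(lambda: {"count": 0, "dirs": set()})
    for d in detections:
        groups[d["family"]]["count"] += 1
        groups[d["family"]]["dirs"].add(ntpath.dirname(d["path"]))
    return {fam: {"count": g["count"], "dirs": sorted(g["dirs"])}
            for fam, g in groups.items()}

def repeated_names(detections):
    """File names flagged in more than one directory (copies of one sample)."""
    seen = defaultdict(set)
    for d in detections:
        seen[ntpath.basename(d["path"])].add(ntpath.dirname(d["path"]))
    return {name: sorted(dirs) for name, dirs in seen.items() if len(dirs) > 1}

if __name__ == "__main__":
    print(summarize(parse_detections(SAMPLE_LOG)))
```
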

  7. #17
    ken545 (Security Expert)

    Sorry to tell you my friend but you're still very much infected with Ramnit

    Some reading for you so you can see what you're up against
    http://www.microsoft.com/security/po...n32%2FRamnit.A
    http://www.f-secure.com/v-descs/viru...ramnit_n.shtml
    http://arstechnica.com/business/2012...ook-passwords/


    At this point a complete format of your hard drive and reinstall of Windows would be the only option. This virus can spread via USB thumb drives, I think it may be safe to back up any documents or pictures to a CD, not a thumb drive. Any programs that you installed that you have downloaded, the exe files to install those programs are infected as well, this virus infects all .exe files on your system.

    I hope you followed my previous instructions to use a known clean computer to change all your passwords for any banking or shopping sites you use.

    If you need help with the format and reinstall, please let me know and I can link you to a good Windows forum to help you.

    Sorry, wish I had better news for you


    Ken

  8. #18
    Junior Member

    Thank you for trying, if you could link me to any of the Windows forums re: reformatting I would be grateful.

    Do you think it would be worth my mother alerting her bank as she has used her debit card on this laptop before but it was a long time ago and as far as I know she hasn't noticed any strange activities on her statements? In any case all of her passwords have been changed on my Mac which has had no contact with this laptop via USB or any other medium.

  9. #19
    ken545 (Security Expert)

    Hi,

    As far as the bank, it wouldn't hurt to give them a heads up.

    You can post here, you can also link them to this thread so they can see what we have done and what we're up against. This forum, like Safer, is free but you will need to register, use the same user name that you're using now so that I can find you and follow along and offer any advice that may be needed.


    http://forums.whatthetech.com/index.php?showforum=119



    Good Luck,

    Ken

  10. #20
    ken545 (Security Expert)




    Safe Surfn
    Ken
