Google redirect virus, tried different things



pcyouzer
2011-05-05, 03:23
(This is a little long)

I had this problem before but I forgot how I got rid of it. I didn't reformat my hard drive. The problem is in Internet Explorer too, not just Firefox.

I ran MBAM and TDSSKiller about 10 times, CCleaner, and just ran ComboFix. I saw this YouTube video http://www.youtube.com/watch?v=TLVifFbLIso and did everything it said. I tried doing a Google search on another drive, but there are so many methods.

First, I had a few bugs long before this. I think it started with WinRAR: I tried googling a free original version of WinRAR (not the demo), and I d/l'ed what I thought to be a real WinRAR, but it was a demo. Then a day later (or something, I dunno) I get some pop-up windows every time I boot my computer. One window was a WinRAR installation window, another was a Windows Explorer error. The last was a Firefox error; it would randomly be the same 1-4 windows, the one where it says "send error report". I was too lazy to deal with it then, so I just ignored it and closed the windows when they came up. But finally yesterday my computer got too messed up to use. I googled a sports streaming site for something I wanted to watch; my other streams were too laggy or had other problems. I forgot the site, but within 30 minutes my screen went blue, and had a

Yesterday I got the Google redirect virus, not sure how. I was on a sports streaming website; this one I googled for what I wanted to watch because my other streams were too slow or had problems. Then maybe 20 minutes later a virus got on my system tray and turned the screen blue. I can't remember what it was; I've dealt with things like that before and all I had to do was run MBAM to get rid of it. It was probably "Windows Virus Removal" or something like that. So after I ran MBAM it was gone, and it got rid of the pop-up windows that show up when the computer starts up. So the computer was back to normal, but then when I used Google I saw the redirect virus was back.

Also, every time I close all of the Firefox browsers I have running, it changes my "connection settings" to "manual proxy configuration" with proxy 127.0.0.1. I have to change it back to "no proxy" to use Firefox.

Other web search sites work; I tried Yahoo and it was fine. I can still use the internet at normal speed. I just can't do anything through Google. I have to type in or copy-paste the URL if it's not in my bookmarks. When I use Google search it takes a while.


Here's the ComboFix log. I didn't really read it; I'm not that good with computers. Hoping someone here can help me get rid of this piece of ****. :)

ComboFix 11-05-04.02 - Sandesh 05/04/2011 14:13:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT -7:00]
Running from: c:\documents and settings\Sandesh\My Documents\Downloads\ComboFix.exe
FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bC28614ClCpD28614
c:\documents and settings\All Users\Application Data\bC28614ClCpD28614\bC28614ClCpD28614
c:\documents and settings\All Users\Application Data\bC28614ClCpD28614\bC28614ClCpD28614.exe
c:\documents and settings\Sandesh\Application Data\chrtmp
c:\documents and settings\Sandesh\Application Data\SQLite3.dll
C:\Microsoft
c:\windows\system32\install
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-04 17:57 . 2011-05-04 17:57 -------- d-----w- c:\program files\CCleaner
2011-05-04 17:12 . 2011-05-04 17:12 -------- d-----w- c:\documents and settings\Sandesh\Local Settings\Application Data\Threat Expert
2011-05-04 01:06 . 2011-01-07 21:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-05-04 01:06 . 2011-01-07 21:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-05-04 01:06 . 2011-01-07 21:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-05-04 01:06 . 2011-01-07 21:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-05-04 01:05 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-05-04 01:05 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-05-04 01:05 . 2011-01-17 16:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-05-04 01:04 . 2010-12-10 23:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-05-04 01:04 . 2010-12-10 20:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-05-04 01:04 . 2010-12-16 15:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-05-04 01:04 . 2011-05-04 01:33 -------- d-----w- c:\program files\PC Tools Security
2011-05-04 01:04 . 2011-05-04 01:06 -------- d-----w- c:\program files\Common Files\PC Tools
2011-05-04 01:04 . 2011-05-04 01:04 -------- d-----w- c:\documents and settings\Sandesh\Application Data\PC Tools
2011-05-04 01:04 . 2011-05-04 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-05-04 01:03 . 2011-05-04 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-05-03 19:14 . 2011-05-03 19:14 55552 ---ha-w- c:\windows\system32\netding6.tmp
2011-05-03 02:54 . 2011-05-03 02:54 -------- d-----w- c:\documents and settings\Sandesh\Application Data\Malwarebytes
2011-05-03 02:54 . 2011-05-03 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-03 02:54 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-03 02:53 . 2011-05-03 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-03 02:53 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 01:34 . 2011-05-03 01:34 0 ---ha-w- c:\documents and settings\Sandesh\Local Settings\Application Data\BIT3.tmp
2011-04-30 22:49 . 2011-04-30 22:49 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 22:49 . 2011-04-30 22:49 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 22:49 . 2011-04-30 22:49 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 22:49 . 2011-04-30 22:49 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 22:49 . 2011-04-30 22:49 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 22:49 . 2011-04-30 22:49 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-30 22:49 . 2011-04-30 22:49 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 22:49 . 2011-04-30 22:49 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-19 04:22 . 2010-05-25 03:33 108032 ----a-w- c:\windows\system32\ff_vfw.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 22:49 . 2011-04-30 22:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-02-28 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2010-09-18 06:53 974848 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Sandesh^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Sandesh\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 07:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-10 01:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 08:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-08-04 02:24 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
2001-08-04 02:24 311296 ----a-w- c:\windows\system32\hphmon03.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-06-02 08:45 385024 ------r- c:\windows\system32\JMRaidTool.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2009-07-29 22:28 252424 ----a-w- c:\windows\system32\MAFWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-08 03:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-11-04 16:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 10:07 843776 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateUSB]
2006-06-23 06:48 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"wscsvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/3/2011 6:04 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [5/3/2011 6:05 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [5/3/2011 6:05 PM 656320]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [5/3/2011 6:06 PM 247760]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [1/28/2011 3:18 PM 34944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2011 5:43 PM 136176]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/3/2001 7:24 PM 18864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2011 5:43 PM 136176]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [5/3/2011 6:04 PM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 00:43]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:55333
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Sandesh\Application Data\Mozilla\Firefox\Profiles\l53s6wij.default\
FF - prefs.js: keyword.URL - hxxp://www.zumix2.com/s/?engine=web&src=IE-Address&site=Bing&cfg=2-471-0&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55333
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HKCU - c:\windows\system32\install\server.exe
MSConfigStartUp-HKLM - c:\windows\system32\install\server.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 14:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(756)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-05-04 14:17:55
ComboFix-quarantined-files.txt 2011-05-04 21:17
.
Pre-Run: 2,076,930,048 bytes free
Post-Run: 2,117,832,704 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1F70F3331E618A1AB3645C051DED0152
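
The proxy symptom the poster describes matches two lines in the ComboFix log: the IE value "uInternet Settings,ProxyServer = http=127.0.0.1:55333" (the "u" prefix means the HKCU Internet Settings key) and the Firefox prefs.js entries network.proxy.http / network.proxy.http_port pointing at 127.0.0.1:55333, alongside a keyword.URL override to zumix2.com that turns address-bar searches into redirects. Note that network.proxy.type is 0 ("no proxy") in the log, so the loopback proxy entries are dormant at that moment but still present in the profile, which is consistent with the setting coming back after Firefox is closed. The script below is an added example, not part of the original post or of any tool named in the thread: it parses a Firefox prefs.js and an IE ProxyServer string and flags loopback proxies and keyword.URL overrides. The embedded prefs.js text and the ProxyServer string are constructed samples that mirror the log's entries; to run it against a real profile, pass the contents of prefs.js from the profile directory and the ProxyServer value read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

```python
import re
from urllib.parse import urlparse

# Constructed sample prefs.js mirroring the entries reported in the ComboFix log
# (not the poster's actual file). network.proxy.type 0 = no proxy, 1 = manual.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.ca/");
user_pref("keyword.URL", "http://www.zumix2.com/s/?engine=web&src=IE-Address&site=Bing&cfg=2-471-0&q=");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 55333);
user_pref("network.proxy.type", 0);
'''

# Constructed sample of the IE ProxyServer value, in the form ComboFix printed it.
SAMPLE_IE_PROXY = "http=127.0.0.1:55333"

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text):
    """Parse user_pref(...) lines into a dict with str/int/bool values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def is_loopback(host):
    h = str(host).strip("[]").lower()
    return h == "localhost" or h == "::1" or h.startswith("127.")


def parse_ie_proxy_server(value):
    """Parse an IE ProxyServer string: either 'host:port' (all protocols)
    or 'http=host:port;https=host:port;...'. Returns {scheme: (host, port)}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, hostport = (part.split("=", 1) if "=" in part else ("all", part))
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
            port = int(port) if port.isdigit() else None
        else:
            host, port = hostport, None
        out[scheme] = (host, port)
    return out


def audit_firefox(prefs):
    """Flag loopback proxies (active or dormant) and keyword.URL overrides."""
    findings = []
    ptype = prefs.get("network.proxy.type", 0)
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get("network.proxy.%s" % scheme)
        if host and is_loopback(host):
            port = prefs.get("network.proxy.%s_port" % scheme)
            state = "active" if ptype == 1 else "dormant, proxy.type=%s" % ptype
            findings.append("firefox %s proxy -> %s:%s (%s)" % (scheme, host, port, state))
    kw = prefs.get("keyword.URL")
    if kw:
        # A keyword.URL entry in prefs.js only exists when the default was overridden.
        findings.append("firefox keyword.URL overridden -> %s" % urlparse(kw).hostname)
    return findings


def audit_ie(proxy_server):
    """Flag IE per-scheme or global proxies that point at the local host."""
    findings = []
    for scheme, (host, port) in parse_ie_proxy_server(proxy_server).items():
        if is_loopback(host):
            findings.append("ie %s proxy -> %s:%s" % (scheme, host, port))
    return findings


if __name__ == "__main__":
    for f in audit_firefox(parse_prefs_js(SAMPLE_PREFS_JS)) + audit_ie(SAMPLE_IE_PROXY):
        print(f)
```

A corporate proxy such as "proxy.corp:8080" produces no finding; only loopback targets are reported, since a legitimate local proxy is rare on a home XP box and a loopback proxy that keeps reappearing is the redirect symptom described. Removing the entries without removing whatever rewrites them is what the poster observed: the setting comes back.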

tashi
2011-05-05, 07:19
Hello pcyouzer.

So that everyone is on the same track, please see the forum FAQ, which along with other information includes instructions on how to post preliminary DDS logs for analysis in post #2.
"BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic providing the DDS logs as shown in that sticky. :)

Also, please give a link back to this thread so that helpers are aware of the CF log and that you followed instructions on YouTube. ;)

FYI: Please DO NOT RUN ComboFix without being asked (http://forums.spybot.info/showthread.php?t=16806)

Best regards.

tashi
2011-05-05, 07:46
pcyouzer, please do not start a new topic until you address this.

Your other topic: http://www.bleepingcomputer.com/forums/topic395506.html

From our FAQ:


Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources as our analysts assist people at several forums. Worse scenario would be to run fixes given at one site unbeknown to the person helping the same user elsewhere. If you have already requested help at another site choose where you wish to continue and advise all parties.