Inactive Another Google redirect virus, MBAM crashes during all scans

Status
Not open for further replies.
Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
  • Enter the drive, e.g. C:\
  • In the box labeled "Enter the file to search"
  • Enter the file wojohilu.dll
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post.
 
Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in:

    Code:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
When running the custom scan, an error box popped up

Access violation at address 0040295B in module 'OTL.exe'. Read of address 0021D000


The scan also gets stuck at "Creating restore point .. do not interrupt"


Should I retry the scan?
 
Here are the logs, and also, I will be out of town until Sunday, so I will not respond until then.

Thanks again for all the help crunchie. I will respond to any replies by Sunday night (Pacific time)
 

Attachments:
  • OTL.Txt (89.8 KB)
  • Extras.Txt (39.5 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\iglpfolx.sys -- (iglpfolx)
    DRV - File not found [Kernel | On_Demand | Stopped] -- H:\INSTALL\GMSIPCI.SYS -- (GMSIPCI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
    IE - HKCU\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
    O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKLM..\Run: [jswtrayutil] C:\Program Files\NETGEAR\WNA1100\jswtrayutil.exe File not found
    O4 - HKCU..\Run: [{D0D8CAC9-B131-B04E-99C1-B937FB9C4F37}] C:\Documents and Settings\Taru\Application Data\Algo\noac.exe File not found
    O20 - AppInit_DLLs: (c:\windows\system32\ c:\windows\system32\ c:\windows\system32\wiwijadu.dll c:\windows\system32\vozafiwu.dll c:\windows\system32\luzilufe.dll c:\windows\system32\) -  File not found
    O20 - AppInit_DLLs: (riwawake.dll c:\windows\system32\gibumeye.dll) -  File not found
    O21 - SSODL: hopisiwib - {08af4771-4ecd-49f3-b4ff-5c82deb77729} - C:\WINDOWS\System32\nifisito.dll File not found
    O21 - SSODL: jurilevaw - {0cb9b250-77d9-48a9-91fa-bd695fa34e27} - C:\WINDOWS\System32\luzilufe.dll File not found
    O21 - SSODL: sugusopap - {116c4373-13a4-4853-857b-9847c8452270} - C:\WINDOWS\System32\gibumeye.dll File not found
    O22 - SharedTaskScheduler: {08af4771-4ecd-49f3-b4ff-5c82deb77729} - jugezatag - C:\WINDOWS\System32\nifisito.dll File not found
    O22 - SharedTaskScheduler: {0cb9b250-77d9-48a9-91fa-bd695fa34e27} - kupuhivus - C:\WINDOWS\System32\luzilufe.dll File not found
    O22 - SharedTaskScheduler: {116c4373-13a4-4853-857b-9847c8452270} - kupuhivus - C:\WINDOWS\System32\gibumeye.dll File not found
    :Commands
    [emptyflash]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post log from this run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
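The fix script above is a list of OTL log lines, so it helps to have a small triage parser for that format. This is an added example, not part of the thread or of OTL itself: it pulls the Windows paths out of each entry, marks the ones OTL reports as "File not found", and flags file names that follow the eight-letter consonant/vowel pattern seen in this log (wiwijadu.dll, nifisito.dll); that name heuristic is an assumption drawn from the names on this page, and the sample lines are a constructed subset of the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines in the OTL log format quoted in the fix script above.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\iglpfolx.sys -- (iglpfolx)
O4 - HKCU..\Run: [{D0D8CAC9-B131-B04E-99C1-B937FB9C4F37}] C:\Documents and Settings\Taru\Application Data\Algo\noac.exe File not found
O20 - AppInit_DLLs: (c:\windows\system32\ c:\windows\system32\wiwijadu.dll c:\windows\system32\vozafiwu.dll c:\windows\system32\) -  File not found
O21 - SSODL: hopisiwib - {08af4771-4ecd-49f3-b4ff-5c82deb77729} - C:\WINDOWS\System32\nifisito.dll File not found
"""

# A Windows path ending in an executable extension; components may contain spaces
# but never ':' or '\', which keeps adjacent paths in an AppInit_DLLs list apart.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
# Heuristic (assumption drawn from the names on this page): eight letters in strict
# consonant/vowel alternation, e.g. wiwijadu.dll, is a generated name, not a vendor one.
RANDOM_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:dll|sys|exe)$")

@dataclass
class OtlEntry:
    kind: str                 # SRV, DRV, O4, O20, O21, ...
    raw: str
    paths: list = field(default_factory=list)
    missing: bool = False     # OTL could not find the referenced file
    suspicious: list = field(default_factory=list)

def parse_otl(text):
    """Turn OTL log lines into OtlEntry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        entry = OtlEntry(kind=line.split(" - ", 1)[0], raw=line)
        entry.paths = PATH_RE.findall(line)
        entry.missing = "File not found" in line
        entry.suspicious = [p for p in entry.paths
                            if RANDOM_NAME_RE.match(p.rsplit("\\", 1)[-1].lower())]
        entries.append(entry)
    return entries

def triage(text):
    """Return (orphans, suspicious): entries whose file is gone, plus the distinct
    random-named DLL/driver paths that still merit a look even though they are missing."""
    entries = parse_otl(text)
    orphans = [e for e in entries if e.missing]
    suspicious = sorted({p.lower() for e in entries for p in e.suspicious})
    return orphans, suspicious
```

Note that appmgmts.dll is eight lowercase letters too, but fails the consonant/vowel test; a bare length check would flag that legitimate Windows file.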
 
Here are the logs, one with the fix and one quick scan after
 

Attachments:
  • 08222010_161649.log (12 KB)
  • quickscanOTL.Txt (79.2 KB)
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
 
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
 
Also, I have Hitman Pro virus scan, and it found winlogon.exe as infected. I did not delete this file though as combofix deleted this last time and my computer was not loading.
 
Sorry for the late reply. Have been (and still am) sick :(.

I wouldn't mind you giving Combofix another try. You will have to delete the one you have and install the latest from the same link.
It can be run in safe mode if need be.
 
Hey Crunchie,

Hope you are feeling better. My computer no longer redirects, but some of my scans still show winlogon.exe as being infected. I am a little worried about running combofix again because like last time it might make my computer crash. Any suggestions?

thanks!
 
[ArcaVir]
2010-08-30 Found nothing

[G DATA]
2010-09-03 Win32.Loader.O

[Avast! antivirus]
2010-09-03 Found nothing

[Ikarus]
2010-09-03 Trojan.Win32.Patched

[Grisoft AVG Anti-Virus]
2010-09-03 Found nothing

[Kaspersky Anti-Virus]
2010-09-03 Trojan.Win32.Patched.kl

[Avira AntiVir]
2010-09-03 TR/Patched.AW

[ESET NOD32]
2010-09-03 Win32/Bamital.DX Patched

[Softwin BitDefender]
2010-09-03 Win32.Loader.O

[Panda Antivirus]
2010-09-03 W32/Patched.AC

[ClamAV]
2010-09-03 Found nothing

[Quick Heal]
2010-09-03 Found nothing

[CPsecure]
2010-09-03 Found nothing

[Sophos]
2010-09-03 Troj/Patched-O

[Dr.Web]
2010-09-03 Win32.Dat.3

[VirusBlokAda VBA32]
2010-09-03 Found nothing

[Frisk F-Prot Antivirus]
2010-09-03 W32/Patched.B

[VirusBuster]
2010-09-03 Found nothing

[F-Secure Anti-Virus]
2010-09-03 Win32.Loader.O


These are the results, and also Crunchie, I will be away for 2 days! Thanks again!
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 