Another Google Redirect Virus

Status
Not open for further replies.

reubencahn

Links that appear in Google search lead to random advertising pages. Have run the 8 step process. Any help is much appreciated. Here are the logs:
 
Your HJT log is double the size of most other users' logs.
This is because you have Norton (many entries) and a stack of Dell entries. Actually all up you have:
38 Windows startups (compared to my 1)
39 Service startups (note these are on top of your Windows startups)
Making a grand total of 77 Startups !
Does Windows actually run?

I have to go (so I'm told), but I wanted to post: please remove as many unneeded startups as humanly possible.

Edit:
I'm already back :)

OK please follow the below so we can at least view your HJT log:

Download these Tools, and save them to a New Folder on the Desktop: (ie don't run yet)
IE Reset: http://go.microsoft.com/?linkid=9646978
TFC: http://oldtimer.geekstogo.com/TFC.exe
Combofix: https://www.techspot.com/downloads/5587-combofix.html
Startup Control Panel: http://www.mlin.net/files/StartupCPL.zip
Norton Removal Tool (If you want to remove Norton): ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Free Avira (If you decided to Remove Norton) http://dlce.antivir.com/package/wks_avira/win32/en/pecl/avira_antivir_personal_en.exe
Hosts: http://www.mvps.org/winhelp2002/hosts.zip
JavaRa http://downloads.sourceforge.net/javara/JavaRa.zip

Uninstall these:
EmbassySecurityCheck
Spybot - Search & Destroy
SUPERAntiSpyware
All the Google stuff (user preference)
Roxio LiveShare P2P (user preference)
Roxio Hard Drive Watcher (user preference)
Norton (user preference)


At last we can start (note you may have needed to restart if you uninstalled any of the above)

1. Close all open programs (you can also disconnect from the Internet)
2. Run MicrosoftFixit50195.msi (This is IE Reset)
3. Unzip StartupCPL.zip, and install it. Then run it and disable all the known things you don't want starting with Windows
4. Unzip JavaRa and run it (select English) then select "Remove older versions"
5. Run TFC, once in the program press "Start" (you may need to Restart)
6. Disable Norton, and run Combofix (any warnings from Norton - just allow) (you may need to Restart) Note save the log file
7. Restart
8. Unzip and open hosts.zip, double click on mvps.bat
9. Start > Run > Services.msc > ok
  • locate these Services, then double click on them and set them to Manual > Apply
    • DNS Client
    • Help Service (also change the Recovery, to "take no action")
    • Java Quick Starter
    • Many others are Norton and Cisco stuff, we'll discuss later ;))
10. Restart
11. Attach a new HJT log and also that Combofix log
12. Here's hoping you removed Norton (since it didn't help you this time)
 
Can't uninstall Norton since the office requires it. Otherwise followed directions to the best of my limited abilities. Attached are the logs.
 
The following files (if they still exist):
c:\windows\system32\stcevent.dll
c:\documents and settings\rcc\Local Settings\Application Data\thqpfn
c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
I am not aware if they are Malware or not (likely yes)
Please upload them (one at a time) to HERE
And report back

Otherwise no other Malware found :)

But I would like you to do an online scan.

Please run this online scan. It will give you a log and I need to see it:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please let me know the results :)


EDIT
The following entries (Office of Defender Services)
are obviously required by you and your department?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fd.org
O17 - HKLM\Software\..\Telephony: DomainName = fd.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBB3EDCC-96A6-4466-89A6-538EC7F3A8A4}: Domain = fd.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBB3EDCC-96A6-4466-89A6-538EC7F3A8A4}: NameServer = 192.168.180.11,192.168.182.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fd.org
Why do all large corporations always have Norton?
Norton must have made some big deals with them

EDIT2
Not to sound rude or anything, but don't you guys have onsite techs?
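The two checks this thread does by hand (tallying the O4 and O23 startup entries, and asking whether the O17 NameServer entries point at the corporate resolvers or at something the user never configured) can be made repeatable. The script below is an added example, not code from the thread or from HijackThis. It runs over a constructed log excerpt: the fd.org lines mirror the thread, while the last O17 line, its {11111111-...} interface GUID and the 203.0.113.5 address (RFC 5737 documentation range) are made-up stand-ins for an unexpected resolver. It accepts RFC 1918 and loopback addresses and flags everything else, checked explicitly rather than through Python's is_private, which would also accept the documentation ranges.

```python
"""Added example: triage a HijackThis (HJT) log excerpt.

Counts O4 (Windows startup) and O23 (service) entries, which the helper was
tallying by hand, and flags O17 NameServer addresses outside the private
ranges a corporate workstation would normally use. Not HijackThis code.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample. The fd.org lines mirror the thread; the last O17 line,
# its {1111...} interface GUID and the 203.0.113.5 address (RFC 5737
# documentation range) are made up to stand in for an unexpected resolver.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint\\Apoint.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = fd.org
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{DBB3EDCC-96A6-4466-89A6-538EC7F3A8A4}: NameServer = 192.168.180.11,192.168.182.11
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{11111111-2222-3333-4444-555555555555}: NameServer = 203.0.113.5,192.168.180.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
"""

# Resolver addresses accepted without question: RFC 1918 ranges and loopback.
# Checked explicitly rather than via ip.is_private, which would also accept
# the documentation ranges and other special-purpose blocks.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")


def parse_entries(log_text):
    """Return (section, detail) pairs for each HJT-style line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def count_sections(log_text):
    """Count entries per section code, e.g. Counter({'O4': 38, 'O23': 39})."""
    return Counter(section for section, _ in parse_entries(log_text))


def suspicious_nameservers(log_text):
    """Return (registry path, address) for every O17 NameServer address that is
    outside EXPECTED_RESOLVER_NETS or is not a valid IP at all."""
    flagged = []
    for section, detail in parse_entries(log_text):
        if section != "O17":
            continue
        m = NAMESERVER_RE.search(detail)
        if not m:
            continue  # a "Domain = ..." line, not a resolver setting
        path = detail.split(":", 1)[0]
        for raw in re.split(r"[,\s]+", m.group(1).strip()):
            if not raw:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                flagged.append((path, raw))
                continue
            if not any(ip in net for net in EXPECTED_RESOLVER_NETS):
                flagged.append((path, raw))
    return flagged


def summarize(log_text):
    """Human-readable lines: startup totals plus any resolver worth asking about."""
    counts = count_sections(log_text)
    lines = [
        f"Windows startups (O4): {counts.get('O4', 0)}",
        f"Service startups (O23): {counts.get('O23', 0)}",
        f"Total startups: {counts.get('O4', 0) + counts.get('O23', 0)}",
    ]
    for path, addr in suspicious_nameservers(log_text):
        lines.append(f"CHECK resolver {addr} set on {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Against a real log, paste the whole HJT output into SAMPLE_LOG (or read it from the attached file): the startup totals should match the helper's hand count, and any resolver flagged for a CHECK line is something to confirm with whoever manages the network before treating it as the cause of redirects.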
 
> The following files (if they still exist)
> I am not aware if they are Malware or not (likely yes)
> Please upload them (one at a time) to HERE
> And report back
> Otherwise no other Malware found :)

I uploaded the first file. It was not found to be malware.
As to the second file, a folder by that name existed, but it was empty.
As to the third, the Network Services folder no longer exists within Documents and Settings.

> But I would like you to do an online scan
> Please run this online scan. It will give you a log and I need to see it:
> Run Eset NOD32 Online AntiVirus Scanner HERE
> Please let me know the results :)

I am attaching the log.

> EDIT
> The following entries (Office of Defender Services)
> are obviously required by you and your department?

These are entries necessary for our web-based VPN.

> Why do all large corporations always have Norton?
> Norton must have made some big deals with them

Government.

> EDIT2
> Not to sound rude or anything, but don't you guys have onsite techs?

Don't ask.
 
Problem seems to be gone when using IE. Redirect still starts to occur in Firefox, but the page to which the browser is being redirected will not load. I get the following messages:

Firefox can't establish a connection to the server at www.primosearch.com
or
Firefox can't establish a connection to the server at atl.mv.bidsystem.com.
or
Firefox can't find the server at dubaiskipark.com.

I also seem to be redirected on fewer links, say 1 out of 4 instead of 2 out of 3
 
You haven't answered if you have on site tech support.

For now, delete the copy of ComboFix that is on your desktop and redownload a fresh copy, run it and for the benefit of this forum, attach the log.
 
I'm currently out of town, but when I return to the office tomorrow, I will have on site tech support. They haven't been able to help with this problem. Only suggestions were to run Super Anti-Spyware. I will download ComboFix again and run.
 
Okay.

It's always best to have the tech support do any work; if something were to happen to the computer during the cleaning process, it will be nothing to do with us and will be completely on your shoulders.
 
I understand. Here's the latest log.
 
That's strange
Combofix has now found Malware and removed it, but the first run nothing was found
Also did you end up checking those files for Malware?
And did you end up doing an online scan?

For some reason you have not done this?
 
I posted but for some reason was told my post would be hidden until reviewed by a moderator. In any case, I followed the instructions. The first file, I uploaded. It was not found to be malware. The second two did not exist any longer. I then ran the online scan. It found no threats. I am attaching the log. The other files asked about are, I believe, those installed by our web-based VPN client.
 
So are you still being redirected in Firefox?
If so, uninstall Firefox (backup any bookmarks) and then run CCleaner
Then go HERE and re-install Firefox. (By the way, I'm using the latest "Beta" version of Firefox (and have been since its first release). It's now up to >> Firefox V3.6 b3)



Un-install Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK
(Note: 1 space after ComboFix in that uninstall command)


Update Java
By clicking HERE and confirming you have the latest Java installed
Run JavaRa again
This will remove all your old Java stuff (that is not required)

Remove Restore Points
1. Go to Start > All Programs > Accessories > System Tools > System Restore
2. Select Create a restore point, and OK it.
3. Next, go to Start > Run and type in cleanmgr
4. After selecting your drive, Select the "More options" tab
5. Choose the option to "clean up system restore" and OK it.
This will remove all restore points except the new one you just created.

You could also download and run Smart Defrag and defrag your system fully

Restart
Report how everything is running :)
You can then fully delete the New Folder created earlier, and then empty your Recycle Bin
 
Kimsland, there is a file in there that is infected, and there are also other files that need to be looked at before ComboFix is removed. Please do not remove it yet.
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *atapi.sys
    *iaStor.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
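What the SystemLook request above is after is every copy of those two driver names on the disk, so that the active copy can be compared with the cached ones. The script below is an added example, not SystemLook's code: it walks a directory tree for the requested name patterns and records path, size, modification time and SHA-256 for each hit, then points out when two copies of the same driver name differ. On a live system the root would be C:\WINDOWS (atapi.sys normally sits in system32\drivers, dllcache and ServicePackFiles); here the tree is constructed in a temporary directory, and the file contents and the "unrelated.sys" decoy are made up.

```python
"""Added example: the filefind step of the SystemLook request, in Python.

Finds every copy of the requested driver names under a root and records
size, modification time and SHA-256 so the copies can be compared. Not
SystemLook's code; the sample tree is constructed in a temp directory.
"""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def file_find(root, patterns):
    """Return {pattern: [(path, size, mtime_utc_iso, sha256), ...]} for every
    file under root whose name matches the pattern (case-insensitive, like
    a Windows file search). Hits are sorted by path for stable output."""
    results = {pattern: [] for pattern in patterns}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            for pattern in patterns:
                if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                    full = os.path.join(dirpath, name)
                    st = os.stat(full)
                    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
                    results[pattern].append((full, st.st_size, mtime, sha256_of(full)))
    for hits in results.values():
        hits.sort()
    return results


def distinct_digests(hits):
    """Set of SHA-256 values among the hits for one pattern. More than one
    digest for the same driver name means the copies differ, which is the
    case worth a second look (a later service-pack build, or a modified copy)."""
    return {digest for _path, _size, _mtime, digest in hits}


def build_sample_tree():
    """Constructed stand-in for a Windows tree: two atapi.sys copies with
    different contents, one iaStor.sys and one unrelated file. Returns the root."""
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    layout = {
        os.path.join("system32", "drivers", "atapi.sys"): b"MZ-constructed-atapi-driver-A",
        os.path.join("system32", "dllcache", "atapi.sys"): b"MZ-constructed-atapi-driver-B",
        os.path.join("system32", "drivers", "iaStor.sys"): b"MZ-constructed-iastor-driver",
        os.path.join("system32", "drivers", "unrelated.sys"): b"MZ-not-requested",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


def report(root, patterns):
    """SystemLook-style text report for the given root and patterns."""
    lines = []
    for pattern, hits in file_find(root, patterns).items():
        lines.append(f'Searching for "{pattern}"')
        for path, size, mtime, digest in hits:
            lines.append(f"{path}\t{size} bytes\t{mtime}\t{digest}")
        if len(distinct_digests(hits)) > 1:
            lines.append(f"  -> {pattern}: copies differ, compare against a known-good build")
        lines.append("")
    return lines


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("\n".join(report(demo_root, ["*atapi.sys", "*iaStor.sys"])))
```

The hash is what makes the comparison meaningful: two copies with the same size and date can still differ, and a digest lets the active driver be checked against the copy from the original install media or service pack rather than against a guess.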
 
Note: atapi.sys was recently (a couple of days ago) reported as a false positive by Malwarebytes.
New updates to the Malwarebytes database (currently version 3217) have removed the false positive on atapi.sys.
 
When I returned to the office, our tech support people replaced the drive. So I'm virus free. However, I asked for it back in order to run ComboFix in case anything useful can be learned by reviewing the log. Here it is:
 
Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.
    • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
      Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:
    • System Memory
    • Startup Objects
    • Disk Boot Sectors
    • My Computer
    • Also any other (removable) drives that you may have

After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.
  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.
  • Note: This tool will self-uninstall when you close it, so please save the log before closing it.
 