TechSpot

Google Redirect, did 8 steps

By KM71822
Apr 30, 2010
  1. Please help! I have been trying to get rid of this issue for several days to no avail. I was able to remove a few trojans through Malwarebytes and PC-cillin; however, anytime I google something, I am redirected to random sites.

    I did the 8 steps. Here are my logs. Thanks for your help in advance.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, KM. I'll help with the malware.

    There is another part to the DDS log. It's named Attach.txt. Please find it and include it in the next reply. I'd also like you to run the following:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Close any open browsers.
    • [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    • [5]. If Combofix asks you to install Recovery Console, please allow it.
    • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Please don't run any other cleaning programs or scans while I am helping you unless I request you to. Don't use a Registry cleaner or make any changes in the Registry.
     
  3. KM71822

    KM71822 TS Rookie Topic Starter

    OK, here they are. The combo fix said there was a root kit, but I'm sure you will know that from looking at the log. Thanks again.
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're the second person today to tell me there is a Rootkit in Combofix! I can't figure out why you think this. This line just identifies what's running:
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-30 18:43


    It is part of the Combofix program. If you look at the end of that section, you'll see that nothing was found. You did have a rogue program installed; it has been removed in Combofix:

    Home Antivirus 2010 is a rogue anti-virus program. It will create fake files throughout your computer using random names, then a scan with the program picks up these fake files and tells you they have to be removed, but the scam is that you are told you have to buy the program in order to remove them!
    ====================
    Custom CFScript


    • [1]. Close any open browsers.
    • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Viewpoint\Common\ViewpointService.exe
    
    Folder::
    Registry::
    
    Driver::
    Viewpoint Manager Service
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please download HijackThis from here.
    • Save it to a permanent folder (such as C:\HJT).
    • Next, open HijackThis, and select Do a system scan and save a logfile.
    • A Notepad document will open. Please post the contents of that document.

    Please paste the HJT log into the next reply and attach the new Comboscript report.

    Edit: I meant to include this. You should remove the earlier versions of these 2 programs:
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Player 10
    Windows Media Player 11


    And you should also update the Adobe reader from v7 to v9.xx:
    Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
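    The FCopy line in the CFScript above replaces the driver in C:\Windows\System32\drivers with the cached copy from C:\WINDOWS\ServicePackFiles\i386. A quick way to see why that step matters, and to confirm afterwards that it took effect, is to hash both copies and compare them. The script below is an added example, not part of Bobbye's instructions or of ComboFix; the two Windows paths are taken from the CFScript, and the demo runs against constructed stand-in files so it can be tried offline.

```python
import hashlib
import os
import tempfile

# Paths from the CFScript's FCopy directive (only meaningful on the affected XP machine).
SERVICE_PACK_COPY = r"C:\WINDOWS\ServicePackFiles\i386\atapi.sys"
LIVE_DRIVER = r"C:\Windows\System32\drivers\atapi.sys"


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large drivers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_driver_copies(backup_path, live_path):
    """Report whether the live driver is byte-identical to its cached backup.

    Size alone is not enough: a patched driver can keep the original size,
    so the digest is what decides 'identical'."""
    backup_hash = sha256_of_file(backup_path)
    live_hash = sha256_of_file(live_path)
    return {
        "backup_sha256": backup_hash,
        "live_sha256": live_hash,
        "backup_size": os.path.getsize(backup_path),
        "live_size": os.path.getsize(live_path),
        "identical": backup_hash == live_hash,
    }


def demo_with_constructed_files():
    """Constructed stand-ins for the two atapi.sys copies (not real driver images).

    Returns (identical_before_tamper, identical_after_tamper, sizes_equal_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "atapi.sys.servicepack")
        live = os.path.join(tmp, "atapi.sys")
        original = b"MZ" + b"\x00" * 510  # fake 512-byte image, constructed for the demo
        with open(backup, "wb") as fh:
            fh.write(original)
        # Simulate a modified live copy: same size, four bytes changed in the middle.
        tampered = bytearray(original)
        tampered[0x100:0x104] = b"\xde\xad\xbe\xef"
        with open(live, "wb") as fh:
            fh.write(bytes(tampered))
        untouched = compare_driver_copies(backup, backup)
        modified = compare_driver_copies(backup, live)
        return (
            untouched["identical"],
            modified["identical"],
            modified["backup_size"] == modified["live_size"],
        )


if __name__ == "__main__":
    # On the real machine you would call compare_driver_copies(SERVICE_PACK_COPY, LIVE_DRIVER).
    print(demo_with_constructed_files())
```

    Run on the real machine, a mismatch before the CFScript and a match after it confirms the FCopy step restored the cached driver; the demo shows the case the size check alone would miss.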
     
  5. KM71822

    KM71822 TS Rookie Topic Starter

    When I initially ran Combofix, it said it detected a rootkit. It restarted my computer and then finished running.

    Here are the two new logs. Thanks for your help. I updated Adobe Reader, but I'm not sure how to delete older versions of Internet Explorer or Media Player.
     

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    IE 7 was a new version and I think you'll find it in Add/Remove Programs.
    For WMP, go to the same Add/Remove screen in Control Panel but then click on Windows Components on the left. You should find WMP there. When you finish doing that:
    Use Windows Explorer (Windows key + E): Click on My Computer> double click on Local Drive (C)> Programs> look for both IE and WMP> if 2 are listed, do a right click> Delete on the older version of each.

    The logs are clean. Are there any malware-related problems remaining?
     
  7. KM71822

    KM71822 TS Rookie Topic Starter

    Everything appears to be running normally. Thanks for all of your help, I really appreciate it.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome, glad to help.
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Let me know if I can be of help in the future.
     
Topic Status:
Not open for further replies.