Google redirect virus, 8 steps completed, logs attached

By esmac1988
Mar 19, 2010
Topic Status:
Not open for further replies.
  1. I was having problems with search engines results redirecting me to bogus websites. It was kind of off and on. Sometimes everything worked fine, sometimes it would redirect but after a couple tries clicking the link it would find the real website, and sometimes I just plain couldn't get to the real website at all. I went through the 8 steps and everything seems to be okay now, but I figured I better post my logs just for good measure, thanks.
  2. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    Here they are.

    Attached Files:

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    One of your problems may have been resolved, but the system still has a considerable amount of malware active:

    Please download GMER and save it to your desktop. (This file will have a random name)
    Two other links for the download should you need one:
    Link 2
    Link 3
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file and allow the gmer.sys driver to load if asked.
    • Select Rootkit tab> click Scan
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system click NO.
    • When scan is completed, click Save button, and save the results as gmer.log
    • Exit GMER and re-enable all active protection when done.
    • If you encounter any problems, try running GMER in Safe Mode.
    This screenshot http://www.gmer.net/faq.php will show you how the display will come up.
    Please attach the log with your next reply

    After that, Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Attach both reports to your next reply.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!! DO NOT make any Registry Changes. And it is recommended that if you are running any Registry editing program, that you either uninstall or disable it while we are in the cleaning process.
  4. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    It seems that I'm having some trouble running the GMER scan. I downloaded it, and while it's on the tab that says Rootkit/Malware I clicked scan, but when it's finished scanning it doesn't give me any results like the last scans I have done. An information box just pops up and says "GMER hasn't found any system modification." where I can click OK, but there are no logs. What am I doing wrong?
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It doesn't mean you did anything wrong, just that GMER didn't find anything. I'd like you to scan with the following, which will check hidden files, hidden processes, hidden registry keys and hidden services:

    Download catchme.exe to your desktop.
    • Double click the catchme.exe to run it
    • Click the "Scan" button to start scan
    • Open catchme.log to see results

    Paste log in next reply.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Due to lack of activity, this thread is being closed.

    If further help is needed, please send a PM to your helper, including the URL for this thread.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thread reopened at members request.
  8. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    I'm having trouble posting the scan results. The file is too large to attach and after I try to copy and paste, it won't let me submit the reply.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Split the thread and paste it in over 2 replies. We're working on getting the character limit increased.
  10. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    The list is extremely long. So with the 10,000 character limit on here it's going to take like 15 separate posts to get it all up here. Is that what you're meaning for me to do?
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No. Can you zip the file and attach it?
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I rechecked the logs: you've got a 64-bit system and some of the programs we use won't work on 64-bit. Hold the GMER report for a bit and see if you can run the following:

    Please download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Under the Standard Registry box change it to All.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

    This will get some of the information I need out.
  13. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    Well, they are still way too big to paste on here in any convenient manner. Hope attachments work; if not I'll have to paste another 12 posts.

    Attached Files:

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
      O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files (x86)\BearShareTb\BearShareDx.dll 
      O2 - BHO: (UrlHelper Class) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files (x86)\iMesh Applications\MediaBar\DataMngr\IEBHO.dll 
      O2 - BHO: (UrlHelper Class) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files (x86)\BearShare Applications\BearShare\BearShareIEHelper.dll 
      O2 - BHO: (MediaBar) - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files (x86)\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll 
      O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files (x86)\BearShareTb\BearShareDx.dll 
      O3 - HKLM\..\Toolbar: (MediaBar) - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files (x86)\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll 
      O4 - HKLM..\Run: []  File not found
      O4 - HKLM..\Run: [TWebCamera]  File not found
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
      O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Filter\x-sdch {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - Reg Error: Key error. File not found
      C:\Users\owner\AppData\Roaming\LimeWire
      C:\Users\owner\AppData\Local\CrashDumps
      C:\Program Files (x86)\BearShareTb\BearShareDx.dll 
      C:\Program Files (x86)\BearShare Applications\BearShare\BearShareIEHelper.dll 
      C:\Program Files (x86)\iMesh Applications\MediaBar\ToolBar\iMeshMediaBarDx.dll 
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
    ===============================
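    The fix above removes a mix of entry types: BHOs and toolbars loaded from BearShare/iMesh directories, Run keys whose file is gone, O16 DPF ActiveX downloads, and 64-bit protocol handlers reporting "Reg Error". As an added example (not part of this thread and not OTL's own code), the Python below parses lines in that OTL `Oxx - ...` / `IE - ...` format and flags the mechanical signals a helper checks first: "File not found"/"Reg Error" orphans, targets under known bundled-toolbar directories, and O16 entries for manual review. The deny-list of directory fragments is a constructed assumption, the sample input is copied from the fix script plus one constructed benign BHO with a placeholder CLSID, and the script deliberately does not reproduce the helper's judgement (the IE page defaults and the bare paths in the `:Files` section are not flagged).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Deny-list of directory-name fragments. Constructed assumption for this
# example: the bundled-toolbar / P2P products removed in the fix above.
UNWANTED_DIR_FRAGMENTS = ("bearshare", "imesh", "mediabar", "limewire")

# 'O2 - ...', 'O18:64bit: - ...' and 'IE - ...' lines as OTL prints them.
LINE_RE = re.compile(r"^(?P<kind>O\d+(?::64bit:)?|IE)\s+-\s+(?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAME_RE = re.compile(r"[\(\[]([^\)\]]*)[\)\]]")      # (MediaBar) or [TWebCamera]
URL_RE = re.compile(r"https?://\S+")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|htm|html|cab)\b", re.I)


@dataclass
class Entry:
    kind: str                 # O2, O3, O4, O16, O18:64bit:, IE ...
    name: Optional[str]       # text in (...) or [...]
    clsid: Optional[str]      # {GUID} if present
    target: Optional[str]     # file path, URL or setting value the entry points at
    raw: str
    reasons: List[str] = field(default_factory=list)


def _extract_target(rest: str) -> Optional[str]:
    m = URL_RE.search(rest) or PATH_RE.search(rest)
    if m:
        return m.group(0)
    if " = " in rest:                      # IE - ...,Local Page = value
        return rest.split(" = ", 1)[1].strip()
    return None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL 'Oxx -' / 'IE -' line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                        # section headers, bare paths, blank lines
    kind, rest = m.group("kind"), m.group("rest")
    clsid, name = CLSID_RE.search(rest), NAME_RE.search(rest)
    return Entry(kind=kind,
                 name=name.group(1) if name else None,
                 clsid=clsid.group(0) if clsid else None,
                 target=_extract_target(rest),
                 raw=line.strip())


def assess(entry: Entry) -> Entry:
    """Attach the mechanical reasons a helper would look twice at this entry."""
    raw_l, tgt_l = entry.raw.lower(), (entry.target or "").lower()
    if "file not found" in raw_l or "reg error" in raw_l:
        entry.reasons.append("orphan: points at a file or key that no longer exists")
    if any(frag in tgt_l for frag in UNWANTED_DIR_FRAGMENTS):
        entry.reasons.append("pup: target lives under a bundled-toolbar/P2P directory")
    if entry.kind.startswith("O16"):
        entry.reasons.append("review: O16 DPF is an ActiveX control downloaded from the web")
    return entry


def triage(log_text: str) -> List[Entry]:
    return [assess(e) for e in map(parse_line, log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.reasons]


# Sample input: lines copied from the fix script above, plus one constructed
# benign BHO with a placeholder CLSID, a section header and a bare path that
# the parser is expected to skip.
SAMPLE_LOG = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files (x86)\BearShareTb\BearShareDx.dll
O2 - BHO: (UrlHelper Class) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files (x86)\iMesh Applications\MediaBar\DataMngr\IEBHO.dll
O4 - HKLM..\Run: [TWebCamera]  File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000000} - C:\Program Files (x86)\Example Vendor\Helper.dll
:Files
C:\Users\owner\AppData\Roaming\LimeWire
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:<11} {e.name or '-':<22} {e.target or '-'}")
        for r in e.reasons:
            print(f"{'':<11}   -> {r}")
```

    Orphaned entries are worth listing even though they load nothing: they are what an incomplete uninstall or a partial cleanup leaves behind, and a later log with the same orphans tells the helper the fix did not apply. The deny-list only catches products named in it; an unfamiliar DLL path in an O2/O3 line still needs a human to look at the file.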
  15. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    Ok here is the newest OTL scan.

    Attached Files:

    • OTL.Txt (file size: 61.8 KB, views: 2)
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you run the fix in the codebox above?
  17. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    Yeah, do you need that log too? The one I just posted is the one done after running the fix, rebooting, and then the quick scan.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, I need that log. That way I can check to make sure the entries were removed and don't have to go line by line in a new log.
  19. esmac1988

    esmac1988 Newcomer, in training Topic Starter Posts: 16

    Gotcha, here it is.

    Attached Files:
