
[Solved] Google redirect virus help please!

Discussion in 'Virus and Malware Removal' started by beauty, Dec 19, 2010.

Thread Status:
Not open for further replies.
  1. Bobbye Helper on the Fringe

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      C:\Documents and Settings\All Users\Application Data\2c2e744\33.mof 
      C:\Program Files\AIM\Sysfiles\WxBug.EXE 
      C:\WINDOWS\system32\drivers\etc\hosts.20100602-142523.backup 
      C:\WINDOWS\system32\drivers\etc\hosts.20100602-145049.backup 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =============================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O1 - Hosts: 173.232.149.92 www.google.com
    O1 - Hosts: 173.232.149.92 google.com
    O1 - Hosts: 173.232.149.92 google.com.au
    O1 - Hosts: 173.232.149.92 www.google.com.au
    O1 - Hosts: 173.232.149.92 google.be
    O1 - Hosts: 173.232.149.92 www.google.be
    O1 - Hosts: 173.232.149.92 google.com.br
    O1 - Hosts: 173.232.149.92 www.google.com.br
    O1 - Hosts: 173.232.149.92 google.ca
    O1 - Hosts: 173.232.149.92 www.google.ca
    O1 - Hosts: 173.232.149.92 google.ch
    O1 - Hosts: 173.232.149.92 www.google.ch
    O1 - Hosts: 173.232.149.92 google.de
    O1 - Hosts: 173.232.149.92 www.google.de
    O2 - BHO: (no name) - {dcee3e00-f94a-4740-988e-03dc2f38c34f} - (no file)
    O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
    O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Control Panel> Add/Remove Programs> Uninstall any Viewpoint entries
    Click on Start> Run> type in services.msc> Double click on Viewpoint Manager Service> Change the Startup type to Disabled> Stop the Service> Exit Services.

    Use Windows Explorer: Windows key + E> My Computer> Double click on Local Drive> Programs> do a right click> Delete any Viewpoint folders.
    Exit Explorer

    Reboot into Normal Mode

    Replace the Hosts File
    MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

    Let me know how they are doing after the cable fix.
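The O1 lines in the HijackThis log above are nothing more than HOSTS-file entries that point well-known domains at a routable address, which is why every Google domain on this machine was being sent to 173.232.149.92. The following script is an added illustration (not part of this thread, and not code from HijackThis, OTMoveIt or the MVPS project) of how such an audit can be done: it parses a HOSTS file, treats loopback/0.0.0.0 entries as blocking entries of the kind the MVPS file installs, and reports any entry that redirects a name to a real address. The sample HOSTS text is constructed from the O1 lines quoted in the thread plus two made-up blocking lines.

```python
"""Audit a Windows HOSTS file for redirect entries (HijackThis-style O1 check).

Added example for illustration only; not code from the thread or the tools it uses.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the first lines mirror a stock Windows HOSTS file, the
# 173.232.149.92 lines reproduce the O1 entries HijackThis reported in this
# thread, and the last two lines are made-up MVPS-style blocking entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
173.232.149.92 www.google.com
173.232.149.92 google.com
173.232.149.92 google.com.au
0.0.0.0 ad.example-adnetwork.invalid
127.0.0.1 tracker.example-adnetwork.invalid   # constructed blocking entry
"""


@dataclass
class HostsFinding:
    ip: str
    hostname: str
    verdict: str  # "default", "block" or "redirect"


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an IP literal; HOSTS syntax requires one first
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def classify(ip, host):
    """Tell the stock localhost line, blocking entries, and redirects apart."""
    if host == "localhost" and ip.is_loopback:
        return "default"
    # MVPS-style entries sink a name into the local machine; they cannot send
    # traffic anywhere else, so they are not hijacks.
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    # Anything else sends the name to a real address: this is what the O1
    # lines in a HijackThis log represent.
    return "redirect"


def audit_hosts(text):
    """Return one HostsFinding per hostname in the file."""
    return [HostsFinding(str(ip), host, classify(ip, host))
            for ip, host in parse_hosts(text)]


def redirected_hosts(text):
    """Sorted list of hostnames the file redirects to a non-local address."""
    return sorted({f.hostname for f in audit_hosts(text) if f.verdict == "redirect"})


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(f"{finding.verdict:8} {finding.ip:16} {finding.hostname}")
    print("redirects:", redirected_hosts(SAMPLE_HOSTS))
```

On a live system the same functions can be pointed at the real file (C:\WINDOWS\system32\drivers\etc\hosts on the XP machine in this thread) by reading it into a string; after the MVPS file is installed, every non-default entry should classify as "block" and the redirect list should be empty.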
  2. beauty Newcomer, in training

    Ok, I did it and the OTM log is pasted below. However, after I removed Viewpoint in Safe mode, there were not any Viewpoint entries to stop/delete for these steps:



    OTM log

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\2c2e744\33.mof moved successfully.
    C:\Program Files\AIM\Sysfiles\WxBug.EXE moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100602-142523.backup moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100602-145049.backup moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users
    ->Flash cache emptied: 0 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 575588 bytes

    User:
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 4450720 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 2527 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16864 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12292010_193841

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_6d8.dat not found!

    Registry entries deleted on Reboot...
  3. Bobbye Helper on the Fringe

    Are you having any more redirecting?
  4. beauty Newcomer, in training

    No. It always was intermittent, though, but hopefully whatever it was is gone for good. Thanks a bunch!
  5. Bobbye Helper on the Fringe

    Okay, let's cleanup and close this thread. If the problem recurs, we'll try again.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin