Google Redirect Virus Removal

By diziego
Jul 11, 2009
Topic Status:
Not open for further replies.
  1. Hi, I've had that nasty Google redirect virus for a while; I just wanted to know what I need to do to remove it. I've attached my logs. PLEASE HELP!
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Sorry for the delay.

    You are running two antivirus programs: AVG and Avira. Please remove one of them. Update and do a full system scan with the AV you keep. Save the log.

    I advise you to change your passwords. Some of the malware may have compromised the current passwords.

    Please reopen HijackThis to 'do system scan only'.
    Check the following entries if present:

    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    (The following are all portals to AOL: http://hp-desktop.aol.com/)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/


    P2P Warning: Advise Stop, then Uninstall.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fmz.qiwa.com
    Free Music Zilla is a simple tool specialized for social music downloading, ... A P2P file-sharing freeware fully compatible with BitTorrent ...
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Close all open Windows except HijackThis. Click on 'Fix Checked'

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK all Viewpoint and FreeZilla entries> Apply> OK.

    Suggest both Viewpoint and FreeZilla be uninstalled in Add/Remove Programs in the control Panel.

    Please temporarily disable this Real Time Protection:

    Disable AdWatch:
    • Right click on the Ad-Watch icon in the system tray.
    • At the bottom of the screen there will be two checkable items:
      [o] Active: This will turn Ad-Watch On\Off without closing it.
      [o] Automatic: Suspicious activity will be blocked automatically.
    • Uncheck both of those boxes.
    (When done, you can re-enable it using the same steps but this time check both boxes.)

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with new scan with HijackThis. Attach new log.

    Summary:
    Remove one AV program.
    Do scan with remaining AV program. Attach log.
    Remove HijackThis entries.
    Stop AdWatch.
    Run ComboFix and attach report.
    New log for HijackThis.
  3. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    OK, I have followed all the steps. I don't know how to access a log for the AVG scan, so if you could please tell me how, that would be great. I have attached my other 2 logs below.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If AVG was checked in CCleaner, the log was removed; you might have to run both again:

    Credit to Piriform:
    If this works, run the full system scan with AVG again. Save the log when finished.

    P2P Warning:

    I see you use a file sharing program: Limewire. And you have downloads from it in your Documents and Settings. P2P programs are a constant source of malware. I suggest you uninstall it. If you choose not to, please don't use it while cleaning. If you do and it contributes to the malware we are trying to remove, I will withdraw my support.

    Question: Did you set this override?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

    I see traces of Vundo in the logs. Please run the following:
    Please download VundoFix.exe HERE and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    After running the Vundo fix, please UPDATE and rescan with Malwarebytes. Attach new log.

    Summary:
    1. Check CCleaner setting
    2. Run AVG- save and attach log
    3. Run Vundo fix- save and attach log
    4. Rescan with HijackThis and attach new log.
  5. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    I still can't manage to produce a log for AVG.
    Should I uninstall and use AVIRA?
    I didn't want to continue through the other steps without knowing this first.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Yes, I recommend you replace AVG with Avira. It is a better program and you should be able to get the log without problem.

    When changing AV, in order to be protected, follow this:
    1. Download Avira and save it to your desktop. Don't run it yet.
    2. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    3. Open your browser> click on File> Choose 'Work Offline'
    4. Go to Start> Run> type in msconfig> enter> Selective startup> Startup tab> UNCHECK all AVG entries> Apply> OK
    5. Go to Control Panel> Add/Remove Programs> UNINSTALL Avg.
    6. Double-click on Avira setup on desktop and Run.

    7. When finished: reboot the computer into Normal Mode. NOTE: You will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
    8. When you get the prompt about working offline, asking whether you want to go back online: Yes, you do.
    9. Update Avira and run a full system scan. Save the log.

    This looks like a lot of steps, but it's easy and keeps you protected between AV programs.

    New Summary:
    1. Download, install and Run Avira as instructed. Save log. Attach to next reply.
    2. Run Vundo Fix. Save log and attach to next reply.
    3. Rescan with HijackThis and attach new log.

  7. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    OK, I've done all the steps. I attached my logs.

    Quote:
    Question: Did you set this override?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

    I don't know what that means. Can you explain?
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I'll have you remove it from the new HijackThis log. If you don't know what it is, you didn't set it up.

    Specifically, what symptoms are you now having with the system, if any?
  9. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    The redirecting has gone.
    The only thing is my computer seems a bit slower.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Speeding up the computer:
    Please reopen HijackThis to 'do system scan only'
    Check each of the following if present. Note: Don't click on Fix Checked until you have finished the list:

    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    Close all open Windows except HijackThis and click on 'Fix Checked.'

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    [1] Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK each of the following if present:
    ALL HP entries (hpsysdrv.exe, hkcmd.exe, hpqcmon.exe, hpgs2wnf.exe)
    iTunesHelper.exe
    All Java entries : (jusched.exe, jqs.exe, jp2ssv.dll, jqs_plugin.dll)
    iPodService.exe
    All Adobe entries (AcroIEHelperShim.dll, Reader_sl.exe)
    AAWTray.exe
    Bonjour and/or mDNSResponder.exe
    When finished, click Apply> OK

    [2] Control Panel> Java> Update tab> UNCHECK 'check automatically for update'> Apply> When asked to confirm> click Yes.

    [3] Right click on Start> Explore> Programs> QuickTime directory> Rename the qttask.exe file: right click on qttask.exe> rename to qttask.exeold.

    [4] Start> Run> type in services.msc> double-click on each of the following> Set Startup Type for each to Manual:

    Adobe LM Service
    Bonjour Service - (mDNSResponder.exe)
    FirebirdServerMAGIXI (fbserver.exe) started by Magix Movie Editor.
    iPodService.exe
    JavaQuickStarterService: (jqs.exe)
    AAWService.exe
    LexBce Server (LexBceS)
    NVIDIA Driver Helper Service (NVSvc)

    Close

    [5] Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.

    [6] Open IE> Tools> Manage add-ons> right click on 'Java(tm) Plug-In 2 SSV Helper' (jp2ssv.dll)> Disable Java Plugin2 and Java Quick Start

    [7] QTTask: Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box.

    Reboot the computer into Normal Mode. NOTE: Ignore the nag message that comes up and close it after checking 'don't show this message again.' Stay in Selective Startup.

    Run the AV again, save and attach the log.
    Rescan with HijackThis and attach new log.

    Let me know how the speed is. We're not quite through yet, but I think this will make a big difference.

    Special Consideration:

    BONJOUR/MDNSRESPONDER: If you use this program regularly, ignore this part. If you do not, follow the directions to remove it. It is a big resource user.

    Usually installed by Apple for iTunes. But also 'pre-checked' to load with the new Adobe CS3 applications, "mDNSResponder.exe" is installed somewhere in the install process. Used in iTunes file sharing.
    IF you do not use this process, it is best to stop and uninstall it. Here's how to safely uninstall Bonjour and remove mDNSResponder.exe:

    1. Go to Start > Run > type the command below and hit OK.
       "%PROGRAMFILES%\Bonjour\mDNSResponder.exe" -remove
    2. Right click on Start> Explore> Programs> Bonjour> right click on mdnsNSP.dll> rename to> mdnsNSP.old
    3. Restart your computer **** see note regarding reboot
    4. Delete the Program Files\Bonjour folder
    The first command will stop and remove the Bonjour Service from your computer. To confirm, go to Start > Run and type services.msc. Look for the Bonjour Service name. If it's not there, you've successfully removed it.
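As an added example that is not from the thread, the following Python script applies the checks Bobbye performs by eye on the HijackThis entries quoted in the replies above: home and search pages pointing at unexpected hosts, a ProxyOverride the owner may not have set, a BHO whose DLL is missing, and Run/Service entries for programs advised for removal. The EXPECTED_HOSTS allowlist, the UNWANTED name list and the sample log are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Every HijackThis line starts with a section code, e.g. "R1 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
# Assumed allowlist: hosts the owner actually chose as home/search pages.
EXPECTED_HOSTS = {"www.google.com"}
# Programs the helper in this thread advised removing (matched case-insensitively).
UNWANTED = ("viewpoint", "freezilla", "free music zilla")

# Constructed sample log, made up of entries quoted in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fmz.qiwa.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

def parse_entries(log_text):
    """Return (kind, body) for every entry line; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage(log_text):
    """Apply the thread's checks; return a list of (kind, reason, body)."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind in ("R0", "R1") and " = " in body:
            setting, value = body.split(" = ", 1)
            if setting.endswith("ProxyOverride"):
                # Ask the owner whether they set this; if not, it gets removed.
                findings.append((kind, "proxy override set", body))
            elif value.startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in EXPECTED_HOSTS:
                    findings.append((kind, "home/search page points to " + host, body))
        elif kind == "O2" and body.endswith("(file missing)"):
            # Orphaned BHO: still registered, but its DLL is gone.
            findings.append((kind, "BHO DLL missing", body))
        elif kind in ("O4", "O23"):
            low = body.lower()
            hit = next((n for n in UNWANTED if n in low), None)
            if hit:
                findings.append((kind, "unwanted program: " + hit, body))
    return findings
```

Run triage() over a real log's text and review each finding by hand; the allowlist is the part that differs from machine to machine.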
  11. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    OK, I have attached the logs.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    One online scan to make sure the Trojan is gone:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    IF this is clean, I'll have you remove the cleaning tools and old restore points.

    Have the original problems been resolved? The redirect is gone and I see you decided to leave some of the startup entries I listed. You should be seeing some increase in speed.
  13. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    The computer seems faster. I will fix the startups; I probably just didn't catch them. I am on vacation right now, so I will do the scan when I get back.
  14. diziego

    diziego Newcomer, in training Topic Starter Posts: 25

    Sorry for such a late response. I did the scan and attached my log file.