Google Redirect Virus Removal
- Thread starter diziego
- Start date
- Status
Bobbye
Posts: 16,313 +36
Sorry for the delay.
You are running two antivirus programs> AVG and Avira. Please remove one of them. Update and do a full system scan with the AV you keep. Save the log.
I advise you to change your passwords. Some of the malware may have compromised the current passwords.
Please reopen HijackThis to 'do system scan only'.
Check the following entries if present:
C:\Program Files\Viewpoint\Common\ViewpointService.exe
(The following are all portals to AOL: http://hp-desktop.aol.com/)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
P2P Warning: Advise Stop, then Uninstall.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fmz.qiwa.com
Free Music Zilla is a simple tool specialized for social music downloading, ... A P2P file-sharing freeware fully compatible with BitTorrent ...
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Close all open Windows except HijackThis. Click on 'Fix Checked'
Boot into Safe Mode
[*] Restart your computer and start pressing the F8 key on your keyboard.
[*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK all Viewpoint and FreeZilla entries> Apply> OK.
Suggest both Viewpoint and FreeZilla be uninstalled in Add/Remove Programs in the control Panel.
Please temporarily disable this Real Time Protection:
Disable AdWatch:
Please download ComboFix HERE:
Do not click on the ComoboFix window, as it may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Follow with new scan with HijackThis. Attach new log.
Summary:
Remove one AV program.
Do scan with remaining AV program. Attach log.
Remove HijackThis entries.
Stop AdWatch
Run Combofix and attach report
new log for HijackThis.
You are running two antivirus programs> AVG and Avira. Please remove one of them. Update and do a full system scan with the AV you keep. Save the log.
I advise you to change your passwords. Some of the malware may have compromised the current passwords.
Please reopen HijackThis to 'do system scan only'.
Check the following entries if present:
C:\Program Files\Viewpoint\Common\ViewpointService.exe
(The following are all portals to AOL: http://hp-desktop.aol.com/)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
P2P Warning: Advise Stop, then Uninstall.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fmz.qiwa.com
Free Music Zilla is a simple tool specialized for social music downloading, ... A P2P file-sharing freeware fully compatible with BitTorrent ...
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Close all open Windows except HijackThis. Click on 'Fix Checked'
Boot into Safe Mode
[*] Restart your computer and start pressing the F8 key on your keyboard.
[*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK all Viewpoint and FreeZilla entries> Apply> OK.
Suggest both Viewpoint and FreeZilla be uninstalled in Add/Remove Programs in the control Panel.
Please temporarily disable this Real Time Protection:
Disable AdWatch:
- Right click on the Ad-Watch icon in the system tray.
- At the bottom of the screen there will be two checkable items:
[o] Active: This will turn Ad-Watch On\Off without closing it.
[o]Automatic: Suspicious activity will be blocked automatically. - Uncheck both of those boxes.
Please download ComboFix HERE:
- With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
- Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
- Run Combo-Fix.exe and follow the prompts.
(Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.) - Wait for the scan to be completed.
- If it requires a reboot, please do it.
Do not click on the ComoboFix window, as it may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Follow with new scan with HijackThis. Attach new log.
Summary:
Remove one AV program.
Do scan with remaining AV program. Attach log.
Remove HijackThis entries.
Stop AdWatch
Run Combofix and attach report
new log for HijackThis.
Bobbye
Posts: 16,313 +36
If AVG was checked in CCleaner, the log was removed- you might have to run both again:
Credit to Piriform:
If this works, run the full system scan with AVG again. Save the log when finished.
P2P Warning:
I see you use a file sharing program: Limewire. And you have download through it in your Documents and Settings. P2P programs are a constant source of malware. I suggest you uninstall it. If you choose not to, please don't use it while cleaning. If you do and it contributes to the malware we are trying to remove, I will withdraw my support.
Question: Did you set this override?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
I see traces of Vundo in the logs. Please run the following:
Please download VundoFix.exe HERE and save to your desktop:
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
After running the Vundo fix, please UPDATE and rescan with Malwarebytes. Attach new log.
Summary:
1. Check CCleaner setting
2. Run AVG- save and attach log
3. Run Vundo fix- save and attach log
4. Rescan with HijackThis and attach new log.
Credit to Piriform:
If this works, run the full system scan with AVG again. Save the log when finished.
P2P Warning:
I see you use a file sharing program: Limewire. And you have download through it in your Documents and Settings. P2P programs are a constant source of malware. I suggest you uninstall it. If you choose not to, please don't use it while cleaning. If you do and it contributes to the malware we are trying to remove, I will withdraw my support.
Question: Did you set this override?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
I see traces of Vundo in the logs. Please run the following:
Please download VundoFix.exe HERE and save to your desktop:
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the ‘Fix Vundo’ button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
After running the Vundo fix, please UPDATE and rescan with Malwarebytes. Attach new log.
Summary:
1. Check CCleaner setting
2. Run AVG- save and attach log
3. Run Vundo fix- save and attach log
4. Rescan with HijackThis and attach new log.
Bobbye
Posts: 16,313 +36
Yes, I recommend you replace AVG with Avira. It is a better program and you should be able to get the log without problem.
When changing AV, in order to be protected, follow this:
1. Download Avira and save it to your desktop. Don't run it yet.
2. Boot into Safe Mode
[*] Restart your computer and start pressing the F8 key on your keyboard.
[*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
3. Open your browser> click on File> Choose 'work off line'
4. Go to Start> Run> type in msconfig> enter> Selective startup> Startup tab> UNCHECK all AVG entries> Apply> OK
5. Go to Control Panel> Add/Remove Programs> UNINSTALL Avg.
6. Double-click on Avira setup on desktop and Run.
7. When finished: reboot the computer into Normal Mode. NOTE: You will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
8. When you get prompt about working offline- do you want to go back online- Yes- you do.
10.Update Avira and run full system scan. save log.
This looks like a lot of steps, but it's easy and keeps you protected between AV programs.
New Summary:
1. Download, install and Run Avira as instructed. Save log. Attach to next reply.
2. Run Vundo Fix. Save log and attach to next reply.
3 Rescan with HijackThis and attach new log.
Edit:
When changing AV, in order to be protected, follow this:
1. Download Avira and save it to your desktop. Don't run it yet.
2. Boot into Safe Mode
[*] Restart your computer and start pressing the F8 key on your keyboard.
[*] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
3. Open your browser> click on File> Choose 'work off line'
4. Go to Start> Run> type in msconfig> enter> Selective startup> Startup tab> UNCHECK all AVG entries> Apply> OK
5. Go to Control Panel> Add/Remove Programs> UNINSTALL Avg.
6. Double-click on Avira setup on desktop and Run.
7. When finished: reboot the computer into Normal Mode. NOTE: You will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
8. When you get prompt about working offline- do you want to go back online- Yes- you do.
10.Update Avira and run full system scan. save log.
This looks like a lot of steps, but it's easy and keeps you protected between AV programs.
New Summary:
1. Download, install and Run Avira as instructed. Save log. Attach to next reply.
2. Run Vundo Fix. Save log and attach to next reply.
3 Rescan with HijackThis and attach new log.
Edit:
Bobbye
Posts: 16,313 +36
Speeding up the computer:
Please reopen HijackThis to 'do system scan only'
Check each of the following if present: Note: Don't click on Fix Checked until you have finished the list:
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iPod\bin\iPodService.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
Close all open Windows except hijackThs and click on 'Fix Checked.'
Boot into Safe Mode
[1[ Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK each of the following if present:
ALL HP entries (hpsysdrv.exe, hkcmd.exe, hpqcmon.exe, hpgs2wnf.exe)
iTunesHelper.exe
All Java entries : (jusched.exe, jqs.exe, jp2ssv.dll, jqs_plugin.dll)
iPodService.exe
All Adobe entries (AcroIEHelperShim.dll, exeReader_sl.exe)
AAWTray.exe
Bonjour and/or mDNSResponder.exe
When finished: Then check Apply> OK
[2] Control Panel> Java> Update tab> UNCHECK 'cleck automatically for udate'> Apply> When asked to confirm> click Yes.
[3] Right click on Start> Explore> Programs> QuickTime directory> Rename the qttask.exe file>: right click on qttask.exe> rename to qttask.exeold.
[4] Start> Run> type in services.msc> double-click on each of the following> Set Startup Type for each to Manual:
Adobe LM Service
Bonjour Service - (mDNSResponder.exe) FirebirdServerMAGIXI (fbserver.exe) started by Magix Movie Editor.
iPodService.exe
JavaQuickStarterService: (jqs.exe)
AAWService.exe
LexBce Server (LexBceS)
NVIDIA Driver Helper Service (NVSvc)
Close
[5] Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.
[6[ Open IE> Tools> Manage add-ons> right click on Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll> Click on and Disable Java Plugin2 and Java Quick Start
[7] QTTask: Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box.
Reboot the computer into Normal Mode: NOTE: Ignore the nag message that comesupo and close after checking 'don't show this message again.' Stay in Selective Startup.
Run the AV again, save and attach the log
Rescan with HijackThis and attach new log..
Let me know how the speed it. We're not quite through yet but I think this will; make a big difference.
Special Consideration:
BONJOUR/MDSRESPONDER: If you use this program regularly, ignore this part. If you do not, follow the directions tor emove it. It is a big resource user
Usually installed by Apple for iTunes. But also 'pre-checked' to load with the new Adobe CS3 applications, "mDNSResponder.exe" is installed somewhere in the install process. Used in iTunes files sharing
IF you do not use this process, it is best to stop and unintall it: Here’s how to safely uninstall Bonjour and remove mDNSResponder.exe
Please reopen HijackThis to 'do system scan only'
Check each of the following if present: Note: Don't click on Fix Checked until you have finished the list:
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iPod\bin\iPodService.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
Close all open Windows except hijackThs and click on 'Fix Checked.'
Boot into Safe Mode
- Restart your computer and start pressing the F8 key on your keyboard.
- Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
[1[ Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK each of the following if present:
ALL HP entries (hpsysdrv.exe, hkcmd.exe, hpqcmon.exe, hpgs2wnf.exe)
iTunesHelper.exe
All Java entries : (jusched.exe, jqs.exe, jp2ssv.dll, jqs_plugin.dll)
iPodService.exe
All Adobe entries (AcroIEHelperShim.dll, exeReader_sl.exe)
AAWTray.exe
Bonjour and/or mDNSResponder.exe
When finished: Then check Apply> OK
[2] Control Panel> Java> Update tab> UNCHECK 'cleck automatically for udate'> Apply> When asked to confirm> click Yes.
[3] Right click on Start> Explore> Programs> QuickTime directory> Rename the qttask.exe file>: right click on qttask.exe> rename to qttask.exeold.
[4] Start> Run> type in services.msc> double-click on each of the following> Set Startup Type for each to Manual:
Adobe LM Service
Bonjour Service - (mDNSResponder.exe) FirebirdServerMAGIXI (fbserver.exe) started by Magix Movie Editor.
iPodService.exe
JavaQuickStarterService: (jqs.exe)
AAWService.exe
LexBce Server (LexBceS)
NVIDIA Driver Helper Service (NVSvc)
Close
[5] Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.
[6[ Open IE> Tools> Manage add-ons> right click on Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll> Click on and Disable Java Plugin2 and Java Quick Start
[7] QTTask: Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box.
Reboot the computer into Normal Mode: NOTE: Ignore the nag message that comesupo and close after checking 'don't show this message again.' Stay in Selective Startup.
Run the AV again, save and attach the log
Rescan with HijackThis and attach new log..
Let me know how the speed it. We're not quite through yet but I think this will; make a big difference.
Special Consideration:
BONJOUR/MDSRESPONDER: If you use this program regularly, ignore this part. If you do not, follow the directions tor emove it. It is a big resource user
Usually installed by Apple for iTunes. But also 'pre-checked' to load with the new Adobe CS3 applications, "mDNSResponder.exe" is installed somewhere in the install process. Used in iTunes files sharing
IF you do not use this process, it is best to stop and unintall it: Here’s how to safely uninstall Bonjour and remove mDNSResponder.exe
1. Go to Start > Run > type the command below and hit OK.
“%PROGRAMFILES%\Bonjour\mDNSResponder.exe” -remove
2. Right click on Start> Explore> Programs> Bonjour> right click on mdnsNSP.dll> rename to> mdnsNSP.old
3. Restart your computer**** see note regarding reboot
5. Delete the Program Files\Bonjour folder
Bobbye
Posts: 16,313 +36
One online scan to make sure the Trojan is gone:
Run Eset NOD32 Online AntiVirus Scanner HERE
Note: You will need to use Internet Explorer for this scan.
IF this is clean, I'll have you remove the cleaning tools and old restore points.
Have the original problems been resolved? The redirect is gone and I see you decided to leave some of the startup entries I listed. You should be seeing some increase in speed.
Run Eset NOD32 Online AntiVirus Scanner HERE
Note: You will need to use Internet Explorer for this scan.
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the Active X control to install
- Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
- Click Start
- Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
- Click Scan
- Wait for the scan to finish
- Re-enable your Antivirus software.
- A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
IF this is clean, I'll have you remove the cleaning tools and old restore points.
Have the original problems been resolved? The redirect is gone and I see you decided to leave some of the startup entries I listed. You should be seeing some increase in speed.
- Status
Similar threads
Latest posts
-
Researchers have unlocked the "Holy Grail" of memory technology- DanteSmith replied