Google redirects, among other things

By PlayTheCharade
Oct 2, 2008
  1. Well, glad that I finally found a board that knows what they're doing.
    It seems like I'm following the trend for infected computers, because as of yesterday my Google searches have been bad. It's probably from what I thought was a driver for my sound card. Anyways, the sound card is fine now, but my computer is obviously infected/hacked.

    Links lead to other links, plus I can't access sites like Symantec or McAfee; the sites on your 8 steps to clean are also blocked, as in unable to visit at all. Other sites like Yahoo and CNET are okay, as long as I type the address in the search bar manually.

    Restore points are gone; can't create and can't go back to a previous point.

    I've been able to run your programs and delete the found files (adware, worms, trojans...). Then the links work fine and I'm able to visit Symantec and sites like that. But as soon as I turn off the computer/restart it, the problems are back. I've cleaned the computer twice, but each restart brings the problems back.
    Thankfully I was able to download the programs to a flash drive from another computer and did like you guys said in the guide. Anyways, here are the attached logs.
  2. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    How are things looking now that you have completed the removal instructions? You were badly infected. Will see if anything remains on the HJT log.
  3. momok

    momok TS Rookie Posts: 2,265

    Considering the extent of your infections (from your logs and your account), I would like you to do the following:

    Please download Panda Antirootkit from HERE.

    Download and run Combofix via these instructions HERE. Ensure that you have installed the Windows Recovery Console, as well as disabled any real-time monitoring programs (such as Spybot, firewalls etc.) before you run the program itself. When it's done, a log will be saved under C:\combofix.txt.

    After that run Panda Antirootkit and let me know the results.

    I notice that you have not run CCleaner, and your SUPERAntiSpyware log shows it set to only 'quick scan'. Do re-run it with a full scan after you have run CCleaner via the instructions sticky, after ComboFix and Panda Antirootkit.

    Post your logs here when you are done.
  4. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    You seem to have three antivirus programs installed (Norton, McAfee and Avast). You should only have one AV program installed at a time (preferably Avast).

    Run HJT again and remove the following:

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Mama\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    Remove Viewpoint Toolbar from Start > Control Panel > Add/Remove Programs

    General question:
    Does anyone know what this is?
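The O2/O3/O4 lines quoted in the post above are HijackThis (HJT) log entries: O2 is a Browser Helper Object, O3 an Internet Explorer toolbar, and O4 a startup entry under an HKLM or HKCU Run key. The following parser is an added example, not code from the thread or from HijackThis itself; it reads those exact lines (embedded as sample input), splits each into hive, name, CLSID, path and arguments, and produces a review summary for a helper: browser add-ons to look at, startup entries grouped by hive, and any startup program living under a user-profile directory, which merits a second look. The names of the functions and the user-profile prefixes checked are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the HJT entries posted in the thread above (verbatim).
SAMPLE_LOG = r"""
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Mama\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
""".strip()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# "[ValueName] "quoted path" args"  or  "[ValueName] unquoted\path args"
RUN_VALUE_RE = re.compile(r'^\[([^\]]+)\]\s*(?:"([^"]+)"|(\S+))\s*(.*)$')

# Locations a startup entry would not normally point into (example heuristic).
USER_PROFILE_PREFIXES = (r"c:\documents and settings" + "\\", r"c:\users" + "\\")


@dataclass
class HjtEntry:
    section: str            # "O2", "O3" or "O4"
    kind: str               # "BHO", "Toolbar" or "Run"
    hive: Optional[str]     # "HKLM" / "HKCU" for O4 entries, else None
    name: str               # display name (O2/O3) or Run value name (O4)
    clsid: Optional[str]    # COM CLSID for O2/O3 entries
    path: str               # DLL or executable path
    args: str               # command-line arguments of an O4 entry


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HJT O2/O3/O4 line; returns None for other or malformed lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("O2", "O3"):
        # "BHO: <name> - {CLSID} - <path>"  /  "Toolbar: <name> - {CLSID} - <path>"
        kind, _, body = rest.partition(": ")
        parts = [p.strip() for p in body.split(" - ", 2)]
        if len(parts) != 3:
            return None
        name, clsid, path = parts
        return HjtEntry(section, kind, None, name, clsid, path, "")
    if section == "O4":
        # "HKLM\..\Run: [Name] "path" args"
        key, _, body = rest.partition(": ")
        hive = key.split("\\")[0]
        vm = RUN_VALUE_RE.match(body)
        if not vm:
            return None
        name, quoted, unquoted, args = vm.groups()
        return HjtEntry(section, "Run", hive, name, None, quoted or unquoted, args.strip())
    return None


def parse_log(text: str) -> list[HjtEntry]:
    """Parse every recognised entry in an HJT log excerpt."""
    entries = (parse_entry(ln) for ln in text.splitlines() if ln.strip())
    return [e for e in entries if e is not None]


def in_user_profile(path: str) -> bool:
    return path.lower().startswith(USER_PROFILE_PREFIXES)


def summarize(entries: list[HjtEntry]) -> dict:
    """Group entries the way a helper would review them."""
    startup: dict[str, list[str]] = {}
    for e in entries:
        if e.kind == "Run":
            startup.setdefault(e.hive or "?", []).append(e.name)
    return {
        "browser_addons": [e.name for e in entries if e.kind in ("BHO", "Toolbar")],
        "startup": startup,
        "user_profile_paths": [e.name for e in entries if e.kind == "Run" and in_user_profile(e.path)],
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The summary is a starting point for the judgement the thread's helpers make by hand: O2/O3 entries identify the browser add-on (here the Viewpoint toolbar that tw0rld asked to have removed), while O4 entries are only startup programs and, as momok notes, need not be removed just because they are present.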
  5. momok

    momok TS Rookie Posts: 2,265

    That O17 entry is legitimate. I get your point on Viewpoint, but the other O4 entries do not need to be removed, in fact every single one of them is legit. We should not be messing with a user's settings without his/her authorization.

    The reason why I did not provide HJT cleaning instructions is because it is easier to do the cleaning at one go. If you check his SAS log you'll realise his system is pretty badly infected, and cleaning the infection is not so simple as fixing some HJT entries. Thus, we do not wish to confuse the user with too many different instructions from different people. Your input on the Viewpoint, the 3 AV and O17 entry is valid though, and that is appreciated.
  6. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    Unnecessary startup entries, which slow the system, but you are right.
  7. PlayTheCharade

    PlayTheCharade TS Rookie Topic Starter

    Thanks for the responses guys, you've been very helpful.

    Done and deleted. But I guess it wasn't needed, momok? Either way, they're gone.

    I've DLed Panda, CCleaner, and Combofix, just need to run them. Only thing holding me back is that my computer never came with an OS disk, so I don't think I have the Recovery Center, and I can't install it. I've tried searching for "recovery" and "Center" on my computer but nothing comes up. Can I run those programs without the Recovery Center, or is RC required for it to work?
  8. tw0rld

    tw0rld TS Maniac Posts: 572   +6

    The O4 entries I told you to delete were startup entries, which tend to slow Windows down, no big deal really.
  9. momok

    momok TS Rookie Posts: 2,265

    The link which I gave provides some alternative ways to create the Recovery Console through Combofix by downloading a file.
    Go back to the link and scroll down a little and you'll find it.
  10. PlayTheCharade

    PlayTheCharade TS Rookie Topic Starter

    Yeah, from what I saw the files didn't look like anything I used extensively anyways, so getting some space and a faster boot was appreciated, thanks for that.

    Ah, right. Sorry I didn't see that. I'll post back in a bit after running the programs and for new logs.
  11. PlayTheCharade

    PlayTheCharade TS Rookie Topic Starter

    Thanks for being patient and helping me out, you guys are lifesavers.
    Alright so here are the results:

    EDIT: It's working so far (can visit Symantec, McAfee, Google searches not redirected) but I'm going to go ahead and do the reboot that SAS said it needed to delete the things it found. Do I just do a normal restart (Start > Shut Down > Restart)? Or is there a command that SAS has to ensure that the items are removed?

    - Panda didn't detect anything

  12. momok

    momok TS Rookie Posts: 2,265

    1. Open notepad and copy/paste the text in the quote box below into it:
    2. Save this as CFScript on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    4. Run CCleaner.
    5. Continue with the SAS scan. Restart as and if needed.
    6. Run HJT and save a log.
    Post your new logs (HJT, Combofix, SAS) here after that, thanks.
  13. PlayTheCharade

    PlayTheCharade TS Rookie Topic Starter

    Updated logs:
  14. momok

    momok TS Rookie Posts: 2,265

    Your logs are clean and you're good to go. But before that,

    1. Please download and run CCleaner via step 3 of the instructions HERE.

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend that you read this article.
      This can help to prevent future infections.
  15. PlayTheCharade

    PlayTheCharade TS Rookie Topic Starter

    Thank you very much guys, your help really saved me on this.
    Truth is, if I wasn't able to find a way to get rid of the infections I would have been forced to hire a somewhat "shady" self-proclaimed computer tech again. I say "shady" because he installed a copy of Windows XP Pro on my sister's laptop which was apparently pirated, as we were greeted with a message from Microsoft when we booted the computer a couple days later.
    Anyways, I saw how most of the things in your guides are for XP. I was planning on buying a new laptop and protecting it with freeware like the ones you guys showed me for this (as you saw, this comp has McAfee and Norton. Obviously neither of them ever work very well, especially not when one isn't completely uninstalled and the other is sporadic. My parents think the only good protection is bought haha). Are they mostly Vista compatible? Has there been an updated guide for Vista, or can I probably follow your guide on Vista easily enough?
  16. momok

    momok TS Rookie Posts: 2,265

    You're welcome.
    Most of the programs are compatible with Vista, no worries about that. =)

    For antivirus, AVG/Avast are compatible.
    For firewalls, ZoneAlarm and Comodo are good, but I personally experienced some problems with ZoneAlarm (probably rare, but BSODs are not something to joke about) though.
    I'd recommend Spybot and CCleaner to just about anyone too.

    Personally I use Vista too, with AVG, Comodo and Spybot running, and I haven't been infected ever since I joined Techspot and fixed my malware issue and learnt how to deal with such issues.

    That said, the best defence is nothing in the hands of an uninformed user. So good habits definitely help you go a long way ;)
  17. PlayTheCharade

    PlayTheCharade TS Rookie Topic Starter

    Well, looks like I found a place to stick around at; I've been looking for an informed crowd like this. Especially good is that I can probably learn something useful here.
    And agreed on your uninformed user point: a soldier could go into war with a bulletproof vest, but if he doesn't learn to hide and adapt to the circumstances... well, we could say he's gonna get a BSOD in the near future =p
    Will definitely jump on those tips, thanks guys.
Topic Status:
Not open for further replies.