Solved Google results redirected, pop ups virus

Status
Not open for further replies.

united77

Hi
I seem to have some sort of virus on my laptop. If I click on a result from a Google search it takes me to a different site, and sometimes it will bring up pop-ups as well. Can someone help?

I have attached 2 SUPERAntiSpyware logs. The last one is one I did earlier, a quick scan, and it was unfinished, but it did find some threats so I thought they may be useful as well.

thanks
 

Attachments

  • hijackthis1.log (12.3 KB)
  • mbam-log-2010-04-06 (10-17-28)1.txt (1,011 bytes)
  • SUPERAntiSpyware Scan Log - 04-06-2010 - 15-42-09.log (7.3 KB)
  • SUPERAntiSpyware Scan Log - 04-06-2010 - 13-43-19.log (617 bytes)
Welcome to TechSpot, united. I'll help with the malware.
I'll help you reset the cookies to prevent them in the future, but the 2nd SAS scan found Trojans, so we need to work on them first.

The most important thing you can do first is update AVG from v8 to v9.xx.

Then please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Follow that by running the Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

The Eset scan will show us what else has gotten past outdated programs.

Please attach the Combofix report and Eset log to your next reply.

Please do not use any other cleaning programs while I am working with you. If you have a Registry Cleaner, please disable it and do not make any registry changes.
 
Thanks bobbye, I ran ComboFix fine, but only got halfway through the Eset scan, as it had been 3 hours and it had only got to 49%, but if it is necessary I can do the whole thing tomorrow.
 

Attachments

  • log.txt (1,009 bytes)
  • combifixlog.txt (17.5 KB)
Your main problem is that the system is full of torrent programs and data:
P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall all torrent-related programs for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

I have started you off below. It's up to you.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:

Code:
File::
c:\users\sean\AppData\Roaming\StreamTorrent
c:\programdata\ReviverSoft
c:\users\sean\AppData\Roaming\uTorrent
c:\windows\system32\ezsvc7x.dll
c:\program files\uTorrent\uTorrent.ex
C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\55f19477-2ab515f0
Folder::
c:\program files\StreamTorrent 1.0
c:\program files\PFPortChecker
c:\program files\uTorrent

RegLock::
[HKEY_USERS\S-1-5-21-2576920828-643336720-614938838-1000_Classes\CLSID\{07d14086-149d-440c-8dd1-5d87355ee545}]
[HKEY_USERS\S-1-5-21-2576920828-643336720-614938838-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe.
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
 
Just a couple more removals:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\ezsidmv.dat
c:\users\sean\AppData\Roaming\uTorrent
c:\users\sean\AppData\Roaming\StreamTorrent
Folder::

Registry::

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe.
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Have you uninstalled the torrent programs?
Start> Settings> Control Panel> Add/Remove Programs> uninstall here.
Use Windows Explorer to find and delete torrent program folders> Right click on Start> explore> My Computer> d/c on Local Drive> Programs> delete here.

Have the problems resolved?
====================
 
Hi, I tried using that, but when it was on the scan it brought up a blue screen, then the laptop restarted itself. When it came back on again it brought up the same screen and restarted again.
 
I tried it again, and it seemed to work, but it seems like my laptop is getting more problems. I've attached the log.
 

Attachments

  • combilog.txt (17.8 KB)
I think the added problems are 'user caused'. Here's some comparison for you:
C1
Completion time: 2010-04-07 10:38:05
ComboFix-quarantined-files.txt 2010-04-07 09:37
ComboFix2.txt 2010-04-06 18:53
Pre-Run: 72,206,491,648 bytes free
Post-Run: 72,263,049,216 bytes free
2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Default\AppData\Local\temp
=========================
C2
Completion time: 2010-04-07 17:58:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 16:58
ComboFix2.txt 2010-04-07 09:38
ComboFix3.txt 2010-04-06 18:53
Pre-Run: 71,868,616,704 bytes free
Post-Run: 71,882,063,872 bytes free
2010-04-07 16:43 . 2010-04-07 16:46 -------- d-----w- c:\users\sean\AppData\Local\temp
2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 15:47 . 2010-04-07 15:47 5136 ----a-w- c:\windows\system32\gport_.dll
================================
And I set these up for removal twice, but it appears you are continuing to use them in spite of my P2P Warning:
2010-04-03 21:27 . 2010-04-03 21:27 -------- d-----w- c:\users\sean\AppData\Roaming\StreamTorrent
2010-04-07 07:55 . 2009-04-21 14:59 -------- d-----w- c:\users\sean\AppData\Roaming\uTorrent

You also have an entry: 2010-04-07 08:01 . 2009-05-01 21:11:- c:\program files\folder
What is this?
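The comparison the helper makes above, between the first ComboFix report and the one after the reboot, is done by eye: which paths are new, how much disk space the run freed, whether the machine was rebooted, and which files (as opposed to folders) were created during the day. The script below does the same comparison over the quoted excerpts. It is an added example for this thread, not ComboFix code and not the helper's own tool; it assumes only the line shapes visible in the quoted logs ("Completion time: …", "Pre-Run/Post-Run: … bytes free", and "<created> . <modified> <size or dashes> <attrs> <path>" for each file or folder). The sample excerpts C1, C2 and P2P_LINES are copied from the post above and are fragments, not complete reports.

```python
"""Compare two ComboFix-style log excerpts: new paths, freed space, recent files.

Added example for this thread; not ComboFix code and not the helper's own tool.
Assumes the line shapes seen in the quoted logs (see the lead-in above).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Sequence, Tuple

STAMP = "%Y-%m-%d %H:%M"

# "<created> . <modified> <size or dashes> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
RUN_RE = re.compile(r"^(?P<phase>Pre|Post)-Run:\s+(?P<free>[\d,]+) bytes free$")
DONE_RE = re.compile(r"^Completion time:\s+(?P<ts>\S+ \S+)(?P<rest>.*)$")


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None where the log prints dashes (a folder)
    attrs: str            # e.g. "d-----w-" (folder) or "----a-w-" (file)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_entries(log: str) -> List[Entry]:
    """Return the file/folder lines of a log excerpt, in the order listed."""
    out: List[Entry] = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        out.append(Entry(datetime.strptime(m["created"], STAMP),
                         datetime.strptime(m["modified"], STAMP),
                         size, m["attrs"], m["path"]))
    return out


def completion(log: str) -> Optional[Tuple[str, bool]]:
    """(completion timestamp, whether the log says the machine was rebooted)."""
    for raw in log.splitlines():
        m = DONE_RE.match(raw.strip())
        if m:
            return m["ts"], "rebooted" in m["rest"]
    return None


def free_space_delta(log: str) -> Optional[int]:
    """Bytes freed by the run (Post-Run minus Pre-Run), or None if either is missing."""
    runs = {}
    for raw in log.splitlines():
        m = RUN_RE.match(raw.strip())
        if m:
            runs[m["phase"]] = int(m["free"].replace(",", ""))
    if "Pre" in runs and "Post" in runs:
        return runs["Post"] - runs["Pre"]
    return None


def new_entries(earlier: str, later: str) -> List[Entry]:
    """Entries of `later` whose path is absent from `earlier` (Windows paths compare case-insensitively)."""
    seen = {e.path.lower() for e in parse_entries(earlier)}
    return [e for e in parse_entries(later) if e.path.lower() not in seen]


def recent_files(entries: Sequence[Entry], since: str) -> List[Entry]:
    """Files (not folders) created at or after `since`, given as "YYYY-MM-DD HH:MM"."""
    cutoff = datetime.strptime(since, STAMP)
    return [e for e in entries if not e.is_dir and e.created >= cutoff]


def watchlist_hits(entries: Sequence[Entry], keywords: Sequence[str] = ("torrent",)) -> List[Entry]:
    """Entries whose path contains any keyword, e.g. leftover P2P program data."""
    kws = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e.path.lower() for k in kws)]


# Excerpts copied from the two ComboFix runs quoted in the post (fragments only).
C1 = r"""
Completion time: 2010-04-07 10:38:05
Pre-Run: 72,206,491,648 bytes free
Post-Run: 72,263,049,216 bytes free
2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Default\AppData\Local\temp
"""
C2 = r"""
Completion time: 2010-04-07 17:58:58 - machine was rebooted
Pre-Run: 71,868,616,704 bytes free
Post-Run: 71,882,063,872 bytes free
2010-04-07 16:43 . 2010-04-07 16:46 -------- d-----w- c:\users\sean\AppData\Local\temp
2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 15:47 . 2010-04-07 15:47 5136 ----a-w- c:\windows\system32\gport_.dll
"""
# The two P2P folders the helper flagged, copied from the same post.
P2P_LINES = r"""
2010-04-03 21:27 . 2010-04-03 21:27 -------- d-----w- c:\users\sean\AppData\Roaming\StreamTorrent
2010-04-07 07:55 . 2009-04-21 14:59 -------- d-----w- c:\users\sean\AppData\Roaming\uTorrent
"""

if __name__ == "__main__":
    for e in new_entries(C1, C2):
        print("new since first run:", e.path)
    print("bytes freed by run 2:", free_space_delta(C2))
    print("completion / rebooted:", completion(C2))
    for e in recent_files(parse_entries(C2), "2010-04-07 15:00"):
        print("file created that afternoon:", e.path, e.size, "bytes")
    for e in watchlist_hits(parse_entries(P2P_LINES)):
        print("P2P leftover:", e.path)
```

Matching on the lower-cased path is deliberate: Windows paths are case-insensitive, and ComboFix prints them in whatever case it finds, so a plain string comparison would report the same folder as "new". The temp folders are filtered out of `recent_files` because they are recreated on every run; the one file that survives the filter in C2 is the gport_.dll the helper singled out.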
 
Erm, to be honest I don't really know what they mean. I have uninstalled uTorrent already. I can't find StreamTorrent anywhere in Program Files, and it's not on the Start menu or in Control Panel > Install/Uninstall Programs, so I don't really know about that; it has disappeared from the desktop. That folder is just an empty folder I used once.
 
OK, at the moment it doesn't seem to be redirecting, but is there anything I can post which you can take a look at to check if everything is OK?

EDIT: Damn, seems to have started again.
 
I'm not using P2P programs; I uninstalled uTorrent when you said to, but the Google redirect problem is still there.
 
Please run ComboFix again. You can delete the previous exe files for ComboFix on the desktop before rerunning. Leave the new report.

The last data shows:
2010-04-03 21:27 . 2010-04-03 21:27 -------- d-----w- c:\users\sean\AppData\Roaming\StreamTorrent
 
OK, here is the new one. I have only used StreamTorrent once, and that was last Saturday.
 

Attachments

  • combilog1.txt (20.6 KB)
In between the first Combofix and this one, you downloaded and installed HitmanPro.

Why did you do that?

2010-04-07 17:57 . 2010-04-07 17:57 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-07 17:49 . 2010-04-07 20:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-07 17:49 . 2010-04-07 17:57 -------- d-----w- c:\programdata\Hitman Pro
2010-04-07 17:49 . 2010-04-07 17:49 -------- d-----w- c:\program files\Hitman Pro 3.5


Some days I have to stop and ask myself why I do this! You changed the system when you did that.

Is there a particular reason you don't recommend the Hitman program?

Yes, a few, based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
Anti-spyware program combines up to six popular engines to maximize removal effectiveness.
Part is personal preference, wanting to maintain control over my system. Hitman is also different across versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:

  • Eset NOD32 antivirus system (trial, expires in 30 days)
  • Webroot Spy Sweeper (trial, expires in 7 days)
  • PC Tools Spyware Doctor (demo, will not clean anything)
  • Lavasoft Ad-Aware SE (freeware)
  • Safer Networking Spybot - Search & Destroy (freeware)
  • TrendMicro CWShredder (freeware)
  • JavaCool Software SpywareBlaster (freeware)
  • McAfee VirusScan SuperDAT (virus signature definition updates, McAfee PrimeSupport license required for qualifying product)
  • Ewido Micro Scanner (freeware) (AVG)

The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

Hitman Pro is using other people’s knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer; however, it does offer a free 30-day trial.

The new version of Hitman Pro, version 3, uses:
  • NOD32 Antivirus
  • Avira AntiVir
  • Prevx
  • G DATA Anti-Virus
  • a-squared Anti-Malware
Virus scanners are not installed on the local computer, but in the scan cloud on the Internet.
Unlimited free scanning and a free 30-day version to remove detected malware.

None of these programs, alone or together, has the power of a program like ComboFix or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.

Remove my cleaning tools:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START > then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


More details and screenshots for Disk Cleanup in Windows Vista can be found here.
 