Google results redirected, pop ups virus

Solved
By united77
Apr 6, 2010
Topic Status:
Not open for further replies.
  1. Hi
    I seem to have some sort of virus on my laptop. If I click on a result from a Google search it takes me to a different site, and sometimes it will bring up pop-ups as well. Can someone help?

    I have attached 2 SUPERAntiSpyware logs; the last one is one I did earlier, a quick scan, and it was unfinished, but it did find some threats so I thought they may be useful as well.

    thanks

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Welcome to TechSpot, united. I'll help with the malware.
    I'll help you reset the Cookies to prevent them in the future, but the 2nd SAS scan found Trojans so we need to work on them first.

    The most important thing you can do first is update AVG from v8 to v9.xx.

    Then Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • If prompted to download and install the Recovery Console, please do so.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • If prompted to update, please allow.
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

    Follow that with Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    The Eset scan will show us what else has gotten past outdated programs.

    Please attach the Combofix report and Eset log to your next reply.

    Please do not use any other cleaning programs while I am working with you. If you have a Registry Cleaner, please disable it and do not make any registry changes.
  3. united77

    united77 Newcomer, in training Topic Starter

    Thanks Bobbye, I ran ComboFix fine, but only got halfway through the Eset scan, as it had been 3 hours and it had only got to 49%, but if it is necessary I can do the whole thing tomorrow.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Your main problem is that the system is full of torrent programs and data:
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall all torrent-related programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    I have started you off below. It's up to you.

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\users\sean\AppData\Roaming\StreamTorrent
    c:\programdata\ReviverSoft
    c:\users\sean\AppData\Roaming\uTorrent
    c:\windows\system32\ezsvc7x.dll
    c:\program files\uTorrent\uTorrent.ex
    C:\Users\sean\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\55f19477-2ab515f0
    Folder::
    c:\program files\StreamTorrent 1.0
    c:\program files\PFPortChecker
    c:\program files\uTorrent
    
    RegLock::
    [HKEY_USERS\S-1-5-21-2576920828-643336720-614938838-1000_Classes\CLSID\{07d14086-149d-440c-8dd1-5d87355ee545}]
    [HKEY_USERS\S-1-5-21-2576920828-643336720-614938838-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
  5. united77

    united77 Newcomer, in training Topic Starter

    Thanks for the help, I've attached the log.

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Just a couple more removals:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\ezsidmv.dat
    c:\users\sean\AppData\Roaming\uTorrent
    c:\users\sean\AppData\Roaming\StreamTorrent
    Folder::
    
    Registry::
    
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

    Have you uninstalled the torrent programs?
    Start> Settings> control Panel> Add/Remove programs> uninstall here.
    Use Windows Explorer to find and delete torrent program folders> Right click on Start> explore> My Computer> d/c on Local Drive> Programs> delete here.

    Have the problems resolved?
    ====================
  7. united77

    united77 Newcomer, in training Topic Starter

    Hi, I tried using that, but when it was on the scan it brought up a blue screen, then the laptop restarted itself, then when it came back on again it brought up the same screen and restarted again.
  8. united77

    united77 Newcomer, in training Topic Starter

    I tried it again and it seemed to work, but it seems like my laptop is getting more problems. I've attached the log.

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I think the added problems are 'user caused'. Here's some comparison for you:
    C1
    Completion time: 2010-04-07 10:38:05
    ComboFix-quarantined-files.txt 2010-04-07 09:37
    ComboFix2.txt 2010-04-06 18:53
    Pre-Run: 72,206,491,648 bytes free
    Post-Run: 72,263,049,216 bytes free
    2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    =========================
    C2
    Completion time: 2010-04-07 17:58:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-07 16:58
    ComboFix2.txt 2010-04-07 09:38
    ComboFix3.txt 2010-04-06 18:53
    Pre-Run: 71,868,616,704 bytes free
    Post-Run: 71,882,063,872 bytes free
    2010-04-07 16:43 . 2010-04-07 16:46 -------- d-----w- c:\users\sean\AppData\Local\temp
    2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-07 15:47 . 2010-04-07 15:47 5136 ----a-w- c:\windows\system32\gport_.dll
    ================================
    And I set these up for removal twice, but it appears you are continuing to use them in spite of my P2P Warning:
    2010-04-03 21:27 . 2010-04-03 21:27 -------- d-----w- c:\users\sean\AppData\Roaming\StreamTorrent
    2010-04-07 07:55 . 2009-04-21 14:59 -------- d-----w- c:\users\sean\AppData\Roaming\uTorrent

    You also have an entry: 2010-04-07 08:01 . 2009-05-01 21:11:- c:\program files\folder
    What is this?
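The comparison above is done by eye. As an added example (not from this thread, and not ComboFix's own code), here is a small Python parser for the file-listing lines in the C1 and C2 excerpts that diffs two runs and flags new regular files under system32 created after the previous run finished. The sample lines are taken from the excerpts above; the previous-run completion time is the C1 "Completion time" shown there.

```python
import re
from datetime import datetime

# One ComboFix file-listing line: "<created> . <modified> <size|dashes> <attrs> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-+)\s+([-a-z]{8})\s+(.+?)\s*$"
)

# Sample lines copied from the C1 and C2 excerpts in the thread
C1_SAMPLE = r"""
2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 09:32 . 2010-04-07 09:32 -------- d-----w- c:\users\Default\AppData\Local\temp
"""
C2_SAMPLE = r"""
2010-04-07 16:43 . 2010-04-07 16:46 -------- d-----w- c:\users\sean\AppData\Local\temp
2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-07 16:43 . 2010-04-07 16:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-07 15:47 . 2010-04-07 15:47 5136 ----a-w- c:\windows\system32\gport_.dll
"""
C1_COMPLETED = datetime(2010, 4, 7, 10, 38)  # "Completion time" of the C1 run

def parse_entries(text):
    """Map lowercased path -> parsed fields for every listing line in text."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, separators, blank lines
        created, modified, size, attrs, path = m.groups()
        entries[path.lower()] = {
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),  # first attribute flag is 'd' for directories
            "path": path,
        }
    return entries

def new_since(previous, current):
    """Lowercased paths listed in the current run but absent from the previous one."""
    return sorted(p for p in current if p not in previous)

def new_system32_files(previous, current, previous_completed):
    """New regular files under system32 created after the previous run finished."""
    hits = []
    for p in new_since(previous, current):
        e = current[p]
        if not e["is_dir"] and "\\windows\\system32\\" in p and e["created"] > previous_completed:
            hits.append(e["path"])
    return hits
```

Run against the two samples, the only entry it singles out is gport_.dll, the file the helper points at above.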
  10. united77

    united77 Newcomer, in training Topic Starter

    Erm, to be honest I don't really know what they mean. I have uninstalled uTorrent already; I can't find StreamTorrent anywhere in Program Files and it's not on the Start menu or in Control Panel > Install/Uninstall Programs, so I don't really know about that; it has disappeared from the desktop. That folder is just an empty folder I used once.
  11. united77

    united77 Newcomer, in training Topic Starter

    OK, at the moment it doesn't seem to be redirecting, but is there anything I can post which you can take a look at to check if everything is OK?

    EDIT: damn, seems to have started again
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    As long as you continue to use P2P programs, you are going to get malware.
  13. united77

    united77 Newcomer, in training Topic Starter

    I'm not using P2P programs, I uninstalled uTorrent when you said to, but the Google redirect problem is still there.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run Combofix again. You can delete the previous exe files for Combofix on the desktop before rerunning. Leave new Report.

    The last data shows:
    2010-04-03 21:27 . 2010-04-03 21:27 -------- d-----w- c:\users\sean\AppData\Roaming\StreamTorrent
  15. united77

    united77 Newcomer, in training Topic Starter

    OK, here is the new one. I have only used StreamTorrent once and that was last Saturday.

    Attached Files:

  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    In between the first Combofix and this one, you downloaded and installed HitmanPro.

    Why did you do that?

    2010-04-07 17:57 . 2010-04-07 17:57 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-04-07 17:49 . 2010-04-07 20:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-04-07 17:49 . 2010-04-07 17:57 -------- d-----w- c:\programdata\Hitman Pro
    2010-04-07 17:49 . 2010-04-07 17:49 -------- d-----w- c:\program files\Hitman Pro 3.5


    Some days I have to stop and ask myself why I do this! You changed the system when you did that.

    Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
    Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

    Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:
    Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer, however it does offer a free 30-day trial.

    The new version of Hitman Pro, version 3, uses:
    None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

    Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.

    Remove my cleaning tools:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [IMG]

    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    More details and screenshots for Disk Cleanup in Windows Vista can be found here.