Having continual problems with Google redirect virus

Status
Not open for further replies.

vukker

Hello, I am new to TechSpot, so thank you all in advance for any help you offer, as this problem has just gotten on my last nerve. I have followed the 8-step guide and am including the logs that are asked for. Waiting for further instruction, thank you.
 

Attachments:
  • mbam-log-2010-05-10 (09-54-01).txt (4.4 KB)
  • GMER.log (6 KB)
  • Attach.txt (20.6 KB)
  • DDS.txt (19.5 KB)
You're running two AV programs, Avira and PC-cillin.
One of them has to go.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with ComboFix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post HijackTHis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 

Hey Broni, thanks for responding so quickly. Which one do you feel is better? The PC-cillin is what came with the computer and Avira is what I downloaded when reading the 8-step guide. I just saw your post and am following the rest of the instructions and will post again when I'm done. Thanks.
 
Hey Broni, here are the HijackThis and ComboFix log files. Don't ask why I'm awake at 4:30 am.
 

Attachments:
  • hijackthis.log (13.5 KB)
  • log.txt (24.6 KB)
which one do you feel is better?
I have no preference here, assuming PC-cillin is paid for and current.
Is the redirection still present?
Which browser is affected?

Combofix reports:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Make sure to allow recovery console installation on next Combofix run.


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad


Folder::

Driver::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-


RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif, CFScript.txt being dragged onto ComboFix.exe]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Hey Broni, the redirect seems to be gone. I mainly use Mozilla Firefox, but I noticed the problem on both Chrome and IE. The problem seems to be gone on all browsers, so thank you very much for your help. I assume I'm not quite out of the woods yet. Here are the logs you asked for. I ran ComboFix twice. The first time I couldn't install the Recovery Console like you asked because my internet would not connect. The malware scan still ran the first time; then, after it was done, I connected to the internet and ran ComboFix again, which installed the Recovery Console successfully and then did another malware scan.
 
Sorry, didn't realize you could not attach anything in the quick reply section; here are the logs. The file titled log2 is the second ComboFix run, after the Recovery Console was installed.
 

Attachments:
  • log.txt (22.5 KB)
  • log2.txt (22.9 KB)
  • hijackthis.log (12.5 KB)
Very good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
Here are the logs you asked for.
 

Attachments:
  • hijackthis.log (12.8 KB)
  • kaspersky log.txt (2 KB)
Please empty the TrendMicro vault. That will take care of all bad files found by Kaspersky.

Re-run HJT and checkmark:
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click "Fix checked" button.

When done....


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
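The two O2 entries fixed above are the orphaned-BHO pattern: the CLSID is still registered under Browser Helper Objects, but the DLL it names is gone, which is why HijackThis prints "(no file)" and why "Fix checked" is safe (it only deletes the dangling registration). As an added example, not HijackThis code and not part of the original thread, here is a small Python triage of such a log. The sample log is constructed; it reuses the two CLSIDs from the post, while the third O2 line and the O4 autostart lines are made up, and the O4 rules (binaries in temp or profile directories, names mimicking svchost and friends) are my own assumptions, not rules HijackThis applies.

```python
"""Triage a HijackThis log: flag O2 BHO entries that are registered but point to
no DLL ("(no file)") and O4 autostart entries that look out of place.
Added example for this thread; it is not HijackThis code and its O4 heuristics
are assumptions, not rules HijackThis itself applies."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample log. The two "(no file)" O2 lines are the ones fixed in the
# thread; the remaining lines are made up to exercise the other rules.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O4 - HKCU\\..\\Run: [svchost] C:\\Documents and Settings\\vuk\\Local Settings\\Temp\\svchost.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")

# Directories a legitimate autostart binary rarely lives in (assumption).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")
# Core Windows process names that malware borrows for its own autostart entries.
LOOKALIKE_NAMES = {"svchost", "csrss", "lsass", "winlogon"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O2_RE.match(line)
        if m:
            # CLSID still registered as a BHO, but the DLL it names is missing:
            # a leftover of a removed component; "Fix checked" deletes the key.
            if m.group("path") == "(no file)":
                reasons.append("orphaned BHO: CLSID %s registered but DLL missing" % m.group("clsid"))
        else:
            m = O4_RE.match(line)
            if m:
                low_path = m.group("path").lower()
                if any(d in low_path for d in SUSPICIOUS_DIRS):
                    reasons.append("autostart binary in a user-writable or temp directory")
                if m.group("name").lower() in LOOKALIKE_NAMES:
                    reasons.append("autostart named after a core Windows process")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against a real hijackthis.log the script only narrows the list; an entry it flags still needs the file checked (hash, signature, vendor) before it is removed, and an entry it does not flag is not thereby clean.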
 
Dear Broni, thank you for your continual help; my computer was clean and running great. Until... haha, this morning I go to turn it on and in the middle of booting it stops and gives me an error message saying the file windows/system32/config/system is missing or corrupt. At the touch of any key it then reboots and tries to run the boot process all over again, leaving me in a never-ending loop. The only thing that could come to mind is that yesterday I transferred the contents of my previous laptop hard drive off my external hard drive and onto the one we have been cleaning. I don't see why this would cause this error, but I'm not the guru.

Cheers,
Vuk
 
Well, I'm not sure what happened, but there is a chance you transferred some infected files from your old drive.

Let's see, if we can look at your computer booting from an external source.

You will need USB flash drive to move information from bad computer to a working computer.

You need to download two programs.

First

ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system (Non working computer) using the boot CD you just created.
    • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box Automatically Load All Remaining Users is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Registry to All
    • Under Custom Scan box paste this in:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      userinit.exe
      explorer.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.
 
Hey Broni, thank you. I have successfully loaded the REATOGO desktop, but upon double-clicking on OTLPE, as the next step of your instructions says, the program takes a little while trying to open and then pops up an error message titled RunScanner Error: Registry Access Error, ret = 999: Error performing inpage operation. I click OK and nothing happens after that; it closes the program and I'm just back at the desktop. Hope to hear from you soon, thanks.

Cheers,
Vuk
 
On the computer you downloaded OTLPE.iso to, run the following...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    OTLPE.iso
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
It didn't find anything.
Are you sure you ran the scan on the computer where OTLPE.iso is located?
 
Sorry, read that wrong. Booting up the other computer now and I will post the log, but I couldn't connect to the internet on that computer with the REATOGO. Should I just transfer it with a flash drive, or can I connect to the internet somehow?

Cheers
Vuk
 
Hey Broni, I put SystemLook on a flash drive and moved it to the non-working computer and ran it, and I'm posting the log with it, but it also didn't find anything. I read your instructions over a number of times, so I'm just going to tell you what I did and maybe you will recognize something I'm doing wrong. I downloaded ISO Burner and installed it, then downloaded the OTLPE.iso, double-clicked on it and it opened ISO Burner and I burned the boot disk. I put the disk in the non-working computer and when starting up I hit F12 to go to boot setup. I chose the CD/DVD drive option and it boots up the REATOGO desktop. I double-click OTLPE and that is when I get the error. Thanks again.
 

Attachments:
  • SystemLook.txt (460 bytes)
OK, which computer did you download OTLPE.iso file to?
Broken one, or some good one?
 
Can you still see OTLPE.iso file on that computer?
When running SystemLook did you copy everything from a code box, including "colon" in front of "filefind"?
 
Yes, I can see the OTLPE.iso file on the good computer; it's sitting right on the desktop. I burned a second disk after double-clicking it again, just to make sure something wasn't wrong with the disk, or that maybe it got damaged or stopped in the burn process, but I had the same result. When using SystemLook I copied and pasted the code directly from your post and made sure to include the colon.

Cheers,
Vuk
 
Let's try SystemLook on the good computer with slightly different code:

Code:
:file
%userprofile%\desktop\OTLPE.iso
 
Found something; here are the results of the new SystemLook.
 

Attachments:
  • SystemLook.txt (840 bytes)
OK, it looks like a bad download.
File size and MD5 don't match what they're supposed to be.

Delete the OTLPE.iso file, download a fresh one and, before wasting another CD, run the very same SystemLook script and post the log back here.
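Two moments in this thread are the same check done by hand: the OTL custom scan's /md5start list, which hashes boot-critical drivers (atapi.sys, iaStor.sys, nvstor.sys, userinit.exe, ...) so a patched-in-place copy shows up by digest, and the final diagnosis, where the size and MD5 of OTLPE.iso were compared with the published values and found not to match. The following Python is an added example that serves both passages; it is not OTL, SystemLook or ComboFix code and is not from the thread. The files it hashes are constructed in a temporary directory, and the names used for them are borrowed from the /md5start list purely as labels.

```python
"""Hash-baseline check for files. Added example, not OTL, SystemLook or ComboFix
code. It covers what the thread does by hand in two places: the /md5start list
(hash critical drivers such as atapi.sys and compare with a known-good set) and
the final step, where the size and MD5 of OTLPE.iso were compared against the
published values and found not to match."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Tuple

Manifest = Dict[str, Tuple[int, str]]  # path -> (size in bytes, hex digest)


def file_digest(path: str, algo: str = "sha256") -> Tuple[int, str]:
    """Return (size, hexdigest), streaming in 1 MiB chunks so large ISOs fit in memory."""
    h = hashlib.new(algo)
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_manifest(paths: Iterable[str], algo: str = "sha256") -> Manifest:
    """Record size and digest for each file; run this on a machine believed clean."""
    return {p: file_digest(p, algo) for p in paths}


def verify_manifest(manifest: Manifest, algo: str = "sha256") -> Dict[str, str]:
    """Map each path to 'ok', 'missing', 'size-mismatch' or 'hash-mismatch'.
    Size is checked first: a short file is a truncated download; an equal-size
    file with a different digest is the patched-in-place pattern."""
    results: Dict[str, str] = {}
    for path, (exp_size, exp_hash) in manifest.items():
        if not os.path.isfile(path):
            results[path] = "missing"
            continue
        size, digest = file_digest(path, algo)
        if size != exp_size:
            results[path] = "size-mismatch"
        elif digest != exp_hash.lower():
            results[path] = "hash-mismatch"
        else:
            results[path] = "ok"
    return results


def check_download(path: str, expected_size: int, expected_hash: str, algo: str = "md5") -> str:
    """Single-file form of verify_manifest, for a download against the size and
    digest a publisher lists (MD5 here only because that is what the thread compared)."""
    return verify_manifest({path: (expected_size, expected_hash)}, algo)[path]


def demo() -> Dict[str, str]:
    """Create constructed files in a temp dir, baseline them, then alter them the
    way the thread's failure modes look. Returns status keyed by base name."""
    d = tempfile.mkdtemp(prefix="hashcheck-")
    names = ["atapi.sys", "iaStor.sys", "nvstor.sys", "userinit.exe"]
    paths = [os.path.join(d, n) for n in names]
    for p in paths:
        with open(p, "wb") as fh:
            fh.write(b"\x90" * 4096)   # constructed content, not real driver bytes
    baseline = build_manifest(paths)
    with open(paths[0], "wb") as fh:
        fh.write(b"\xcc" * 4096)       # same size, different bytes: patched in place
    with open(paths[1], "wb") as fh:
        fh.write(b"\x90" * 100)        # truncated
    os.remove(paths[2])                # gone entirely
    status = {os.path.basename(p): s for p, s in verify_manifest(baseline).items()}
    # The download case: publisher's size and MD5 match, then a wrong size.
    good_md5 = hashlib.md5(b"\x90" * 4096).hexdigest()
    status["download-good"] = check_download(paths[3], 4096, good_md5)
    status["download-short"] = check_download(paths[3], 4000, good_md5)
    return status


if __name__ == "__main__":
    for name, state in demo().items():
        print("%-16s %s" % (name, state))
```

Two caveats. The baseline has to come from somewhere trusted (install media, the vendor's published hashes, a known-clean machine); a manifest built on the infected box just records the patched files as normal. And MD5 is adequate for catching a truncated or corrupt download, which is all the thread needed, but not for resisting deliberate tampering; compare against SHA-256 whenever the publisher lists one.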
 