TechSpot

Having continual problems with Google redirect virus

Inactive
By vukker
May 10, 2010
  1. Hello, I am new to TechSpot, so thank you all in advance for any help you offer, as this problem has just gotten on my last nerve. I have followed the 8-step guide and am including the logs that are asked for. Waiting for further instruction. Thank you.
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    You're running two AV programs, Avira and PC-cillin.
    One of them has to go.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  3. vukker

    vukker TS Rookie Topic Starter Posts: 37

    reply

    Hey Broni, thanks for responding so quickly. Which one do you feel is better? The PC-cillin is what came with the computer and Avira is what I downloaded when reading the 8-step guide. I just saw your post and am following the rest of the instructions and will post again when I'm done. Thanks
     
  4. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Hey Broni, here are the HijackThis and ComboFix log files. Don't ask why I'm awake at 4:30 am.
     

    Attached Files:

  5. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    I have no preference here, assuming PC-cillin is paid for and current.
    Is the redirection still present?
    Which browser is affected?

    Combofix reports:
    Make sure to allow recovery console installation on next Combofix run.


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\lvuvc.hs
    c:\windows\system32\drivers\logiflt.iad
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  6. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Hey Broni, the redirect seems to be gone. I mainly use Mozilla Firefox, but I noticed the problem on both Chrome and IE. The problem seems to be gone on all browsers, so thank you very much for your help. I assume I'm not quite out of the woods yet. Here are the logs you asked for. I ran ComboFix twice..... the first time I couldn't install the Recovery Console like you asked because my internet would not connect. The malware scan still ran the first time; then, after it was done, I connected to the internet and ran ComboFix again, which installed the Recovery Console successfully and then did another malware scan.
     
  7. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Sorry, I didn't realize you could not attach anything in the quick reply section. Here are the logs. The file titled log2 is the second ComboFix run, after the Recovery Console was installed.
     

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Very good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  9. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Here are the logs you asked for.
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Please, empty TrendMicro vault. That will take care of all bad files found by Kaspersky.

    Re-run HJT and checkmark:
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    Click "Fix checked" button.

    When done....


    Your computer is clean.

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
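The two O2 entries Broni asks the poster to fix are the kind of line a HijackThis log produces when a Browser Helper Object is still registered but its DLL is gone ("(no file)"). The parser below is an added example, not code from the thread or from HijackThis itself; it picks those orphaned entries out of a log and keeps the ones that still point at a real DLL separate, since those need to be judged before anything is removed. The sample log is constructed: the first two CLSIDs are the ones from the post above, the rest are made-up entries.

```python
import re

# A HijackThis "O2" line has the shape
#   O2 - BHO: <display name> - {<CLSID>} - <DLL path or "(no file)">
# "(no file)" means the registry still lists the helper object but the DLL
# it points to is gone, which is why such entries are safe to "Fix checked".
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$"
)


def parse_o2(line):
    """Parse one HijackThis log line; return a dict for O2 entries, else None."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target").strip()
    return {
        "name": m.group("name").strip(),
        "clsid": m.group("clsid").upper(),
        "target": target,
        "orphan": target.lower() == "(no file)",
    }


def orphan_bhos(log_text):
    """CLSIDs of BHO entries whose DLL no longer exists on disk."""
    entries = (parse_o2(line) for line in log_text.splitlines())
    return [e["clsid"] for e in entries if e and e["orphan"]]


def live_bhos(log_text):
    """(CLSID, DLL path) for BHO entries that still point at a real file.
    These are the ones worth checking against vendor hashes or uploading
    to a scanner before deciding to remove them."""
    entries = (parse_o2(line) for line in log_text.splitlines())
    return [(e["clsid"], e["target"]) for e in entries if e and not e["orphan"]]


# Constructed sample log.  The first two lines are the entries Broni told the
# poster to fix; the remaining lines are made-up examples of ordinary entries.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
"""

if __name__ == "__main__":
    for clsid in orphan_bhos(SAMPLE_LOG):
        print("orphan BHO, safe to fix:", clsid)
    for clsid, path in live_bhos(SAMPLE_LOG):
        print("BHO with a DLL on disk, check it first:", clsid, path)
```

The split matters: an orphaned CLSID is dead registry weight and removing it cannot break anything, whereas a BHO with a DLL on disk may be a legitimate toolbar or the actual redirector, so its hash and path should be checked before it is fixed.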
     
  11. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Dear Broni, thank you for your continual help. My computer was clean and running great. Until..... haha, this morning I go to turn it on and in the middle of booting it stops and gives me an error message saying the file windows/system32/config/system is missing or corrupt. At the touch of any key it then reboots and tries to run the boot process all over again, leaving me in a never-ending loop. The only thing that could come to mind is that yesterday I transferred the contents of my previous laptop hard drive off my external hard drive and onto the one we have been cleaning. I don't see why this would cause this error, but I'm not the guru.

    Cheers,
    Vuk
     
     
  12. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Well, I'm not sure what happened, but there is a chance you transferred some infected files from your old drive.

    Let's see if we can look at your computer booting from an external source.

    You will need a USB flash drive to move information from the bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions).

    Second

    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded, double click the file and this will open ISOBurner to burn it to CD
    • Reboot your system (Non working computer) using the boot CD you just created.
      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        netsvcs
        %SYSTEMDRIVE%\*.exe
        /md5start
        eventlog.dll
        scecli.dll
        netlogon.dll
        cngaudit.dll
        sceclt.dll
        ntelogon.dll
        logevent.dll
        iaStor.sys
        nvstor.sys
        atapi.sys
        IdeChnDr.sys
        viasraid.sys
        AGP440.sys
        vaxscsi.sys
        nvatabus.sys
        viamraid.sys
        nvata.sys
        nvgts.sys
        iastorv.sys
        ViPrt.sys
        eNetHook.dll
        ahcix86.sys
        KR10N.sys
        nvstor32.sys
        ahcix86s.sys
        nvrd32.sys
        symmpi.sys
        adp3132.sys
        mv61xx.sys
        userinit.exe
        explorer.exe
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
        %systemroot%\System32\config\*.sav
    • Press Run Scan to start the scan.
    • When finished, the file will be saved as C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
     
  13. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Hey Broni, thank you. I have successfully loaded the REATOGO desktop, but upon double clicking on OTLPE, as the next step of your instructions says, the program takes a little while to try opening and then pops up an error message titled RunScanner Error: Registry Access Error, ret = 999: Error performing inpage operation. I click OK and nothing happens after that; it closes the program and I'm just back at the desktop. Hope to hear from you soon. Thanks.

    Cheers,
    Vuk
     
  14. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    On the computer you downloaded OTLPE.iso to, run the following...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      OTLPE.iso
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  15. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Here is the SystemLook log.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    It didn't find anything.
    Are you sure you ran the scan on the computer where OTLPE.iso is located?
     
  17. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Sorry, I read that wrong. Booting up the other computer now and I will post the log, but I couldn't connect to the internet on that computer with the REATOGO. Should I just transfer it with a flash drive, or can I connect to the internet somehow?

    Cheers
    Vuk
     
  18. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Hey Broni, I put SystemLook on a flash drive and moved it to the non-working computer and ran it. I'm posting the log with it, but it also didn't find anything. I read your instructions over a number of times, so I'm just going to tell you what I did and maybe you will recognize something I'm doing wrong. I downloaded ISOBurner and installed it, then downloaded the OTLPE.iso, double clicked on it and it opened ISOBurner, and I burned the boot disk. I put the disk in the non-working computer and when starting up I hit F12 to go to boot setup. I chose the CD/DVD drive option and it boots up the REATOGO desktop. I double click OTLPE and that is when I get the error. Thanks again.
     

    Attached Files:

  19. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    OK, which computer did you download the OTLPE.iso file to?
    The broken one, or some good one?
     
  20. vukker

    vukker TS Rookie Topic Starter Posts: 37

    a good one
     
  21. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Can you still see the OTLPE.iso file on that computer?
    When running SystemLook, did you copy everything from the code box, including the "colon" in front of "filefind"?
     
  22. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Yes, I can see the OTLPE.iso file on the good computer; it's sitting right on the desktop. I burned a second disk after double clicking it again, just to make sure something wasn't wrong with the disk or maybe it got damaged or stopped in the burn process, but I had the same result. When using SystemLook I copied and pasted the code directly from your post and made sure to include the colon.

    Cheers,
    Vuk
     
  23. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    Let's try SystemLook on the good computer with slightly different code:

    Code:
    :file
    %userprofile%\desktop\OTLPE.iso
    
     
  24. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Found something. Here are the results of the new SystemLook.
     

    Attached Files:

  25. Broni

    Broni Malware Annihilator Posts: 48,011   +271

    OK, it looks like a bad download.
    File size and MD5 number don't match what they're supposed to be.

    Delete the OTLPE.iso file, download a fresh one and, before wasting another CD, run the very same SystemLook script and post the log back here.
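Two steps in this thread come down to the same operation: SystemLook's `:file` report (size and MD5 of the downloaded ISO, compared here against the published values) and the `/md5start ... /md5stop` list in the OTLPE scan (hashes of boot-critical drivers like atapi.sys, which redirect rootkits of that era patched in place). The script below is an added example, not code from the thread, SystemLook or OTL; it performs both checks in Python. The "published" size and hash, the baseline table and the files it hashes are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-hundred-MB ISO need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, expected_size, expected_md5):
    """Check a downloaded file against its published size and MD5.

    Returns (ok, problems).  Size is checked first because a truncated
    download is the most common reason for a hash mismatch.
    """
    problems = []
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        problems.append(f"size {actual_size} bytes, expected {expected_size}")
    actual_md5 = file_digest(path, "md5")
    if actual_md5 != expected_md5.lower():
        problems.append(f"md5 {actual_md5}, expected {expected_md5.lower()}")
    return (not problems, problems)


def check_against_baseline(directory, baseline, algo="md5"):
    """Compare files in `directory` with a {filename: digest} baseline.

    Returns {filename: "ok" | "MODIFIED" | "MISSING"}.  A boot driver such as
    atapi.sys whose hash differs from the vendor's known-good value is the
    classic sign of a patched (rootkitted) system file.
    """
    status = {}
    for name, good in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            status[name] = "MISSING"
        elif file_digest(path, algo) == good.lower():
            status[name] = "ok"
        else:
            status[name] = "MODIFIED"
    return status


# MD5 of the bytes b"hello"; used below as a stand-in "published" value.
MD5_HELLO = "5d41402abc4b2a76b9719d911017c592"


def demo():
    """Run both checks on constructed files in a scratch directory.

    No real ISO or Windows driver is involved; the file contents, sizes and
    hashes are made up for the demonstration.
    """
    with tempfile.TemporaryDirectory() as d:
        good_iso = os.path.join(d, "OTLPE.iso")
        with open(good_iso, "wb") as f:
            f.write(b"hello")
        bad_iso = os.path.join(d, "OTLPE-truncated.iso")
        with open(bad_iso, "wb") as f:
            f.write(b"hel")  # a download that stopped early

        # Constructed baseline: one "driver" intact, one tampered, one missing.
        for name, data in (("atapi.sys", b"hello"), ("userinit.exe", b"patched")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = {"atapi.sys": MD5_HELLO, "userinit.exe": MD5_HELLO, "explorer.exe": MD5_HELLO}

        return {
            "good": verify_download(good_iso, 5, MD5_HELLO),
            "bad": verify_download(bad_iso, 5, MD5_HELLO),
            "baseline": check_against_baseline(d, baseline),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

MD5 is adequate for catching a corrupted or truncated download, which is the problem in this thread, but it is not a defence against a deliberately substituted file, since MD5 collisions are practical; for a tamper check pass `algo="sha256"` and take the expected hash from a source other than the mirror that served the file.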
     
Topic Status:
Not open for further replies.

