I need help with getting rid of Google redirect virus please

Status
Not open for further replies.

Mewsaidthetoast

I believe I have a Google redirect virus since every time I search something on Google then click the link it takes me to some anti virus scan website of some sort. (The website keeps changing every time.) And every time I hit back and try the link again it redirects me to Google search. I was wondering if anyone knows how to help me get rid of it. Thanks.
 
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Logs

Completed the 8 steps. Sorry it took so long, the computer is really slow D:
 

Attachments

  • Attach.zip (4.6 KB)
  • DDS.txt (17.6 KB)
  • mbam-log-2010-06-19 (21-42-43).txt (892 bytes)
  • log1.log (22.1 KB)
No problem- I'm running behind also!
Looks like you may have a Vundo infection and Rootkit.

There was an Error on 6/17/2010 that instructed as follows:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:
IF you did not do this at the time, please do it now as follows:
Click on My Computer> right click on Local Drive (C)> Properties> Tools tab> Error checking> Check now> check both boxes> Apply> OK> Close the message that will come up and reboot the computer. The Error checking will begin. IF you have not done this as a part of your routine maintenance, it will take a while. Let it complete. The system will reboot itself when finished.
=====================================
I notice you already have Combofix on the system. I want you to uninstall it, then install the newest version:
Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
=======================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
===================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    ohci1394.*
    redbook.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
==============================
Please leave both logs in next reply.

You have Frontline Registry Cleaner running. Please either uninstall it (recommended) or disable it so it doesn't run while cleaning. Most of us don't recommend registry cleaners at all.

You also have LimeWire, a file sharing program, running. Please either uninstall it (recommended) or disable it so it doesn't run while cleaning.

I will be setting up a script for you to run after Combofix has scanned.
 
Log2

Logs completed. How do I delete Frontline Registry Cleaner? I searched for it and found an exe for the uninstall, but it said its name has been changed so the exe won't work, and then it deleted the shortcut of it and I couldn't find it in the Add or Remove Programs tool.
 

Attachments

  • SystemLook.txt (1.2 KB)
  • log.txt (19.4 KB)
You should know that Live Security Suite (LiveSecuritySuite) is a rogue, fake antivirus program which infects your PC when you download a video codec or update your flash player. So you will need to remove it and get a functioning antivirus program.

First, download one of the free antivirus programs below and save it to the desktop. Don't run yet:
Avira Free
Avast Home

Second, boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Then Check Add/Remove Programs in the Control Panel> uninstall Live Security Suite if present.
Do a right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs. Look for the folder for this program and do a right click> Delete.

Now double click on the setup for the new antivirus program and install it. You will have entries for the rogue program remaining, but I'll have them removed with a script I set up.
===========================
Okay, we have a language problem here. Are the following in your language? Can you translate for me?
Please open the Combofix log. In the section named Bestanden Gemaakt van 2010-05-26 to 2010-06-26(Files from the last 30 days) there is a group of entries beginning with:
2010-06-18 23:12 . 2010-06-18 23:12 41472 ----a-w- c:\windows\system32\crbrhvjmw.dll
and going through:
2010-06-13 19:16 . 2010-06-13 19:16 19 ----a-w- c:\windows\system32\pb.sys
which I cannot identify (ignore the c:\windows\system32\drivers\SAMSUNG entry).

There are 36 entries in this group.

Additionally, there is another file set up by Help Assistant, another malware infection, SelfDel.bat which is a batch script that will delete the original malware file after it completes its tasks. Since there is another language on some entries, I have to ask to be sure these aren't files from things you may have intentionally set up.

This is the same date you installed Hitman Pro (which you should uninstall).
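The triage the helper is doing by hand above, reading the ComboFix "Files Created" section for a burst of unfamiliar files dropped into system32 within the same minute, can be automated. The following Python is an added example, not part of the thread or of ComboFix: it parses lines in the format of the two entries quoted above (the line layout is inferred from those two entries, not from ComboFix documentation), lists what was created in a date window, and groups files dropped directly into system32 by creation minute. The sample log is constructed; its first and fifth lines are the two entries from the thread, the other system32 names are reused from the thread's script with made-up sizes, and the remaining paths are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "Files Created" line in a ComboFix log reads:
#   <created> . <modified> <size> <attributes> <path>
# The pattern below is inferred from the two lines quoted in the thread; it is
# not taken from ComboFix documentation (assumption).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

# Constructed sample: lines 1 and 5 are the two entries quoted in the thread;
# lines 2 and 3 reuse names from the thread's script with made-up sizes; lines
# 4 and 6 are invented to exercise the subdirectory and other-directory cases.
SAMPLE_LOG = r"""
2010-06-18 23:12 . 2010-06-18 23:12 41472 ----a-w- c:\windows\system32\crbrhvjmw.dll
2010-06-18 23:12 . 2010-06-18 23:12 39936 ----a-w- c:\windows\system32\btdmgnud.dll
2010-06-18 23:12 . 2010-06-18 23:12 40448 ----a-w- c:\windows\system32\qqepshr.dll
2010-06-18 23:13 . 2010-06-18 23:13 12288 ----a-w- c:\windows\system32\drivers\SAMSUNG\example.sys
2010-06-13 19:16 . 2010-06-13 19:16 19 ----a-w- c:\windows\system32\pb.sys
2010-06-10 08:00 . 2010-06-10 08:00 65536 ----a-w- c:\program files\example app\example.dll
"""


def parse_entries(text):
    """Parse every well-formed file line; unrelated log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size")),
            "attrs": m.group("attrs"),
            "path": m.group("path").lower(),
        })
    return entries


def created_between(entries, start, end):
    """Paths created on any day from `start` to `end` inclusive (YYYY-MM-DD)."""
    lo = datetime.strptime(start, "%Y-%m-%d")
    hi = datetime.strptime(end, "%Y-%m-%d") + timedelta(days=1)
    return sorted(e["path"] for e in entries if lo <= e["created"] < hi)


def suspicious_bursts(entries, directory="c:\\windows\\system32\\", min_count=3):
    """Group files dropped directly into `directory` by creation minute and
    return the groups holding at least `min_count` files, keyed by the
    timestamp text. Files in subdirectories (e.g. drivers\\SAMSUNG) are
    ignored, matching the helper's instruction to skip that entry."""
    groups = defaultdict(list)
    for e in entries:
        rest = e["path"][len(directory):]
        if e["path"].startswith(directory) and "\\" not in rest:
            groups[e["created"].strftime("%Y-%m-%d %H:%M")].append(e["path"])
    return {ts: sorted(paths) for ts, paths in groups.items() if len(paths) >= min_count}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(len(parsed), "entries parsed")
    for ts, paths in suspicious_bursts(parsed).items():
        print(ts, "->", len(paths), "files created in the same minute")
        for p in paths:
            print("   ", p)
```

On the sample the only burst is the three DLLs created at 23:12 on 2010-06-18; the lone pb.sys and the drivers\SAMSUNG entry do not form a group. Lower `min_count` or widen `directory` to look at other drop locations.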
 
Umm ya... our computer is put in Netherlands. I've tried changing it to English but it wouldn't work, so we always had to stick with it. Sorry, I don't know what those files are either. I used the Add or Remove tool to remove Hitman Pro, hoping it would delete it/uninstall it. Was I wrong?
 
Please download VundoFix.exe HERE and save to your desktop:
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the ‘Fix Vundo’ button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
==============================
There are so many entries I can't identify that I'm hoping this will remove at least some of them. Otherwise I will have to put them in the Combofix script, taking a chance that I might remove a valid entry in your language.

Do you understand what I'm saying?
 
Logs

'TR/Tdss.beea.93' in crbrhvjmw.dll was found by Avira, which then found 32 infected in about 5 minutes.
 

Attachments

  • VundoFix.txt (184 bytes)
  • hijackthis.log (10.6 KB)
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\docume~1\alluse~1\applic~1\FrontLine Registry Cleaner
c:\docume~1\owner\locals~1\temp\vtayn.sys
c:\documents and settings\HelpAssistant\SelfDel.bat
c:\windows\system32\drivers\hitmanpro35.sys
c:\documents and settings\All Users\Application Data\Hitman Pro
c:\program files\Hitman Pro 3.5
c:\windows\system32\crbrhvjmw.dll
c:\windows\system32\btdmgnud.dll
c:\windows\system32\qqepshr.dll
c:\documents and settings\OWNER\SelfDel.bat
c:\windows\system32\nsihvuvwg.dll
c:\windows\system32\uvllkli.dll
c:\windows\system32\vjmorwqg.dll
c:\windows\system32\tomteiest.dll
c:\windows\system32\dpejcrtub.dll
c:\windows\system32\upqcenuna.dll
c:\windows\system32\oqburpmfi.dll
c:\windows\system32\sdrtdevef.dll
c:\windows\system32\ernmlqd.dll
c:\windows\system32\roeairhpre.dll
c:\windows\system32\pviboik.dll
c:\windows\system32\ffgqewkfa.dll
c:\windows\system32\irdbuhwc.dll
c:\windows\system32\jslqowo.dll
c:\windows\system32\ktupospn.dll
c:\windows\system32\uljrogocim.dll
c:\windows\system32\ucptkoakr.dll
c:\windows\system32\mabugsn.dll
c:\windows\system32\ubhrmpn.dll
c:\windows\system32\uijjpnon.dll
c:\windows\system32\vvpgboqkb.dll
c:\windows\system32\rgrkvgcjs.dll
c:\windows\system32\vlwmuvvssc.dll
c:\windows\system32\tucwfed.dll
c:\windows\system32\prgujuu.dll
c:\windows\system32\heptckcdh.dll
c:\windows\system32\narotgppu.dll
c:\windows\system32\lipplajv.dll
c:\windows\system32\jifprkoo.dll
c:\windows\system32\ptmndsuiw.dll
c:\windows\system32\ddmmhpvh.dll
c:\windows\system32\pb.sys
	
Folder::
c:\documents and settings\All Users\Application Data\ZeoBIT

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AVPath"= -
SecCenter::
{477593FD-E36C-4D8B-AF80-7B9D3FFFBA20}

Driver::
vtayn

FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please tell me who your ISP is. You said you are in the Netherlands. However I note the two following providers- one in AZ, related to the military and the other in CO, both in the US:
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF66B923-E002-48E2-B56F-FB03648C78A3}: NameServer = 6.1.1.2,4.2.2.2

IP 6.1.1.2
OrgID: HEADQU-3
Address: NETC-ANC CONUS TNOSC
City: Fort Huachuca
StateProv: AZ
IP 4.2.2.2
OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO

See next reply after this has finished.
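The O17 check the helper does above (comparing the DNS servers HijackThis reports for each interface against what the user's ISP should be providing) is simple to script. The Python below is an added example, not part of the thread or of HijackThis: it parses O17 NameServer lines, resolves each address with the standard ipaddress module, and flags any resolver that is not inside an allow-list of expected networks. The sample log is constructed; its first O17 line is the one from the thread, the other two use placeholder GUIDs and made-up addresses, and EXPECTED_RESOLVERS is a placeholder to be filled from the router's status page or the ISP's documentation.

```python
import ipaddress
import re

# HijackThis reports per-interface DNS settings as O17 lines, e.g. the one
# quoted in the thread:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 6.1.1.2,4.2.2.2
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")

# Constructed sample log: the first O17 line is the one from the thread, the
# other two are invented (placeholder GUIDs, made-up addresses) to show the
# remaining outcomes. Non-O17 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF66B923-E002-48E2-B56F-FB03648C78A3}: NameServer = 6.1.1.2,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 10.9.8.7,not-an-ip
"""

# Placeholder (assumption): the resolvers the user's ISP or router actually
# hands out. Fill this in from the router status page or ISP documentation.
EXPECTED_RESOLVERS = ["192.168.1.1/32"]


def parse_o17(log_text):
    """Return (registry_key, [server, ...]) for every O17 NameServer line."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            found.append((m.group("key"), servers))
    return found


def check_nameservers(log_text, expected):
    """Flag every configured resolver that is not inside an expected network.

    Returns a list of (registry_key, server, reason). A resolver that cannot be
    parsed as an IP is reported too, since HijackThis should only show
    addresses here."""
    expected_nets = [ipaddress.ip_network(e) for e in expected]
    findings = []
    for key, servers in parse_o17(log_text):
        for s in servers:
            try:
                addr = ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, s, "not an IP address"))
                continue
            if any(addr in net for net in expected_nets):
                continue
            scope = "private" if addr.is_private else "public"
            findings.append((key, s, f"{scope} resolver not in expected set"))
    return findings


if __name__ == "__main__":
    for key, server, reason in check_nameservers(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{server:<12} {reason:<36} {key}")
```

Anything the script flags is only a lead: the next step is the same one the helper takes, asking what the ISP actually assigns and checking who owns the address, before deciding whether the entry was set deliberately.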
 
Complete instructions in Post #10 before running this:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Activex control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
ISP is Shaw. I live in Canada not Netherlands. It was a custom computer built.
 

Attachments

  • log2.txt (20.8 KB)
  • Loggg.txt (5.4 KB)
I'm sorry- I misread this:
Umm ya... our computer is put in Netherlands I've tried changing it to English

I don't see much of a chance of you getting the system clean> you are using LimeWire, a file sharing program which has brought in malware, and there appear to be pirated programs.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\HelpAssistant\Local Settings\Temp\Av-test.txt	Eicar test file
    C:\Documents and Settings\HelpAssistant\My Documents\trey's stuff\kukbot_1.12 2update\Bot\Config\System\Process.exe	
    C:\Documents and Settings\HelpAssistant\My Documents\trey's stuff\kukbot_1.12 update\Bot\Config\System\Process.exe	
    C:\Documents and Settings\HelpAssistant\My Documents\trey's stuff\mm.BOT.545\Config\System\Process.exe	
    C:\Documents and Settings\OWNER\My Documents\LimeWire\Saved\moonshine bandits (rare track).wav	
    C:\Documents and Settings\OWNER\My Documents\LimeWire\Saved\moonshine bandits [new album].au	
    C:\Documents and Settings\OWNER\My Documents\trey's stuff\kukbot_1.12 2update\Bot\Config\System\Process.exe	
    C:\Documents and Settings\OWNER\My Documents\trey's stuff\kukbot_1.12 update\Bot\Config\System\Process.exe	
    C:\Documents and Settings\OWNER\My Documents\trey's stuff\mm.BOT.545\Config\System\Process.exe	
    D:\ACDSee.Pro.2.v2.0.219.Incl.Keymaker-CORE\keygen.exe
    D:\ACDSee.Pro.2.v2.0.219.Incl.Keymaker-CORE\ACDSee PRO 2.0.219\keygen.exe
    D:\My Documents\trey's stuff\mm.Check.exe	
    D:\My Documents\trey's stuff\drop hacks\zDropHack\zLoader.exe	
    D:\My Documents\trey's stuff\OblivionV300b\zLoader.exe	
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===================================
Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg

  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

This ends my support.
 