Please help. some type of virus keeps redirecting me when Internet surfing

Discussion in 'Virus and Malware Removal' started by jondjames, Aug 7, 2012.

  1. Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com.

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and this time rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  2. jondjames Newcomer, in training Posts: 22

    ComboFix 12-08-10.01 - angela 08/11/2012 12:47:36.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1520 [GMT -4:00]
    Running from: c:\users\angela\Desktop\ComboFix.exe
    AV: Trend Micro Internet Security *Disabled/Outdated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
    FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
    SP: Trend Micro Internet Security *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\angela\AppData\Roaming\alggui.exe
    c:\users\angela\AppData\Roaming\scdata
    c:\users\angela\AppData\Roaming\scdata\images\i1.gif
    c:\users\angela\AppData\Roaming\scdata\images\i2.gif
    c:\users\angela\AppData\Roaming\scdata\images\i3.gif
    c:\users\angela\AppData\Roaming\scdata\images\j1.gif
    c:\users\angela\AppData\Roaming\scdata\images\j2.gif
    c:\users\angela\AppData\Roaming\scdata\images\j3.gif
    c:\users\angela\AppData\Roaming\scdata\images\jj1.gif
    c:\users\angela\AppData\Roaming\scdata\images\jj2.gif
    c:\users\angela\AppData\Roaming\scdata\images\jj3.gif
    c:\users\angela\AppData\Roaming\scdata\images\l1.gif
    c:\users\angela\AppData\Roaming\scdata\images\l2.gif
    c:\users\angela\AppData\Roaming\scdata\images\l3.gif
    c:\users\angela\AppData\Roaming\scdata\images\pix.gif
    c:\users\angela\AppData\Roaming\scdata\images\t1.gif
    c:\users\angela\AppData\Roaming\scdata\images\t2.gif
    c:\users\angela\AppData\Roaming\scdata\images\Thumbs.db
    c:\users\angela\AppData\Roaming\scdata\images\up1.gif
    c:\users\angela\AppData\Roaming\scdata\images\up2.gif
    c:\users\angela\AppData\Roaming\scdata\images\w1.gif
    c:\users\angela\AppData\Roaming\scdata\images\w11.gif
    c:\users\angela\AppData\Roaming\scdata\images\w2.gif
    c:\users\angela\AppData\Roaming\scdata\images\w3.jpg
    c:\users\angela\AppData\Roaming\scdata\images\word.doc
    c:\users\angela\AppData\Roaming\scdata\images\wt1.gif
    c:\users\angela\AppData\Roaming\scdata\images\wt2.gif
    c:\users\angela\AppData\Roaming\scdata\images\wt3.gif
    c:\users\angela\AppData\Roaming\scdata\wispex.html
    c:\users\angela\AppData\Roaming\skynet.dat
    c:\users\angela\AppData\Roaming\wp3.dat
    c:\users\angela\AppData\Roaming\wp4.dat
    c:\users\angela\Documents\~WRL0866.tmp
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\pt
    c:\windows\system32\pt\smartfacevcp.dll.mui
    c:\windows\system32\pt\toscdspd.cpl.mui
    c:\windows\system32\service
    c:\windows\system32\service\10042010_TIS17_SfFniAU.log
    c:\windows\system32\service\16012012_TIS17_SfFniAU.log
    c:\windows\system32\service\17022009_TIS17_SfFniAU.log
    c:\windows\system32\service\20062011_TIS17_SfFniAU.log
    c:\windows\TEMP\mia45\mEXEFunc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-11 to 2012-08-11 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-11 17:00 . 2012-08-11 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-08 01:45 . 2012-08-08 01:45 -------- d-----w- C:\FRST
    2012-07-27 12:55 . 2012-07-27 12:55 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-25 00:12 . 2012-07-25 00:12 -------- d-----w- c:\users\angela\AppData\Local\Macromedia
    2012-07-24 13:00 . 2012-06-29 08:44 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{59D4FD3F-CE2D-4008-BCB7-9B8BACC8CA74}\mpengine.dll
    2012-07-24 00:56 . 2012-08-03 21:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-13 00:16 . 2012-07-13 00:22 -------- d-----w- c:\users\angela\AppData\Local\Apple Computer
    2012-07-13 00:11 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2012-07-13 00:11 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
    2012-07-13 00:09 . 2012-07-13 00:09 -------- d-----w- c:\program files\iPod
    2012-07-13 00:09 . 2012-07-13 00:10 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2012-07-13 00:09 . 2012-07-13 00:10 -------- d-----w- c:\program files\iTunes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-03 21:52 . 2012-02-13 20:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-03 17:46 . 2010-04-30 01:29 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-31 16:25 . 2010-03-29 23:06 237072 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-30 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-10-06 59240]
    "ApplePhotoStreams"="c:\program files\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2011-09-29 59240]
    "HP Photosmart 5510 series (NET)"="c:\program files\HP\HP Photosmart 5510 series\Bin\ScanToPCActivationApp.exe" [2011-09-16 1804648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
    "HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
    "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 81920]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-10-21 995528]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    .
    c:\users\angela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Hawkes Update Notifier.lnk - c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe [2011-11-23 3140288]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-26 214360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
    2008-04-29 18:33 417792 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2008-04-08 23:14 6037504 ----a-w- c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2007-12-07 02:12 1029416 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-11 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-24 21:52]
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 17:27]
    .
    2012-08-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-02 17:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\users\angela\AppData\Roaming\Mozilla\Firefox\Profiles\si4rnafn.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
    MSConfigStartUp-cfFncEnabler - cfFncEnabler.exe
    MSConfigStartUp-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
    MSConfigStartUp-NDSTray - NDSTray.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-08-11 13:07
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\Trend Micro\BM\TMBMSRV.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
    c:\program files\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe
    c:\program files\Medicomp\Server\medcinserv.exe
    c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
    c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
    c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\HP Photosmart 5510 series\Bin\HPNetworkCommunicator.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-08-11 13:11:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-11 17:11
    .
    Pre-Run: 151,130,435,584 bytes free
    Post-Run: 152,286,380,032 bytes free
    .
    - - End Of File - - 74A93BD2C0D7310A1D209DBD90CD72B5
  3. jondjames Newcomer, in training Posts: 22

    Things are looking pretty good over here :)
  4. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Scan with Malwarebytes' Anti-Malware

    Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.
  5. jondjames Newcomer, in training Posts: 22

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.08.12.06
    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 8.0.6001.19088
    angela :: ANGELA-PC [administrator]
    8/12/2012 8:22:30 PM
    mbam-log-2012-08-12 (20-22-30).txt
    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 351918
    Time elapsed: 1 hour(s), 54 minute(s), 59 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
  6. Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  7. jondjames Newcomer, in training Posts: 22

    Not sure if I did something wrong or not, but this is all that appears in the .txt log from the ESET scan:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
  8. Jay Pfoutz Malware Helper Posts: 4,286   +49

    That's okay.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  9. jondjames Newcomer, in training Posts: 22

    Performance-wise, I think the computer is back to normal, with a few minor exceptions: previously, when restarting or turning the PC on, it would boot much faster. And I keep getting an error message when trying to download updates from Windows; doing a little research, I think it has something to do with the BIT service. I don't see it running when I run services.msc.
  10. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go to Start > type in CMD and right-click on Command Prompt in the results pane and hit Run as administrator...

    Type the following in Command Prompt and hit enter:

    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto

    Once done, tell me how it's working.
  11. jondjames Newcomer, in training Posts: 22

    Woot woot! That got BITS started and the updates installed successfully! The computer seems to be running like a brand new one, other than the extremely slow boot process. It used to be very snappy.
  12. jondjames Newcomer, in training Posts: 22

    Maybe I spoke too soon :( Now I'm having problems getting Windows Defender to run. I keep getting an error message when I try to start it that says "application failed to initialize: 0x800106ba a problem caused this service to stop...."
  13. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Go into Command Prompt as before and enter the following, hitting the Enter button after each line:

    sc stop WinDefend
    sc start WinDefend
    exit

    Then, let me know if it will update.
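    As an added check (example code, not part of the thread or of any tool named in it), the following PowerShell verifies the state, start type and image path of the BITS and Windows Defender services that the sc commands in posts 10 and 13 create and restart. The 'svchost.exe -k netsvcs' host line is taken from the sc create command in the thread; MsMpEng.exe as the Defender binary and the trusted-directory test are this example's own assumptions.

```powershell
# Added example, not from the thread: verify the BITS and Windows Defender
# service configuration that the sc commands above create and restart.
# Assumptions: Windows PowerShell 2.0 or later, run from an elevated prompt.
# 'svchost.exe -k netsvcs' comes from the sc create command in the thread;
# 'MsMpEng.exe' is an assumed name for the Windows Defender engine binary.

$Expected = @{
    'BITS'      = 'svchost.exe -k netsvcs'   # BITS is hosted in the netsvcs svchost group
    'WinDefend' = 'MsMpEng.exe'              # Windows Defender engine (assumed binary name)
}

function Test-ServiceConfig {
    param([string]$Name, [string]$ExpectedImageFragment)

    $r = @{ Name = $Name; Exists = $false; State = $null; Start = $null;
            ImagePath = $null; Ok = $false; Note = '' }

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $r.Note = 'missing from the service database (this is what the sc create fix above repairs)'
        return New-Object PSObject -Property $r
    }
    $r.Exists = $true
    $r.State  = $svc.Status

    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    if ($key) {
        $r.Start     = $key.Start      # 2 = automatic, 3 = manual, 4 = disabled
        $r.ImagePath = $key.ImagePath
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$key.ImagePath)
        # A service host outside System32 or Program Files is a red flag: the files
        # ComboFix removed earlier in this thread lived under AppData\Roaming and TEMP.
        $trustedDir  = $expanded -match '^"?[A-Za-z]:\\(Windows\\System32|Program Files)\\'
        $hasFragment = $expanded -like "*$ExpectedImageFragment*"
        $r.Ok = $trustedDir -and $hasFragment -and ($key.Start -ne 4)
        if (-not $r.Ok) { $r.Note = 'ImagePath or Start differs from the expected configuration; review it' }
    } else {
        $r.Note = 'service registry key not readable'
    }
    New-Object PSObject -Property $r
}

$Expected.Keys |
    ForEach-Object { Test-ServiceConfig -Name $_ -ExpectedImageFragment $Expected[$_] } |
    Format-List Name, Exists, State, Start, ImagePath, Ok, Note
```

    Run it once before and once after the sc commands to confirm the services now exist, point at the expected host binary, and are not disabled.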
  14. Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.