TechSpot

Yet another google redirect virus

By iankbailey
Nov 22, 2009
Topic Status:
Not open for further replies.
  1. Like many others it appears I have the Google redirect virus. I'm just getting redirected; it doesn't seem to be affecting me in any other way. The only other thing it may be affecting is this program called Team Fortress 2, but that might be another problem altogether. I followed the 8 steps and it didn't seem to do anything. I do have Ad-Aware installed, which seems to be considered a threat by most of the virus protection programs. Thank you in advance for the help.

    Edit: Would I be safe to just run combofix at this point?
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, please don't run Combofix at this point- I'm reviewing your logs.
  3. iankbailey

    iankbailey TS Rookie Topic Starter

    Don't know if this helps but my avast has been picking up files like this roughly every 10-20 minutes.
    C:\WINDOWS\TEMP\mlex.tmp\svchost.exe
    C:\WINDOWS\TEMP\ueuc.tmp\svchost.exe
    C:\WINDOWS\TEMP\ibgy.tmp\svchost.exe

    I've just been moving them to the chest as it recommends.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, iankbailey. I'll help with the malware.

    I don't see AdAware from Lavasoft on the system. But Malwarebytes found this: C:\Program Files\AdwareAlert (Rogue.AdwareAlert)

    Rogue
    From SpywareWarrior:
    FYI:
    One of the most frequent, heavy advertisers of rogue spyware is AdwareAlert. This program exploits the name of the legitimate program AdAware from Lavasoft the same way a program named Spwarebot does for Spybot Search & Destroy.

    This is the reason why it is so important to use the links we give.

    Please revisit Step 3 for instructions on stopping TeaTimer.

    Please reopen HijackThis to 'do system scan only'. Check each of the following, if present. NOTE: optional removals are in green.

    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Search Settings\SearchSettings.exe
    R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
    >See Optional 1
    O2 - BHO: (no name) - {4E45C414-5019-4966-9013-6950C35E6C06} - (no file) See Special
    O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll> See Optional 1
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) (McAfee Site Advisor)
    O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"> See Optional 2
    O16 - DPF: {931C1175-E08E-4ADA-9AED-4A2828AE1011} (PbEbkick Control) - http://210.166.234.104/activex/pbebkick.cab
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Close all Windows except HijackThis and click on "Fix Checked"

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove. These are all optional removals, but I recommend removing ALL of them:
    Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.
    SearchSettings
    BitTorrent


    Access Windows Explorer: Right click on Start> Run> My Computer> Local Drive (C)> go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide operating system files (Recommended)'> Apply> OK

    Go to Programs and do a right click> delete on these Program folders:
    C:\Program Files\Viewpoint
    C:\Program Files\BitTorrent
    C:\Program Files\Search Settings


    Click on Start > Run and type: services.msc> OK
    • Click the "Extended tab".
    • Double-click on "Viewpoint Manager Service"
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Open Internet Explorer> Tools> Manage Add-ons> look for PbEbkick Control and click to highlight> click on Disable.

    Go back and hide the files and Folders.
    Empty the Recycle Bin.

    Special: this toolbar is for a Parasite producing false spyware warnings and redirecting to fake security sites, member of the FakeAlert aka SmitFraud malware family.

    Optional 1: Foistware>> Not a virus or malware. Usually bundled with something you downloaded and installs without your knowledge or permission. The removals are optional but I do recommend foistware be removed.
    Viewpoint: You have Viewpoint Media Player installed on your system.
    SearchSettings: Vendio "Search Settings" foistware, bundled with its Dealio toolbar or PDF Creator, which is in turn bundled with numerous third party applications.

    Optional 2: P2P Warning: Bit Torrent
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    The warning you're getting has to do with the 'fake alert' and it's in the temp files.
    Reboot into Normal Mode when you have finished:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Then run new scan with HijackThis. Please paste the log into the next reply.
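The HijackThis entries quoted in the post above can be triaged with a few generic rules that do not depend on knowing each vendor's name: registry entries whose target file is gone ("(no file)"), ActiveX (O16 DPF) downloads served from a bare IP address, one CLSID registered in more than one section (so it has to be fixed as a unit), and a Windows system binary name such as svchost.exe running from outside its real directory, as in the avast detections from %SystemRoot%\TEMP. The script below is an added example written for this page, not code from the thread, from HijackThis or from avast. The sample log lines are constructed from the entries posted above; the legitimate svchost.exe directories are an assumption for a 32-bit Windows XP install, and the third AV path is a constructed legitimate control case.

```python
"""Added example: triage HijackThis log lines and antivirus detection paths."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the HijackThis entries quoted in the thread above.
HJT_SAMPLE = r"""
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: (no name) - {4E45C414-5019-4966-9013-6950C35E6C06} - (no file)
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O16 - DPF: {931C1175-E08E-4ADA-9AED-4A2828AE1011} (PbEbkick Control) - http://210.166.234.104/activex/pbebkick.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Constructed sample: the paths avast reported, plus one legitimate control path.
AV_SAMPLE = [
    r"C:\WINDOWS\TEMP\mlex.tmp\svchost.exe",
    r"C:\WINDOWS\TEMP\ueuc.tmp\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",  # constructed: where the real one lives
]

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://\S+")

# Assumption: legitimate homes for svchost.exe on 32-bit Windows XP (lower-case for comparison).
SVCHOST_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
)


def parse_hjt(text):
    """Split a HijackThis log into {section, body, raw} records, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append({"section": m["section"], "body": m["body"], "raw": raw})
    return entries


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_hjt(entries):
    """Return (rule, evidence) findings for orphan entries, DPF-from-IP and shared CLSIDs."""
    findings = []
    by_clsid = {}
    for e in entries:
        body = e["body"]
        if body.endswith("(no file)"):
            findings.append(("orphan: registry entry points to a missing file", e["raw"]))
        if e["section"] == "O16":
            m = URL_RE.search(body)
            host = urlparse(m.group()).hostname if m else None
            if host and _is_ip(host):
                findings.append(("activex: DPF download served from a bare IP address", e["raw"]))
        for clsid in CLSID_RE.findall(body):
            by_clsid.setdefault(clsid.upper(), []).append(e["section"])
    # The same CLSID showing up as URLSearchHook and BHO is one component: fix both lines together.
    for clsid, sections in by_clsid.items():
        if len(set(sections)) > 1:
            rule = "shared clsid: one component registered in " + ", ".join(sorted(set(sections)))
            findings.append((rule, clsid))
    return findings


def check_system_binary(path):
    """Flag a file named svchost.exe that runs from anywhere but its legitimate directories."""
    directory, _, name = path.rpartition("\\")
    if name.lower() == "svchost.exe" and directory.lower() not in SVCHOST_DIRS:
        return ("masquerade: svchost.exe outside System32", path)
    return None


if __name__ == "__main__":
    for rule, evidence in triage_hjt(parse_hjt(HJT_SAMPLE)):
        print(f"{rule}\n    {evidence}")
    for finding in filter(None, map(check_system_binary, AV_SAMPLE)):
        print(f"{finding[0]}\n    {finding[1]}")
```

The rules are deliberately generic: the "(no file)" orphans and the DPF control fetched from a raw IP surface without any vendor list, and the shared-CLSID check shows why the R3 and O2 SearchSettings lines are one removal, not two. Moving a masquerading svchost.exe to the AV chest only treats the copy that was dropped; the dropper that keeps writing new ones into TEMP is what the log review is trying to locate.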
  5. iankbailey

    iankbailey TS Rookie Topic Starter

    It would seem that I can't boot into Safe Mode. When I try I get a message that says something along the lines of "press esc to cancel loading SPTD.SYS." Then the machine just restarts itself and goes back to the loading screen.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Can you get into the system at all? Was it at the end of the HJT removal when I had you boot into Safe Mode?

    Whenever you report an error message, it needs to be exact.

    IF you can boot into Normal Mode, hold on HJT directions and do this first:

    Filename: sptd.sys is the driver used by the CD-ROM emulation program Daemon Tools version 4. There have been some reports of problems with this driver.

    Apparently you have this on Startup. It does not need to be there:

    Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK any process relating to Daemon Tools> Apply> OK

    If you have a problem knowing which process, see the image at this URL.
    http://img116.imageshack.us/img116/5327/msconfigyd9.jpg

    Click on the cross hair dividing line on the frame between Command and Location. Hold left mouse button down and move to the right. This will expand the Command column so you can see what a process goes with:

    Command: System32\Drivers\sptd.sys

    Reboot the computer when finished and resume the Safe Mode section. If you cannot get into Normal Mode either, then you'll have to do a repair.