Yet another google redirect virus

By lostreality
Jun 6, 2010
Topic Status:
Not open for further replies.
  1. My google searches have all been redirecting to advertisements since yesterday the search works fine, but when you click on the links it redirects to some random ad sites. Although it doesn't redirect it 100% of the time. Yahoo is also redirecting occasionally.

    So far I've tried the steps from this forum and (based on advice I could find on random forums online) I've also tried Hitman pro 3.5, gooredfix, ad-aware, spybot search and destroy, AVG and spywareblaster. Some of these programs have come up with a couple of infected files and said it fixed them, but nothing has taken care of my redirect problem. I turned off system restore beforehand so the virus wouldn't be saved in a restore point.

    I see some people have suggested combofix, but I've also seen a lot of warnings against potentially messing up your computer with combofix, so if someone could walk me through some next steps that would be really appreciated.

    I'm attaching all the logs below- the malware bites one is clear, but I ran it yesterday afternoon (before my husband told me about this website) and it deleted the following files:

    Files Infected:
    C:\Documents and Settings\Arielle\Local Settings\Temp\2D73.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Arielle\Local Settings\Temp\2D76.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Arielle\Local Settings\Temp\CMEY.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Arielle\Local Settings\Temporary Internet Files\Content.IE5\BIFTCJX4\yHfff090eaV03009f35002R6ad7e23f102Tb3fabf45Q000002fd901801F002d000aJ0f000601l0409Kf4bad4d63180[1] (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Arielle\Local Settings\Temporary Internet Files\Content.IE5\L7VL1KIO\eH0972e11eV03f01730002R5b9a9595102T4220cbaeQ000002fc901801F0020000aJ0f000601l0409Kf8f9f9d43180[1] (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Arielle\Local Settings\Temporary Internet Files\Content.IE5\QC4QK6SA\0001134[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\18467.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\2D78.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\2D7A.tmp (Rootkit.Dropper) -> Quarantined and deleted successfully.


    Thanks so much in advance!!

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Not good:
    Please remove Hitman pro 3.5, gooredfix. Both need to be uninstalled. The others can stay.

    Very good:
    I have checked the logs and you do need to run Combofix. I'm giving your the directions to do so. You showed good restraint in not running it until and unless your helper instructed tyou to. You have a Rootkit. We'll see if Combofix fixes it- if not, I'll move it after seeing the Combofix report:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ================================
    Please follow with this:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please leave both of the logs in your next reply.

    Please do not use any other cleaning programs or scans while I am helping you unless I instruct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I noticed you are running Bit Torrent:
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    If you choose not to uninstall BitTorrent, please do not use it while I am helping clean your system.

    When I write script for you to use after I see the Combofix report, I would like to include the removal of all Ask.com and Viewpoint entries if you have no objection. We don't recommend using either of these because of adware and occasionally spyware.
  4. lostreality

    lostreality Newcomer, in training Topic Starter

    ok I ran both programs. The combo fix log is attached below. The eset program took a really long time to run last night and I fell asleep while it was running...just woke up to it being complete, but it doesn't seem to have saved a log file anywhere? If it has saved a log file, it's not where you said it will be...should I rerun the program? Is there somewhere else it could be saved? Or was I supposed to check something off to save a logged file?

    oh and I never use bittorrent but I will uninstall it...

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The Eset log is located here:
    A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\program files\Viewpoint\Common\ViewpointService.exe
    c:\program files\AskBarDis\bar\bin\askBar.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\program files\Hitman Pro 3.5
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Arielle\Application Data\DNA
    c:\program files\DNA
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=- 
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=- 
    
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    
    Firefox-: - Profile-  c:\documents and settings\Arielle\Application Data\Mozilla\Firefox\Profiles\4jed5k7n.default\
    Firefox-: - prefs.js- Search.Defaulturl
    
    Driver::
    Viewpoint Manager Service
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    =========================================
    Note: I have included the removal of the ask.com toolbars, Viewpoint, remaining entries from Hitman Pro and Bit Torrent.
  6. lostreality

    lostreality Newcomer, in training Topic Starter

    attached is the new combo fix file.

    I still can't find the eset file. Under my c:/programfiles I have a folder called "Eset" not one called "esetonlinescanner". In the eset file is an "esetonlinescanner" file, but that does not have the log in it either. I did a search for log.txt on my c drive and it didn't come up with it either. Maybe something happened when I was asleep and it didn't complete the scan or generate a log or something? This morning is just had a button that said "Finish" but didn't generate any log when I hit it. Should I rerun that program? If yes, that will take me a few hours...last night before I fell asleep it had been running around an hour and a half.

    Meanwhile, my google redirect problem no longer seems to be happening...at least so far. :) So, awesome! Is there anything else I need to do (apart from maybe rerunning eset?)

    Attached Files:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Follow the directions and screen shots on this Java site HERE to clear the cache.

    Combofix report looks good. We need to get an online scan though. Try the Eset scan again. Save log.

    If the does not work, run this one:
    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    If it's clean, I'll have you remove the cleaning tools.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.