Google Redirect Problem + Strange ie8 Crasher Called vRs7joRV

[WavieDavie]

Hello

I hope some of you can help me with a familiar problem to this board? Like many I'm having problems with a Google re-direct but I also have a strange process that crashes ie8 very randomly!

Recently I had a problem with ave.exe which hijacked my browser and sent it to a scam antivirus site. That seems to have been sorted using Malwarebytes Anti-Malware. I also used CCleaner, Spybot S&D, Combofix, Super Anti-Spyware and MG Tools! Nothing has gotten rid of the redirect which takes me to a random ad page and nothing has touched the ie8 crashing process...

The process writes itself to C:/Documents and settings/all users/application data and presents as vRs7joRV...

I can kill it in task manager and then erase it from app data and that buys me some time before it writes itself again! I have no idea where it's coming from and haven't been able to find any reference to it online.

I followed advice on the sequence and locations for the above malware removers but am still having problems. Can anyone shed any light please?

Regards

Dave

 

[WavieDavie]

Some more logs...

Can't seem to get a hijackthis log onto here though!

 

[WavieDavie]

Another try at getting hijackthis log on here... And failed! It's saved as a log file, just won't let me upload it. Help me please?!?!?!

Dave

 

[Bobbye]

Welcome to TechSpot, Dave. I will help with the malware but you need to get some control over what's you're running.

You should have started out with out Preliminary Virus and Malware Removal thread HERE. Had you done that, you would likely have had better results. You might also have seen out note that Combofix should only be run if your helper instructs you to run it and then, only with guidance.

What happens when you try to leave the HijackThis log? Have you tried pasting it into the reply?

If you are intentionally running a program called Perfect Optimizer, please remove it as it is a rogue program.

One of the deleted entries in Combofix indicates that you may have an infected flash drive. have you been actively using the flash drive at this point?

Another entry shows me: Microsoft Windows XP Home Edition without any of the SP updates. Considering that Windows XP is up to SP3 now, with additional updates, that means the system is way behind and very vulnerable. Unless that is brought current, there's not much point in trying to remove malware as it will be right back:

Visit the Microsoft Download Site. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.

The Combofix report is full of entries that are going to have to be removed. but as long as you're using this, that also is futile: MGTools is there as well as Vundofix and it's backup.
Globally open port in the firewall for:
3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDPeer Name Resolution Protocol (PNRP)

P2P or 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall all P2P programs and/or networksfor the following reasons:

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

 

[WavieDavie]

Hello Bobbye, thank you for the welcome and for your quick response.

I actually followed a Preliminary Virus and Malware Removal thread from another site but I will certainly follow your advice and do as instructed.

To answer your questions, I'm not using Perfect Optimizer and haven't got it installed on my pc.

I also don't have a flash drive either. I have 2 internal hard drives with 3 partitions and an external Maxtor drive.

I'm surprised that the log shows I haven't got any XP updates. I have SP3 installed and regularly update it. Interestingly, I get the same response when I visit the Microsoft download site (Windows Update) as when I try to upload a hijackthis log here. It displays the "Internet explorer cannot display this webpage" page, as if I have no internet connection (which I clearly do)! Does that sound suspicious to you?

The other 3 logs loaded fine as attachments, the hijackthis log won't. I even tried renaming it and just got the same as above in the small upload manager box.

I've now uninstalled all P2P programs and will go do the removal as per your thread recommendation. Will report back soon...

Dave

 

[Bobbye]

It's strange that the HJT log is the one giving you the problem! It doesn't even remove anything so should be affected by malware. Try to open the log, then copy in Notepad, paste into the next reply.

If that doesn't work, try removing what you have for HJT. Then go back to our download site:
https://www.techspot.com/downloads/317-hijackthis.html and d/l again. then do a new scan, paste the log into next reply.

 

[WavieDavie]

Hi Bobbye, still no luck with the HJT file! Not much found on the other two scans either but I still have the redirect and the rougue process...

I can't copy and paste the HJT log to here either! Just gives me that same "Internet explorer cannot display this page" message!

I really don't understand what's going on...

Dave

 

[Bobbye]

There are at least 2 members right not that cannot get the HJT log either attached or pasted. I have sent a PM to the moderator about the problem and will get back to you.

 

[Bobbye]

WavieDavie, do you still need help? This thread will be closed if there is no reply today.

 

[WavieDavie]

Hi Bobbye, yes, I do still need help, I was waiting for someone to get back to me about the HJT log problem

Dave

 

[Bobbye]

Sorry, I didn't realize you were waiting on that. We have made some changes in our preliminary removal so please follow Step 5 and Step 6 HERE.

You can remove the HJT program and delete the log. Leave the GMER and DDS reports in your next reply.

And follow with Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Logs to leave in next reply:
GMER
DDS (2)
Eset

 

[WavieDavie]

Bobbye

I'm having so much trouble with this! I've followed your instructions using the new procedures but all that's happened is on reboot from TFC I've lost Quick Launch from my toolbar and most of my programs from my taskbar!

I can't save a GMER log, it just freezes the machine when I try to do so and I have to restart again! When I try to save the file, task manager goes to 100% CPU usage and I have no option but to reboot, losing the file... And I've lost more web pages, Windows Update, anything I try to post from HJT (you knew about this) and Facebook now return the same "Internet Explorer Cannot Display This Page" message!

And, despite running Malwarebytes and AVG scans, I still have this ridiculous Google redirect!

Dave

 

[Bobbye]

Dave, I note you've posted on another forum and had were getting instructions. Your helper on majorgeeks said this to you:

However we did request for you to attach the C:\Mglogs.zip from running C:\MGTools.exe. So once you have done that I can make a start on removing malware for you.

But you did not continue and abandoned the thread. I note that you had a problem posting the HijackThis log there also. In my opinion, you are showing more system problems than malware at this point. You are the only reported finder of anything called vRs7joRV on the internet.

None of the programs I had you run would have caused the problem you are reporting. Something might turn up in the Event Viewer::

Please download VEW and save it to your Desktop:

Setting up the program
Double-click VEW.exe then under Select log to query, select:

• Application
  [*] System
  
  Under Select type to list, select:
• Critical (Vista only)
• Error
  
  Click the radio button for Number of events
• Type 20 in the 1 to 20 box
• Then click the Run button.
• Notepad will open with the output log.
  
  Load the log
• In Notepad, click Edit> Select all
• Then press Edit > Copy
• Press Ctrl+V on your keyboard to paste the log to your next reply.

(Courtesy rev-Olie)
If you plan to continue here, consider telling your other helper that you are getting help elsewhere so he or she can go on to someone else.

 

[WavieDavie]

Bobbye, yes, I have googled vRs7joRV and I know this is/was unique to me. It was in my application settings, killing ave.exe in task manager and then erasing vRs7joRV enabled me to get online.

I haven't persued any other help apart from here after initially posting to both forums. To be honest (and this isn't a criticism) before embarking on these elaborate removal processess I had a very stable system... I'm seriously considering a clean install.

Dave

 

[WavieDavie]

Vino's Event Viewer v01c run on Windows XP in English
Report run at 25/04/2010 00:47:01

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 24/04/2010 17:06:50
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 24/04/2010 17:04:43
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 24/04/2010 17:04:40
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 23/04/2010 22:13:30
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 23/04/2010 22:13:29
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 22/04/2010 22:04:36
Type: error Category: 0
Event: 11704 Source: MsiInstaller
Product: Skype™ 4.2 -- Error 1704. An installation for Microsoft Office 2000 Premium is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Log: 'Application' Date/Time: 21/04/2010 20:15:28
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket 1180947459.

Log: 'Application' Date/Time: 21/04/2010 20:15:25
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Log: 'Application' Date/Time: 21/04/2010 18:17:21
Type: error Category: 0
Event: 11704 Source: MsiInstaller
Product: Microsoft Office Word Viewer 2003 -- Error 1704. An installation for Microsoft Office 2000 Premium is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Log: 'Application' Date/Time: 21/04/2010 18:12:04
Type: error Category: 0
Event: 11704 Source: MsiInstaller
Product: Compatibility Pack for the 2007 Office system -- Error 1704. An installation for Microsoft Office 2000 Premium is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Log: 'Application' Date/Time: 21/04/2010 18:11:08
Type: error Category: 0
Event: 11704 Source: MsiInstaller
Product: Compatibility Pack for the 2007 Office system -- Error 1704. An installation for Microsoft Office 2000 Premium is currently suspended. You must undo the changes made by that installation to continue. Do you want to undo those changes?

Log: 'Application' Date/Time: 13/04/2010 23:16:51
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket 1795826947.

Log: 'Application' Date/Time: 13/04/2010 23:16:48
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application Tl.exe, version 8.4.105.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/04/2010 00:24:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At1.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 23:24:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At24.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 23:00:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At72.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 22:24:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At23.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 22:00:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At71.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 21:24:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At22.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 21:00:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At70.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 20:24:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At21.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 20:00:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At69.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 19:24:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At20.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 19:02:11
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 24/04/2010 19:00:00
Type: error Category: 0
Event: 7901 Source: Schedule
The At68.job command failed to start due to the following error: %%2147942402

Log: 'System' Date/Time: 24/04/2010 18:55:06
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The ASKUpgrade service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 24/04/2010 18:55:06
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The ASKService service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 24/04/2010 18:54:06
Type: error Category: 0
Event: 49 Source: Ftdisk
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

Log: 'System' Date/Time: 24/04/2010 18:54:06
Type: error Category: 0
Event: 45 Source: Ftdisk
The system could not sucessfully load the crash dump driver.

Log: 'System' Date/Time: 24/04/2010 18:54:06
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk1\D.

Log: 'System' Date/Time: 24/04/2010 18:54:06
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk1\D.

Log: 'System' Date/Time: 24/04/2010 18:54:06
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk1\D.

Log: 'System' Date/Time: 24/04/2010 18:54:06
Type: error Category: 0
Event: 11 Source: Disk
The driver detected a controller error on \Device\Harddisk1\D.

 

[Bobbye]

You were already having system problems when you posted on both forums. You furthered the problems by running programs on your own, like Combofix. Then you additionally added to the problems by not posting the logs. We do not expect all of the malware to be found and fixed in the preliminary programs. We review the logs and determine what additional entries need to be removed.

Based on your Combofix report posted elsewhere, I recommend you run this script to remove bad entries. It should leave you in better system shape.

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\documents and settings\Dave\Application Data\Azureus
C:\WINDOWS\EntPack.dat
c:\windows\popcreg.dat
c:\windows\popcinfot.dat
c:\documents and settings\All Users\Application Data\oiALETo02.dat
c:\program files\AskBarDis\bar\bin\AskService.exe
c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe

FileLook:
c:\windows\PIF

Folder::
c:\VundoFix Backups
c:\windows\Dduzupij.dat
c:\windows\Dgokediqadunujan.bin
c:\documents and settings\Dave\Application Data\Azureus
c:\Windows\Fonts\Qoh5N0.com 

ATJob::

Registry::

AtJob::

Driver::
AASKUpgrade;
ASKService

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
The multiple errors for Office indicate 2 things: you should take it off of the Startup menu and eventually make sure it has been fully and properly installed. this should help the IE crashes.