Google Redirect Virus, 8 Steps Complete, Still Have Virus..

By angelrem · 10 replies
Nov 22, 2009
  1. Logs attached. Still have the virus. Please help. I'm using an HP 1010nr Netbook running Windows XP.

  2. angelrem

    angelrem TS Rookie Topic Starter

    Do I need to do the ComboFix?
  3. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 452   +40

    Hi angelrem,

    Here is the malicious software found via HijackThis (there is a lot):

    O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
    NOTE: That is extremely nasty ^^^^^^^^^^^^.

    O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Angel\ntuser.dll,_IWMPEvents@0
    O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
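
An added example, not part of the original thread and not code from HijackThis: a short Python triage of the O4/O7 lines quoted in the post above. The heuristic names and the "more than one hive" threshold are assumptions chosen for illustration; a hit marks an entry for closer review, not a verdict.

```python
import re
from collections import defaultdict

# The O4/O7 lines quoted in the post above, copied verbatim.
LOG = r"""
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Angel\ntuser.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# O4 = autostart entry: hive, [value name], command, optional "(User '...')" suffix.
O4 = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "
                r"(?P<cmd>.+?)(?: \(User '[^']*'\))?$")
# O7 = policy value that blocks the Registry Editor.
O7 = re.compile(r"^O7 - (?P<hive>\S+?)\\.*DisableRegedit=1$")


def triage(log):
    """Map each heuristic to the Run value names (or hive) that tripped it."""
    hits, hives = defaultdict(set), defaultdict(set)
    for line in map(str.strip, log.splitlines()):
        o4, o7 = O4.match(line), O7.match(line)
        if o4:
            name, cmd = o4["name"], o4["cmd"]
            hives[name].add(o4["hive"])
            # Autorun that hands a DLL to rundll32 instead of starting a program.
            if cmd.lower().startswith("rundll32"):
                hits["rundll32-autorun"].add(name)
            # Executable whose file name consists only of digits.
            if re.search(r"\\\d+\.exe$", cmd, re.I):
                hits["numeric-exe-name"].add(name)
        elif o7:
            hits["regedit-disabled"].add(o7["hive"])
    for name, seen in hives.items():
        # Same value name registered under several hives (machine, user, SYSTEM).
        if len(seen) > 1:
            hits["name-in-multiple-hives"].add(name)
    return {reason: sorted(v) for reason, v in hits.items()}


if __name__ == "__main__":
    for reason, names in triage(LOG).items():
        print(f"{reason}: {', '.join(names)}")
```
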
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    angelrem, please do not run Combofix at this point. I will review your logs shortly and help you with the malware.

    Your system is badly infected. Can you please give me some history on this:
    Your system has a Vundo infection, to name one and also numerous Trojans.

    AnonymousSurfer, please stop advising these members.
  5. angelrem

    angelrem TS Rookie Topic Starter

    Every time I run ZoneAlarm, it says it finds all these viruses and will delete on reboot. I reboot, and they are still there.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Are you running the Zone Alarm Security Suite which includes an antivirus, anti-spyware, and firewall protection and costs $40.00? Or are you just using the free Zone Alarm firewall?

    The only entries I see are the usual ones for the ZA firewall. If that is all you have, then you don't have an antivirus program to protect you. If this is the case, please get one of the following AV programs on the system:

    Recommended Free Anti Virus:
    Avira Free
    Avast Free

    When you have resolved the possible AV problem:

    Please download VundoFix.exe HERE and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt in next reply.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please rescan with HijackThis and paste that log into the next reply.
  7. angelrem

    angelrem TS Rookie Topic Starter

    I have Zone Alarm Security Suite.

    Ran VundoFix, and it found nothing.

    Ran HijackThis again, and the log is attached.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Someone will get to you as soon as possible. Please be patient- this is a very busy forum.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It appears that you may have a Virut infection. Before we go any further, please do the following:

    • Make sure to use Internet Explorer for this
    • Please go to FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,



    Paste the log into your next reply.

    Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    More information here:

    Because of this possibility, please change all of your passwords and monitor any online financial transactions.

    I will advise you further after I see that log.
  10. allyssax3

    allyssax3 TS Rookie

    Will you please help me also?

    I tried to download something off of the internet which I first scanned with McAfee and it said it didn't have any viruses.
    When I tried to run the program, a Windows alert came up and said: "A spooler subsystem app has encountered a problem and needs to close."
    Ever since that time, every 5 minutes, I was getting an alert from McAfee telling me that a trojan was quarantined. It was New Malware.j. My McAfee subscription is up so I think that is why it won't delete the trojan. Ever since I got the first trojan alert, I had a Google redirect problem.
    I went into C:\Windows\TEMP and deleted all of the files, then proceeded to shred my recycling bin to get rid of them and for about ten minutes after didn't have the redirecting problem, but it came back?

    Will you help me?
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    allyssax3, you will need to start a separate thread for help.

    The first thing you need to do, though, is to get a functioning, updated antivirus program on the computer. Here are 2 free recommendations; use either one, not both:
    Avira Free
    Avast Home

    Okay to copy what you have in your post here, but you will need to follow the steps in our Virus and Malware Removal HERE.

    Please attach the logs from the programs in your new thread.

    There is no 'also' in this forum. While problems may sound alike, all help given is only for the member who began this thread. Your problem will be seen by more members in a new thread.
Topic Status:
Not open for further replies.
