Google Redirect Virus

[Sixx]

Hello,

I've followed the 8 step removal instructions and I don't seem to be having any symptoms - at least not that I know of - and google is no longer redirecting at the moment. Here are my logs. Thanks in advance for any help.

 

[Sixx]

Anyone? ...

 

[Bobbye]

It appears that you are running a program designed to get keys or licenses to program to run without payment> in other words, piracy:

O4 - HKLM\..\Run: [vsokey] C:\Windows\system32\vsokey.exe>> keygen

This will have to be removed before any malware support.

 

[Sixx]

I've removed the file and attached the new hijack log below.

 

[Bobbye]

Please run the AVG Removal Tool. You still have entries:
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully.

You have a Trojan Dropper associated with "Zeldar."
Another Trojan has changed these:
O4 - HKLM\..\Policies\Explorer\Run: [x] C:\Windows\oz.exe
O4 - HKCU\..\Policies\Explorer\Run: [x] C:\Windows\oz.exe

I don't know the extent because of the use of the keygen:
Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

And follow with this online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please rescan with HijackThis when finished> paste new log in next reply.

Attach Combofix report and Eset log.

 

[Sixx]

I've completed your instructions and attached the required logs below.

 

[Bobbye]

You've had malware that is capable of stealing your information. Please change all of your passwords. Monitor any online financial transactions.

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files  
  C:\Windows\System32\kentut.exe
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
Please reopen HijackThis to 'do system scan only.' Check the following if present:
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16

Close all Windows except HijackThis and click on "Fix Checked

NOTE: if the removal of this file causes a problem with the Dell printer, please reinstall the printer. There is a problem with this file as shown.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player:

To remove, find and remove Viewpoint Media Player

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

• Click on Start > Run and type: services.msc> OK
• Click the "Extended tab".
• Scroll down the list and find the service called "Viewpoint Manager Service"
• When you find the service, double-click on it.
• In the Properties Window > General Tab that opens, click the "Stop" button.
• From the drop-down menu next to "Startup Type", click on "Disabled".
• Now click "Apply", then "OK" and close any open windows.
• Click on Start > Settings > Control Panel >Add/Remove Programs
• Highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist: Open Windows Explorer> Programs:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Empty the Recycle Bin

TFC (Temp File Cleaner)

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

Okay, when you finish these, tel me how the system is working.

 

[Sixx]

I ran OTMovit and here are it's contents.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Windows\System32\kentut.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: IUSR_NMPR
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
 
User: Nat
->Temp folder emptied: 381406 bytes
->Temporary Internet Files folder emptied: 8205990 bytes
->Java cache emptied: 65423729 bytes
->FireFox cache emptied: 63836317 bytes
->Google Chrome cache emptied: 48695479 bytes
->Apple Safari cache emptied: 17157693 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 24684676 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 218.00 mb
 
 
OTM by OldTimer - Version 3.1.4.0 log created on 12272009_204036

Files moved on Reboot...

Registry entries deleted on Reboot...

I ran hijackthis and O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16 was still present; it has now been removed successfully.

Viewpoint Media Player has also been removed successfully (which I wasn't using by the way).

And I've run TFC, restarted the computer and emptied the recycling bin.

The computer is running much smoother, especially on startup. Firefox.exe is no longer appearing twice in task manager. Google redirects still aren't happening since going through the 8 step removal instructions. I can't remember the last time this computer has been running this well, so thank you very much for your assistance, it's greatly appreciated. I'll check back tomorrow morning to see if there's anything else you'd like me to do.

 

[Bobbye]

Well you just made my day! I'm so glad that you noticed the difference in how the computer runs- see-there is hope after all!

Please run one more scan with HJT and leave a new log. If noting else shows up, I'll have you remove the cleaning tools and old restore points.

 

[Sixx]

Here's the HJT log.

 

[Bobbye]

Okay, looks good. I have some suggestions you might want to consider- all are optional.

Dell preloads a lot and puts it all on Startup. It doesn't need to be. In fact, many don't know about it or use it:
Dell Browser Address Error Redirector>> BAE
Dell Support Center>> dsca.exe" (can also be uninstalled if not used)
Dell AIO 810>> dlcgmon.exe" (this one also has a Service set to Automatic. You can changes that to Manual to start when you need it.
Dell Fax Solutions>> fm3032.exe

Advise take all off startup using the msconfig utility. That includes the printer. When you need to use it, click on File> Print.
You are not uninstalling these programs when you use msconfig> you are unchecking them so they don't start on boot and run in the background. You can access them whenever you need them.

Reconsider having this for Start page:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=0&l=dir

ask.com is a "dirty site". By that I mean it is know for the 'extra' stuff it sends like ads

Be careful with C:\Program Files\Last.fm\LastFM.exe>> This is a licensed music sharing program.>> associated with audio player from LastFM.
http://en.wikipedia.org/wiki/Last.fm

While it doesn't seem to be the typical "sharing" or P2P, it is clear that some of your info is mined and used.
-------------------------------------------------
Remove the cleaning tools and old restore points:
Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Let me know if I can be of more help.

 

[Sixx]

Done.

While I was disabling the Dell programs from preloading, I noticed that Quicktime, Adobe Reader and Manager, and Adobe Acrobat all also preloading at startup; could I disable those?

 

[Bobbye]

I noticed that Quicktime, Adobe Reader and Manager, and Adobe Acrobat all also preloading at startup; could I disable those?

Absolutely. None of them need to start on boot. Easiest way is to use the msconfig utility and uncheck any related processe for these programs:


Unchecking on Startup using the msconfig utility. These are on most systems- none need to strt on boot and run in the background.

Stopping unnecessary startups

1. Unchecking on Startup using the msconfig utility. These are on most systems- none need to start on boot and run in the background.

JAVA:
[1] UNCHECK all Java entries on the Startup menu: Start> Run> msconfig> enter> Selective Startup Startup tab.
[2] Open IE> Tools> Manage add-ons> right click on Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll> Click on and Disable Java Plugin2 and Java Quick Start.
[3]. Start> Run> services.msc> right click on JavaQuickStarterService)> Properties> Change Startup Type to Disabled> Stop the Service
[4] Stop auto update:. Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Click YES when asked to confirm> OK
[5]. Make sure only the current version of Java v6u11 is in Add/Remove Programs in the Control Panel. Uninstall any other versions.

ADOBE READER:
1. Use msconfig to UNCHECK all; Adobe Reader entries> Apply> OK
2. Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.
3. Change the Adobe LM Service to Manual Startup.
4. Only the most current version (now v9.xxx) should be listed in Add/Remove Programs.

REAL PLAYER:
1. UNCHECK all 'Real', Real Player' and 'Real One' entries on the Startup menu
2. If you use Real Player disable the auto-update feature in your Tools- Preferences- Automatic Services- AutoUpdate (In RealPlayer).
Right click on Start> Exp[ore> Programs> Common> Real Update> right click> delete the file "realshed.exe"

QUICK TIME
1. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
2. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
3. Rename the qttask.exe file:
Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.

ITUNES Big resource user!
iTunesHelper.exe
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
1. UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.

BONJOUR/MDSRESPONDER:
Usually installed by Apple for iTunes. But also 'pre-checked' to load with the new Adobe CS3 applications, "mDNSResponder.exe" is installed somewhere in the install process. Used in iTunes files sharing
IF you do not use this process, it is best to stop and unintall it: Here’s how to safely uninstall Bonjour and remove mDNSResponder.exe
1. Go to Start > Run > type the command below and hit OK.
“%PROGRAMFILES%\Bonjour\mDNSResponder.exe” -remove
2. Right click on Start> Explore> Programs> Bonjour> right click on mdnsNSP.dll> rename to> mdnsNSP.old
3. Restart your computer**** see note regarding reboot
5. Delete the Program Files\Bonjour folder

The first command will stop and remove Bonjour Service from your computer. To confirm, go to Start > Run and type services.msc. Look for Bonjour Service name. If it’s not there, you’ve successfully removed it.

Your printer, scanner, fax doesn’t need to start on boot. Uncheck them all.

HP Printer processes on startup:
HP Port Resolver
HP Status Server
Pml Driver HPZ12

To change the Startup type for a related Service:
Start> Run> type in services.msc> double click the Service>> if you are going to use this, set it to Manual> if you aren't going to use this> set it to Disabled.
------------------------------------------------------------------------

 

[Sixx]

Okay, I've disabled everything that isn't needed on startup.

I don't think I need anymore assistance, so thank you very much for your help, it was appreciated. I promise to keep this computer clean, so you won't be seeing me again!

 

[Bobbye]

You're welcome. Let us know if you need more help.