[Solved] I also have the Google redirect virus. Completed 8 steps and logs attached


bruceb58

I just joined your site and am interested if I could get some help with this Google redirect virus. As others state, I can click on a link in the Google search and it will send me elsewhere. If I go back and click on the link again, all is good.

Thanks in advance
Bruce
 

Attachments

  • mbam-log-2010-03-12 (12-38-05).txt
  • SUPERAntiSpyware Scan Log - 03-12-2010 - 13-48-27.log
  • hijackthis.log
Bruce, we'll start here:
Download and run LSP-Fix

  1. Download LSP-Fix and save it to its own directory on the desktop.
  2. Double-click on the file to open it.
  3. In the left-hand column, you should see the xfire_lsp_10650.dll file listed.
     • Click on it to highlight it.
     • Click the arrow in the middle of the screen that points to the right.
  4. This will move the filename to the right-hand column labeled Remove.
     • NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing".
  5. Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
  6. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
  7. Close LSP-Fix.

Follow with: Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run it.
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow it.
  • Click on Yes to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Then rescan with Hijackthis and the entry for xfire_lsp_10650.dll should now be gone from the list.

Attach new HijackThis log and Combofix report to next reply.
 
I ran everything and I am attaching the 2 logs.

I did some checks to see if I still have the problem and it appears things are working normally right now.

I really appreciate the help.

Please let me know what you would like me to do next.
 

Attachments

  • hijackthis.log
  • ComboFix.txt
Bruce, you're going to have to help me out here. The processes I'm seeing don't add up to the random home computer. For instance:

c:\altera\90\quartus\bin\jtagserver.exe>> The Joint Test Action Group (JTAG) server was developed to facilitate sharing JTAG hardware between the Quartus II software version 2.0 and third-party JTAG application software
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\90\quartus\bin\jtagserver.exe


C:\Program Files\LogMeIn\x86\RaMaint.exe>> LogMeIn Maintenance Service
C:\Program Files\LogMeIn\x86\LogMeIn.exe>> LogMeIn Remotely connect
C:\Program Files\LogMeIn\x86\LMIGuardian.exe>> LogMeIn Guardian>> sole purpose is to gather detailed information should a LogMeIn crash occur.
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe


C:\Program Files\UltraMon\UltraMon.exe>> UltraMon is a utility for multi-monitor systems,

C:\Modeltech_6.3h\win32pe\lmgrd.exe>> lmgrd.exe is Part of the Macrovision FLEXlm software. This software is installed as part of the licensing of the ArcGis software.FlexNet Publisher (formerly known as FLEXlm) is a common software license manager from Flexera Software which implements license management and is intended to be used in corporate environments to provide floating licenses to multiple end users of computer software.
C:\Modeltech_6.3h\win32pe\mgcld.exe>> Mentor Graphics® ModelSim®
O23 - Service: license_server - Macrovision Corporation - C:/Modeltech_6.3h/win32pe/lmgrd.exe

I'm not getting any English sites for Modeltech_6.3h
Win32pe is a Portable Executable

Our help, which is all volunteer and free, is geared toward the home PC user.
 
I do FPGA design and this is just my work software that I have installed on my home computer so that is what the Altera and JTAG software is for. The LMGRD is for the licensing.

Modeltech is the simulator for my design work.

The logmein.com allows me to remotely log into my home computer.

Ultramon is for my dual monitor set up.

This is my home computer but I have this stuff on it so I can work when I come home at night.
 
Okay, no problem. Better I have you verify entries than allow malware to get through.

I recommend that you remove this entry from the Trusted Zone:
Trusted Zone: att.com\ufix
The entry isn't complete as written and I discourage putting any sites in the Trusted Zone.

P2P or 'file sharing' warning:
You have LimeWire installed and you have given it access through the firewall.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

I'd like you to run this online scan to make sure we haven't missed anything:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
If the scan is clean and the problem has been resolved, I'll have you remove the cleaning tools and old restore points.
 
Weird...the ESET cannot download its signature database. Asks me if my proxy is configured. I don't think I need to do anything like that.

EDIT: Tried going through the whole process a few times and now it is.
 
Okay, leave the log when finished. If there is more trouble, there is an alternate online AV scan you can run.
 
It is running right now. 1 hour 20 minutes and it is only 28% done. I started by going through Firefox. Couldn't get it to run going through IE8.
 
Ok...finished the ESET and here is the log. I can delete the setupmpe.exe file. Not sure what it is but I have had it on my computer for ages.
 

Attachments

  • log.txt
Bruce, it looks like SDFix is loading and running in the background. Please uninstall it.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
C:\Bruce Folder\setupmpe.exe
D:\Backup\bruce folder\setupmpe.exe
D:\Bruce Folder\setupmpe.exe

Folder::
Registry::
Driver::

FCopy::
c:\windows\$NtServicePackUninstall$\atapi.sys | c:\windows\system32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
(image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
 
Sorry Bruce, your reply got lost! Let's do one more Eset scan and HijackThis. If they're clean and the problem is resolved, I'll have you remove the cleaning tools and old restore points.
 
Did ESET and Hijack and attached logs.

Looks like I had a few more things detected.
 

Attachments

  • ESET.txt
  • hijackthis.log
Not to worry! The 3 entries in the Eset log for System Volume are in the restore points. I'll have you drop the old restore points and set a new clean one when we have finished.

I am concerned about this one though:
C:\WINDOWS\system32\drivers\atapi.sys Win32/Olmarik.TM trojan cleaned - quarantined

I'd like to try the script on this once more:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::

Folder::

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Then rescan with Eset. Important: note that I do not want Eset to remove anything!
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
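The FCopy lines in the two scripts above restore atapi.sys from a service-pack backup copy, and the second attempt was needed because ESET still found the driver patched after the first. Before overwriting a boot-critical driver it helps to know whether the installed copy actually differs from the backups and whether the backups agree with each other; if they do not, neither is a trustworthy reference. The Python below is an added example and is not part of this thread or of ComboFix: the directory names are the ones the FCopy lines use, while the file contents, check_driver, build_fixture and demo are constructed for the example. One caveat worth stating plainly: Win32/Olmarik is ESET's name for the TDL3/TDSS rootkit family, which sits in the disk I/O path and hands back the original bytes of the driver it infected, so a hash comparison run from inside the infected Windows can report a match while the on-disk file is patched. Run this kind of check from offline media (a boot CD, or the drive attached to a clean machine) for the result to mean anything.

```python
import hashlib
import os
import tempfile

# Directories the thread's FCopy lines restore atapi.sys from, as path components
# below %SystemRoot%. The directory names are from the thread; everything written
# into them by build_fixture() is constructed test data.
BACKUP_LOCATIONS = (
    ("ServicePackFiles", "i386"),
    ("$NtServicePackUninstall$",),
)
INSTALLED_LOCATION = ("system32", "drivers")


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers do not have to be read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_driver(system_root, name="atapi.sys"):
    """Compare the installed driver with every backup copy that exists.

    Verdicts: 'missing' (no installed file), 'inconclusive' (no backups, or the
    backups disagree with each other so neither can serve as the reference),
    'match' (installed equals the consistent backup) or 'mismatch'.
    """
    installed = os.path.join(system_root, *INSTALLED_LOCATION, name)
    if not os.path.isfile(installed):
        return {"verdict": "missing", "installed": None, "backups": {}}
    installed_hash = sha256_file(installed)

    backups = {}
    for parts in BACKUP_LOCATIONS:
        path = os.path.join(system_root, *parts, name)
        if os.path.isfile(path):
            backups["\\".join(parts)] = sha256_file(path)

    if not backups or len(set(backups.values())) > 1:
        verdict = "inconclusive"
    elif installed_hash in backups.values():
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "installed": installed_hash, "backups": backups}


def build_fixture(system_root, installed_bytes, backup_bytes):
    """Constructed stand-in for %SystemRoot%: writes fake atapi.sys files so the
    check can run offline. backup_bytes maps a BACKUP_LOCATIONS entry to content."""
    targets = [(INSTALLED_LOCATION, installed_bytes)]
    targets += [(parts, data) for parts, data in backup_bytes.items()]
    for parts, data in targets:
        directory = os.path.join(system_root, *parts)
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, "atapi.sys"), "wb") as fh:
            fh.write(data)


def demo():
    """Run the check over four constructed system roots and return the verdicts."""
    clean = b"MZ constructed clean atapi.sys"
    patched = clean + b" + constructed injected loader"
    sp, uninst = BACKUP_LOCATIONS
    cases = {
        "clean":          (clean,   {sp: clean, uninst: clean}),
        "infected":       (patched, {sp: clean, uninst: clean}),
        "no_backups":     (patched, {}),
        "backups_differ": (patched, {sp: clean, uninst: patched}),
    }
    verdicts = {}
    for label, (installed, backups) in cases.items():
        with tempfile.TemporaryDirectory() as root:
            build_fixture(root, installed, backups)
            verdicts[label] = check_driver(root)["verdict"]
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:15} {verdict}")
```

The "backups_differ" case is the one that matters for the thread: when the two service-pack copies do not agree, copying either one over the live driver is a guess, and the right move is to take the hash of the copy from a known-clean installation of the same service pack level rather than trust whatever is left on the infected disk.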
 
I am having problems again getting ESET working. Gets proxy error when downloading virus signature database.

I do have the combofix log however.
 

Attachments

  • Combofixlog.txt
    24.7 KB · Views: 1
What is the proxy error you're getting?
Unless your ISP required this, you can remove this entry in the HijackThis log:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

You have so much going on Bruce- it's hard to know where to look! Reboot after having HJT fix the above, then try the Eset scanner again. IF you get the proxy error again, I need to know exactly what it says.

We need one more AV scan though, so if Eset won't work, try this:
Open Kaspersky Online Scanner in Internet Explorer


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    • Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

I notice in the Combofix report :
2010-03-03 05:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
This is for the AV Counterspy or Vipre from Sunbelt. Did you get a trial of this? IF so, it will expire. If not, it should be removed.
Let me see the log and if clean, I'll have you remove the cleaning tools.
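The two kinds of entries the helper has been vetting by eye in this thread, the R1 line that points Internet Explorer at a proxy on 127.0.0.1:5555 and the O23 services with "Unknown owner", are exactly what a short triage pass can pull out of a HijackThis log before anyone reads all of it. A proxy on a loopback address means a process on the machine itself sits between the browser and the network, which is one way a redirect gets done, so it deserves a higher rating than a corporate proxy that merely needs confirming. The script below is an added example, not a tool from the thread or from the HijackThis project. The R1 and O23 lines in SAMPLE_LOG are copied from this thread; the O10 line (including the xfire DLL path), the O15 line, and the names Finding, parse_proxy_value, is_local_host and triage are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log. The R1 and O23 lines are the ones quoted in this thread;
# the O10 line (LSP DLL path) and the O15 line are invented to exercise those checks.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O10 - Unknown file in Winsock LSP: c:\program files\xfire\xfire_lsp_10650.dll
O15 - Trusted Zone: att.com\ufix
O23 - Service: Altera JTAG Server (JTAGServer) - Unknown owner - c:\altera\90\quartus\bin\jtagserver.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: license_server - Macrovision Corporation - C:/Modeltech_6.3h/win32pe/lmgrd.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section code: R1, O10, O15, O23
    severity: str   # "high": act on it; "review": confirm with the machine's owner
    reason: str
    line: str


_R1 = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value_name>\w+) = (?P<value>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<service>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_O10 = re.compile(r"^O10 - (?P<text>.+)$")
_O15 = re.compile(r"^O15 - (?P<text>.+)$")


def parse_proxy_value(value):
    """Split an Internet Settings ProxyServer value into (scheme, host, port) tuples.

    Handles the bare 'host:port' form and the per-protocol
    'http=host:port;https=host:port' form; scheme is '*' for the bare form.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host or hostport, port))
    return entries


def is_local_host(host):
    """True when the proxy host is the machine itself (localhost or a loopback
    address): the browser's traffic is being handed to a process running locally."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return the Finding list for the HijackThis-format lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _R1.match(line)
        if m:
            if m.group("value_name") == "ProxyServer":
                for scheme, host, port in parse_proxy_value(m.group("value")):
                    if is_local_host(host):
                        findings.append(Finding("R1", "high",
                            f"{scheme} proxy points at a local listener on port {port}; "
                            "a local process is in the browser's path", line))
                    else:
                        findings.append(Finding("R1", "review",
                            f"proxy {host}:{port} configured; confirm the ISP or "
                            "employer actually requires it", line))
            continue

        m = _O23.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", "review",
                    f"service '{m.group('service')}' has no company name in its "
                    f"file version info ({m.group('path')}); ask the owner what it is", line))
            continue

        if _O10.match(line):
            findings.append(Finding("O10", "high",
                "Winsock LSP entry: every socket on the machine passes through this DLL", line))
        elif _O15.match(line):
            findings.append(Finding("O15", "review",
                "site in the Trusted Zone runs with relaxed Internet Explorer security", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

On the sample the LogMeIn and Macrovision services produce no finding because they carry a company name, while the Altera service is flagged for review, which matches how the thread actually went: the helper asked, and the user explained it was FPGA tooling.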
 
Was able to get an ESET run completed.

I notice in the Combofix report :
2010-03-03 05:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
This is for the AV Counterspy or Vipre from Sunbelt. Did you get a trial of this? IF so, it will expire. If not, it should be removed.
I do not remember ever installing this program.
 

Attachments

  • ESETlog.txt
No problem- lets get rid of it:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\SBREDrv.sys
Folder::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
(image CFScriptB-4.gif: CFScript.txt being dragged onto ComboFix.exe)


Referring to the picture above, drag CFScript into ComboFix.exe. You do not have to post the resulting log.

Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
(image CF_Uninstall-1.jpg: the Run box with "Combofix /Uninstall" typed in)


  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
The tool will delete itself once it finishes.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


I would encourage you to go through the installed programs and processes, old files, documents, folders, etc. on the system. There's a lot of duplication, a lot of old files that look to be 'left over' from something you removed.

If I can be of more help in the future, please let me know.
 