Redirect virus - need some help please

Looks like I finally caught a virus. Been trying to clean this up but striking out. The crew here at TechSpot seems pretty good, so I'm gonna ask for some help.

Here's my status.

Clicked on a link on a weird website about 10 days ago and noticed something strange popup. Things started getting weird from that point on.

First symptom was that Firefox would start with an error popup about jqsnotify.exe. Then I noticed my Google searches were getting redirected.

I started searching around and taking some measures: scanning with Spybot and AVG, nothing turning up. Tried CCleaner (I think I was following a thread here). I ran CCleaner without having seen the instructions here, and I DID check clear prefetch data. Since then I can't run browsers at all.

After this first round of battle and running CCleaner I was then unable to run Firefox or IE. IE just hourglasses for 10 secs and then nothing, no processes running. Firefox now launches with an application error: "The instruction at "0x7c5b73a3" referenced memory at "0x7c5b73a3". The memory could not be "read". Click OK to terminate the program." Tried uninstalling and reinstalling FF3 and FF2 but can't get it to run at all. Same error.

Downloaded Chrome so at least I can browse on the PC. Chrome runs fine, but Google search redirects, and even Yahoo search redirects.

Looking for help at this point. I'm following the 8 steps and am now ready to post logs.

Thanks for helping here, really appreciate it. Attaching logs.

What next
 
Hello lownotesb

Remove/uninstall one of your antivirus programs from "Programs and Features" in Control Panel:

AVG8 or Comodo

Please download ComboFix here ->
ComboFix
Before saving it to the Desktop, please rename it to 123.com to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
 
Thanks for your help

I've followed the instructions and run ComboFix.

Attached is the log file. Looks like I've got the Skynet rootkit.

Comodo Firewall keeps popping up about catchme.sys and similar files. I blocked them and then the log file finally came up.
 
Attachment: ComboFix.txt (25.3 KB)
Open Notepad and copy/paste the text in the quotebox below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad

[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted.
It is usually located in c:\combofix.txt; please attach it to your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Smooth sailing

Yes, things seem to be running better. No redirects and all browsers working.

Much appreciate your assistance and expertise. Thank you!!!!!
 
Question about installed apps

What can I do at this point to reduce the overhead on the machine? Should I keep all the new apps running and installed?

Also, do I need Spybot & SUPERAntiSpyware?

Thanks
 
You don't need Spybot & SUPERAntiSpyware if you keep Malwarebytes.

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download: OTCleanIt.exe
Save it to the desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?" prompt.
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note: it will NOT remove Mbam, CCleaner and SUPERAntiSpyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place?
 
This happened to me and is still happening. It happens 50% of the time I'm browsing on Firefox. I already tried scanning with Malwarebytes and it's still here.
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:36 PM, on 7/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
D:\Program Files\FormatFactory\FormatFactory.exe
D:\Program Files\FormatFactory\FFModules\mencoder.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 2136 bytes
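One way to triage the O4 (Run key) and O23 (service) lines of a HijackThis log like the one above, as an added example that is not from the thread or from HijackThis itself: it parses the entries and flags executables that run from a Temp directory, that live outside C:\Windows or C:\Program Files, or that are services with no publisher. The sample lines and the trusted-root list are constructed assumptions; the page's own log entries are not reproduced here.

```python
import re
from typing import Dict, List

# Constructed HijackThis-style lines for demonstration (not copied from the thread's log).
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [constructed_updater] C:\\Documents and Settings\\User\\Local Settings\\Temp\\upd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
O23 - Service: Constructed Service (ConSvc) - Unknown owner - C:\\WINDOWS\\Temp\\consvc.exe
"""

# O4: registry Run entries; O23: Windows services (display name, short name, vendor, path).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]*)\) - (?P<vendor>.+?) - (?P<path>.+)$")

# Assumed locations where legitimately installed software lives on a single-drive XP box.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def flag_reasons(path: str, vendor: str = "") -> List[str]:
    """Return review reasons for one startup entry; an empty list means nothing odd."""
    p = path.strip().strip('"').lower()
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    elif not p.startswith(TRUSTED_ROOTS):
        reasons.append("runs outside Windows/Program Files")
    if vendor.lower() == "unknown owner":
        reasons.append("service has no publisher")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse O4 and O23 lines and attach review reasons to each entry."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "name": m["name"], "path": m["path"],
                            "reasons": flag_reasons(m["path"])})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"kind": "O23", "name": m["name"], "path": m["path"],
                            "reasons": flag_reasons(m["path"], m["vendor"])})
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["kind"]} {e["name"]}: {e["path"]} -> {"; ".join(e["reasons"]) or "ok"}')
```

A flag only marks an entry for a closer look (publisher, hash, file age); entries installed on a second drive, like the D:\ paths in the log above, will also be flagged under the assumed C:-only trusted roots.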