Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Constant redirects from google, can't download virus updates


Re: Constant redirects from google, can't download virus upd

Post by bigcam59 » January 19th, 2011, 6:54 pm

Is it possible to just delete the Java file by accessing it through the C drive?
bigcam59
Regular Member
Posts: 17
Joined: January 16th, 2011, 10:48 pm

Re: Constant redirects from google, can't download virus upd

Post by Gary R » January 19th, 2011, 7:32 pm

OK, don't worry about the Java for the moment; we'll come back to that later.

Did resetting the router help with the redirections?

If not, please do the following:

Download ComboFix from one of these locations and save it to your Desktop: (if you already have a copy of Combofix, delete it and use this version)

Link 1
Link 2

IMPORTANT !!! ComboFix.exe must be run from your Desktop

  • Disable your AntiVirus and AntiSpyware applications; they may otherwise interfere with Combofix. There are details for disabling many programmes here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install Microsoft Windows Recovery Console.

**Please note: If Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you.

Please include this log in your next reply (it can also be found at C:\ComboFix.txt).

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Constant redirects from google, can't download virus upd

Post by bigcam59 » January 19th, 2011, 9:16 pm

Here is the ComboFix log:

ComboFix 11-01-16.04 - Chris 01/19/2011 19:54:55.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.703 [GMT -5:00]
Running from: D:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\CFLog
c:\documents and settings\All Users\Application Data\.wtav
C:\install.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf
c:\windows\XSxS
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-12-20 to 2011-01-20 )))))))))))))))))))))))))))))))
.

2011-01-18 14:09 . 2011-01-18 14:09 -------- d-----w- c:\program files\ERUNT
2011-01-18 01:42 . 2011-01-18 01:42 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-18 01:42 . 2011-01-18 01:42 -------- d-----w- c:\program files\Trend Micro
2011-01-17 21:47 . 2011-01-17 21:47 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2011-01-17 21:47 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-17 21:47 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-17 21:46 . 2011-01-17 21:46 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-17 01:56 . 2011-01-17 01:58 -------- d-----w- c:\documents and settings\Chris\Application Data\.clamwin
2011-01-17 01:56 . 2011-01-17 01:56 -------- d-----w- c:\program files\ClamWin
2011-01-17 01:56 . 2011-01-17 01:56 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-01-15 02:51 . 2011-01-17 04:15 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\PhoenixViewer
2011-01-15 01:40 . 2011-01-15 01:40 -------- d-----w- c:\documents and settings\Chris\Application Data\MSNInstaller
2011-01-15 01:19 . 2011-01-17 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-17 21:39 . 2006-02-28 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-02-27 135168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-24 185896]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-12-06 86016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-01-17 01:31 1242448 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-24 03:01 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\theantirap\\half-life 2 deathmatch\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\steamapps\\theantirap\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 7:22 PM 691696]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [5/11/2010 1:31 PM 1051976]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 9:18 AM 10064]
S0 adwarealert;adwarealert;c:\windows\system32\DRIVERS\adwarealert.sys --> c:\windows\system32\DRIVERS\adwarealert.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/22/2010 11:27 PM 135664]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;c:\windows\system32\DRIVERS\Bel6001.sys --> c:\windows\system32\DRIVERS\Bel6001.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2011-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 04:27]

2011-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 04:27]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_03\bin\jusched.exe
SafeBoot-klmdb.sys
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-D-Link AirPlus G - c:\program files\D-Link\AirPlus G\AirGCFG.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-19 20:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-19 20:04:00
ComboFix-quarantined-files.txt 2011-01-20 01:03

Pre-Run: 72,546,279,424 bytes free
Post-Run: 72,493,617,152 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - B5460FFF25DC478BF80706A4B66833D5
bigcam59
Regular Member
Posts: 17
Joined: January 16th, 2011, 10:48 pm

Re: Constant redirects from google, can't download virus upd

Post by Gary R » January 20th, 2011, 3:30 am

OK, nothing much there, still a few things to check.

First

Please download SystemLook from one of the links below and save it to your Desktop.

For 32 bit Systems
Download Mirror #1
Download Mirror #2


For 64 bit Systems
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:filefind
sppt.sys
a1wk3il6.SYS
SjyPkt.sys

:regfind
sppt.sys
a1wk3il6.SYS
SjyPkt.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Next

Let's change your DNS servers.
Please print these instructions out or save them as a TXT document on your desktop; in the unlikely event that something goes wrong or a number is input incorrectly, you may not be able to access the internet to see these instructions.


  • Click Start > Control Panel.
  • Locate and open Network Connections
  • Double-Click your default Network Connection from the available list (If you use wireless choose that one.)
  • Click Properties
  • Highlight Internet Protocol (TCP/IP) and click on Properties again
  • Click on: Use the following DNS server addresses

Type these numbers into the preferred DNS block first
208.67.222.222

and these into the alternate DNS
208.67.220.220


Click OK until all those windows are closed.

Now reboot your computer.

Let me know if you are still being redirected.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Constant redirects from google, can't download virus upd

Post by bigcam59 » January 20th, 2011, 10:31 am

It looks like I'm not being redirected anymore! Holding off on the champagne till I hear from you.

Here are the SystemLook results:

SystemLook 04.09.10 by jpshortstuff
Log created at 08:51 on 20/01/2011 by Chris
Administrator - Elevation successful

========== filefind ==========

Searching for "sppt.sys"
No files found.

Searching for "a1wk3il6.SYS"
No files found.

Searching for "SjyPkt.sys"
No files found.

========== regfind ==========

Searching for "sppt.sys"
No data found.

Searching for "a1wk3il6.SYS"
No data found.

Searching for "SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
bigcam59
Regular Member
Posts: 17
Joined: January 16th, 2011, 10:48 pm
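The SystemLook regfind output above shows what ComboFix's service list had already hinted at: a Services key for SjyPkt exists in every control set while the driver file itself is gone (ComboFix prints such entries as "--> path [?]"). The Python below is an added example, not code from ComboFix, SystemLook or this forum: it parses the R/S service lines of a ComboFix log and the regfind section of a SystemLook log to pull those orphaned entries out automatically. Both sample inputs are constructed subsets of the logs posted in this thread, and reading the R/S letter as running/stopped and the digit as the Windows service start type is an assumption about ComboFix's notation.

```python
"""Triage the service/driver section of a ComboFix log and the regfind
section of a SystemLook log (added example; not ComboFix/SystemLook code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the service lines from the ComboFix log above.
SAMPLE_COMBOFIX = r"""
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 7:22 PM 691696]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [5/11/2010 1:31 PM 1051976]
S0 adwarealert;adwarealert;c:\windows\system32\DRIVERS\adwarealert.sys --> c:\windows\system32\DRIVERS\adwarealert.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
"""

# Constructed sample: the regfind section of the SystemLook log above.
SAMPLE_SYSTEMLOOK = r"""
========== regfind ==========

Searching for "SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SjyPkt]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\SjyPkt.sys"
"""

# "R0 name;display;path [date size]"  or  "S3 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
ANNOTATION_RE = re.compile(r"\s*\[[^\]]*\]$")  # trailing "[date size]" or "[?]"
SYSTEMLOOK_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\\]]+)\]$",
    re.IGNORECASE,
)


@dataclass
class ServiceEntry:
    state: str          # assumed: "R" = running, "S" = stopped
    start_type: int     # assumed: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    name: str
    display_name: str
    image_path: str
    file_missing: bool  # ComboFix wrote "--> <path> [?]": key survives, file does not


def parse_combofix_services(text: str) -> List[ServiceEntry]:
    entries = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        missing = rest.endswith("[?]")
        # When the file is absent ComboFix repeats the path after "-->"; use that copy.
        path = rest.split(" --> ", 1)[1] if " --> " in rest else rest
        path = ANNOTATION_RE.sub("", path)
        path = path.replace("\\??\\", "")                    # NT object-manager prefix
        path = re.split(r"\s+-", path, maxsplit=1)[0]      # drop switches such as "-service"
        entries.append(ServiceEntry(state, int(start), name, display, path, missing))
    return entries


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Keys whose image file is gone: leftovers of an uninstall, or of a driver
    that a cleaner removed without its registry key. These are the names worth
    feeding to SystemLook's regfind, which is what the thread did for SjyPkt.sys."""
    return [e for e in entries if e.file_missing]


def boot_start_drivers(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Boot-start (type 0) drivers load before most defensive software, so a
    boot-start entry with no file on disk deserves a closer look."""
    return [e for e in entries if e.start_type == 0]


def systemlook_service_keys(text: str) -> Dict[str, List[str]]:
    """Map service name -> control sets in which regfind located its key."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = SYSTEMLOOK_KEY_RE.match(raw.strip())
        if m:
            found.setdefault(m.group(2), []).append(m.group(1))
    return found


if __name__ == "__main__":
    services = parse_combofix_services(SAMPLE_COMBOFIX)
    for e in orphaned_services(services):
        kind = "driver" if e.start_type == 0 else "service"
        print(f"orphaned {kind} key: {e.name} -> {e.image_path}")
    for name, sets in systemlook_service_keys(SAMPLE_SYSTEMLOOK).items():
        print(f"{name}: key present in {', '.join(sets)}")
```

On the sample, the three "[?]" entries (adwarealert, npggsvc, SjyPkt) come out as orphans and SjyPkt is reported in all four control sets, matching the SystemLook result above; an orphan that is also boot-start, such as adwarealert here, is the one to prioritise.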

Re: Constant redirects from google, can't download virus upd

Post by Gary R » January 20th, 2011, 1:48 pm

I'd like to run a further couple of scans before I give you an all clear.

First

Let's see if you can update Malwarebytes Anti-Malware.

If you can, please update to the latest definitions, then run a scan and post me the log. If not, let me know.

Next

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)

Summary of the logs I need from you in your next post:
  • MBAM log
  • E-Set log


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Constant redirects from google, can't download virus upd

Post by bigcam59 » January 20th, 2011, 2:42 pm

Here is the Malware scan. It did let me upload the new virus definitions.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/20/2011 1:33:00 PM
mbam-log-2011-01-20 (13-33-00).txt

Scan type: Quick scan
Objects scanned: 123244
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
bigcam59
Regular Member
Posts: 17
Joined: January 16th, 2011, 10:48 pm

Re: Constant redirects from google, can't download virus upd

Post by bigcam59 » January 20th, 2011, 4:40 pm

Here's the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=8cf3b42facc5764dbd6476e488fef570
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-20 08:35:57
# local_time=2011-01-20 03:35:57 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1032 16777189 100 95 0 38605321 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=156171
# found=3
# cleaned=0
# scan_time=6602
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{30E16779-58C7-4CE6-A58E-20403265D93A}\RP1388\A0158122.exe a variant of Win32/Adware.HotBar.H application (unable to clean) 00000000000000000000000000000000 I
bigcam59
Regular Member
Posts: 17
Joined: January 16th, 2011, 10:48 pm

Re: Constant redirects from google, can't download virus upd

Post by Gary R » January 20th, 2011, 6:28 pm

Setup files are often falsely flagged as malware because of their functionality; I suspect the first 2 files in the ESET report are just heuristic detections.

Do you know what these 2 files are installers for?

C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe


Are they something that you have installed?

If you need to keep them then we can run further scans to ensure they're safe, or if you're not bothered then we can just remove them.

The other file is an infected System Restore file; it can't re-infect you unless you restore to it, but we'll remove it before we finish. I just need to know first whether you have any reason for wanting to keep the other 2 files, or whether you're happy for them to be removed.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
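Gary's triage of the ESET report sorts the three hits by how much weight they carry: two "probably a variant" heuristic verdicts on installers, and one copy sitting in a System Restore point that is inert unless restored. The Python below is an added example, not ESET's own code or anything from this forum: it parses the "# key=value" header and the detection lines of an ESET Online Scanner log in the format posted above, applies that same triage, and cross-checks the header against the detection lines. The sample log is a trimmed copy of the one in this thread, and the triage labels and installer-name list are this example's own.

```python
"""Parse and triage an ESET Online Scanner log (added example; not ESET code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the ESET log posted above.
SAMPLE_ESET_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# scanned=156171
# found=3
# cleaned=0
# scan_time=6602
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{30E16779-58C7-4CE6-A58E-20403265D93A}\RP1388\A0158122.exe a variant of Win32/Adware.HotBar.H application (unable to clean) 00000000000000000000000000000000 I
"""

# "<path> [probably ]a variant of <threat> <category> (<action>) <32-hex> <flag>"
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<heuristic>probably )?a variant of\s+"
    r"(?P<threat>\S+)\s+(?P<category>\S+)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)

# Example's own list of file names that are usually installers (assumption).
INSTALLER_NAMES = {"setup.exe", "install.exe", "installer.exe"}


@dataclass
class Detection:
    path: str
    heuristic: bool     # "probably a variant of": heuristic, not a signature match
    threat: str
    category: str
    action: str


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(
                path=m["path"], heuristic=m["heuristic"] is not None,
                threat=m["threat"], category=m["category"], action=m["action"]))
    return header, detections


def classify(d: Detection) -> str:
    """Triage label following the reasoning in the thread:
    - a copy under System Volume Information is a System Restore snapshot,
      inert unless that restore point is used; clearing restore points removes it;
    - a heuristic verdict on a setup.exe is a hit on installer behaviour, to be
      confirmed with the user or a second opinion before deleting;
    - anything else is a signature detection to act on."""
    lowered = d.path.lower()
    if "\\system volume information\\" in lowered:
        return "restore-point-copy"
    if d.heuristic and ntpath.basename(lowered) in INSTALLER_NAMES:
        return "heuristic-installer"
    if d.heuristic:
        return "heuristic"
    return "signature"


def consistent(header: Dict[str, str], detections: List[Detection]) -> bool:
    """found= must match the detection lines, and with remove_checked=false
    (a report-only scan, as requested in the thread) nothing may have been cleaned."""
    if int(header.get("found", -1)) != len(detections):
        return False
    if header.get("remove_checked") == "false" and header.get("cleaned") != "0":
        return False
    return True


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_ESET_LOG)
    print(f"scanned={hdr['scanned']} found={hdr['found']} consistent={consistent(hdr, dets)}")
    for d in dets:
        print(f"{classify(d):20} {d.threat:28} {d.path}")
```

On the sample this yields two heuristic-installer hits and one restore-point copy, which is exactly the split Gary draws before deciding what to delete.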

Re: Constant redirects from google, can't download virus upd

Post by bigcam59 » January 20th, 2011, 9:25 pm

Let's get rid of them.
bigcam59
Regular Member
Posts: 17
Joined: January 16th, 2011, 10:48 pm

Re: Constant redirects from google, can't download virus upd

Post by Gary R » January 21st, 2011, 3:06 am

The following will remove the 2 files I asked about; the infected SR file will be removed when we remove Combofix:

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
Code:
:Files
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • No need to post me the log unless OTL is unsuccessful in removing the files.

Note: If necessary, OTL may re-boot your computer, or request that you do so; if it does, re-boot your computer. A log will be produced upon re-boot.

Presuming that it has no problems, then as far as I can see there's no further malware on your computer, in which case:

Wait a few days to ensure your computer is behaving the way you'd expect it to before removing the programs we've used to clean it. Once those programs are removed, any backups they made are lost. To remove them:

First

Let's clear out Combofix and the files/folders it created
  • Click Start > Run
  • Copy/Paste ComboFix /Uninstall into the Run box.
  • Click OK
  • Combofix will now delete its files and folders and also perform the following function.
    • Clears System Restore cache and creates a new Restore point. This will remove any "malicious" System Restore files, which may have been created whilst your computer was infected.
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Next

Let's clear out OTL and the files and folders it created. This will also remove SystemLook and GMER (except for the random named GMER file on your desktop which you'll need to delete manually).
  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet; if your firewall or other defensive programmes alert you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next

ERUNT can be uninstalled using Control Panel > Add/Remove Programs

As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems?
  • If you are, let me know about them.
  • If not, it's time to make your computer more secure.

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

If your computer is running slowly after your clean up, please read.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Constant redirects from google, can't download virus upd

Post by Gary R » January 23rd, 2011, 3:28 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire