Google Redirect Virus

Post by jonahb360 » July 11th, 2011, 2:30 pm

Hi! My fight against the Google Redirect Virus is what brought me here, as I haven't been able to get rid of it in the three months that I've had it. I did a hijackthis scan (in safe mode with networking), the log file of which I will paste below. In case it's needed, I am running Windows 7, and this is the redirect virus that also stops Starcraft 2 from running. Also, do I need to do a scan with any other programs?

Here is the HijackThis log file (DDS is below it):

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:01:45 PM, on 7/11/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Safe mode with network support



Running processes:
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: NetAssistantBHO Class - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\Freeze.com\My.Freeze.com NetAssistant\NetAssistant.dll
O2 - BHO: SMTTB2009 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\HyperCam Toolbar\tbcore3.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\RunOnce: [BrowserChoice] browserchoice.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 10.115.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/stati ... 0.53.0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 6970 bytes



And here is the DDS Log:

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Run by Jonah at 14:49:01 on 2011-07-11
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2038.1191 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\my.freeze.com netassistant\NetAssistant.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\my.freeze.com netassistant\NetAssistant.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\hypercam toolbar\tbcore3.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [BrowserChoice] browserchoice.exe
mRunOnce: [GrpConv] grpconv -o
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/ ... 10.115.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.5.0.cab
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/stati ... 0.53.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{152A5D39-8990-47FF-ABD9-3DFA5852BA95} : DhcpNameServer = 167.206.251.130 167.206.251.129
TCP: Interfaces\{CADC91D2-337F-4AA1-A8CE-391873FA8C60} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CADC91D2-337F-4AA1-A8CE-391873FA8C60}\43432302F4365616E6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CADC91D2-337F-4AA1-A8CE-391873FA8C60}\4496A7A797D41676E6F6C69616 : DhcpNameServer = 167.206.251.130 167.206.251.129
TCP: Interfaces\{CADC91D2-337F-4AA1-A8CE-391873FA8C60}\4496A7A797D41676E6F6C69616D27657563747 : DhcpNameServer = 167.206.251.130 167.206.251.129
TCP: Interfaces\{CADC91D2-337F-4AA1-A8CE-391873FA8C60}\4497E65687 : DhcpNameServer = 192.168.2.1 167.206.251.130 167.206.251.129
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jonah\appdata\roaming\mozilla\firefox\profiles\131o895b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\jonah\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\jonah\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\jonah\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 MpKsl807186aa;MpKsl807186aa;c:\programdata\microsoft\microsoft antimalware\definition updates\{4a30272c-25c2-4d53-bc08-e6f627ff4379}\MpKsl807186aa.sys [2011-7-10 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-7-9 21992]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-4 39984]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2008-3-26 136832]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-23 1343400]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
.
=============== Created Last 30 ================
.
2011-07-10 18:26:18 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a30272c-25c2-4d53-bc08-e6f627ff4379}\MpKsl807186aa.sys
2011-07-10 18:25:32 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a30272c-25c2-4d53-bc08-e6f627ff4379}\mpengine.dll
2011-07-10 10:59:09 -------- d-----w- c:\program files\CCleaner
2011-07-10 10:19:53 388096 ----a-r- c:\users\jonah\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-09 20:34:54 21992 ----a-w- c:\windows\system32\drivers\cpuz135_x32.sys
2011-07-09 20:34:53 -------- d-----w- c:\program files\CPUID
2011-07-09 09:52:05 293376 ----a-w- c:\windows\system32\browserchoice.exe
2011-07-08 20:58:24 -------- d-----w- c:\program files\Core Temp
2011-07-08 11:23:18 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-07-05 04:32:27 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{34abaa8b-6ca3-4752-a2d2-82d3980ed362}\gapaengine.dll
2011-07-05 04:21:02 -------- d-----w- c:\program files\Microsoft Security Client
2011-07-05 04:20:30 240008 ----a-w- c:\windows\system32\drivers\netio.sys
2011-07-05 04:04:14 7074640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e4f658e4-6f5b-4471-9a02-874ac0aebe6a}\mpengine.dll
2011-07-05 02:26:33 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-05 01:58:57 98816 ----a-w- c:\windows\sed.exe
2011-07-05 01:58:57 518144 ----a-w- c:\windows\SWREG.exe
2011-07-05 01:58:57 256000 ----a-w- c:\windows\PEV.exe
2011-07-05 01:58:57 208896 ----a-w- c:\windows\MBR.exe
2011-07-04 01:09:39 -------- d-----w- c:\program files\StarCraft II
2011-06-29 18:35:34 294912 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-29 18:35:27 1401856 ----a-w- c:\windows\system32\mssrch.dll
2011-06-29 18:35:26 1553920 ----a-w- c:\windows\system32\tquery.dll
2011-06-29 18:35:25 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-06-29 18:35:25 428032 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-06-29 18:35:25 337408 ----a-w- c:\windows\system32\mssph.dll
2011-06-29 18:35:24 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-06-29 18:35:24 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-06-29 18:35:24 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-06-29 18:35:24 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-06-27 01:59:38 -------- d-----w- c:\program files\POWERISO
2011-06-25 19:06:46 -------- d-----w- C:\Riot Games
2011-06-25 18:39:36 -------- d-----w- c:\program files\League of Legends
2011-06-25 18:38:42 -------- d-----w- c:\users\jonah\appdata\local\PMB Files
2011-06-25 18:38:37 -------- d-----w- c:\programdata\PMB Files
2011-06-25 18:38:02 -------- d-----w- c:\program files\Pando Networks
2011-06-25 17:02:30 -------- d-----w- c:\users\jonah\appdata\roaming\RIFT
2011-06-24 08:12:17 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-24 08:12:17 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-24 07:53:15 469256 ----a-w- c:\program files\common files\windows live\.cache\c3f8aeea1cc32432b\InstallManager_WLE_WLE.exe
2011-06-24 07:41:44 15712 ----a-w- c:\program files\common files\windows live\.cache\29e932531cc324220\MeshBetaRemover.exe
2011-06-24 07:33:43 94040 ----a-w- c:\program files\common files\windows live\.cache\ac2d3d51cc324118\DSETUP.dll
2011-06-24 07:33:43 525656 ----a-w- c:\program files\common files\windows live\.cache\ac2d3d51cc324118\DXSETUP.exe
2011-06-24 07:33:43 1691480 ----a-w- c:\program files\common files\windows live\.cache\ac2d3d51cc324118\dsetup32.dll
2011-06-24 07:33:40 94040 ----a-w- c:\program files\common files\windows live\.cache\9201a341cc324117\DSETUP.dll
2011-06-24 07:33:40 525656 ----a-w- c:\program files\common files\windows live\.cache\9201a341cc324117\DXSETUP.exe
2011-06-24 07:33:40 1691480 ----a-w- c:\program files\common files\windows live\.cache\9201a341cc324117\dsetup32.dll
2011-06-24 07:30:00 -------- d-----w- c:\users\jonah\appdata\local\Windows Live
2011-06-24 03:26:11 -------- d-----w- C:\$AVG
2011-06-24 02:42:07 -------- d-----w- c:\users\jonah\appdata\roaming\ManyCam
2011-06-24 02:42:07 -------- d-----w- c:\program files\ManyCam 2.4
2011-06-24 02:41:47 -------- d-----w- c:\program files\Ask.com
2011-06-24 01:42:27 -------- d-----w- c:\users\jonah\appdata\roaming\AVG10
2011-06-24 01:38:40 -------- d-----w- c:\programdata\AVG10
2011-06-24 01:37:07 -------- d-----w- c:\program files\AVG
2011-06-24 01:34:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-24 01:13:56 -------- d--h--w- c:\programdata\Common Files
2011-06-24 01:13:05 -------- d-----w- c:\programdata\MFAData
2011-06-24 01:07:59 152848 ----a-w- c:\windows\system32\COMDLG32.OCX
2011-06-24 01:07:58 -------- d-----w- c:\program files\Fake Webcam
2011-06-24 01:07:58 -------- d-----w- c:\program files\common files\fwc
2011-06-15 23:56:02 4005936 ----a-w- c:\windows\system32\GameMon.des
2011-06-15 23:55:50 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-06-15 23:55:50 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-06-15 23:55:29 -------- d-----w- c:\program files\common files\INCA Shared
2011-06-15 12:26:01 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 12:26:01 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-15 12:24:54 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 12:24:54 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 12:24:54 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 08:23:56 60156 ----a-w- c:\windows\system32\drivers\scdemu.sys
2011-06-12 01:44:24 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-12 01:44:24 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-12 01:44:24 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-12 01:44:24 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-12 01:44:24 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-12 01:44:23 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-28 03:00:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-03 04:50:29 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 02:57:34 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 02:57:21 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 02:57:13 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:33:46 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-04-22 19:36:05 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-22 19:31:50 981504 ----a-w- c:\windows\system32\wininet.dll
2011-04-22 19:31:26 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-22 18:23:59 386048 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 14:51:14.38 ===============
jonahb360
Active Member
 
Posts: 2
Joined: July 11th, 2011, 2:12 pm
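For readers who want to triage a log like the one above programmatically, here is an added Python example (not HijackThis, DDS or the forum's tooling) that parses the HijackThis entry format into structured records and flags the lines a helper reads first: registered components whose file is gone, services with no readable publisher, and lines listed twice. The sample log is a handful of lines excerpted from the post above; the flag names are this example's own and carry no verdict about the machine.

```python
"""Parse a HijackThis v2 log into structured entries and flag the ones a
helper reads first.  Added example for this thread, not part of HijackThis,
DDS or the forum's tooling; the sample lines are excerpted from the log
posted above and the flag names are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:01:45 PM, on 7/11/2011

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 6970 bytes
"""

# Every HijackThis entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<tag>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path: drive letter, colon, backslash, then everything up to a quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+')
# Status suffixes HijackThis appends when the referenced file does not exist.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    tag: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Return the first Windows path in the body, minus HijackThis' status suffixes."""
    m = PATH_RE.search(body)
    if not m:
        return None
    path = m.group(0).strip()
    for marker in MISSING_MARKERS:
        if path.endswith(marker):
            path = path[: -len(marker)].strip()
    return path


def flag_entry(entry: Entry) -> None:
    """Attach triage flags.  Names are this example's own, not HijackThis terms."""
    if any(marker in entry.body for marker in MISSING_MARKERS):
        # Registered component or service whose file no longer exists: a leftover
        # from an uninstall, or something a scanner already removed.
        entry.flags.append("orphaned-registration")
    if entry.tag == "O23" and "Unknown owner" in entry.body:
        # HijackThis could not read a company name from the service binary.
        entry.flags.append("unknown-publisher")


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    seen = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, footer and blank lines are not entries
        tag, body = m.group("tag"), m.group("body")
        clsid_m = CLSID_RE.search(body)
        entry = Entry(tag, body, clsid_m.group(0).upper() if clsid_m else None,
                      extract_path(body))
        flag_entry(entry)
        if (tag, body) in seen:
            entry.flags.append("duplicate")  # same line listed twice, as the O10 pair is
        seen.add((tag, body))
        entries.append(entry)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Entries with at least one triage flag, in log order."""
    return [e for e in entries if e.flags]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Number of entries per HijackThis section tag."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.tag] = counts.get(e.tag, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for e in flagged(parsed):
        print(f"{e.tag} [{', '.join(e.flags)}] {e.body}")
```

Run it on a full log instead of `SAMPLE_LOG` to get the flagged lines first; a flag only says where to look, and as the helper notes later in the thread, a scanner's output must not be acted on without review.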

Re: Google Redirect Virus

Post by Scolabar » July 15th, 2011, 3:54 am

Hi jonahb360,

Firstly, welcome to the Malware Removal Forum. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.

I am currently working under the guidance of the MRU teachers, so everything I post to you will need to be reviewed by them.
This additional review process can add some extra time to my responses, but hopefully not too much.
;)

Please note the following important guidelines before proceeding:
  1. The instructions that will be provided are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
  3. Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  4. Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
    Absence of symptoms does not necessarily mean that everything is clear.
  5. DO NOT run any other fix or removal tools unless instructed to do so!
  6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  7. Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Please Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.


If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.

Scolabar
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Google Redirect Virus

Post by jonahb360 » July 17th, 2011, 6:49 am

Sorry for no response, I'm on vacation. I'll edit this as soon as I can.
jonahb360
Active Member
 
Posts: 2
Joined: July 11th, 2011, 2:12 pm

Re: Google Redirect Virus

Post by Scolabar » July 19th, 2011, 3:52 am

Hi jonahb360,

jonahb360 wrote: I'm on vacation. I'll edit this as soon as I can.
Thank you for the update. If possible, please let me know when you intend to return so I can keep this thread open. ;)

Thank you again for your patience. :)

Was there a particular reason for running HijackThis in Safe Mode with Networking? Did you run DDS also in the same manner?

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
ERUNT - Emergency Recovery Utility NT

First we will try to make sure we have a backup of the Registry with ERUNT:

Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
ERUNT (Emergency Recovery Utility NT) by Lars Hederer is a free program that allows you to create a complete backup of your registry and restore it when needed.

  1. Please download ERUNT and save it to your Desktop.
    Note: VISTA users must right-click on erunt-setup.exe and select "Run As Administrator" to run the installation process.
  2. Double-click on erunt-setup.exe to run the installation process.
    Note: If the Open File - Security Warning window pops up, click on the Run button.
  3. Install ERUNT by following the prompts using the default installation settings.
  4. Make sure the first two check boxes Create ERUNT desktop icon and Create NTREGOPT desktop icon are checked.
  5. When you reach the section that asks you to add ERUNT to the Start-Up folder click on the No button. This can be enabled later, if required.
  6. In the final screen make sure the Show documentation option is unchecked. Then click on the Finish button.
  7. Click on the OK button in the Welcome! screen.
  8. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
  9. Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
  10. Click on the Yes button to allow the folder to be created.
    After a short duration the Registry backup is complete! pop-up message will appear.
  11. Now click on OK. A registry backup has now been created.

< STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

Step 2:
OTL - Scan

  1. Please download OTL by Old Timer. Save it to your Desktop.
  2. Double click on OTL.exe to run the program.
    Vista - W7 users: Right-click on OTL.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  3. Under Output, ensure that the Minimal Output option is selected.
  4. Click the Scan All Users checkbox.
    Note: Please leave the remaining selections on the default settings.
  5. Click on Run Scan at the top left hand corner.
  6. When done, two Notepad files will automatically open:
    • OTL.txt <-- Will be opened, maximized.
    • Extras.txt <-- Will be minimized on task bar.
  7. Please Copy and Paste the entire contents of both OTL.txt and Extras.txt files into your next reply.

Step 3:
GMER

The downloaded file will have a random filename. This prevents malware from detecting and blocking it.

Please download GMER ... random named.exe by GMER. An alternative (zip file) download is available here.
IMPORTANT: Do not run any programs while GMER is running.
CAUTION: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

  1. Double-click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    Vista - W7 users: Right-click on random named.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it. If asked, allow the gmer.sys driver load.
  2. If it gives you a warning about rootkit activity and asks if you want to run a scan click on NO. <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (See image below.)
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C: drive)
    • Show All <-- don't miss this one

    [Image: GMER right-hand panel, showing the three boxes listed above unchecked]

  4. If you don't get a warning, then click on the Rootkit/Malware tab at the top of the GMER window.
  5. Click on the Scan button.
  6. Once the scan has finished, click on Save. The Save window will open.
  7. Save the scan results as gmerroot.log to your Desktop.
  8. Double-click on the gmerroot.log file on the Desktop to open it in Notepad.
  9. Copy and Paste the entire contents of gmerroot.log into your next reply.

Step 4:
MGA Diagnostics

  1. Please download this tool from Microsoft and Save it to your Desktop.
  2. Double-click on the MGADiag.exe icon to launch the program.
    Vista - W7 users: Right-click on MGADiag.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
    If you receive an Open File Security Warning click on the Run button.
  3. Click on the Continue button to proceed.
  4. The program will now run. It will take a short while to complete its diagnosis, please be patient.
  5. When it has finished click on the Copy button.
  6. Open Notepad by clicking Start > Run, type in Notepad then click OK.
  7. Paste the copied contents into the new Notepad window and Save the file as mgadiag.txt to your Desktop.
  8. Click on the OK button to exit the MGA Diagnostics program.
  9. Then Copy and Paste the entire contents of mgadiag.txt into your next reply.

Step 5:
CKScanner

  1. Please download CKScanner and Save it to your Desktop.
    Make sure that CKScanner.exe is on your Desktop before running the application!
  2. Double-click on the CKScanner.exe icon to launch the program and then click on the Search For Files button.
    Vista - W7 users: Right-click on CKScanner.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  3. When the scan has finished (the hourglass cursor will disappear when the scan has completed) click on the Save List To File button.
    A text file will be created on your desktop named ckfiles.txt.
  4. Click on the Exit button to close the program.
  5. Double-click on the ckfiles.txt file to open it.
  6. Then Copy and Paste the entire contents of the file into your next reply.

Step 6:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. Was there a particular reason for running HijackThis in Safe Mode with Networking?
  3. Did you run DDS also in the same manner?
  4. OTL.txt.
  5. Extras.txt.
  6. gmerroot.log.
  7. mgadiag.txt.
  8. ckfiles.txt.
  9. Do you have the original Windows installation media for your PC?
  10. How is the computer now running?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Google Redirect Virus

Post by Scolabar » July 21st, 2011, 12:10 pm

Hi jonahb360,

As you have not responded so far to my previous post, please could you confirm that the computer in question will not be used at all whilst you are away?
If not, this kind of defeats the whole object of the malware removal process, and it would be best to create a new topic and wait for a new helper upon your return.

Please confirm one way or the other, thank you.

Scolabar

Re: Google Redirect Virus

Post by Cypher » July 23rd, 2011, 4:36 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns