Google Redirect Virus Not Gone!


by sammi » September 10th, 2013, 6:51 pm

Hi, I'm new to the forum. I know very little about computers, so please bear with me. I apparently acquired a Google Redirect Virus -- my computer slowed down considerably plus all the redirects. I ran Malwarebytes, which supposedly removed the virus, however redirects are still occasionally happening despite subsequent virus scans showing no infection. Computer speed is back to normal, though. Here are my DDS and Attach logs. I hope I did this correctly. Thank you for any help you can offer!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16660
Run by Owner at 18:35:30 on 2013-09-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2940.1490 [GMT -4:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WRSA.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\taskhost.exe
C:\Program Files\Webroot\WRSA.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe
C:\windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Windows\System32\rundll32.exe
C:\windows\SysWOW64\rundll32.exe
C:\windows\system32\RunDll32.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\taskeng.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\windows\System32\sdclt.exe
C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer, optimized for Bing and MSN
uProxyOverride = <local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit = userinit.exe,
BHO: MRI_DISABLED - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
uRun: [Mozilla] rundll32 "C:\Users\Owner\AppData\Local\SupportSoft\Mozilla\ndnk.dll",DllRegisterServer
uRun: [Leadertech Update] regsvr32.exe C:\Users\Owner\AppData\Local\Leadertech\nmwcdclsx64.dll
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
mRun: [VERIZONDM] "C:\Program Files (x86)\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\windows\System32\RunDll32.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{22DB2F9D-437F-4B1B-9D42-0DBD67E386DA} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{3DFFF366-1296-4DF0-B26B-429D10505D4A} : DHCPNameServer = 168.94.0.14 168.94.0.15
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [cAudioFilterAgent] "C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe"
x64-Run: [SmartAudio] "C:\Program Files\CONEXANT\SAII\SAIICpl.exe" /t
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-Run: [TosVolRegulator] "C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe"
x64-Run: [TosSENotify] "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe"
x64-Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
x64-Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\zxfbijwc.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll
.
============= SERVICES / DRIVERS ===============
.
R0 WRkrn;WRkrn;C:\windows\System32\drivers\WRkrn.sys [2012-2-4 112616]
R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\sprtsvc.exe [2011-5-16 206120]
R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);C:\Program Files (x86)\VERIZONDM\bin\tgsrvc.exe [2011-5-16 185640]
R2 WRSVC;WRSVC;C:\Program Files\Webroot\WRSA.exe [2012-2-4 740328]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]
R3 FwLnk;FwLnk Driver;C:\windows\System32\drivers\FwLnk.sys [2010-11-25 9216]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\windows\System32\drivers\L1C62x64.sys [2010-3-4 75816]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-11-25 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-2-5 137560]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2010-11-25 232992]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2011-6-3 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-6-3 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-09-10 09:10:09 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E46412E7-A9F0-4552-8875-3D5D19B51BC4}\offreg.dll
2013-09-10 09:09:07 9515512 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E46412E7-A9F0-4552-8875-3D5D19B51BC4}\mpengine.dll
2013-09-04 11:52:04 -------- d-----w- C:\Users\Owner\AppData\Local\Leadertech
2013-08-13 23:20:55 224256 ----a-w- C:\windows\System32\wintrust.dll
2013-08-13 23:20:55 184320 ----a-w- C:\windows\System32\cryptsvc.dll
2013-08-13 23:20:55 175104 ----a-w- C:\windows\SysWow64\wintrust.dll
2013-08-13 23:20:55 1472512 ----a-w- C:\windows\System32\crypt32.dll
2013-08-13 23:20:55 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll
2013-08-13 23:20:55 139776 ----a-w- C:\windows\System32\cryptnet.dll
2013-08-13 23:20:55 1166848 ----a-w- C:\windows\SysWow64\crypt32.dll
2013-08-13 23:20:55 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll
2013-08-13 23:10:18 1888768 ----a-w- C:\windows\System32\WMVDECOD.DLL
2013-08-13 23:10:18 1620992 ----a-w- C:\windows\SysWow64\WMVDECOD.DLL
2013-08-13 23:09:52 663552 ----a-w- C:\windows\SysWow64\rpcrt4.dll
2013-08-13 23:09:52 1217024 ----a-w- C:\windows\System32\rpcrt4.dll
2013-08-13 22:55:41 39936 ----a-w- C:\windows\System32\drivers\tssecsrv.sys
2013-08-13 22:55:39 1910208 ----a-w- C:\windows\System32\drivers\tcpip.sys
.
==================== Find3M ====================
.
2013-08-09 14:11:28 150160 ----a-w- C:\windows\SysWow64\WRusr.dll
2013-08-09 14:11:28 112616 ----a-w- C:\windows\System32\drivers\WRkrn.sys
2013-08-09 14:11:28 102792 ----a-w- C:\windows\System32\WRusr.dll
2013-07-26 05:13:37 2241024 ----a-w- C:\windows\System32\wininet.dll
2013-07-26 05:12:08 3958784 ----a-w- C:\windows\System32\jscript9.dll
2013-07-26 05:12:04 136704 ----a-w- C:\windows\System32\iesysprep.dll
2013-07-26 05:12:03 67072 ----a-w- C:\windows\System32\iesetup.dll
2013-07-26 03:35:08 2706432 ----a-w- C:\windows\System32\mshtml.tlb
2013-07-26 03:13:24 1767936 ----a-w- C:\windows\SysWow64\wininet.dll
2013-07-26 03:12:04 2877440 ----a-w- C:\windows\SysWow64\jscript9.dll
2013-07-26 03:12:00 61440 ----a-w- C:\windows\SysWow64\iesetup.dll
2013-07-26 03:12:00 109056 ----a-w- C:\windows\SysWow64\iesysprep.dll
2013-07-26 02:49:14 2706432 ----a-w- C:\windows\SysWow64\mshtml.tlb
2013-07-26 02:39:38 89600 ----a-w- C:\windows\System32\RegisterIEPKEYs.exe
2013-07-26 01:59:38 71680 ----a-w- C:\windows\SysWow64\RegisterIEPKEYs.exe
2013-07-19 01:58:42 2048 ----a-w- C:\windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\windows\SysWow64\tzres.dll
2013-07-09 06:03:30 5550528 ----a-w- C:\windows\System32\ntoskrnl.exe
2013-07-09 05:54:22 1732032 ----a-w- C:\windows\System32\ntdll.dll
2013-07-09 05:53:12 243712 ----a-w- C:\windows\System32\wow64.dll
2013-07-09 05:03:34 3968960 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2013-07-09 04:53:47 1292192 ----a-w- C:\windows\SysWow64\ntdll.dll
2013-07-09 04:52:33 5120 ----a-w- C:\windows\SysWow64\wow32.dll
2013-07-09 04:45:07 44032 ----a-w- C:\windows\apppatch\acwow64.dll
2013-07-09 02:49:42 25600 ----a-w- C:\windows\SysWow64\setup16.exe
2013-07-09 02:49:41 7680 ----a-w- C:\windows\SysWow64\instnm.exe
2013-07-09 02:49:39 14336 ----a-w- C:\windows\SysWow64\ntvdm64.dll
2013-07-09 02:49:38 2048 ----a-w- C:\windows\SysWow64\user.exe
.
============= FINISH: 18:36:20.34 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 6/2/2011 8:34:13 PM
System Uptime: 9/8/2013 9:19:53 AM (57 hours ago)
.
Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Celeron(R) CPU 925 @ 2.30GHz | CPU | 2294/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 221 GiB total, 173.146 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP242: 8/14/2013 3:00:16 AM - Windows Update
RP243: 8/18/2013 7:00:15 PM - Windows Backup
RP244: 8/20/2013 8:16:59 AM - Windows Update
RP246: 8/27/2013 7:29:19 AM - Windows Update
RP247: 8/30/2013 9:38:09 AM - Windows Update
RP248: 8/31/2013 1:52:47 PM - Windows Update
RP249: 9/1/2013 7:01:56 PM - Windows Backup
RP250: 9/4/2013 8:10:22 PM - Windows Backup
RP251: 9/6/2013 10:34:01 AM - Windows Update
RP252: 9/8/2013 7:03:05 PM - Windows Backup
RP253: 9/10/2013 5:08:43 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX 64-bit
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Atheros Driver Installation Program
Best Buy pc app
Bing Bar
Conexant HD Audio
D3DX10
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HP Deskjet 1050 J410 series Basic Device Software
HP Deskjet 1050 J410 series Help
HP Deskjet 1050 J410 series Product Improvement Study
HP Photo Creations
HP Update
HPDiagnosticAlert
Intel® Matrix Storage Manager
Internet TV for Windows Media Center
Java(TM) 6 Update 17
Junk Mail filter update
Label@Once 1.0
Malwarebytes Anti-Malware version 1.75.0.1300
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office 2010
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Office 64-bit Components 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 10.0.1 (x86 en-US)
MSVCRT
MSVCRT_amd64
PlayReady PC Runtime amd64
PlayReady PC Runtime x86
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Support.com Toolbar
Support.com Toolbar Updater
Synaptics Pointing Device Driver
Toshiba App Place
TOSHIBA Application Installer
TOSHIBA Assist
Toshiba Book Place
TOSHIBA Bulletin Board
TOSHIBA Disc Creator
TOSHIBA Hardware Setup
TOSHIBA HDD/SSD Alert
TOSHIBA Media Controller
TOSHIBA Media Controller Plug-in
TOSHIBA Quality Application
TOSHIBA Recovery Media Creator
TOSHIBA ReelTime
TOSHIBA Service Station
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
ToshibaRegistration
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Verizon Download Manager
Webroot SecureAnywhere
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Media Center Add-in for Flash
.
==== Event Viewer Messages From Past Week ========
.
9/8/2013 8:37:59 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {0C0A3666-30C9-11D0-8F20-00805F2CD064} and APPID {9209B1A6-964A-11D0-9372-00A0C9034910} to the user Owner-PC\Owner SID (S-1-5-21-220767598-3805166269-1260382394-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
9/7/2013 4:05:51 PM, Error: Service Control Manager [7031] - The WRSVC service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
9/6/2013 5:36:30 PM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
9/3/2013 10:53:16 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
.
==== End Of File ===========================
sammi
Regular Member
 
Posts: 22
Joined: September 10th, 2013, 6:19 pm

Re: Google Redirect Virus Not Gone!

by Gary R » September 12th, 2013, 11:09 am

Looking over your logs, back soon.
Gary R
Administrator
 
Posts: 21866
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Google Redirect Virus Not Gone!

by Gary R » September 12th, 2013, 11:22 am

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.


Unless informed in advance, failure to post replies within 3 days will result in this thread being closed.


Hi sammi

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
  • As you're using Windows 7, it will be necessary to right click all tools we use and select ----> Run as Administrator
If you can do these things, everything should go smoothly.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Not too much showing in your DDS logs, but there are one or two things that need attention. Before that I'd like you to run a few further scans for me, so I can get a better idea what we're up against.

First ...

I'd like to have a look at what Malwarebytes found on your computer ....

  • Launch Malwarebytes Anti-malware
  • Click on the Logs tab
  • Scan down through the list of logs to find the one created when you ran the scan that detected and removed the malware on your computer (they are ordered by date/time, most recent at the bottom)
  • Double click on it to open the log.
  • Copy/Paste it into your next reply please.

Next ...

  • Please download ... ADWCleaner to your Desktop.

    NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.
  • Close your browser and double click on the ADWCleaner icon to launch it.
  • Click on the Scan button, accept any prompts that appear, and allow it to run. It may take several minutes to complete.
  • When it is done click on the Report button and a report log will open on your Desktop.
  • Please post the log in your next reply.

Next ...

Download OTL by OldTimer to your Desktop.

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Summary of the logs I need from you in your next post:
  • Malwarebytes log
  • ADWCleaner log
  • OTL.txt
  • Extras.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21866
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
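Gary R says the DDS log shows "one or two things that need attention". As an added example (not code from this thread, from DDS, or from any tool named above), here is a small Python triage pass over the Run-key lines of the DDS "Pseudo HJT Report" section. It flags autostart entries that hand a DLL under the user profile to rundll32/regsvr32, which is the pattern the two uRun entries in the posted log match; the regexes, the `Finding` class and the triage heuristic are my own, and the sample lines are copied from the log.

```python
import re
from dataclasses import dataclass

# Constructed sample: Run-key lines copied from the "Pseudo HJT Report" section of the
# DDS log posted at the top of this thread. The first two are the entries a triage pass
# should surface; the other three are ordinary vendor autostarts kept as negatives.
SAMPLE_DDS = r'''
uRun: [Mozilla] rundll32 "C:\Users\Owner\AppData\Local\SupportSoft\Mozilla\ndnk.dll",DllRegisterServer
uRun: [Leadertech Update] regsvr32.exe C:\Users\Owner\AppData\Local\Leadertech\nmwcdclsx64.dll
mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
'''

# DDS prefixes: uRun = HKCU\...\Run (per-user), mRun = HKLM\...\Run (machine-wide),
# x64-Run = the 64-bit view of the machine-wide Run key.
RUN_LINE = re.compile(r'^(?P<scope>u|m|x64-)Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Signed Windows host binaries that load whatever DLL they are pointed at, so the
# process list shows only rundll32/regsvr32 and never the DLL's own name.
DLL_LOADER = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?(?:rundll32|regsvr32)(?:\.exe)?"?\s', re.I)
# A .dll argument under a user profile: writable without admin rights, and unusual
# for legitimately installed software, which normally lives under Program Files.
USER_PROFILE_DLL = re.compile(r'[a-z]:\\users\\[^\\]+\\appdata\\[^\s",]+\.dll', re.I)


@dataclass
class Finding:
    scope: str      # "u", "m" or "x64-" as printed by DDS
    name: str       # registry value name, e.g. "Mozilla"
    command: str    # the command line the Run value executes
    reasons: list   # human-readable triage reasons


def parse_run_entries(text):
    """Yield (scope, name, command) for each Run-key line in a DDS Pseudo HJT section."""
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            yield m.group("scope"), m.group("name"), m.group("cmd")


def triage(text):
    """Return a Finding for every Run entry matching the loader-from-user-profile pattern.

    Hypothetical heuristic written for this example: a match means "look at this
    entry", not "this is malware". Every reason is recorded so the reviewer can
    see why the line was flagged.
    """
    findings = []
    for scope, name, cmd in parse_run_entries(text):
        reasons = []
        if DLL_LOADER.match(cmd):
            reasons.append("launched via rundll32/regsvr32 rather than as its own executable")
        if USER_PROFILE_DLL.search(cmd):
            reasons.append("DLL lives under the user profile (AppData), not Program Files")
        if scope == "u" and reasons:
            reasons.append("HKCU Run key: no admin rights were needed to create it")
        if reasons:
            findings.append(Finding(scope, name, cmd, reasons))
    return findings


def flagged_names(text):
    """Just the value names of the flagged entries, handy for a quick comparison."""
    return [f.name for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.scope}Run] {f.name}: {f.command}")
        for reason in f.reasons:
            print("   -", reason)
```

The same pattern is why the process list above shows only rundll32.exe instances and never the loaded DLL by name; cross-checking the "Created Last 30" section (the Leadertech folder dated 2013-09-04) is the natural next step for a reviewer.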

Re: Google Redirect Virus Not Gone!

by sammi » September 12th, 2013, 4:22 pm

Hi Gary R,
Thank you very much for your reply! I scanned your instructions and it seems very overwhelming to me. Everything you've written is like a foreign language to me. I will have to spend a lot more focused time going through your instructions to see if I feel comfortable enough to execute them, but I have to ask:

1) Being that I'm computer illiterate, would it be better (safer) for me just to take the computer back to where I purchased it? The store has its own technical team and I'm wondering if this situation might be better off in their capable hands. If you think so, would you also know about how much it should cost to have my computer cleaned up of malware? I wouldn't know if it should cost $20 or $200. Is TIME an important factor in getting this cleaned up?

2) If I were to do nothing about this, would the redirect remain just a minor inconvenience to me, or would it ultimately progress to more dire circumstances?

Thanks again,
sammi
sammi
Regular Member
 
Posts: 22
Joined: September 10th, 2013, 6:19 pm

Re: Google Redirect Virus Not Gone!

by Gary R » September 12th, 2013, 6:54 pm

First of all, I appreciate that the whole procedure of cleaning a computer of infection online can be a bit intimidating for someone who is trying it for the first time, but if you take the time to read through what I've written so far, you'll see that essentially it's a fairly straightforward procedure, and shouldn't be beyond most people.

Essentially all I've asked you to do so far is ....

  • Look at the logs created by a program that is already installed on your machine (Malwarebytes) and copy/paste it into this topic.
  • Download a couple of free standing (you don't have to install them) programs, and run a couple of scans, then post the logs they create.

You've already been able to run and post DDS logs, so I'm not really asking you to do anything more difficult than that.

Whether you should pay someone to do the whole cleanup for you is something only you can decide. Most "professional" shops will likely just reformat your machine rather than go through the sometimes labour intensive process of cleaning an infection.

If that happens you will lose your personal files and folders unless you back them up to an external device first. So if you decide to get your machine "repaired" at a shop, then backup your personal files and folders to an external device first, and/or make clear to the shop that your personal files/folders are important to you, and that you cannot afford to lose them, so request they make backups that can be restored to your computer once it is clean.

Leaving a re-director in place is not really an option. It's not just the inconvenience of having your searches not go to where you want them to that you have to think about, but also the overall security of your computer. Re-direction is just the outward sign of the infection, and in fact a whole lot more is going on. The sites you visit on the internet are no doubt being logged, and reported to the installer of your infection, along with any other personal information they may choose to take from your machine. If you've ever bought anything online using your computer, this could also include banking and credit card details.

Re: Google Redirect Virus Not Gone!

Unread postby sammi » September 12th, 2013, 7:52 pm

Thank you for this information, Gary R. When I tell you that I'm not tech savvy, I'm embarrassed to say that I even have to look up how to format a disc for backup! It's 8 p.m. here, so I will wait until tomorrow morning (when my brain is fresh) to tackle the procedure you outlined. :)

Re: Google Redirect Virus Not Gone!

Unread postby Gary R » September 13th, 2013, 1:47 am

You shouldn't need to format a disk to back up your files, most plug-in drives come pre-formatted.

At this stage we're just running scans, so although I recommended you back up your personal files and folders, if it's causing you concern, then you can leave that bit out for the moment, and I can step you through the backup process at a later stage, before we actually have to make any "changes" to your computer.

Re: Google Redirect Virus Not Gone!

Unread postby sammi » September 13th, 2013, 1:02 pm

Hi Gary R,
I successfully backed up my files and folders to a disk. The system does prompt me to format the disk, which was no problem.

I began your instructions above and, as I expected, hit a wall very early on. In "Backing up your Registry with TRCB", in the Command Window, bullet 3 says to "Enter the drive letter for the OS, then enter a semicolon, then hit the return key." When I did this, I got the following message:

"'D' is not recognized as an internal or external command, operable program or batch file."

Please advise what to do next.
Thanks,
sammi

Re: Google Redirect Virus Not Gone!

Unread postby Gary R » September 13th, 2013, 3:37 pm

You shouldn't need to enter a drive number when making a backup, did you follow the directions in ... http://www.malwareremoval.com/forum/vie ... 68#p619968

Re: Google Redirect Virus Not Gone!

Unread postby sammi » September 13th, 2013, 4:38 pm

Hi Gary R,
I'll outline the exact steps I took to back up my Registry as per the instructions you provided above in the following sentence:

"Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry."

I clicked on "THIS" and arrived at "Backing up your Registry with TCRB". I then clicked on "Windows 7" instructions and proceeded as per the instructions below:
  • Restart your computer and press F8 until the Advanced Options Menu appeared. (Done)
  • Select "Repair your computer". (Done)
  • Select language and click on "Next". (Done)
  • Enter password and click "OK". (Done)
  • Arrive at screen, "System Recovery Options". My screen said at the top, "Operating System: Microsoft Windows 7 on C; Local Disk."
  • Click on the "Command Prompt" button to open the Command Window, which will display: . . . x:\Windows\system 32> (Done)
  • Enter the drive letter for the OS (Done -- please note I tried entering C; first [see bullet 5], but got the same result as when I then entered D;, that is . . .)

"'C' is not recognized as an internal or external command, operable program or batch file."

I hope this clarifies where I had to stop.
Thanks again,
sammi

Re: Google Redirect Virus Not Gone!

Unread postby sammi » September 13th, 2013, 4:47 pm

I forgot to add, Gary R, that I never saw the screen that you get at this link and never saw the "Tweaking.com" icon:
vie ... 68#p619968

Was I supposed to go to "Tweaking.com" instead of the instructions via "THIS"?

Re: Google Redirect Virus Not Gone!

Unread postby Gary R » September 13th, 2013, 5:46 pm

You didn't read the instructions properly, and instead of going to the "creating a backup" instructions, you've attempted to use the "restoring from a backup" instructions.

Take care to read the instructions at ... viewtopic.php?p=619967#p619967 ... carefully, and you will see a link labelled ... creating a backup ... which leads to this post ... viewtopic.php?p=619968#p619968 ... follow these instructions, and you should find backing up your registry is a relatively simple task.

To be honest, I didn't believe anybody could misinterpret the TCRB instructions, it would seem I was overly optimistic. ;) :D

Re: Google Redirect Virus Not Gone!

Unread postby sammi » September 13th, 2013, 5:55 pm

I warned you about myself. I'm very adept at misinterpreting! I'll try this after dinner. Thanks, sammi.

Re: Google Redirect Virus Not Gone!

Unread postby Gary R » September 13th, 2013, 5:56 pm

No worries, I'm generally pretty patient :). Talk to you again once you've posted the logs I've asked for.

Re: Google Redirect Virus Not Gone!

Unread postby sammi » September 13th, 2013, 7:09 pm

Hi Gary R,
1) Registry has been successfully backed up!! :cheers: :oops:

2) Here is my Malwarebytes Log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.07.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Owner :: OWNER-PC [administrator]

9/7/2013 6:46:29 PM
mbam-log-2013-09-07 (18-46-29).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360621
Time elapsed: 49 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Owner\AppData\Local\Leadertech\nmwcdclsx64.dll (VirTool.Vbcrypt) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Owner\AppData\Local\Leadertech\nmwcdclsx64.dll (VirTool.Vbcrypt) -> Delete on reboot.

(end)
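An added example, not part of this thread and not a Malwarebytes tool: a small parser for the Malwarebytes 1.75 log format posted above. It pulls each "Detected" section apart, lists items marked "Delete on reboot" (the scanner could not remove the file while it was loaded), and flags files that were also found as a loaded memory module, which is why a second scan after restarting is the check that matters here. The log excerpt is constructed from the posted one.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the Malwarebytes 1.75 log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.09.07.06

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Users\Owner\AppData\Local\Leadertech\nmwcdclsx64.dll (VirTool.Vbcrypt) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Owner\AppData\Local\Leadertech\nmwcdclsx64.dll (VirTool.Vbcrypt) -> Delete on reboot.

(end)
"""

# "Memory Modules Detected: 1" -> section name and reported count
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<path> (<family>) -> <action>." -> one detected item
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {section: [(path, family, action), ...]} for every 'X Detected: n' section."""
    sections: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
            continue
        # Skip header lines, blank lines, "(No malicious items detected)" and "(end)".
        if current is None or not line or line.startswith("("):
            continue
        m = ITEM_RE.match(line)
        if m:
            sections[current].append((m.group("path"), m.group("family"), m.group("action")))
    return sections

def pending_reboot_items(sections: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Paths the scanner could only schedule for removal; re-verify them after a restart."""
    return sorted({p for items in sections.values() for p, _, a in items if "reboot" in a.lower()})

def memory_resident_files(sections: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Detected files that were also loaded as a module: active code, not a dormant dropper."""
    modules = {p for p, _, _ in sections.get("Memory Modules", [])}
    return sorted(p for p, _, _ in sections.get("Files", []) if p in modules)
```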