Google redirect popup virus

Lenovo / 8922bgf
March 15, 2009 at 13:47:39
Specs: Microsoft Windows Vista Édition Familiale Basique, 1.6 GHz / 1013 MB
Hi,
Like many, I seem to have a Google redirect popup virus.

When I click on a Google link, a popup appears for some spyware detector or some weird search engine.

Also, when I run AVG and Ad-Aware, I'm not able to do the automatic update. It's blocked.

I've read some other posts and tried some advice, but now I'm stuck.

I hope somebody can help me.

I've run Malwarebytes and HijackThis.

Here is the log:

Malwarebytes' Anti-Malware 1.34
Version de la base de données: 1749
Windows 6.0.6001 Service Pack 1

2009-03-15 15:38:27
mbam-log-2009-03-15 (15-38-27).txt

Type de recherche: Examen rapide
Eléments examinés: 62290
Temps écoulé: 7 minute(s), 4 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 4
Valeur(s) du Registre infectée(s): 11
Elément(s) de données du Registre infecté(s): 12
Dossier(s) infecté(s): 1
Fichier(s) infecté(s): 8

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ca5ed52-f3fb-4414-a105-2e3491156990} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.bemv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur66d9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur686f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6ce2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur708a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf6d8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur66d9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur686f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6ce2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur708a.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurf6d8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{629517ec-8fca-4436-9c63-26da7052b482}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9c260e6b-e5f9-4353-b3e0-8e59e6cac4d8}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9c260e6b-e5f9-4353-b3e0-8e59e6cac4d8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{629517ec-8fca-4436-9c63-26da7052b482}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9c260e6b-e5f9-4353-b3e0-8e59e6cac4d8}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9c260e6b-e5f9-4353-b3e0-8e59e6cac4d8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{629517ec-8fca-4436-9c63-26da7052b482}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9c260e6b-e5f9-4353-b3e0-8e59e6cac4d8}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9c260e6b-e5f9-4353-b3e0-8e59e6cac4d8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-7-6-47-100003619-100007141-100013396-9323.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ssdpsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\Olivier\AppData\Local\Temp\windfr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Olivier\AppData\Local\Temp\sfsrv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
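
To triage a log like the one above, here is an added Python example (not code from the poster, the forum or Malwarebytes) that parses the detection lines, counts threat families, pulls the rogue DNS servers out of the Trojan.DNSChanger entries, and lists the Run/RunServices autostart entries that should be rechecked after a reboot. The sample log is a constructed excerpt of the lines posted above.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines in the Malwarebytes 1.34 log format posted above.
SAMPLE_LOG = r"""
Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur66d9.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.146,85.255.112.76 -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\Windows\System32\ssdpsrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> <rest>"; registry data entries carry "Data: ... ->" in <rest>.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
DATA = re.compile(r"Data: (?P<data>\S+) ->")


def parse_entries(text):
    """Return (item, family, data) tuples for every detection line; section headers are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = DATA.search(m.group("rest"))
        out.append((m.group("item"), m.group("family"), d.group("data") if d else None))
    return out


def family_counts(entries):
    """How many detections each threat family produced."""
    return Counter(family for _, family, _ in entries)


def rogue_dns_servers(entries, trusted=()):
    """DNS servers written into Tcpip\\Parameters NameServer values, minus any the admin trusts."""
    servers = set()
    for item, family, data in entries:
        if family == "Trojan.DNSChanger" and data and item.endswith("NameServer"):
            servers.update(ip for ip in data.split(",") if ip not in trusted)
    return sorted(servers)


def autorun_persistence(entries):
    """Entries planted under CurrentVersion\\Run or RunServices: recheck these after rebooting."""
    return [item for item, _, _ in entries if "\\CurrentVersion\\Run" in item]
```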


#1
March 15, 2009 at 17:43:22
Please post your HijackThis log as well.

Did you reboot after scanning with MalwareBytes?


------
MOS Master Certified
MCP Certified
CCNA Certificate Pending
A+ Certificate Pending

"I have gone to find myself. If I get back before I return, please tell myself to wait."

