Google Redirect Virus

September 28, 2008 at 19:34:03
Specs: Window XP, 512MB Ram

Hehe, sorry I can't fix this redirect virus on my own. My case is extremely similar to HardRock's. Extremely similar. I managed to download both Malware bytes and Hijackthis by downloading them through other sites (the links posted wouldn't direct me). If anyone could take some time to look at it, that would be AWESOME. I've already perused through his case and tried to get a step ahead so as to not waste the time of any generous people passing through (and judging by the amount of fixes I've seen on this site I'm sure there are quite a few).

--Malwarebytes log--

Malwarebytes' Anti-Malware 1.28
Database version: 1221
Windows 5.1.2600 Service Pack 2

9/28/2008 10:13:42 PM
mbam-log-2008-09-28 (22-13-42).txt

Scan type: Quick Scan
Objects scanned: 49569
Time elapsed: 9 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{072039ab-2117-4ed5-a85f-9b9eb903e021} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/system32/nowstarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\NowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\World War I Honors Assignment ? Life in the Trenches.doc (Trojan.Extension.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\windf.hlp (Trojan.Agent) -> Quarantined and deleted successfully.

-Hijack This Log--

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:30 PM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HAURI\Common\Base\VRMONNT.EXE
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMConfig.exe
C:\Program Files\HAURI\ViRobot Desktop 5.0\AntiVirus\hrres.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMProcess.exe
C:\Program Files\HAURI\Common\hsvcmod.exe
C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
C:\Program Files\HAURI\Common\Base\vrmonsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\\bin\tgcmd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\HAURI\Common\Base\VRMONNT.EXE
O4 - HKLM\..\Run: [HAURI Update] C:\Program Files\HAURI\ViRobot Desktop 5.0\HUpdate.EXE 1
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [HEProtect] C:\Program Files\HAURI\ViRobot Desktop 5.0\AntiSpam\HSockPE.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\WINDOWS\system32\drivers\windf.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: PC등록도구를 실행.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {4F32B3DD-507D-4C44-A60F-B15856FEBACD} (HFMeida Control) -
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) -
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ViRobot for WinNT(tm) Folder Protect (HFACSVC) - hauri - C:\Program Files\HAURI\ViRobot Desktop 5.0\AccessControl\HFACSvc.exe
O23 - Service: Hauri Common Service (hsvcmod) - Unknown owner - C:\Program Files\HAURI\Common\hsvcmod.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Micro Innovations\Wireless Keyboard & Mouse Driver\KMWDSrv.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Hauri Firewall (vrfwsvc) - HAURI - C:\Program Files\HAURI\ViRobot Desktop 5.0\PCFirewall\vrfwsvc.exe
O23 - Service: ViRobot Desktop Monitoring (vrmonsvc) - HAURI - C:\Program Files\HAURI\Common\Base\vrmonsvc.exe

End of file - 6484 bytes

Thanks again! (If anyone helps :P)

hehe whoops sorry

See More: Google Redirect Virus

Report •

September 28, 2008 at 19:40:05

You certainly have a baddie, but unfortunately you posted a Hijack This log without being requested to (against forum rules) so this post will get deleted by the moderator.

Once it is deleted post again and state only the problem, no logs please.

Report •

September 28, 2008 at 20:18:07

Well don't I feel stupid!
Thanks for telling me, I'll be sure to do as you say when this gets deleted :P
at least i have the logs now right?
so time saved either way huzzah!
any idea when the moderator will get around to it?

hehe whoops sorry

Report •

September 28, 2008 at 20:24:19

erk before this gets deleted I ran malwarebytes again (a full scan)

seems as if i've caught the perp red handed!

well not really
anyways it deleted something and now google doesn't redirect me all over!

Do I still have a problem?

hehe whoops sorry

Report •

Related Solutions

September 28, 2008 at 21:29:29

This is bad:

O4 - HKLM\..\Policies\Explorer\Run: [DF] C:\WINDOWS\system32\drivers\windf.exe

Report •

September 30, 2008 at 18:41:37

Found it, saw it, destroyed it.


(virus busting sure is fun :P)

hehe whoops sorry

Report •

Ask Question