google redirect virus

July 4, 2009 at 00:36:25
Specs: Windows XP
I have a google redirect virus and need help getting rid of it. Anyone know how to get rid of this? I have malwarebytes which doesn't detect this virus. I also have adaware from lavasoft, panda cloud and pctool firewall and threatfire. Here is my latest Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:46 AM, on 7/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/reqs.php#/p...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 www.antiaware-pro.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cwalsp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c990c86f5e22a) (gupdate1c990c86f5e22a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: NanoServiceMain - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 10960 bytes

What do i do?


See More: google redirect virus

Report •


#1
July 4, 2009 at 07:30:14

Report •

#2
July 4, 2009 at 08:41:50
Panda keeps popping up saying that it has neutralized a virus every once in while. It seems there are a lot of viruses having fun on my computer lately. Here is the Panda report:

Event More details Date/Time Status
Trojan detected Trj/CI.A Location: C:\Program Files\drv\drv.dll 7/4/2009 8:31:21 AM Neutralized
Item unblocked Location: C:\Program Files\drv\drv.dll 7/4/2009 8:30:04 AM Panda Cloud Antivirus has established that the program can be used
Hacking tool detected Rootkit/Agent.LNB Location: C:\WINDOWS\system32\drivers\lfwacn.sys 7/4/2009 12:00:07 AM Neutralized
Trojan detected Trj/CI.A Location: C:\Program Files\drv\drv.sys 7/3/2009 11:32:04 PM Neutralized
Item unblocked Location: C:\Program Files\drv\drv.sys 7/3/2009 11:29:39 PM Panda Cloud Antivirus has established that the program can be used
Trojan detected Trj/CI.A Location: C:\Program Files\drv\drv.dll 7/3/2009 10:51:20 PM Neutralized
Item unblocked Location: C:\Program Files\drv\drv.dll 7/3/2009 10:50:57 PM Panda Cloud Antivirus has established that the program can be used
Suspicious file detected Location: C:\Documents and Settings\Curtis\Local Settings\temp\7zS36.tmp\MSIStart.exe 7/3/2009 10:03:08 PM Neutralized
Suspicious file detected Location: C:\Documents and Settings\Curtis\Local Settings\temp\7zS35.tmp\MSIStart.exe 7/3/2009 10:02:26 PM Neutralized
Item unblocked Location: C:\WINDOWS\system32\wbem\proquota.exe 7/3/2009 7:29:49 PM Panda Cloud Antivirus has established that the program can be used
Trojan detected Trj/CI.A Location: C:\Program Files\drv\drv.dll 7/3/2009 7:27:28 PM Neutralized
Item unblocked Location: C:\Program Files\drv\drv.dll 7/3/2009 7:27:22 PM Panda Cloud Antivirus has established that the program can be used
Scan Scanning: My Computer 7/3/2009 1:41:48 PM Finished
Suspicious file detected Location: C:\WINDOWS\Downloaded Installations\{BBDA860C-E4CC-4246-93D2-7E1E7698BB91}\NETGEAR WG111v3 wireless USB 2.0 adapter.msi[unk_0093][unload.tmp1] 7/3/2009 1:36:00 PM Neutralized
Suspicious file detected Location: C:\Qoobox\Quarantine\C\Documents and Settings\Isaiah\Local Settings\Application Data\umkyw.exe.vir 7/3/2009 1:32:51 PM Neutralized
Trojan detected Trj/CI.A Location: C:\Program Files\drv\drv.sys 7/3/2009 1:26:33 PM Neutralized
Trojan detected Trj/CI.A Location: C:\Program Files\drv\drv.dll 7/3/2009 1:23:59 PM Neutralized
Cookie detected Cookie/BurstBeacon Location: C:\Documents and Settings\Yukino\Cookies\yukino@www.burstbeacon[2].txt 7/3/2009 1:05:12 PM
Cookie detected Cookie/Target Location: C:\Documents and Settings\Yukino\Cookies\yukino@target[1].txt 7/3/2009 1:05:12 PM
Cookie detected Cookie/Go Location: C:\Documents and Settings\Yukino\Cookies\yukino@go[2].txt 7/3/2009 1:05:09 PM
Cookie detected Cookie/BurstNet Location: C:\Documents and Settings\Yukino\Cookies\yukino@burstnet[2].txt 7/3/2009 1:05:08 PM
Cookie detected Cookie/Bluestreak Location: C:\Documents and Settings\Yukino\Cookies\yukino@bluestreak[1].txt 7/3/2009 1:05:08 PM
Cookie detected Cookie/Azjmp Location: C:\Documents and Settings\Yukino\Cookies\yukino@azjmp[2].txt 7/3/2009 1:05:07 PM
Cookie detected Cookie/Atwola Location: C:\Documents and Settings\Yukino\Cookies\yukino@atwola[1].txt 7/3/2009 1:05:07 PM
Cookie detected Cookie/BurstBeacon Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@www.burstbeacon[1].txt 7/3/2009 1:03:21 PM
Cookie detected Cookie/Toplist Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@toplist[1].txt 7/3/2009 1:03:21 PM
Cookie detected Cookie/Target Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@target[2].txt 7/3/2009 1:03:21 PM
Cookie detected Cookie/Starware Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@h.starware[1].txt 7/3/2009 1:03:20 PM
Cookie detected Cookie/Go Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@go[1].txt 7/3/2009 1:03:19 PM
Cookie detected Cookie/BurstNet Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@burstnet[2].txt 7/3/2009 1:03:19 PM
Cookie detected Cookie/Azjmp Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@azjmp[1].txt 7/3/2009 1:03:19 PM
Cookie detected Cookie/Atwola Location: C:\Documents and Settings\Natsumi\Cookies\natsumi@atwola[1].txt 7/3/2009 1:03:19 PM
Cookie detected Cookie/Xiti Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@xiti[1].txt 7/3/2009 12:59:58 PM
Cookie detected Cookie/BurstBeacon Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@www.burstbeacon[2].txt 7/3/2009 12:59:57 PM
Cookie detected Cookie/Go Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@go[2].txt 7/3/2009 12:59:56 PM
Cookie detected Cookie/BurstNet Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@burstnet[2].txt 7/3/2009 12:59:55 PM
Cookie detected Cookie/Azjmp Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@azjmp[1].txt 7/3/2009 12:59:55 PM
Cookie detected Cookie/Com.com Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@com[1].txt 7/3/2009 12:59:55 PM
Cookie detected Cookie/Bluestreak Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@bluestreak[1].txt 7/3/2009 12:59:55 PM
Cookie detected Cookie/Atwola Location: C:\Documents and Settings\Isaiah\Cookies\isaiah@atwola[1].txt 7/3/2009 12:59:55 PM
Trojan detected Generic Malware Location: C:\Documents and Settings\Isaiah\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32 7/3/2009 12:59:43 PM Neutralized
Trojan detected Trj/Agent.MKW Location: C:\Documents and Settings\Curtis\Local Settings\Temporary Internet Files\Content.IE5\1WKF0XNV\uaobttgu[1].htm 7/3/2009 12:44:36 PM Neutralized
Trojan detected Trj/CI.A Location: C:\Documents and Settings\Curtis\Local Settings\temp\~TM59.tmp 7/3/2009 12:44:07 PM Neutralized
Potentially unwanted program detected Application/Psexec.A Location: C:\Documents and Settings\Curtis\Desktop\curtis.exe[32788R22FWJFW\psexec.cfexe] 7/3/2009 12:34:33 PM Neutralized
Potentially unwanted program detected Application/Psexec.A Location: C:\Documents and Settings\Curtis\Desktop\ComboFix.exe[32788R22FWJFW\psexec.cfexe] 7/3/2009 12:34:33 PM Neutralized
Cookie detected Cookie/BurstBeacon Location: C:\Documents and Settings\Asako\Cookies\asako@www.burstbeacon[1].txt 7/3/2009 12:22:17 PM
Cookie detected Cookie/Go Location: C:\Documents and Settings\Asako\Cookies\asako@go[1].txt 7/3/2009 12:22:17 PM
Cookie detected Cookie/BurstNet Location: C:\Documents and Settings\Asako\Cookies\asako@burstnet[2].txt 7/3/2009 12:22:16 PM
Trojan detected Trj/CI.A Location: c:\program files\drv\drv.dll 7/3/2009 12:20:36 PM Neutralized
Cookie detected Cookie/Yadro Location: C:\Documents and Settings\Curtis\Cookies\curtis@yadro[1].txt 7/3/2009 12:13:13 PM
Cookie detected Cookie/Xiti Location: C:\Documents and Settings\Curtis\Cookies\curtis@xiti[1].txt 7/3/2009 12:13:13 PM
Cookie detected Cookie/BurstBeacon Location: C:\Documents and Settings\Curtis\Cookies\curtis@www.burstbeacon[2].txt 7/3/2009 12:13:00 PM
Cookie detected Cookie/Tucows Location: C:\Documents and Settings\Curtis\Cookies\curtis@tucows[1].txt 7/3/2009 12:12:52 PM
Cookie detected Cookie/Toplist Location: C:\Documents and Settings\Curtis\Cookies\curtis@toplist[1].txt 7/3/2009 12:12:50 PM
Cookie detected Cookie/Target Location: C:\Documents and Settings\Curtis\Cookies\curtis@target[1].txt 7/3/2009 12:12:48 PM
Cookie detected Cookie/Go Location: C:\Documents and Settings\Curtis\Cookies\curtis@go[2].txt 7/3/2009 12:12:11 PM
Cookie detected Cookie/FastClick Location: C:\Documents and Settings\Curtis\Cookies\curtis@fastclick[1].txt 7/3/2009 12:12:06 PM
Cookie detected Cookie/Enhance Location: C:\Documents and Settings\Curtis\Cookies\curtis@enhance[2].txt 7/3/2009 12:12:04 PM
Cookie detected Cookie/Doubleclick Location: C:\Documents and Settings\Curtis\Cookies\curtis@doubleclick[1].txt 7/3/2009 12:12:02 PM
Cookie detected Cookie/did-it Location: C:\Documents and Settings\Curtis\Cookies\curtis@did-it[2].txt 7/3/2009 12:12:01 PM
Cookie detected Cookie/Com.com Location: C:\Documents and Settings\Curtis\Cookies\curtis@com[1].txt 7/3/2009 12:11:57 PM
Cookie detected Cookie/BurstNet Location: C:\Documents and Settings\Curtis\Cookies\curtis@burstnet[2].txt 7/3/2009 12:11:52 PM
Cookie detected Cookie/Azjmp Location: C:\Documents and Settings\Curtis\Cookies\curtis@azjmp[2].txt 7/3/2009 12:11:47 PM
Cookie detected Cookie/Atwola Location: C:\Documents and Settings\Curtis\Cookies\curtis@atwola[2].txt 7/3/2009 12:11:47 PM
Cookie detected Cookie/Atlas DMT Location: C:\Documents and Settings\Curtis\Cookies\curtis@atdmt[1].txt 7/3/2009 12:11:46 PM
Cookie detected Cookie/Apmebf Location: C:\Documents and Settings\Curtis\Cookies\curtis@apmebf[1].txt 7/3/2009 12:11:43 PM
Cookie detected Cookie/NewMedia Location: C:\Documents and Settings\Curtis\Cookies\curtis@anm.co[1].txt 7/3/2009 12:11:43 PM
Cookie detected Cookie/YieldManager Location: C:\Documents and Settings\Curtis\Cookies\curtis@ad.yieldmanager[1].txt 7/3/2009 12:11:36 PM
Scan Scanning: My Computer 7/3/2009 12:04:56 PM Started
Trojan detected Trj/CI.A Location: C:\WINDOWS\system32\wbem\proquota.exe 7/3/2009 12:00:15 PM Neutralized
Suspicious file detected Location: C:\WINDOWS\strt_1246573211.exe 7/3/2009 11:59:52 AM Neutralized
Trojan detected Trj/Agent.MKW Location: C:\tcburi.exe 7/3/2009 11:59:50 AM Neutralized
Suspicious file detected Location: C:\Documents and Settings\Curtis\Desktop\curtis.exe 7/3/2009 11:55:53 AM Neutralized
Suspicious file detected Location: C:\Documents and Settings\Curtis\Local Settings\temp\installb[1].exe 7/3/2009 11:55:51 AM Neutralized
Suspicious file detected Location: C:\Documents and Settings\Curtis\Desktop\ComboFix.exe 7/3/2009 11:55:51 AM Neutralized
Trojan detected Trj/CI.A Location: C:\Documents and Settings\Curtis\Local Settings\Temporary Internet Files\Content.IE5\56KB91SO\pdrv[1].exe 7/3/2009 11:55:51 AM Neutralized
Trojan detected Trj/CI.A Location: C:\Documents and Settings\Curtis\Local Settings\Temporary Internet Files\Content.IE5\ZWHVUF1H\installb[1].exe 7/3/2009 11:55:51 AM Neutralized
Suspicious file detected Location: C:\Documents and Settings\Curtis\Local Settings\Temporary Internet Files\Content.IE5\JEFLBVFE\fb.49[1].exe 7/3/2009 11:55:51 AM Neutralized


Is the google redirect virus mentioned there?


Report •

#3
July 4, 2009 at 08:44:14
Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

Related Solutions

#4
July 4, 2009 at 14:41:32
Here's the exact name of the file downloaded in step 1:

GMER1.0.15.14972

Here's the link from rapidshare.com:

http://rapidshare.com/files/2519851...

When I paste the log in I am not able to submit. I'll try it in a separate submission.


Report •

#5
July 4, 2009 at 14:46:45
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#6
July 4, 2009 at 14:47:49
OK, the GMER log is so big that even chopping it in half doesn't allow me to copy and paste it here. Are you able to see it off of the rapidshare.com link or do I need to try to cut it into littler pieces and paste it here? Thanks for all of your help by the way.

Report •

#7
July 4, 2009 at 14:48:34
Follow Response Number 5. Yes i got it via rapidshare.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#8
July 4, 2009 at 16:57:38
OK, you're dealing with someone with a low computer IQ here. I unzipped the avz folder and can't find anything that is labeled "avz.exe." Where can I find this?

Report •

#9
July 4, 2009 at 17:01:44
Its in the avz folder that you extracted or should be. Read directions carefully and look at image tutorial its pretty simple.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#10
July 4, 2009 at 18:45:21
Base
avz Help File
avz.cnt
avz (with russian looking characters after it)
avz internet shortcut (goes to a web page with a whole bunch of russian writing on it)
version.txt

These are the 6 choices that pop up under avz.

If you click on the base folder there are a bunch of icons that end in avz. Is one of these cryptically avz.exe?


Report •

#11
Report •

#12
Report •

#13
July 5, 2009 at 06:25:17
First is one wrong need .zip file.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#14
July 25, 2009 at 00:49:03
Sorry, have been on vacation for a few weeks. Is this the right file here:

http://rapidshare.com/files/2597917...


Report •


Ask Question