redirect virus on work computer

Dell / OPTIPLEX GX520
May 15, 2009 at 08:19:35
Specs: Microsoft Windows XP Professional, 3.391 GHz / 2038 MB
I've got a redirect virus. I thought I cleaned it up a few weeks ago, but now it's back. I haven't gotten one-on-one help yet, but now that I'm ready to destroy this computer, I'm ready to get some help. Please. This virus is infecting a computer at the public library where I work--it is a staff work computer and whatever the redirect virus is, it also conflicts with our circulation software so we are not able to use this machine for ANYTHING. Productivity is lagging. . .help?? I have a HijackThis log ready to post.
thanks, steev baker kewaskum public library


#1
May 15, 2009 at 08:28:06
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE(http://www.z-oleg.com/avz4.zip). Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.


#2
May 15, 2009 at 08:34:27
Wow! That was prompt! Ok, I'm downloading and starting the process right now. I'll post again soon.

steev


#4
May 15, 2009 at 08:57:16
Your log is clean; AVG and Ad-Aware are running.

Attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause AVG/Ad-Aware until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.


#5
May 15, 2009 at 09:01:24
Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.

#6
May 15, 2009 at 09:24:33
Alright, I'm beginning the process. I'll post again later.

steev


#7
May 15, 2009 at 09:49:26
ComboFix 09-05-14.07 - Staff 05/15/2009 11:31.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1644 [GMT -5:00]
Running from: c:\documents and settings\Staff\Desktop\toola.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\oeds.srb

.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-15 14:59 . 2009-05-15 14:59 -------- d-----w c:\program files\Trend Micro
2009-05-07 23:20 . 2009-05-07 23:20 -------- d-----w c:\program files\7-Zip
2009-04-17 13:02 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 13:02 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 13:02 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 13:02 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 13:02 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 13:02 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 13:02 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 13:02 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 13:02 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 13:02 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 13:00 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 13:00 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 14:53 . 2009-04-06 22:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-12 19:30 . 2006-10-02 15:26 -------- d-----w c:\program files\Google
2009-05-04 14:12 . 2008-05-30 14:58 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-04 14:12 . 2008-05-30 14:58 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 23:51 . 2009-04-07 01:36 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-27 23:50 . 2009-04-06 23:50 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-06 23:36 . 2009-04-06 23:36 -------- d-----w c:\program files\Lavasoft
2009-04-06 22:03 . 2006-10-10 17:06 -------- d-----w c:\program files\MARC Magician
2009-04-06 20:32 . 2009-04-06 22:46 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-04-06 22:46 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 19:12 . 2009-04-06 19:12 -------- d-----w c:\program files\Sirsi
2009-04-06 19:11 . 2006-10-02 15:23 -------- d-----w c:\program files\Java
2009-03-09 10:19 . 2008-12-12 16:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-11 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-11 22:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-11 22:00 81920 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-04 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-27 516440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-04 14:12 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/6/2009 6:50 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/30/2008 9:58 AM 325896]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/30/2008 9:58 AM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
S2 gupdate1c954b213100a60;Google Update Service (gupdate1c954b213100a60);c:\program files\Google\Update\GoogleUpdate.exe [12/2/2008 2:13 PM 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{233337c8-954d-11dd-a815-001372873149}]
\Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:50]

2009-05-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-02 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061002
mStart Page = hxxp://www.dell.com
FF - ProfilePath - c:\documents and settings\Staff\Application Data\Mozilla\Firefox\Profiles\cklqua79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sharelibraries.info/
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 11:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SMJSMon.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
.
**************************************************************************
.
Completion time: 2009-05-15 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 16:36

Pre-Run: 65,245,691,904 bytes free
Post-Run: 65,647,616,000 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

134 --- E O F --- 2009-05-14 01:01


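As an added example (not from the thread or from any of its posters), a small Python triage helper that runs over the ComboFix log above and flags the lines a defender would want to look at: the on-access AV that is switched off, the two Security Center overrides, the disabled firewall, the removable-drive AutoRun handler, the file ComboFix removed, and the browser start page and add-on entries that matter when chasing a redirect. The banner, registry and value formats it parses are assumed from the log as posted.

```python
import re
from typing import List

# Lines from the ComboFix log posted in this thread (constructed excerpt, not the whole log).
COMBOFIX_EXCERPT = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\oeds.srb
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{233337c8-954d-11dd-a815-001372873149}]
\Shell\AutoRun\command - PortableApps\PortableAppsMenu\PortableAppsMenu.exe
------- Supplementary Scan -------
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061002
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
"""

BANNER_RE = re.compile(r"^[-(]+\s*(.+?)\s*[-)]+$")   # "(((( Name ))))" or "--- Name ---"

def triage(log_text: str) -> List[str]:
    # One finding per line that weakens the host, records a removal, or steers the browser.
    findings: List[str] = []
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER_RE.match(line)
        if banner:
            section, key = banner.group(1), None       # new section, forget the last reg key
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()                   # registry key the next values belong to
            continue
        if line.startswith("AV:") and "scanning disabled" in line.lower():
            findings.append("AV on-access scanning disabled: " + line[3:].strip())
        elif "Start Page" in line or line.startswith(("FF - plugin:", "FF - component:", "FF - prefs.js:")):
            findings.append("browser start page / add-on to review: " + line)
        elif key and key.endswith("security center") and re.search(r'override"=dword:0*1$', line, re.I):
            findings.append("Security Center warning suppressed: " + line)
        elif key and key.endswith("standardprofile") and line.startswith('"EnableFirewall"= 0'):
            findings.append("Windows Firewall off for the standard profile")
        elif key and "mountpoints2" in key and "autorun" in line.lower():
            findings.append("AutoRun handler on a removable drive: " + line.split(" - ", 1)[-1])
        elif section == "Other Deletions":
            findings.append("ComboFix deleted: " + line)
    return findings
```

Run `triage()` over the full pasted log to get the same list; anything not in these categories is left alone, so it is a starting point for review rather than a verdict.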
#8
May 15, 2009 at 10:55:45
There isn't any trace of a virus or any kind of infection. As for the software conflict, it seems it could be because of AVG. Just a side note: you might also want to switch to http://www.opendns.com. It might solve your redirect issue. However, if you want to reset TCP/IP and Internet Explorer settings to default, you can run this script in AVZ:

Please run this script in AVZ the same way as before.
Also note that after you run this script it will reset your SPI/LSP, TCP/IP and Internet Explorer settings to default; you might not be able to connect to the internet and would have to set your network information again if your network requires manual setup.


begin
 ExecuteRepair(2);
 ExecuteRepair(3);
 ExecuteRepair(4);
 ExecuteRepair(14);
 ExecuteRepair(15);
 RebootWindows(true);
end.



#9
May 15, 2009 at 11:44:33
Everything is working perfectly now. I don't understand how the redirect thing could work if it is not a virus. . .and I haven't heard of any problems with AVG and our library software. I guess I'll have to look into it further. For now, as I said, everything is working great.

Thanks so much for taking the time to help. I really really appreciate it.

steev


#10
May 15, 2009 at 12:21:05
If it's usually not a virus, then it's one of these two:
1) browser plugin
2) DNS server (use http://www.opendns.com/start )

Combofix reset your TCP settings somewhat. Did you run the last AVZ script I gave you?


#11
May 15, 2009 at 12:27:27
Don't forget to uninstall Combofix by: pause AV > Start > Run > type combofix /u > OK. Or Start > Run > type toola /u > OK.
