SERIOUS Virus. Please Help!!

September 30, 2009 at 14:33:26
Specs: Windows Vista
For about a week now, I have noticed when I search in Google, the resulting links redirect me to ads and/or other search engines the first time I click them. I have read other forums on how to fix this problem and ran Malwarebytes, Spybot, Ad-Aware, and AVG in Windows Safe Mode all at separate times. The problem persisted. I downloaded CCleaner and after running it, the problem seemed to be fixed. Then I logged on my computer again today and went to Google and it started again! Is this a serious virus/adware/spyware? Can it be fixed?

EDIT:
Also from time to time, this message pops up:

Your browser is under the threat of infection. Windows requires your permission to install online protection tool. Your browser is run in unsafe mode. Running the protection mode will help you to keep your computer safe. Staying at the suspicious website in unsafe mode may lead to the loss of personal data and computer breakage. To run the web browser in protected mode Windows requires installing the certified antivirus scanner software and online protection tool.
Name: Online Protection Tool
Publisher: Microsoft Windows

It looks like a legit Windows warning, but I am afraid to allow it to install the protection tool because it may just be one of those false anti-virus software programs.




#1
September 30, 2009 at 15:10:01
you can run unhackme:
http://www.greatis.com/unhackme/dow...
Use the beginners guide on the left of the page and run the tests until ALL the infections are cleared up. It will save you loads of time. Most of the redirects are rootkits and unhackme will remove those.

Any things you are not sure of, you can post back here and I'll let you know if it is safe to delete. Read ALL the prompts in unhackme. It will tell you what the problem is and if it is a windows program, etc.
Good Luck
DON'T delete anything you are not sure of

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#2
September 30, 2009 at 15:24:08
Thank you so much. I just ran UnhackMe, and when it comes to registry files, I am computer dumb so I hope you don't mind if I ask you about these.

UnhackMe found 10 suspicious and 1 warning.

Item Name: Pml Driver HPZ12
Author: Unknown
Related File: C:\Windows\system32\HPZipm12.dll
Type: Svchost DLLs

Item Name: Net Driver HPZ12
Author: Unknown
Related File: C:\Windows\system32\HPZinw12.dll
Type: Svchost DLLs

Item Name: hpqddsvc
Author: Unknown
Related File: C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
Type: Svchost DLLs

Item Name: RSELSVC
Author: TOSHIBA Corporation
Related File: C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe /Service
Type: Auto Services

Item Name: TOSHIBA eco Utility Service
Author: TOSHIBA Corporation
Related File: "C:\Program Files\TOSHIBA\TECO\TecoService.exe"
Type: Auto Services

Item Name: TOSHIBA HDD SSD Alert Service
Author: TOSHIBA Corporation
Related File: "C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe"
Type: Auto Services

Item Name: 00TCrdMain
Author:
Related File: %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
Type: Registry Run

Item Name: SmartFaceVWatcher
Author:
Related File: %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
Type: Registry Run

Item Name: Teco
Author:
Related File: "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
Type: Registry Run

Item Name: TosSENotify
Author: TOSHIBA Corporation
Related File: C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
Type: Registry Run

Item Name: BootExecute
Author: Unknown
Related File: autocheck autochk *\n lsdelete
Partizan
Type: Bootexecute



#3
September 30, 2009 at 15:34:30
when you find those entries, click on the leaf that says learn more (not sure on the wording unless I am using the prog)
There it will tell you if the problem is good or bad.
EDIT: or if it is a windows component.

Which one was the warning?

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#4
September 30, 2009 at 15:44:21
The program just listed how many warnings and suspicious files found. It didn't specify which was which.

This one came back as unknown after clicking on the leaf for help:
Item Name: RSELSVC
Author: TOSHIBA Corporation
Related File: C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe /Service
Type: Auto Services

I scanned it and it doesn't say it has any malware but it was 1 unknown. Should I remove this?

EDIT:
Re-scanned this and it was 100% good.



#5
September 30, 2009 at 15:53:21
EDIT: if RSELSVC.exe was classed as good, then mark it as a false positive and let it scan again
Here's news on some of the others:
***********************************************************************************
These 3 are part of your printer so you could name them false positives
Item Name: Pml Driver HPZ12
Author: Unknown
Related File: C:\Windows\system32\HPZipm12.dll
Type: Svchost DLLs

Item Name: Net Driver HPZ12
Author: Unknown
Related File: C:\Windows\system32\HPZinw12.dll
Type: Svchost DLLs

Item Name: hpqddsvc
Author: Unknown
Related File: C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
Type: Svchost DLLs

*******************************************************************************

Download HijackThis
http://download.cnet.com/Trend-Micr...
and post your log here, thanks

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#6
September 30, 2009 at 15:58:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:45 PM, on 9/30/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\TOSHIBA\TANU\TANU.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\UnHackMe\Unhackme.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\UnHackMe\reanimator.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [cfFncEnabler.exe] "C:\Program Files\TOSHIBA\ConfigFree\cfFncEnabler.exe"
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TANU] %ProgramFiles%\TOSHIBA\TANU\TANU.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: TOSHIBA Web Camera Service (camsvc) - TOSHIBA - C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCameraSrv.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: TOSHIBA Modem region select service (RSELSVC) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

--
End of file - 12514 bytes


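As an added example (not code from the thread, from HijackThis or from any tool named here): a small Python triage pass over log lines in the HijackThis format posted above, flagging the entry types most often tied to search or DNS redirects. The host allow-list and the heuristics are my own assumptions, and the sample input mixes four lines from the posted log with three constructed ones.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Matches the "Rn - ..." / "Onn - ..." entry lines of a HijackThis log.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")

# Hosts a stock IE search/start-page setting is expected to point at
# (assumption: extend this for the defaults in your own environment).
KNOWN_SEARCH_HOSTS = ("go.microsoft.com", "www.microsoft.com", "www.google.com")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, raw_line) for every entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("sec"), m.group("body"), raw))
    return entries


def url_host(url: str) -> str:
    """Host part of an http(s) URL, lower-cased; empty string if it is not a URL."""
    m = re.match(r"https?://([^/\s]+)", url)
    return m.group(1).lower() if m else ""


def triage(log_text: str) -> List[Finding]:
    """Flag the entry types most often involved in search/DNS redirects (heuristics)."""
    findings: List[Finding] = []
    for sec, body, raw in parse_entries(log_text):
        if sec in ("R0", "R1") and "=" in body:
            # IE search/start page values: flag a URL on an unexpected host.
            host = url_host(body.split("=", 1)[1].strip())
            if host and not host.endswith(KNOWN_SEARCH_HOSTS):
                findings.append(Finding(sec, "search/start page points at " + host, raw))
        elif sec == "O1":
            # Hosts-file lines: only loopback -> localhost is expected; any other
            # mapping can silently send a search engine's name somewhere else.
            m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", body)
            if m and (m.group(1) not in ("127.0.0.1", "::1")
                      or m.group(2).lower() != "localhost"):
                findings.append(Finding(sec, "hosts file overrides " + m.group(2), raw))
        elif sec == "O2" and body.endswith("(no file)"):
            # A BHO CLSID whose DLL is gone: leftover of a removal, worth cleaning up.
            findings.append(Finding(sec, "BHO registered but its DLL is missing", raw))
        elif sec == "O17":
            # O17 is HijackThis's section for domain/NameServer changes; the log in
            # this thread has none, consistent with the 'log is fine' verdict.
            findings.append(Finding(sec, "DNS/domain setting changed", raw))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every GUI process; confirm the DLL's vendor.
            findings.append(Finding(sec, "AppInit_DLLs entry present; verify vendor", raw))
    return findings


# Sample input: four lines taken from the log posted above, plus three
# CONSTRUCTED lines (example.net and 192.0.2.x documentation ranges) of the
# kind a redirect infection would add.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...",
    r"O1 - Hosts: ::1 localhost",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O1 - Hosts: 192.0.2.10 www.google.com",  # constructed
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.53",  # constructed
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/?q=",  # constructed
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the posted log alone, the only hits are the orphaned BHO and the AVG AppInit_DLLs entry, both of which the helper's reading of the log treats as benign.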

#7
September 30, 2009 at 16:15:46
Your Hijack log is fine. You may want to update your Java.

Oh, I did forget, you said Ccleaner fixed it for a while and now it's back? Did you turn off system restore and then clean it out? If not, try that and don't forget to turn it back on after the problem is fixed.

Is your PC still giving you that pop-up?

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#8
September 30, 2009 at 16:18:51
Yes it popped up a little while ago. The Google redirect is still occurring. I don't understand! Do I need to take my computer to someone? I don't want my information to get stolen..

EDIT:
How do I turn off system restore? Is it in CCleaner? Also, in CCleaner, there are two IP addresses in my Cookies to Delete. The last time there was an IP address in there, I (stupidly, probably) typed it in my address bar to see what it was, and it was one of the ads I am getting redirected to. I did this AFTER the problem had started though and only bc I had never noticed an IP in my CCleaner.



#9
September 30, 2009 at 16:24:35
as asked EDIT:
How to turn off system restore in Vista:
http://www.howtogeek.com/howto/wind...

Also in Ccleaner, click on the registry icon and delete all it finds.

You can uninstall unhackme from add/remove

You can try Trojan Remover, it has a fully functional 30 day trial and remove all it finds:
http://www.simplysup.com/tremover/d...
Another thing I've used in the past is Avast Free. Load it and let it do a bootscan on reboot.
http://www.filehippo.com/download_a...

I was positive unhackme would find it, I've used it many times.

I don't use Combo-fix as a rule, but I understand it is a powerful tool if used properly. I never had the chance to try it. Possibly another malware specialist could help you with that.

PS: I'll be going out for a few hrs and I'll be back on...thanks
xp

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#10
September 30, 2009 at 16:44:35
I did the system restore step and ran CCleaner. I tried out Google and it seemed to be working normally. But it is STILL doing the redirect, so I am going to try the Trojan Remover and Avast. Thanks for all your help so far! Whenever you get back on and reply, an email will alert me on my phone and I will update with whatever Avast and Trojan Remover finds.


#11
September 30, 2009 at 18:48:59
ok, I'm back, how did the other scans go?
Thanks

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#12
September 30, 2009 at 19:47:11
The other scans have found NOTHING!! And I'm still having Google redirects. A pop-up ad just randomly came up as I was typing this message. I am about to pull my hair out over this!


#13
September 30, 2009 at 22:22:36
Hi, I notified another helper and hopefully he can help out with this problem.
Thanks,
XpUser4Real

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#14
September 30, 2009 at 22:46:22
I don't think the problem with my posting is the computer; it seems the forum doesn't want to post a ComboFix log. I get sent to http://www.computing.net/cgi-bin/ww... when I try to post it. Otherwise, I would supply you with it.

EDIT:
I am going to bed now, but I will be back on tomorrow. If you or the other helper come up with any possible solutions, please post them. Thank you again for your help!



#15
October 1, 2009 at 13:20:32
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode and make sure you are connected to internet. If avz.exe doesn't start, then try to rename the file avz.exe to game.pif and try to run it again. Pause/Stop your antivirus, firewall software (if any), close games, text editors and all other programs; leave Internet Explorer/Firefox running, before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility.

--> Please navigate to "File" => "Custom Scripts". Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdate;
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script.

--> Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box. Click on the "Execute selected scripts" button.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip. Upload virusinfo_syscure.zip to rapidshare.com and paste the link here.
* It is necessary now to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

In your next reply, please include download links to the following:
[*] virusinfo_syscure.zip
[*] DDS Logs

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
October 1, 2009 at 16:17:10
Ok so I came home from school for the weekend and we don't have wireless Internet here. I will still do the above mentioned BUT a minute ago I fell asleep watching a video on my computer and woke up to a dinging noise. Turns out SpyWare Doctor ran automatically and found a whopping 201 infections?!?! I am assuming it found them this time bc I am not connected to the Internet?


#17
October 1, 2009 at 16:27:59
Then now would be the time to update and run Malwarebytes' Anti-Malware, if you can.


#18
October 1, 2009 at 16:31:12
I am running Malwarebytes now. I didn't connect to the Internet and update bc at this point I am almost afraid that will make it come back?..I updated it last night though..

EDIT:
I got online and I can't decide if my computer is still doing the redirect or not bc the internet here is a 3G card through Verizon; the service is not as fast. When I click a link, sometimes it will try to send me through but it just sits there like maybe it is trying to do the redirect but my connection is too slow? I can see at the bottom it's trying to send me somewhere but I never go there. It just sits.



#19
October 2, 2009 at 21:59:05
To update my situation:
I took my computer to a computer tech that always handles my family's computers whenever we have problems. He had the thing all day and said there is absolutely nothing on it. Google just redirects me for some odd reason. I guess if he says there's nothing on my computer then I believe him, and I won't waste anyone's time anymore. I can deal with the redirects as long as I know there's nothing hacking my information. I switched to Firefox as the tech recommended and so far the redirect has only happened once. Thanks to everyone who helped me out with this because I was freaking out that something was seriously wrong with my computer..

EDIT:
I am working on the AVZ log right now just to double check nothing is hiding..



#20
October 3, 2009 at 07:59:22
Hi,

Some viruses can work alongside spyware to make detection and removal extremely difficult. You should delete all temp files and also use a registry cleaner, because it involves the use of different applications that do a large bulk of the work in malware or spyware detection.

Windows Xp Registry Cleaner



#21
October 3, 2009 at 13:39:47
hottytoddy88, jdk is the person that is going to help you.

Also, Ccleaner will do all, if not more than the Windows XP Registry Cleaner mentioned in response 20. Ccleaner is TOTALLY free.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#22
October 3, 2009 at 13:42:20
'I took my computer to a computer tech that always handles my family's computers whenever we have problems. He had the thing all day and said there is absolutely nothing on it. Google just redirects me for some odd reason.'

I find that hard to believe, you would NOT get re-directed if the PC was fine. I would suggest running JDK's scans.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#23
October 3, 2009 at 14:17:26
I ran the AVZ scanner last night but was unable to upload before leaving my house this morning bc my mom was using the 3G internet card. I will have the report up when I get home in about 30 minutes and start on the second part of the scans requested. Sorry it takes me so long to get things posted.. I am missing my high speed wireless back at school!

EDIT:
AVZ log:
http://rapidshare.com/files/2883268...

DDS Logs:
http://rapidshare.com/files/2883924...



#24
October 3, 2009 at 23:42:30
Hello HottyToddy88,
if you still have the google redirect problem then try this hijacker removal guide
http://darfuns.com/remove-google-se...
Your computer is infected by a browser hijacker that hijacks and redirects search engine (Google, Bing, Yahoo search) search queries to other sites (possible spam). You should fix the browser hijacker attack to get rid of the problem.
Good luck and Happy Virus Free Computing


#25
October 4, 2009 at 20:11:28
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

2) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#26
October 5, 2009 at 20:05:32
ComboFix Log:
http://rapidshare.com/files/2892215...

C:\qoobox\quarantine
http://rapidshare.com/files/2892213...



#27
October 5, 2009 at 20:20:14
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

2) Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:

    * Drivers
    * Files
    * Processes
    * SSDT
    * Stealth Objects
    * Hidden Services

* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Upload rootrepeal.txt to rapidshare.com and post the download link in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

If I'm helping you and I don't reply within 24 hours send me a PM.



#28
October 6, 2009 at 10:51:36
RootRepeal.txt
http://rapidshare.com/files/2894894...


#29
October 8, 2009 at 17:01:05
Seems like you are infected with a new variant of the virus.

Download and run Kaspersky AVP tool in safe mode: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool in safe mode:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.




#31
October 12, 2009 at 02:32:12
As always... first set about recovering your data/files etc.?

Use a Knoppix or Ubuntu CD/DVD to boot up, after which copy all those files to optical media; verify they are accessible on at least one other system. Then perhaps go as on post-31 immediately above - and wipe/rebuild the system (if all other attempts to remove the problem fail)?



#32
October 12, 2009 at 14:42:18
Are you still having problems?

If I'm helping you and I don't reply within 24 hours send me a PM.



#33
October 14, 2009 at 20:37:46
jdk - I haven't noticed any redirects happening on Google so maybe you have helped me fix the problem!! Were all the logs clean?
