I have had this "Google Redirect Virus" for about 2 months perhaps. I have tried getting rid of it myself and have succeeded but only temporarily.

There have been different issues with searching. For a while, when I would search Google, I would get very few if any results. The results I did receive were oddball sites, often including napster. If I would click on the left side of the Google screen and choose to show results from the "Past Year," things seemed to work okay and I could click a link and go to the desired site. Later, the same links would direct me to some random oddball sites even when I did hit the "Past Year" feature.

I did some research but couldn't find many recent posts on this matter. Eventually, I found some helpful suggestions and ran some programs in safe mode to try to eliminate the virus. I used your malwarebytes program as a matter of fact as well as my antivirus program (AVG). I'm not sure what worked, but the virus went away (for a couple of days).

Then, it returned. Now, Google will return normal looking links without having to hit "Past Year." However, I am getting stranger sites and lots of redirects when clicking on a search-result link.

Google Images has not been working at all either. When I click on that, either I get a new page that says, "This page cannot be shown," or basically nothing happens and I stay on the main Google page.

Even more weird is this.... I just went back to experiment with Google to review exactly what was happening so I could convey them accurately here. Guess what?! The Google search worked correctly! What is going on? Even the images are working. This happened about two weeks ago and then it got screwed up again.

Before I started this report, I did run malwarebytes (Quick Scan) as directed on your site. It found nothing. I am attaching that report along with the other two reports you request.

Thanks for anything you can do to help me remove this virus.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Steve at 15:39:26.12 on Tue 07/24/2012

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.647 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\AVG9\avgchsvx.exe

C:\Program Files\AVG9\avgrsx.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe

C:\Program Files\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVG9\avgam.exe

C:\Program Files\AVG9\avgnsx.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

K:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe

C:\PROGRA~1\AVG9\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\VxBlockServer.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG9\avgemc.exe

C:\Program Files\AVG9\avgcsrvx.exe

C:\Program Files\AVG9\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\notepad.exe

C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ApplicationHistory] rundll32.exe "c:\documents and settings\steve\local settings\application data\capcom\applicationhistory\puevmxe.dll",CreateInstance

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Desktop Disc Tool] "k:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"

mRun: [AVG9_TRAY] c:\progra~1\avg9\avgtray.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - k:\program files\microsoft office\office\OSA9.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: roxio.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

Filter: text/html - {4701c73e-066e-4f3b-a117-6ad3d045087f} -

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg9\avgpp.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\q7of971q.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\steve\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - plugin: c:\windows\system32\npwmsdrm.dll

FF - plugin: k:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: k:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-10-23 52872]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-23 64288]

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-6-30 21488]

R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-6-30 15856]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-4 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-13 29712]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-4 243152]

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-4-27 244736]

R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-6-30 25584]

R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]

R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]

R2 avg9emc;AVG E-mail Scanner;c:\program files\avg9\avgemc.exe [2010-6-21 921952]

R2 avg9wd;AVG WatchDog;c:\program files\avg9\avgwdsvc.exe [2010-6-21 308136]

R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-24 40776]

S0 oqovp;oqovp; [x]

S0 Winda43;Winda43;c:\windows\system32\drivers\winda43.sys --> c:\windows\system32\drivers\Winda43.sys [?]

S1 MpKsla8ba781a;MpKsla8ba781a;\??\c:\program files\windows live safety center\mpksla8ba781a.sys --> c:\program files\windows live safety center\MpKsla8ba781a.sys [?]

S1 MpKslbe4c5fe5;MpKslbe4c5fe5;\??\c:\program files\windows live safety center\mpkslbe4c5fe5.sys --> c:\program files\windows live safety center\MpKslbe4c5fe5.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]

S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]

S2 SessionLauncher;SessionLauncher;c:\docume~1\steve\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\steve\locals~1\temp\dx9\SessionLauncher.exe [?]

S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2012-07-24 18:50:44 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-07-17 03:07:16 11684 ----a-w- c:\documents and settings\steve\.recently-used.xbel

==================== Find3M ====================

2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll

2012-05-28 04:34:12 178688 ----a-w- c:\windows\system32\unrar.dll

2012-05-04 23:29:22 772504 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-05-04 23:29:16 687504 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 15:41:07.09 ===============

mbam-log-2012-07-24 (15-08-43).txt

DDS.txt

Attach.txt


Welcome to the forum.

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


It's getting late here, so I'll be back tomorrow am, MrC

------------------------------------------------------

OK, run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest:

¤¤¤ Registry Entries: 4 ¤¤¤

[BLACKLIST DLL] HKCU\[...]\Run : ApplicationHistory (rundll32.exe "C:\Documents and Settings\Steve\Local Settings\Application Data\CAPCOM\ApplicationHistory\puevmxe.dll",CreateInstance) -> FOUND

[BLACKLIST DLL] HKUS\S-1-5-21-796845957-839522115-496803368-1004[...]\Run : ApplicationHistory (rundll32.exe "C:\Documents and Settings\Steve\Local Settings\Application Data\CAPCOM\ApplicationHistory\puevmxe.dll",CreateInstance) -> FOUND

Now click Delete on the right hand column under Options

--------------------------------

Next.......

Please make sure system restore is running and create a new restore point before continuing.

XP <===> Vista & W7

XP users > please back up the registry using ERUNT.

-----------------------------------------

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC

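The two findings that drive the thread so far are visible in the logs themselves: a Run entry that uses rundll32 to load a DLL from under the user's profile (the puevmxe.dll line RogueKiller flagged), and service/driver entries whose binary DDS could not find ("[x]" / "[?]"). The script below is an added example, not code from DDS, RogueKiller, or MrC's posts; it parses lines in the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" formats and flags both patterns. The sample lines are copied from the log posted above, and the "user-writable path" markers are this example's own heuristic for Windows XP profile and temp locations, not a rule from either tool.

```python
"""Triage helpers for a DDS log (added example; not part of DDS or RogueKiller).

Check 1: Run/RunOnce entries where rundll32 loads a DLL from a user-writable path.
Check 2: service/driver entries whose binary DDS marked "[x]" or "[?]".
Both are review flags, not verdicts: legitimate software can trip either one.
"""
import re

# Constructed sample input: lines copied from the DDS log posted in the thread.
SAMPLE_RUN_LINES = r"""
uRun: [ApplicationHistory] rundll32.exe "c:\documents and settings\steve\local settings\application data\capcom\applicationhistory\puevmxe.dll",CreateInstance
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:\progra~1\avg9\avgtray.exe
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
"""

SAMPLE_SERVICE_LINES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-23 64288]
S0 oqovp;oqovp; [x]
S0 Winda43;Winda43;c:\windows\system32\drivers\winda43.sys --> c:\windows\system32\drivers\Winda43.sys [?]
S2 SessionLauncher;SessionLauncher;c:\docume~1\steve\locals~1\temp\dx9\sessionlauncher.exe --> c:\docume~1\steve\locals~1\temp\dx9\SessionLauncher.exe [?]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-24 40776]
"""

# "uRun" = per-user (HKCU) Run key, "mRun" = machine (HKLM) Run key in DDS output.
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?P<once>Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 command line: <rundll32 exe> <dll path>,<export>; the path may be quoted.
RUNDLL_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# DDS service line: <start type> <name>;<display name>;<path> [<date size> | x | ?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>[^;]*);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<status>[^\]]*)\]\s*$"
)

# Heuristic (this example's own): XP profile and temp locations are writable
# without admin rights, so an autorun that loads code from them deserves a look.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\application data\\",
    "\\locals~1\\",
    "\\temp\\",
)


def is_user_writable(path: str) -> bool:
    """True if the path sits under one of the user-writable markers above."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def parse_run_entries(text: str):
    """Yield one dict per uRun/mRun/mRunOnce line."""
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            yield {
                "hive": "HKCU" if m["hive"] == "u" else "HKLM",
                "once": bool(m["once"]),
                "name": m["name"],
                "cmd": m["cmd"].strip(),
            }


def suspicious_rundll_entries(text: str):
    """Run entries where rundll32 loads a DLL from a user-writable location."""
    hits = []
    for entry in parse_run_entries(text):
        m = RUNDLL_RE.match(entry["cmd"])
        if not m:
            continue
        dll = m["dll"].strip()
        if is_user_writable(dll):
            hits.append({**entry, "dll": dll, "export": m["export"]})
    return hits


def missing_binary_services(text: str):
    """Service/driver entries whose binary DDS marked '[x]' or '[?]'."""
    hits = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        status = m["status"].strip()
        if status in ("x", "?"):
            # DDS prints "recorded path --> resolved path" when they differ;
            # keep the resolved (right-hand) form for the report.
            path = m["path"].split("-->")[-1].strip()
            hits.append({"start": m["start"], "service": m["svc"], "path": path,
                         "status": status, "user_writable": is_user_writable(path)})
    return hits


if __name__ == "__main__":
    for h in suspicious_rundll_entries(SAMPLE_RUN_LINES):
        print(f"[RUN] {h['hive']} {h['name']}: rundll32 loads {h['dll']} ({h['export']})")
    for s in missing_binary_services(SAMPLE_SERVICE_LINES):
        print(f"[SVC] {s['start']} {s['service']}: binary missing [{s['status']}] "
              f"{s['path'] or '(no path recorded)'}"
              + (" (user-writable location)" if s["user_writable"] else ""))
```

Run against the sample, it reports the ApplicationHistory entry in HKCU and the three services with missing binaries (oqovp, Winda43, SessionLauncher); the SessionLauncher hit is additionally tagged because its recorded path is under the user's temp folder. A "[?]" hit is only a prompt to check the entry, as the Roxio entries in the full log show, so the output is a review list for a human, not a removal list.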

Your directions were clear, but I made a little mistake. When running TDSSKiller, I forgot to check the 2 boxes under additional options and stopped the program while it was running to go back and check those boxes. There was a malicious threat found in the first scan but not the second. I am attaching both of the reports in case you need to see them.

TDSSKiller.2.7.48.0_25.07.2012_10.36.38_log.txt

TDSSKiller.2.7.48.0_25.07.2012_10.38.48_log.txt


As you can see by the log, TDSSKiller "nailed" the infection!

Let's run ComboFix to clean up any other malware:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Should I now remove the Recovery Console and uninstall ComboFix?

No, not yet, ComboFix contains all the backup info.

I suggest you keep the recovery console, here's a tweak so the computer will boot faster:

http://www.geekstogo...71#entry1800871

-----------------------------------------------

Please Update and run a Quick Scan with MBAM, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


The last MBAM didn't find anything so there was nothing to remove. I've attached the report.

My computer appears to be running well at this time. Google Search (and Yahoo Search) are working fine. Also, Google Images is working.

I surely should have come here earlier. I like to try to solve problems myself, but this time I couldn't do it. Thanks so much for your help, MrC! I certainly appreciate the service you are providing here.

Is there anything else I should do at this point? And, when I was working with ComboFix, it did say something about deleting it from the computer when your problem was solved. However, if you think it's best to leave it installed on my computer, I will. I'm curious what it even does -- does it do anything in the background?

Also, should I delete all the items that have been quarantined with Malwarebytes?

mbam-log-2012-07-25 (14-55-47).txt


We'll uninstall ComboFix and its files.

You can leave the quarantined files in MB alone or you can select them all and delete, makes no difference.

--------------------------------------------

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)

---------------------------------

Please download OTL from one of the links below: (you may already have OTL on the system)

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com

Save it to your desktop.

Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)

Any other programs or logs you can manually delete.

i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, etc....

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
