dimondwoof Posted December 20, 2010 ID:363198 Share Posted December 20, 2010 I have tried everything I can find, but to no avail. I have a Dell XPS M1730 laptop that has the google redirect virus. The symptoms are from either FireFox or IE 8, every time I click on a link from a search engine result list, I get redirected to a random page and every once in a while the web page that I'm looking at will randomly jump to a new page unless I stop loading the page. I usually open result links in a new tab and then use the Alt-left arrow to back up to the original page.I have used Symantec SEP (version 11), SuperAntiSpyware 4.47, Malwarebyte's Anti-Malware, and Spyware Doctor. Nothing has detected anything except cookies.Can anyone give me a hand getting this cleaned up? I'd really appreciate it! Link to post Share on other sites More sharing options...
dimondwoof Posted December 20, 2010 Author ID:363199 Share Posted December 20, 2010 Also, I'm running Windows 7. Here are other things that I've tried so far:I have SEP 11, SuperAntiSpyware 4.45. Neither of them recognize any threats. I've also run Malwarebyte's Anti-Malware, TDSSKiller, Spyware Doctor, Dr. Web CureIt!, Win32/Olmarik, the latest Windows Malicious Software Removal Tool, all to no avail.I was going to run ComboFix, but then read that I shouldn't run it without help from one of you "trained professionals" , so I thought I'd post here and wait for instructions.I'm an IT tech, so I'm not afraid to get down into the nuts and bolts, so to speak. I haven't had a virus on a machine in 20 years, so it is especially frustrating that I can't get rid of this one! lolAny help I can get would be greatly appreciated. ===========================================DDS.txt:======DDS (Ver_10-12-12.02) - NTFSx86Run by Keith at 16:40:44.13 on Tue 12/14/2010Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.1169 [GMT -8:00]AV: Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}FW: Symantec Endpoint Protection *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}============== Running Processes ===============C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\nvvsvc.exeC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\rundll32.exeC:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exeC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\Dwm.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Windows\Explorer.EXEC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\taskhost.exeC:\Windows\system32\svchost.exe -k apphostC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exeC:\Users\Keith\AppData\Local\CrossLoop\CrossLoopService.exeC:\Windows\system32\svchost.exe -k hpdevmgmtC:\Windows\system32\inetsrv\inetinfo.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exec:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exeC:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exeC:\Windows\System32\svchost.exe -k HPZ12C:\Windows\System32\svchost.exe -k HPZ12c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exeC:\Windows\system32\svchost.exe -k iissvcsC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exeC:\Windows\OEM02Mon.exeC:\Windows\system32\svchost.exe -k HPServiceC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Program Files\HP\HP Software Update\hpwuSchd2.exeC:\Windows\system32\SearchIndexer.exeC:\Program Files\ClipX\clipx.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\I8kfanGUI\I8kfanGUI.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\Yahoo!\Messenger\YahooMessenger.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\TiVo\Desktop\TiVoServer.exeC:\Program Files\TiVo\Desktop\TiVoTransfer.exeC:\Program Files\TiVo\Desktop\TiVoNotify.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Users\Keith\AppData\Roaming\Dropbox\bin\Dropbox.exeC:\Windows\System32\svchost.exe -k LocalServicePeerNetC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exeC:\Windows\system32\DllHost.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\plugin-container.exeC:\Windows\system32\ctfmon.exeC:\Windows\system32\ctfmon.exeC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\Users\Keith\Downloads\Malware Tools\dds.scrC:\Windows\system32\conhost.exe============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/igBHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dllBHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dllBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dllBHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dllBHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dllBHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLLBHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dllBHO: Java Link to post Share on other sites More sharing options...
Staff screen317 Posted December 21, 2010 Staff ID:363668 Share Posted December 21, 2010 Hi and welcome to Malwarebytes.Please update MBAM, run a Quick Scan, and post its log.Download the file TDSSKiller.zip and extract it into a folder on the infected PC.Execute the file TDSSKiller.exe by double-clicking on it.Wait for the scan and disinfection process to be over.When its work is over, the utility prompts for a reboot to complete the disinfection.By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).The log is like UtilityName.Version_Date_Time_log.txt.for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.Please post that log here. Link to post Share on other sites More sharing options...
dimondwoof Posted January 14, 2011 Author ID:374007 Share Posted January 14, 2011 My apologies for the delay. I just started a new job and got extremely busy, but I'm ready to tackle this issue now.Attached are the 2 logs you requested.Thanks so much for your help.TDSSKiller.2.4.6.0_07.11.2010_06.46.58_log.txtmbam_log_2011_01_14__08_26_49_.txt Link to post Share on other sites More sharing options...
dimondwoof Posted January 14, 2011 Author ID:374010 Share Posted January 14, 2011 Attached are the 2 logs you requested.Thanks so much for your help.DOH! Wrong TDSS log. Here is the correct one from today. Sorry about that.TDSSKiller.2.4.11.0_14.01.2011_08.30.37_log.txt Link to post Share on other sites More sharing options...
Staff screen317 Posted January 15, 2011 Staff ID:374329 Share Posted January 15, 2011 Hi,Again, please update MBAM first, then run a Quick Scan, and post its log. Link to post Share on other sites More sharing options...
dimondwoof Posted January 17, 2011 Author ID:375109 Share Posted January 17, 2011 Hi,Again, please update MBAM first, then run a Quick Scan, and post its log.Sorry. Here you go.mbam_log_2011_01_16__21_35_43_.txt Link to post Share on other sites More sharing options...
Staff screen317 Posted January 18, 2011 Staff ID:375959 Share Posted January 18, 2011 Hi,Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.-screen317 Link to post Share on other sites More sharing options...
dimondwoof Posted January 22, 2011 Author ID:377700 Share Posted January 22, 2011 Hi,Please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.-screen317Here is the ComboFix.txt. However, I can't find instructions on how to get the DDS log. What program do I use for that?ComboFix.txt Link to post Share on other sites More sharing options...
Staff screen317 Posted January 22, 2011 Staff ID:377730 Share Posted January 22, 2011 Hi,I see the Ask Toolbar in your log.I strongly recommend you remove Ask Toolbar from your computer because:It promotes its toolbars on sites targeted at kids.It promotes its toolbars through ads that appear to be part of other companies' sites.It promotes its toolbars through other companies' spyware.It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.It Solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.It makes confusing changes to user's browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.You can read more about Ask.com hereTo remove it:Click Start-->Control Panel-->Programs and FeaturesClick on the program name AskBarDis to highlight itFrom the menu at the top, select Uninstall or Remove.Please reboot the computer.Next, please run a free online scan with the ESET Online ScannerNote: You will need to use Internet Explorer for this scan.Tick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the ActiveX control to installClick StartMake sure that the options Remove found threats and the option Scan unwanted applications is checkedClick ScanWait for the scan to finishUse Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txtCopy and paste that log as a reply to this topicNext, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.Let me know how things are running now and what issues remain.-screen317 Link to post Share on other sites More sharing options...
dimondwoof Posted January 22, 2011 Author ID:377858 Share Posted January 22, 2011 [*]Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt/SecurityCheck.exe"]here.Here are the 2 logs. No viruses found with ESET, but my computer seems to not be redirecting anymore. Hopefully it'll stick! If you see anything in the logs that might be a problem, please post. I'll check back on this thread over the next couple of days to see if you post anything else. Thanks so much!log.txtcheckup.txt Link to post Share on other sites More sharing options...
Staff screen317 Posted January 26, 2011 Staff ID:379660 Share Posted January 26, 2011 Hi, My apologies for the delay; somehow this topic slipped through the cracks.Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstallThis uninstalls all of ComboFix's components.Delete SecurityCheck.After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program:Adobe Reader 9.4.1 Restart your computer.Get the latest version of Adobe Reader.Let me know what issues remain.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted February 8, 2011 Staff ID:386146 Share Posted February 8, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts