go.google.com hijack, big mess

dongsy normus

My computer gets bogged down almost instantly on the net now. I can't load antivirus sites, and thanks to the virus I can't even get to http://www.besttechie.net/tools/mbam-setup.exe for the program; it times out. If I try to go through a proxy it doesn't allow me to download it (the software encrypts the file name and messes it up!)

I didn't mention that whenever I search Google now, anything I click goes to go.google.com/xxx and I have to use the cached pages to see anything.

Here's my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:33 PM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PrivacyView Software\Private Proxy\PrivateProxy.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\PrivacyView Software\Private Proxy\plink.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=localhost:1234
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 3188 bytes

jholland1964

Hi, welcome to DaniWeb.
Have you tried Safe Mode with Networking to see if you can access the sites, especially the Malwarebytes program?
Judy

dongsy normus

I should mention that Avira can update but other programs can't. Here's the Avira log; nothing to note really, because the problem persists.

Avira AntiVir Personal
Report file date: Saturday, September 27, 2008 23:11

Scanning for 1646367 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: HP_Administrator
Computer name: NN

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.6.217 3773440 Bytes 9/26/2008 01:27:16
ANTIVIR3.VDF : 7.0.6.219 14336 Bytes 9/27/2008 01:27:04
Engineversion : 8.1.1.35
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.76 319867 Bytes 9/19/2008 01:23:23
AESCN.DLL : 8.1.0.23 119156 Bytes 7/10/2008 18:44:49
AERDL.DLL : 8.1.1.2 438644 Bytes 9/19/2008 01:23:22
AEPACK.DLL : 8.1.2.3 364918 Bytes 9/25/2008 01:27:08
AEOFFICE.DLL : 8.1.0.25 196986 Bytes 9/19/2008 01:23:21
AEHEUR.DLL : 8.1.0.59 1438071 Bytes 9/19/2008 01:23:21
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/10/2008 18:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 9/19/2008 01:23:18
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 14:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 9/19/2008 01:23:17
AEBB.DLL : 8.1.0.1 53617 Bytes 7/10/2008 18:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 9/19/2008 01:23:16
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, September 27, 2008 23:11

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'plink.exe' - '1' Module(s) have been scanned
Scan process 'PrivateProxy.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'arservice.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD3
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD4
[INFO] No virus was found!
[WARNING] System error [21]: The device is not ready.
Master boot sector HD5
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '56' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A56NQFCH\click[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4948054a.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A56NQFCH\guest[1].htm
[DETECTION] Contains recognition pattern of the JS/Dldr.IFrame.FL Java script virus
[NOTE] The file was moved to '49440559.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EVQL4N01\CAL48RPT.htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '492b052d.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EVQL4N01\log[1].htm
[DETECTION] Contains recognition pattern of the JS/Dldr.IFrame.FD Java script virus
[NOTE] The file was moved to '49460561.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EVQL4N01\news[1].htm
[DETECTION] Contains recognition pattern of the JS/Dldr.IFrame.FK Java script virus
[NOTE] The file was moved to '49560557.qua'!


End of the scan: Sunday, September 28, 2008 00:18
Used time: 1:07:05 Hour(s)

The scan has been done completely.

10272 Scanning directories
379155 Files were scanned
5 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
5 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
379148 Files not concerned
8596 Archives were scanned
5 Warnings
5 Notes

jholland1964

Can you disable this program?
C:\Program Files\PrivacyView Software\Private Proxy\plink.exe

This is what is probably causing the problem you note here:

(the software encrypts the file name and messes it up!)

because this is exactly what the program is supposed to do. From what I could find, it does the following:

encrypts all the Internet files you download including images, movies, cookies, history and temp files.

I know nothing about this program and I don't know if this is something you use all the time or just tried today, but for now anyway it is no help whatsoever. If you use it all the time you are either going to have to uninstall it and then put it back on later, or turn it off. If it is something you just installed today then get rid of it. I don't even think that the HJT log is accurate.
Judy

hughv

I solved this by running Malwarebytes in Safe Mode.

dongsy normus

Can you disable this program?
C:\Program Files\PrivacyView Software\Private Proxy\plink.exe

This is what is probably causing the problem you note here, because this is exactly what the program is supposed to do. From what I could find, it does the following:

I know nothing about this program and I don't know if this is something you use all the time or just tried today, but for now anyway it is no help whatsoever. If you use it all the time you are either going to have to uninstall it and then put it back on later, or turn it off. If it is something you just installed today then get rid of it. I don't even think that the HJT log is accurate.
Judy

This program was downloaded after the virus. I was referring to proxy portals like unblockbess.com, pimpmyip.com and anonymouse.org. The software that's on my computer doesn't encrypt the names and was off when I tried to download the file. Per others' stories, this virus keeps you from visiting antivirus sites, getting downloads and the like, which is why I can't download the file (the virus times out the connection with the site).

dongsy normus

Can anyone upload the Malwarebytes software to somewhere like RapidShare for me so I can get it there?

dongsy normus

Got someone to send me Malwarebytes.

Cleaned it up!!

Report:

Malwarebytes' Anti-Malware 1.28
Database version: 1219
Windows 5.1.2600 Service Pack 2

9/28/2008 1:58:25 PM
mbam-log-2008-09-28 (13-58-25).txt

Scan type: Full Scan (C:\|D:\|L:\|)
Objects scanned: 215075
Time elapsed: 1 hour(s), 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 15
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\jokwmp.bsgd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\jokwmp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{92fdcb62-e2cf-45cf-9c86-1c7888620dd5} (Spyware.Sters) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9a4d6763-f6a2-420c-94e6-e2fcad01cd05} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf482d01-1a4e-4f25-a280-103869895127} (Spyware.Sters) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6ba27973-068d-4f85-be84-1251e0b20fd3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83aff385-2051-4ada-8001-549f0a671402} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\drv32dta (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\dlls (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\sessiondata (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\uploadtemp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\myAdmin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\upload (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\user (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\user\admin (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\websvr\addIns\Php\php.exe (Spyware.Pakes) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\map.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\php.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\php4ts.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\dlls\php_sockets.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\addIns\Php\dlls\readme.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\!HDD by HTTP.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\phpinfo.php (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\myAdmin\Download phpmyadmin from sourceforge into this dir.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\BACK.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\BLANK.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\COMPRESSED.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\dnserror.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\dnserror_de.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\FILE.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\FOLDER.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\HTML.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\PAGERROR.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\PHP.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\PICTURE.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\REFRESH.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\system\UPFOLDER.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\user\test.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\websvr\htdocs\user\admin\htaccess.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Unist1.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Uninst2.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cina.ini (Malware.Trace) -> Quarantined and deleted successfully.

jholland1964

That looks like a lot was removed. Can you now do the ESET Online Scanner?
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily disable your current anti-virus program.
* Be sure the option to Remove found threats is un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is checked.
* When you have completed that scan, a scan log ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot the computer. Then run a new HJT scan, save the log, and post back here with the ESET log and the new HJT log.
Judy

nanosani

Although the thread is old, I have successfully fixed this problem and written about the Google redirect virus on my blog. I'm reproducing the steps here so that people who are having this problem may be able to solve it.

1- Run HijackThis and look for R3 entries. Delete those entries which you find suspicious.

2- Go to your Hosts file and make sure you don't have anything nasty there. The default hosts file only includes the localhost entry.

3- Look at the processes running under your username in the Task Manager. Make sure you don’t have anything suspicious running in background.

4- Make sure that you have legitimate primary and secondary DNS servers in your network settings. In case you don't know your ISP's DNS, you can use OpenDNS, whose primary and secondary DNS IP addresses are given below:

208.67.222.222

208.67.220.220

5- Now disable System Restore and re-enable it again to make sure that all your restore point data is lost and the virus is not residing in the System Restore data files.

6- Also run CCleaner to clean the temporary and junk files to make sure everything is gone.

7- Reboot your computer and see if the problem persists.
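As an added example (not code from the thread or from any of its posters), here is a small Python audit for steps 2 and 4 above: it flags hosts-file entries that are not plain loopback mappings, pulls the resolver addresses out of `ipconfig /all` output, and reports any resolver not on a trusted list. The hosts text, the ipconfig output, the watched domain list and the trusted resolver list are all constructed or assumed for illustration.

```python
"""Audit a Windows hosts file and configured DNS servers for the kind of
tampering behind search redirects and blocked antivirus sites.
Example code; sample inputs below are constructed, not taken from a real PC."""
import ipaddress
import re

LOOPBACK = ("127.0.0.1", "::1")          # the only addresses a stock hosts file maps

# Resolvers the thread names as legitimate (OpenDNS); add your ISP's own here.
TRUSTED_DNS = {"208.67.222.222", "208.67.220.220"}

# Domains whose hijack would explain the thread's symptoms (assumed list).
WATCHED = ("google.com", "malwarebytes.org", "avira.com", "besttechie.net")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower()

def suspicious_hosts(text):
    """Return (kind, ip, host) for every entry that is not 'loopback -> localhost'.
    A watched domain is reported as 'redirect' (sinkholing an AV site to
    127.0.0.1 or pointing a search engine elsewhere); anything else as 'unexpected'."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost" and ip in LOOPBACK:
            continue
        watched = any(host == w or host.endswith("." + w) for w in WATCHED)
        findings.append(("redirect" if watched else "unexpected", ip, host))
    return findings

def dns_from_ipconfig(text):
    """Extract resolver addresses from `ipconfig /all` output (XP layout:
    a 'DNS Servers' line, extra resolvers on the indented lines after it)."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        stripped = line.strip()
        if collecting and re.fullmatch(r"[0-9a-fA-F.:]+", stripped):
            servers.append(stripped)
        else:
            collecting = False
    return servers

def untrusted_dns(servers):
    """Return resolvers that are malformed or not in TRUSTED_DNS."""
    bad = []
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)
            continue
        if s not in TRUSTED_DNS:
            bad.append(s)
    return bad

# Constructed samples: one AV site sinkholed, Google pointed at a documentation IP,
# and a second resolver that is not on the trusted list.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
203.0.113.5     www.google.com   # constructed entry
"""
SAMPLE_IPCONFIG = """Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            203.0.113.53
"""

if __name__ == "__main__":
    for finding in suspicious_hosts(SAMPLE_HOSTS):
        print("hosts:", *finding)
    print("untrusted DNS:", untrusted_dns(dns_from_ipconfig(SAMPLE_IPCONFIG)))
```

On a real machine, paste the contents of C:\WINDOWS\system32\drivers\etc\hosts and the output of `ipconfig /all` in place of the two samples.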
