My Pc is affecting from search redirection virus. Even though I was able to start and scan with Malwarebyte Antivirus, it is not able to detect the virus, but all my google search result click are redirect to some other pages. I am attaching the HijackThis logs. Could you please provide me some help in removing this virus?


Thanks in Advance

Please do not attach your logs. Paste them into your post instead.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Download the update from here if you have problems.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Make sure that you restart the computer.

Post new HJT log.

I have attached and also posted below the malwarebytes log file and hijackthis logfile. Please help me in solving this problem.

I have scanned with malwarebytes and the contents of the logfile are

Malwarebytes' Anti-Malware 1.39
Database version: 2440
Windows 5.1.2600 Service Pack 3

7/16/2009 11:12:01 AM
mbam-log-2009-07-16 (11-11-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 337428
Time elapsed: 1 hour(s), 24 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fa29a810-4e30-4c71-bc79-38335f93426b} (Password.Stealer) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spnmld.dll (Password.Stealer) -> No action taken.

hijackthis log contents :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:24 PM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\program files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RealVNC\VNC4\vncviewer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cmd.exe
C:\cygwin\bin\bash.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\reddan01\My Documents\Downloads\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://monitor-plus/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://monitor-plus/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\285c5aed-13d7-4ac6-a8ad-37d74a8d3e54.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\reddan01\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.apdev01
O15 - Trusted Zone: *.apdev02
O15 - Trusted Zone: *.d1uap
O15 - Trusted Zone: *.d2uap
O15 - Trusted Zone: http://project.enterprisenet.org
O15 - Trusted Zone: *.enterprisenet.org
O15 - Trusted Zone: *.i2uap
O15 - Trusted Zone: *.i7uap
O15 - Trusted Zone: *.iuapdc
O15 - Trusted Zone: *.iuapuatdc
O15 - Trusted Zone: *.livemeeting.com
O15 - Trusted Zone: *.nielsen.com
O15 - Trusted Zone: communitysharepoint.nielsenmedia.com
O15 - Trusted Zone: coresharepoint.nielsenmedia.com
O15 - Trusted Zone: d1uap.nielsenmedia.com
O15 - Trusted Zone: d2uap.nielsenmedia.com
O15 - Trusted Zone: i2uap.nielsenmedia.com
O15 - Trusted Zone: i7uap.nielsenmedia.com
O15 - Trusted Zone: localsharepoint.nielsenmedia.com
O15 - Trusted Zone: mtssharepoint.nielsenmedia.com
O15 - Trusted Zone: nationalsharepoint.nielsenmedia.com
O15 - Trusted Zone: nlighten.nielsenmedia.com
O15 - Trusted Zone: nmrsharepoint.nielsenmedia.com
O15 - Trusted Zone: p2uap.nielsenmedia.com
O15 - Trusted Zone: p3uap.nielsenmedia.com
O15 - Trusted Zone: umi-c001-m1.nielsenmedia.com
O15 - Trusted Zone: umi-c001-m2.nielsenmedia.com
O15 - Trusted Zone: umi-c001-m3.nielsenmedia.com
O15 - Trusted Zone: umi-c004-m7.nielsenmedia.com
O15 - Trusted Zone: umi-c005-m1.nielsenmedia.com
O15 - Trusted Zone: umi-c005-m2.nielsenmedia.com
O15 - Trusted Zone: umi-c005-m5.nielsenmedia.com
O15 - Trusted Zone: umi-c005-m7.nielsenmedia.com
O15 - Trusted Zone: *.p2uap
O15 - Trusted Zone: *.p3uap
O15 - Trusted Zone: *.puap01
O15 - Trusted Zone: *.puapcr
O15 - Trusted Zone: *.umi-c001-m1
O15 - Trusted Zone: *.umi-c001-m2
O15 - Trusted Zone: *.umi-c001-m3
O15 - Trusted Zone: *.umi-c004-m7
O15 - Trusted Zone: *.umi-c005-m1
O15 - Trusted Zone: *.umi-c005-m2
O15 - Trusted Zone: *.umi-c005-m5
O15 - Trusted Zone: *.umi-c005-m7
O15 - Trusted Zone: iti-sharedservices.vnuinc.org
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://courtside.nba.com/qp2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/063854f625b5fdcc6d06/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240250948637
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = enterprisenet.org
O17 - HKLM\Software\..\Telephony: DomainName = enterprisenet.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = enterprisenet.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = enterprisenet.org
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrlAPI - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - Unknown owner - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\lotus\notes\ntmulti.exe
O23 - Service: Symantec Ghost Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8880 bytes

Ok, but when I asked not to attach the logs, that is what I meant :).
Anyway, you never posted the MBA-M log, just one and a half hijackthis logs.

I have posted the MBA-M log also, bacause of wrong formatting it is not showing up there i think. That's why I have attached the file. Anyway I am pasting the log again here.


Malwarebytes' Anti-Malware 1.39
Database version: 2440
Windows 5.1.2600 Service Pack 3

7/16/2009 11:12:01 AM
mbam-log-2009-07-16 (11-11-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 337428
Time elapsed: 1 hour(s), 24 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fa29a810-4e30-4c71-bc79-38335f93426b} (Password.Stealer) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spnmld.dll (Password.Stealer) -> No action taken.

MBA-M log says you took no action when I requested that you remove what is found. Did you remove or did you post the wrong log?

==

If you have any online bank accounts, change the passwords.

==

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

• Kaspersky Online Scanner • Panda Active Scan • Trend Micro HouseCall • F-Secure Online Virus Scanner

I have removied all the threats shown in MBA-M scan. the Log I posted is before cleaning.

I have scanned with eset scanner and the log is as below.

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=e0551230719f684d992d29bfeca11601
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-07-17 01:24:36
# local_time=2009-07-17 09:24:36 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=224772
# found=2
# cleaned=2
# scan_time=2523
C:\Documents and Settings\reddan01\Local Settings\Temp\UAC46.tmp Win32/Olmarik.IF virus (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\reddan01\Local Settings\Temp\~TM11.tmp a variant of Win32/Kryptik.WR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


C:\Documents and Settings\reddan01\Local Settings\Temp\UAC46.tmp Win32/Olmarik.IF virus deleted - quarantined
C:\Documents and Settings\reddan01\Local Settings\Temp\~TM11.tmp a variant of Win32/Kryptik.WR trojan cleaned by deleting - quarantined

Ok. How is your PC now?

Ok. How is your PC now?

I don't see any better now. The google search results clicks still getting redirected to something else.

Anything else that i can do?

Which browser is affected?

Which browser is affected?

firefox and ie both. But my chrome works fine. I have tried uninstatlling firefox and installed fresh, but doesn't work.


Any suggestions wiil be helpful. Thanks in advance.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

Got it solved myself. I have installed microsft onecare trial version. Which cleaned up all the viruses from my pc, even though it made my system slower while it is running.


Thanks Crunchie for helping me to some extent.


Thanks again

Did you try gooredfix?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.