Help google redirect virus?

Hi, I wondered if anyone could help? I seem to have some sort of virus but am struggling to remove it. If I try and search Google I'm getting redirected and then getting messages saying 302 moved, the document has moved here. With the word here looking like a link, which I haven't clicked. The laptop is a works laptop and part of a network, although I am using it as a standalone. Our techies are all off for two weeks now so unless I can sort it myself I'm a bit stuck. The antivirus used is Sophos and I've tried Spybot and Ad-Aware but they're not finding anything. Not really sure what I'm doing, so if anyone can help I'd be grateful. Thanks

Comments

  • davb
    davb Posts: 1,293 Forumite
    Part of the Furniture Combo Breaker
    The best thing is to scan with MalwareBytes - install, update, full scan, fix and post the log here. Then reboot and use HijackThis - full scan, don't fix anything, just post the log.
  • alm721
    alm721 Posts: 728 Forumite
    Part of the Furniture Combo Breaker
    Thanks, have just downloaded Malwarebytes after reading another thread, have done quick scan, log below, will do full scan now and post back. Thanks
    Malwarebytes' Anti-Malware 1.42Database version: 3409Windows 5.1.2600 Service Pack 3Internet Explorer Unknown22/12/2009 19:05:33mbam-log-2009-12-22 (19-05-33).txtScan type: Quick ScanObjects scanned: 186578Time elapsed: 14 minute(s), 37 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 2Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93628836 (Rogue.Multiple) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14946428 (Rogue.Multiple) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Documents and Settings\MACKENZIEA\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
  • rammy007
    rammy007 Posts: 1,050 Forumite
    Part of the Furniture 500 Posts
    We have had the same problem: when we try to use Google we get directed to something else, then this system security virus pops up
  • alm721
    alm721 Posts: 728 Forumite
    Part of the Furniture Combo Breaker
    Hi, I've just run a full scan and it's found no more errors. (There were 3 when I ran the quick scan but I ticked to fix these). Thanks
    Malwarebytes' Anti-Malware 1.42Database version: 3409Windows 5.1.2600 Service Pack 3Internet Explorer Unknown22/12/2009 20:30:07mbam-log-2009-12-22 (20-30-07).txtScan type: Full Scan (C:\|)Objects scanned: 358023Time elapsed: 1 hour(s), 13 minute(s), 52 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)
    Will go and do the hijack thing now. Thanks again
  • alm721
    alm721 Posts: 728 Forumite
    Part of the Furniture Combo Breaker
    Hi, hope the log is readable, it seems to be copying it in the above format, rather than in lines iyswim. Thanks
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Post #3 is wrong. Have you ticked 'word wrap' in Notepad? We really could do with a proper log. Also, you only ran a QUICK scan, I'd seriously recommend a FULL scan

    For example ~
    Malwarebytes' Anti-Malware 1.41
    Database version: 3137
    Windows 6.0.6002 Service Pack 2

    10/11/2009 07:13:03
    mbam-log-2009-11-10 (07-13-03).txt

    Scan type: Full Scan (C:\|D:\|J:\|)
    Objects scanned: 384239
    Time elapsed: 1 hour(s), 59 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    J:\azureus downloads\vista_x86\Vista.All.x86.OneClick.Activator-CLoNY\VistaActivator.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    reboot

    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click SCAN (Takes seconds) then post the log so we can see what's running
    (do NOT do anything else with Hijack but scan and post the FULL log)
    :idea:
  • alm721
    alm721 Posts: 728 Forumite
    Part of the Furniture Combo Breaker
    Ok, this is the hijack thing. Hope this makes sense to someone, it doesn't to me. Thanks
    Logfile of Trend Micro HijackThis v2.0.2Scan saved at 20:34:26, on 22/12/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\AAWService.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\agrsmsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exeC:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exeC:\Program Files\Sophos\AutoUpdate\ALsvc.exeC:\Program Files\Sophos\Remote Management System\RouterNT.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exec:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exeC:\Program Files\TightVNC\WinVNC.exeC:\Program Files\Lavasoft\Ad-Aware\AAWTray.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Toshiba\Toshiba Applet\thotkey.exeC:\WINDOWS\system32\TPSMain.exeC:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exeC:\WINDOWS\system32\igfxtray.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\TPSBattM.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Activ Software\Activdriver\ActivControl2.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Sophos\AutoUpdate\ALMon.exeC:\Program Files\3\3Connect\AutoUpdateSrv.exeC:\Program Files\Common Files\Macrovision 
Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Documents and Settings\MACKENZIEA\My Documents\mbam-setup.exeC:\DOCUME~1\MACKEN~1\LOCALS~1\Temp\is-P5VUM.tmp\mbam-setup.tmpC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.moneysavingexpert.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O1 - Hosts: ::1 localhostO1 - Hosts: 91.212.127.220 intsecure.microsoft.comO1 - Hosts: 91.212.127.220 intsecure-2009.comO1 - Hosts: 91.212.127.220 https://www.intsecure-2009.comO1 - Hosts: 78.159.110.47 https://www.google.comO1 - Hosts: 78.159.110.47 https://www.google.deO1 - Hosts: 78.159.110.47 https://www.google.frO1 - Hosts: 78.159.110.47 https://www.google.co.ukO1 - Hosts: 78.159.110.47 https://www.google.com.brO1 - Hosts: 78.159.110.47 https://www.google.itO1 - Hosts: 78.159.110.47 https://www.google.esO1 - Hosts: 78.159.110.47 https://www.google.co.jpO1 - Hosts: 78.159.110.47 https://www.google.com.mxO1 - Hosts: 78.159.110.47 https://www.google.caO1 - Hosts: 78.159.110.47 https://www.google.com.auO1 - Hosts: 78.159.110.47 https://www.google.nlO1 - Hosts: 78.159.110.47 https://www.google.co.zaO1 - Hosts: 78.159.110.47 https://www.google.beO1 - Hosts: 78.159.110.47 https://www.google.grO1 - Hosts: 78.159.110.47 https://www.google.atO1 - Hosts: 78.159.110.47 https://www.google.seO1 - Hosts: 78.159.110.47 https://www.google.chO1 - Hosts: 78.159.110.47 https://www.google.ptO1 - Hosts: 
78.159.110.47 https://www.google.dkO1 - Hosts: 78.159.110.47 https://www.google.fiO1 - Hosts: 78.159.110.47 https://www.google.ieO1 - Hosts: 78.159.110.47 https://www.google.noO1 - Hosts: 78.159.110.47 search.yahoo.comO1 - Hosts: 78.159.110.47 us.search.yahoo.comO1 - Hosts: 78.159.110.47 uk.search.yahoo.comO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /STARTO4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exeO4 - HKLM\..\Run: [TPSMain] TPSMain.exeO4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exeO4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [ActivControl] C:\Program Files\Activ Software\Activdriver\ActivControl2.exeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: 
[Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXEO4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logonO4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Copy of TEACHER Shortcut.lnk = Teacher Admin\TEACHER ADMIN Startup.batO4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exeO4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exeO4 - Global Startup: Update Agent.lnk = ?O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program 
Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261231678703O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261231657203O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wscampus.netO17 - HKLM\Software\..\Telephony: DomainName = wscampus.netO17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wscampus.netO17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wscampus.netO20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLLO23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exeO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exeO23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. 
- C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exeO23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exeO23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exeO23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exeO23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exeO23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exeO23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exeO23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exeO23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe--End of file - 10966 bytes
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'm sorry alm but I can't possibly read that. I ask again, do you have 'word wrap' ticked in Notepad?
    :idea:
  • alm721
    alm721 Posts: 728 Forumite
    Part of the Furniture Combo Breaker
    No I don't. I'm not sure why it's doing that, it doesn't look like that on the log? Any idea how I can make it copy correctly?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    How ARE you copying it?

    All I do (And both methods work fine for me) is HIGHLIGHT the text and right click then COPY and PASTE

    or I RIGHT CLICK and SELECT ALL then COPY then PASTE
    :idea:
This discussion has been closed.
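
The HijackThis log posted above lost its line breaks, and its O1 entries are the lines of the machine's hosts file. As an added example (not part of the thread and not HijackThis code), this Python sketch splits such a run-together log back into entries and lists the non-loopback addresses that hosts-file names are pinned to. The function names are hypothetical, the sample is an excerpt of the log posted above, and treating a leading `https://` on a name as a forum auto-link artefact is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Codes HijackThis puts at the start of each entry (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_START = re.compile(r"(?=(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - )")

def split_entries(pasted):
    """Recover one entry per item from a log pasted without line breaks."""
    flat = " ".join(pasted.split())  # fold stray wraps left by the paste
    return [p.strip() for p in ENTRY_START.split(flat) if ENTRY_START.match(p)]

def hosts_overrides(entries):
    """Map each non-loopback address in O1 (hosts file) entries to its names."""
    pinned = defaultdict(set)
    for entry in entries:
        m = re.match(r"O1 - Hosts: (\S+) (\S+)$", entry)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an address: leave it for manual review
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost lines and 0.0.0.0 block-list lines
        # Assumption: a scheme prefix on the name is a forum auto-link artefact.
        name = re.sub(r"^https?://", "", m.group(2)).lower()
        pinned[str(addr)].add(name)
    return {ip: sorted(names) for ip, names in pinned.items()}

def shared_redirects(pinned, min_names=2):
    """Addresses that several names are pinned to, as a search redirect does."""
    return sorted(ip for ip, names in pinned.items() if len(names) >= min_names)

# Excerpt of the log posted above, still run together; the "\n" stands for a wrap.
SAMPLE = (
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = "
    "O1 - Hosts: ::1 localhost"
    "O1 - Hosts: 91.212.127.220 intsecure-2009.com"
    "O1 - Hosts: 78.159.110.47 https://www.google.com"
    "O1 - Hosts: 78.159.110.47 https://www.google.co.uk"
    "O1 - Hosts: \n78.159.110.47 search.yahoo.com"
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}"
    r" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll"
)

if __name__ == "__main__":
    overrides = hosts_overrides(split_entries(SAMPLE))
    for ip in shared_redirects(overrides):
        print(ip, "<-", ", ".join(overrides[ip]))
```

On a clean machine the O1 section normally holds only the localhost lines, so any address returned here is worth checking against the hosts file itself before anything is removed.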