Tech Problem Aggregator

Infected with Windows XP Recovery w/ TDSS (Google redirect and phantom audio playing)

Q: Infected with Windows XP Recovery w/ TDSS (Google redirect and phantom audio playing)

My wife accidentally downloaded the Iexplore.exe virus/Windows XP Recovery virus from her spam e-mail. It has hidden all of the desktop shortcuts and redirects any Google search as well as plays random audio from videos or ads at random intervals while the computer is in use. Attempted to use rkill and MalwareBytes to remove it in the past using the help guide but the virus has come back stronger than ever. Help!

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 18:03:08 on 2011-06-30
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.486 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\psapi32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\lzexpand32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.yahoo.com
uSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
mStart Page = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
BHO: {0d086b0a-a8ec-470d-b67c-d202c0833a13} - c:\windows\system32\avtapi32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: 6c75261a: {c32f6545-efe0-c5bf-043d-e178de1d3db8} - c:\windows\system32\setupapi32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [dRBAHQLTbF] c:\documents and settings\all users\application data\dRBAHQLTbF.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{403837A9-DF27-4D2D-9BA8-9B9B6E97DA8F} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\setupapi32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\q9qvqppm.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {97EE8841-E63D-459D-AB63-FB35C9DFEEEC} - c:\documents and settings\administrator\local settings\application data\{97EE8841-E63D-459D-AB63-FB35C9DFEEEC}
FF - Ext: XUL Cache: {19d83726-09b1-4563-93d5-99b3873fcda7} - %profile%\extensions\{19d83726-09b1-4563-93d5-99b3873fcda7}
FF - Ext: XUL Cache: {268fdd74-a487-46c8-9f72-60e100c470d5} - %profile%\extensions\{268fdd74-a487-46c8-9f72-60e100c470d5}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 NetDDEdsdm32;Network DDE DSDM ;c:\windows\system32\psapi32.exe [2011-6-18 764416]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-11 366640]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-11 39984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-06-30 21:58:10 362496 ---ha-w- c:\documents and settings\all users\application data\15589156.exe
2011-06-30 18:25:10 446464 ---ha-w- c:\documents and settings\all users\application data\dRBAHQLTbF.exe
2011-06-24 17:20:03 -------- d--h--w- c:\program files\Spybot - Search & Destroy
2011-06-24 17:20:03 -------- d--h--w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-24 17:16:22 -------- d--h--w- c:\program files\CCleaner
2011-06-24 17:15:35 -------- d--h--w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-24 17:15:35 -------- d--h--w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-06-24 17:15:21 -------- d--h--w- c:\program files\SUPERAntiSpyware
2011-06-21 22:05:06 0 ---ha-w- c:\documents and settings\administrator\qgcelfoquw.tmp
2011-06-18 05:06:39 764416 ---ha-w- c:\windows\system32\lzexpand32.exe
2011-06-18 05:06:36 764416 ---ha-w- c:\windows\system32\psapi32.exe
2011-06-18 05:06:34 349696 ---ha-w- c:\windows\system32\avtapi32.dll
2011-06-18 05:06:29 764416 ---ha-w- c:\documents and settings\administrator\0.44235668642221726.exe
2011-06-12 04:58:34 175616 ---ha-w- c:\windows\system32\setupapi32.dll
2011-06-11 06:02:12 -------- d-s---w- c:\documents and settings\administrator\UserData
2011-06-11 05:43:58 -------- d--h--w- c:\documents and settings\administrator\application data\AVG10
2011-06-11 05:41:34 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-11 05:29:32 -------- d--h--w- c:\documents and settings\all users\application data\AVG10
2011-06-11 05:26:27 -------- d--h--w- c:\program files\AVG
2011-06-11 05:23:59 -------- d--h--w- c:\documents and settings\administrator\application data\Malwarebytes
2011-06-11 05:23:27 39984 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-11 05:23:25 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-11 05:23:22 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-06-11 05:20:03 -------- d--h--w- c:\documents and settings\all users\application data\MFAData
2011-06-11 03:32:19 4224 ---ha-w- c:\windows\system32\beep.sys
.
==================== Find3M ====================
.
2011-05-18 17:42:53 0 ---ha-w- c:\windows\Otecejinur.bin
.
============= FINISH: 18:03:44.90 ===============

A: Infected with Windows XP Recovery w/ TDSS (Google redirect and phantom audio playing)

Hello and welcome. Please follow these guidelines while we work on your PC:

Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so.

Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download ComboFix from one of the following locations: Link 1 Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link.

Double click on ComboFix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post: ComboFix log

22 more replies
Answer Match 101.22%

I was advised to post in this new topic. Working with one of the moderators, I have been unable to clean up my system. It is suffering from Google redirects, audio commercials playing without the browser open. TDSSKiller and FixTDSS will not run.

This is the reference to my original forum post: http://www.bleepingcomputer.com/forums/topic475997.html/page__gopid__2902904#entry2902904

I was advised to run DDS.com and attach the logs.

DDS.txt
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455
Run by Administrator at 19:25:34 on 2012-11-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4010.1192 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)... Read more

A:Infected with TDSS? - Google redirect issues! Audio Commericals!

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more

34 more replies
Answer Match 99.96%

Hi team,

I'll try to keep this as brief as possible. I was firstly infected with the Antimalware Doctor virus along with the Google redirect virus. By scanning your forums and trying to find the files to delete in my comp/registry and also downloading Malware Bytes Anti-Malware, I thought I had removed the problem. But the viruses keep on coming back and seem to be multiplying. After countless system restores to get my comp back to working points and to stop the viruses blocking MBAM (I have since realised I can rename it to make it run), I did a system restore which almost ruined my comp for good. Upon rebooting the system restore couldn't finish and every file I tried to open I was asked "which program do I want to use to open this file". After working out how to run MBAM again, I cleared around 25 more infected files including once again Antimalware Doctor and a number of other nasties. This was just a few days ago. The reason I've given some history is:

1. The viruses keep coming back when I think I have cleaned them.
2. The Google redirect virus remains, along with audio ads that are seemingly not associated with any executable program.
3. To let you know I have run numerous system restores and attempted deleting registry files although I am a pure novice.

I have joined up as now it seems my computer is in the exact state as another poster that you have just helped "ChrisPowers" about a week ago. Same viruses EXACTLY (including audio ad... Read more

A:Infected with google redirect/TDSS/antimalware doctor/random audio ads and more

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links: Link 1 Link 2 Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

12 more replies
Answer Match 95.34%

My computer got infected with Windows XP recovery and I followed the instructions on http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery - I was still having trouble so I tried following the instructions here: http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery I can't get TDSSKiller.exe to run, even when I rename the file. I'm not getting any more results when I run Malwarebytes' Anti-Malware, but am still having some issues.

I followed the instructions on http://www.bleepingcomputer.com/forums/topic400541.html/page__p__2290106__hl__windows+recovery__fromsearch__1#entry2290106 and ran DeFogger and DDS.

Here are the results from dds.txt and I can attach the attach.txt if requested:
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Owner at 12:30:12 on 2011-06-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.126 [GMT -4:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\e... Read more

A:Windows XP Recovery, Google redirect, TDSS infection

Hi,
Sorry for the delayed response. Forums have been really busy. If you still need help with this, do the following, please.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click the dds file to run the tool. When done, DDS will open two (2) logs: DDS.txt Attach.txt
Save both reports to your desktop. Post them back to your topic.

16 more replies
Answer Match 93.66%

Hi,
My computer was infected with the Windows XP Recovery Virus. I ran several scans and managed to rid the computer of the visual effects of the Windows XP Recovery Virus. However, my browser (IE 8) continually redirects on all searches and my systems folders (system tools & various others) are still hidden. I tried using Malwarebytes, SuperAntiSpyware, CCleaner, SpyBot, ExterminateIt, all to no avail. I have uninstalled all anti spyware programs loaded to detect the problem. I am running Windows XP and IE 8.6.

Here are my DDS Logs:
.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Don at 21:27:01 on 2011-06-02
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Delicious Add-on for Internet Explorer\De... Read more

A:Infected with TDSS & Windows XP Recovery Virus & Search redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

19 more replies
Answer Match 91.98%

Hello.

Last week, my laptop was infected with Windows Recovery Virus.
With googling, I successfully removed the virus manually, and restored hidden files and start menu.
However, Google keeps redirecting and TDSSKiller does not run on my laptop although I changed its name and extension many times.
I ran Combofix, but still have the same symptom.

I attach the log files from DDS, GMER, and RTHooker.
I am using Korean Windows 7, so some characters are broken in the reports.
And, not to interrupt fixing tools, I uninstalled all the anti-virus software on the infected laptop.

Can somebody help me?

A:Infected with Windows Recovery Virus, TDSS, and google redirecting

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

21 more replies
Answer Match 91.98%

I tried the TDSS tool again, and still it won't run. Nothing so far has worked to rid my PC of these problems. Here is the data that was requested

A:Infected with Google Redirect, Random Audio Playing and multiple script errors

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

3 more replies
Answer Match 91.98%

Hello,

I am a new user and have been dealing with the "Windows XP Repair" virus for several days. I managed to clear the symptoms of the fake AV/ repair using a combination of Malwarebytes, Superantispyware and Trend Micro Office Scan - although I'm not entirely sure which program actually helped. The pop-up warnings and messages have stopped, all files appear visible and accessible.

However, the problems with the web browser redirect problems still remain. I have managed to access certain websites such as this one after researching on other computers and pasting the URL. I previously was limited to researching the problem on my PDA with little patience and being ignorant of the do's and don'ts recommended on this forum. As such, I went through a series of attempts to use the AV programs listed above without resolving the problem and potentially complicating things. I performed the "forbidden" and ran Combofix without your guidance, which fortunately does not seem to have completely destroyed my computer. It did not resolve the problems, so I downloaded TDSSKiller and ran it. TDSSKiller would not run, even after at least 10 attempts and changing the file names to various names ending in ".com".

Before reading the full instructions here, I re-ran Combofix and found that it will not run citing an error stating "Cannot write to file C:\32788R22FWJFW". From there I stopped and started reading the complete instructions fro... Read more

A:Infected with Windows XP Repair/ TDSS Google Redirect

Hi,
Please do the following:

Download ComboFix from one of the following locations: Link 1 Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

Double click on ComboFix.exe & follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\C... Read more

16 more replies
Answer Match 91.98%

Hi BleepingComputer,
 
I am infected with this audio ads malware, probably named start saving. I tried to remove some related programs (scorpion saver etc.) and its extension in Google Chrome. But the start saving extension is not removable even when I deleted its registry entries and appdata files.
 
I tried several anti-malware tools such as Adware Cleaner, Junkware Removal Tool, TDSSKiller, Malwarebytes & its Anti-rootkit tool, 360 safety guard, HitmanPro etc., but problem still exists.
 
I really appreciate it!
 
 
Here is my DDS report:
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.51.2
Run by ZR at 11:05:14 on 2014-01-20
Microsoft Windows 7 Professional   6.1.7601.1.936.86.1033.18.7915.4498 [GMT -8:00]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: 360安全卫士 360 SafetyGuard *Enabled/Updated* {2B66EE1E-E5C8-C2F7-648F-4E55AC68D37D}
SP: 360安全卫士 *Enabled/Updated* {90070FFA-C3F2-CD79-5E3F-7527D7EF99C0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
... Read more

A:Infected with Start Saving & Phantom audio ads keep playing

Hello shangzr, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same",... Read more


Hello, I am running a 64-Bit Windows Vista Home edition. I recently got the Vista Restore Malware( the one that tells me that part of my hard drive is corrupted and that I need to buy their software in order to fully remove it). I also believe that I have a Google Redirect Trojan of some sort (usually the first time I click on a Google link, I'm redirected to some website that's a similar but different website). Here's the DDS File. Thank you in advance! =]

.
DDS (Ver_2011-06-12.02) - NTFSAMD64
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_13
Run by Krishan at 19:33:51 on 2011-06-13
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.4085.2373 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k... Read more

A:Infected with TDSS (Google Redirect) and Windows Vista Restore

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


On the morning of 7/13, I was infected by "System Repair." After following the removal guide at - http://www.bleepingcomputer.com/virus-removal/remove-system-repair - I thought I had cleared the infection. Unfortunately I seem to also be infected with a root kit that is hijacking my browser's search options and google links. If I type the links in directly, or copy link and paste, they seem to work most times. Occasionally google links will work themselves unless related to anti-virus or anti-spyware searches, which then all links become redirected. Main AV software is McAfee Antivirus Enterprise 8.7i, downloaded and updated Malware Bytes during original removal process, currently neither product seems to find any infection. After initial cleaning under the system repair, I cleared temp files and history as well as the quarantine files from the computer in attempts to self clean, still no luck. Along with the browser hijack, all audio files played in IE do not provide sound (youtube clips, etc...) however video works fine. Sound for other media types played in media player works just fine. All scans have been run in normal mode. DDS log follows with attach.txt and ark.txt attached:

DDS:
DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by Robert at 18:31:02 on 2011-07-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3579.2158 [GMT -5:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB046... Read more

A:Infected by "Windows Repair" and probable TDSS Infection with google redirect

Hi, Please do the following. Refer to the ComboFix User's Guide. Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------


My computer was infected with Windows Recovery XP and I cleaned it with Malwarebytes. Since then all my programs were hidden, which is now fixed, and my IE browser still redirects everything to multiple sites. I've tried running TDSSKILLER and it will not run. Also I just tried creating a GMER log 2 times and both times after 5-10 minutes my computer flashed the blue screen, forcing me to shut off and restart my computer. Here are the DDS logs

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by Amber K at 8:44:15 on 2011-05-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.262 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\SupportSoft\bin\bcont.e... Read more

A:Infected with Windows Recovery XP and google redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


I am attempting to repair a computer that has been infected with 'Windows Recovery' and the search engine redirect malware. After reading some forum posts, I have tried the following attempts to clean the computer.

Started in Safe Mode. Ran 'CleanUp!' to clean up files.
Scanned with:
SUPERAntiSpyware - cleared some cookies.
Malwarebytes' Anti-Malware - cleared some cookies.
SpyBot Search & Destroy - cleared some cookies.
HijackThis - log file attached*

Restarted computer, in normal mode, redirect malware still exists. Followed instructions on this forum:

Ran DDS - log file attached*
Ran GMER - log file attached*

RKill iExplore - the following process was stopped (C:\Windows\System32\grpconv.exe)
Hitman Pro 3.5 - cleared some cookies.
Avira AntiVir scan - log file attached*

Downloaded TDSSKiller. Extracted to desktop, clicked 'run as administrator' - though nothing happens.

Any help would be greatly appreciated.


--------
DDS LOG
--------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by liz at 13:18:59.69 on Fri 25/03/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista® Home Basic 6.0.6002.2.1252.61.1033.18.1525.731 [GMT 11:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.... Read more

A:Infected with Google Redirect / Windows Recovery

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


My daughter's computer has become infected with what appears to be a TDSS trojan. The symptoms are Google redirects in both Firefox and Internet Explorer. Chrome appears to be unaffected. Kaspersky's TDSSKiller doesn't run, and Symantec's FixTDSS fails with the message "Pre-boot operation failed, unable to continue" even after booting into Safe Mode and running rkill and fixexec.

I have followed the instructions in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" topic and am posting the DDS log below. I have also attached the attach.txt log. I did not run GMER because the computer is running Windows 7 Pro, a 64-bit operating system.

Any help would be greatly appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by x120 at 23:48:11 on 2012-05-13
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1641.612 [GMT -6:00]
.
AV: Microsoft Forefront Endpoint Protection 2010 *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Forefront Endpoint Protection 2010 *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows... Read more

A:Infected with TDSS--Google redirect

Hi, My name is Casey and I will be helping you with your malware problems. Whilst we work through the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself. You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale. Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.
It looks like you've run ComboFix so I'd like to see the log please. It will be located at C:\ComboFix.txt
Regards, Casey


Last week, I discovered the Windows XP Recovery virus on my computer. I followed BleepingComputer's instructions for removal, but the TDSS steps wouldn't work. For example, TDSSKiller refuses to run, even after I properly renamed it (including file extension). I'm suffering from Google redirects and disembodied voices coming from phantom iexplorer.exe's in task manager. Malwarebytes' Anti-Malware solved many of the problems, but I'm still dealing with typical TDSS symptoms. Basically, I could use some expert assistance.

.
DDS (Ver_2011-06-02.03) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Run by Henry at 13:18:50 on 2011-06-02
.
============== Running Processes ===============
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\WZCBDL Service\WZCBDLS.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\WINDOWS\BCMSMMSG.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files ... Read more

A:Infected with TDSS and Google redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


Hi, I contracted the Windows Vista Recovery virus on my laptop (Vista) together with a Google redirect. First, I removed Windows Vista Recovery from the startup using msconfig. Second, I used the instructions at bleepingcomputer to remove Windows Vista Recovery: I was not able to download any of the required files from the laptop, so I downloaded all files on a clean computer and transferred them to the laptop using a USB stick. I first ran iExplore (Rkill): iexplore removes different files each time I run it after a reboot, including grpconv.exe. I renamed Tdsskill.exe to abs123.com and started it from the desktop. However, it failed to start. Afterwards, as recommended, I tried to start Malwarebytes, but it also failed to start. Then I rebooted and tried Malwarebytes again, and this time it worked. I did a full scan, and it found three entries related to Windows Vista Recovery that were removed. However, the Google redirect is still haunting the computer, I still can't get to most webpages, including this blog, and I still can not run TdssKill. Then I downloaded and ran Spybot. It found three tracking cookies as well as two more Windows Vista Recovery related registry entries; all these were removed. However, all this made no difference. Now I am stuck and would appreciate your help. Thanks
Dr Rocks

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6000.16916
Run by Jochen at 21:40:44 on 2011-05-29
Microsoft® Windows Vista® Business 6.0.6000.0.1252.61.1033.18.2046.110... Read more

A:Infected with Windows Vista Recovery and Google Redirect

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread. I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more


Hi! My computer became infected with the Windows XP removal virus 2 days ago. Google also redirects no matter what I type in the search engine, or click on within that search. My computer shuts down at random moments. I have not had any success trying to remove the virus on my own. Any assistance would be most appreciated!

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 23:11:02 on 2011-05-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.148 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\ib\olycamdetect.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\... Read more

A:infected with windows xp recovery w/google redirect issue

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


I keep hearing random audio ads or music coming from my speakers every now and then. I also noticed that in Windows Task Manager it shows two iexplorer.exe processes are running, and whenever I try to End Process they pop back up a few seconds later, and I'm not sure if this is normal but svchost.exe is using a lot of memory. Also often when I search for websites on google it redirects me to random websites. And when following the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help", when I double click the Windows Firewall icon in the control panel I get an error window stating "Due to an unidentified problem, Windows cannot display Windows Firewall settings." I could not create a GMER Log; during the scanning process I always eventually get the blue screen of death.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32
Run by Brent at 18:53:15 on 2012-07-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.1922 [GMT -10:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files&#... Read more

A:Audio ads playing in background, google redirect, windows firewall "unidentified problem" error

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more


Hello, I was directed to this site by a fellow Bleeping Computer user, handle EYEC. Using Windows XP Pro SP3 version 2002 with Firefox. I'm infected with a JS survey redirect that occurs when the keyword google is used. See image below. When JS is disabled I get an OOPs screen telling me to enable Java. I have completed these steps already. All run in SAFE mode:
1. I have run the Kaspersky TDSS Kill, it found nothing.
2. Ran MBAM, it found three threats and removed them the first pass, second pass none.
3. Spybot S&D found one and removed, second pass nothing.
4. Deleted and replaced the hosts file.
5. Found a related RichVideo.exe and associated uninstallrichvideo.exe and several registry components, I was finally able to remove using Moveon Boot utility.
I have run the DDS tool and have the logs available if needed. I'm now going to MBAM scan again in normal mode.

A:Win xp pro infected with TDSS and google survey redirect

Hi, Please do the following: Please download DDS from either of these links
LINK 1 LINK 2
and save it to your desktop. Disable any script blocking protection. Double click dds to run the tool. When done, two DDS.txt's will open. Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply: DDS.txt, Attach.txt.
NEXT
Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable. Double click the exe file. If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked: IAT/EAT; Drives/Partition other than Systemdrive (typically C:\); Show All (don't miss this one). Then click the Scan button & wait for it to finish. Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and attach it in reply.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
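The poster above replaced the hosts file as one of their steps, and the symptom shared by almost every thread on this page is search results being redirected. Below is an added example, written for this page and not taken from the thread, the poster or any of the tools mentioned: an offline check that parses a Windows hosts file and flags entries that redirect search-engine names off-host or sinkhole security-vendor sites to loopback (a classic way to keep the victim from reaching removal tools). The watch-lists, the 203.0.113.7 address (TEST-NET-3, reserved for documentation) and the sample hosts text are all constructed for the example. A clean hosts file does not clear the machine: a kernel-mode rootkit such as TDSS redirects without touching it, which is why the helper's DDS and GMER steps still matter.

```python
"""Triage a Windows hosts file for entries that redirect or sinkhole
search-engine and security-vendor domains.

Added example, not from the thread. The watch-lists and the sample hosts
text below are constructed for illustration; adjust them to your estate.
"""
import ipaddress
from typing import List, NamedTuple, Sequence

# Assumption for the example: an end-user hosts file has no legitimate
# reason to mention these names at all, so any hit is worth a look.
SEARCH_DOMAINS: Sequence[str] = ("google.com", "bing.com", "yahoo.com")
SECURITY_DOMAINS: Sequence[str] = (
    "malwarebytes.org", "bleepingcomputer.com", "kaspersky.com",
    "symantec.com", "mcafee.com", "avast.com",
)
# Addresses that make a name resolve to "nowhere" (a block, not a redirect).
SINKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}


class HostEntry(NamedTuple):
    lineno: int
    ip: str
    host: str


class Finding(NamedTuple):
    lineno: int
    host: str
    ip: str
    reason: str


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse hosts-file syntax: '<ip> <name> [<name> ...]', '#' starts a comment."""
    entries: List[HostEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver ignores it too
        for name in fields[1:]:
            entries.append(HostEntry(lineno, str(ip), name.lower().rstrip(".")))
    return entries


def _in_domains(host: str, domains: Sequence[str]) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_hosts(text: str) -> List[Finding]:
    """Return one Finding per watched name the hosts file touches."""
    findings: List[Finding] = []
    for e in parse_hosts(text):
        if _in_domains(e.host, SEARCH_DOMAINS):
            what = "search engine"
        elif _in_domains(e.host, SECURITY_DOMAINS):
            what = "security vendor"
        else:
            continue
        how = "sinkholed (blocked)" if e.ip in SINKHOLE else "redirected off-host"
        findings.append(Finding(e.lineno, e.host, e.ip, f"{what} {how}"))
    return findings


# Constructed sample: the two localhost lines are normal content; the last
# three lines are the kind of tampering the check is meant to catch.
SAMPLE_HOSTS = "\n".join([
    "# sample hosts file (constructed for this example)",
    "127.0.0.1       localhost",
    "::1             localhost",
    "",
    "203.0.113.7     www.google.com google.com   # redirect to a foreign host",
    "127.0.0.1       www.malwarebytes.org         # block a removal-tool site",
    "0.0.0.0         bleepingcomputer.com www.bleepingcomputer.com",
])

if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.host} -> {f.ip}: {f.reason}")
```

On a live Windows machine the file is `%SystemRoot%\System32\drivers\etc\hosts`; read it with `open(path, encoding="utf-8", errors="replace")` and pass the text to `triage_hosts`. Every hit on a watched name is reported, whether it points at loopback or elsewhere, because a home hosts file has no reason to mention those names at all.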


Hi (: I had a TDSS virus on my computer recently and I removed it, but some bits seem to have stayed on my laptop and is now making Google redirect the search links i click on and who knows what else. Also my brother and mom use my laptop often so I'm not sure about what programs they have downloaded and such, but if any look suspicious from the reports I could remove them. Any help you could give me would be greatly appreciated (:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Candice at 19:56:19.23 on Sun 05/15/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2972.1846 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.Exe
C:\... Read more

A:Infected with TDSS that makes Google Redirect me

Hello candicates, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.1.Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagati... Read more


I am running Windows Vista and Win Vista 2012 Antivirus appeared to install itself from a Drudge Report ad, but that is another topic in itself.

I followed the directions at http://www.bleepingcomputer.com/virus-removal/remove-vista-home-security-2012

I've run FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg) from a removable thumb drive, everything appears to be applied successfully.

I've run iExplore.exe & RKill, RKill only finds two processes (MLBNextDef & Google Updater, it terminates them both)

I've run Malwarebytes' Anti-Malware, ran a full scan (took 1 hour 30 minutes) and it found 8 different infected files and removed them all.

I re-booted and the TDSS Rootkit issue still remains.

Next I viewed the instructions at http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller. I've downloaded & run TDSSKiller, 230 objects scanned and 0 threats found (I've also run it with "Verify driver digital signatures" & "Detect TDLFS file system" enabled).

Next I ran DDS.scr and created the log files DDS.txt & Attach.txt that I can post if you would like.

Next I ran GMER and created a log file ark.txt and can post that if you would like, I am on a 64 bit machine but for some reason the program worked (although only "Services", "Registry" and "Files" check boxes could be selected, all other check boxes were greyed out so I could no... Read more

A:Infected with TDSS Rootkit/Google Redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more


Greetings,

I have an XP system that redirects browser URLs. McAfee finds TDSS e!rootkit but cannot successfully remove it. Malwarebytes finds nothing. DDS runs for about 3 minutes then hangs the machine. I've attached the GMER log. In case it's helpful, I've pasted the OTL log below and attached Extras.txt. Thanks for your help!

OTL logfile created on: 7/3/2011 10:30:01 AM - Run 1
OTL by OldTimer - Version 3.2.25.0 Folder = C:\Documents and Settings\shera\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.42 Mb Total Physical Memory | 270.18 Mb Available Physical Memory | 26.63% Memory free
2.07 Gb Paging File | 1.36 Gb Available in Paging File | 65.91% Paging File free
Paging file location(s): C:\pagefile.sys 1200 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.24 Gb Total Space | 7.12 Gb Free Space | 21.42% Space Free | Partition Type: NTFS

Computer Name: EARWIG | User Name: shera | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\shera\Desktop\OTL.exe (OldTimer Tool... Read more

A:infected with Google redirect / TDSS e!rootkit

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more


I am running Windows 7 Home Premium 64bit Service Pack 1 on my Acer Aspire 5552-3691 laptop. Main problem is that Google searches redirect. After doing research, I believe that it is a rootkit or TDSS. Other issue is that the computer was quarantined by the campus wifi network and the school's computer lab was unable to remove the infection with TDSSKiller, Malwarebytes or Microsoft Security Essentials. Main site redirect that I see is "ihavenet.com" I believe, if that helps narrow down the culprit. Thanks for your time and effort. I hope you guys can help where everyone else has failed.
Here is the log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by kristina at 11:21:50 on 2012-08-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3835.2095 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client ... Read more

A:Infected with TDSS rootkit, google redirect

Please do the following:
Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more


Hi, I believe that I have been infected with the Google redirect virus/TDSS. Searches in Google appear to return normal results, but when the results are clicked on it would randomly redirect in rapid succession to different websites, some of which are: www.get-information.com, www.stopzilla.com, www.yellowpages.ca. Tried malwarebytes, avg, avast and cannot get rid of it. Re-installing firefox after manually removing mozilla directories did not help either. From some internet suggestions before I found this site, I have actually tried combofix (crashes with BSOD) and TDSSkiller (initializes to 80% then msg pops up that program stopped working). Tried both in normal as well as safe mode and cannot get either to work. Your help is very appreciated! Attached are the logs.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Caroline at 20:15:56.95 on Sun 04/24/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2000.1077 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNe... Read more

A:Infected with Google redirect, possible TDSS ? help request

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more


Hello, I accidentally ran a program before scanning it and seem to have infected myself with a Google redirect virus. Whenever I try to search via Google, I get redirected to all sorts of websites. For example, if I search "tech" and go to techcrunch(dot)com, I instead get redirected to localdouble(dot)com. I see you've got a lot of threads on this virus already, and I looked through them and tried what I could (excluding ComboFix). So far I've run MBAM, Spybot, TDSSKiller, Sophos Anti-Rootkit, and probably a handful of others that I don't recall. I caught some stuff with Spybot and TDSSKiller, but it's all been cleaned now (problems persist unaffected). Sadly nothing seems to work and I've run out of ideas; any help would be appreciated. Thanks in advance.

Important notes:
- I ran GMER but most of the options were greyed out; when I scanned it found nothing. I'm guessing this is because I'm on x64?
- I also ran ComboFix, it deleted 4 system files, restarted my computer, and my OS wouldn't boot. I had to go to a restore point (ComboFix said it was making one, but there was only another a bit further back. I'll have to reinstall a few things, oh well.)

DDS.txt:
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Krugz at 21:46:51 on 2011-07-26
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.9207.6560 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3... Read more

A:Infected with TDSS / Google Redirect Virus

Bump... no attention for a while.

I think I must have a virus, or else a faulty hard drive or something, because almost everything that requires a restart (e.g. MS Security Essentials needed me to restart after catching a virus overnight) just ruins my OS boot. I have to use a restore point to get anything functional again. The strange thing is that MS Security Essentials, in particular, has its active protection deactivated because I already had this happen once and wanted to avoid having to restart/wipe. So maybe it's a virus that detected MSSE and tried to protect itself by asking me to restart into a broken boot, hence putting the virus I removed back?

Honestly, at this point I'm seriously considering backing everything important to my external and formatting, with my fingers crossed that it's not like embedded somewhere on my external already too. I was having issues upgrading my windows via winupdate before all this craziness hit me, and at that time I used a Dell factory image restore. The problem at that time persisted but somehow I got updates to work earlier without any hiccups. I'm worried somehow this problem will also persist even through a format and then I'll just be wasting huge chunks of time for nothing when I have to set everything up again.

*sigh* this really sucks, it's crippling everything I need to be doing right now.


Web browsers redirect to advertisements after a search and clicking a link. Bookmarks do not redirect when first clicked on but will redirect afterwards. Sometimes web pages slow down or stop responding and I will receive a warning that a script is running and I am asked if I want to stop it or not. We have an outside IT; he looked at it and ran a couple of programs, TDSSKiller, ComboFix, and others, to no avail. Please help. Thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by gdouglas at 19:04:47 on 2012-01-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1233 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResp... Read more

A:Infected with TDSS Bing and Google redirect

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing... Read more


Hi,

My Google results in my Chrome browser redirect to other websites but it does not do that in IE. I have tried checking my hosts file and I have used TDSSKiller, Malwarebytes, SUPERAntiSpyware, Ad-Aware, and the trojan has not been detected. I have also run ComboFix before I came to this site and read that I should not run it until told to do so. However, I have not taken any action after running ComboFix. Below is my DDS.txt log. Thank you for your help and have an awesome day!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Spencer at 20:07:45 on 2012-01-30
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.1334 [GMT -8:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Intern... Read more

A:Infected with TDSS and Google search results redirect

Also I noticed the redirects after downloading and installing Microsoft Phone Tools from piratebay. Below is the date of installation and I have uninstalled the program a few days after I installed it.

2011-12-16 05:55 . 2011-12-16 05:56 -------- d-----w- c:\program files\Motorola Phone Tools

Thank you!


I was asked to ask for help for my virus problem on this forum. Here is the original post I had on the "Am I Infected? What do I do?" forum:

This is from my latest MBAM log. I keep getting these two viruses back just about every time I run MBAM.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP4\A0000548.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdlclk.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
Any help would be greatly appreciated. Thanks in advance.

As per instructions, here is the DDS report:

DDS (Ver_09-11-24.02) - NTFSx86
Run by Administrator at 22:43:02.65 on Tue 11/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.622 [GMT -6:00]

AV: avast! antivirus 4.8.1351 [VPS 091124-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware... Read more

A:Infected with Rootkit (TDSS) causing Google Redirect

Hello Mistyck, welcome to BleepingComputer.
==========================
Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Under the Custom Scans and Fixes section paste in the below in bold:
netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===============================
Download This file. Note its name and save it to your root folder, such as C:\.
Disconnect from the Internet and close all running programs.
Temporarily disable... Read more


Hey guys, I'm new here and I think I may have some computer problem(s). My computer has not been acting up lately but it has been redirecting me to different sites when I click a link in a search. I think it's the TDSS virus, but I ran TDSSKiller with no threats found under the name TDSS... yet I'm still being redirected? I have AVG, SUPERAntiSpyware, and TDSSKiller installed. Help me?

A:System might be infected with TDSS/Google Redirect virus, Help?

Please download TDSSKiller from here and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application, then click on Change parameters.


Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example).
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.


Click Start Scan and allow the scan process to run

If threats are detected select Skip for all of them unless I instruct you otherwise.
Click Continue.


Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply.
===================================================
aswMBR
--------------------
Download aswMBR and save it to your desktop.
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results. If you need help to disable your protection programs see here and here.
Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

Please post the contents of the log in your next reply.
NOTE: aswMBR will create M... Read more


Infected with Google Redirect. Ran TDSSKiller; no threats found unless I change parameters to include Verify File Digital Signatures & Detect TDLFS file system. Then, 2 threats found: Unsigned File: ENTECH and Unsigned File: USBAAPL. Unable to cure these two threats & quarantine does not do anything.

Ran full Malwarebytes scan, did not find anything either.

Here is my DDS log. Let me know if you want my Attach.txt log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by JOSH MAHONEY at 21:25:31 on 2012-05-27
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2047.912 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Win... Read more

A:Infected with Google Redirect & TDSS Scan did not fix the problem

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE:... Read more


Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/411661 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following inf... Read more

A:Infected with System Repair, TDSS Google Search Redirect

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!


A few weeks ago my computer crashed. Restarting it, I was faced with a black screen with no desktop or icons, and the only thing that would open was something along the lines of "Vista Restore". It was clearly illegitimate, and would perform a "scan" of the system, only to finish by saying that it couldn't fully fix the problem without me purchasing some sort of advanced "patch" for ~$80.

Yeah, right.

After booting and rebooting a few times, I was finally able to keep Malwarebytes running long enough to knock off a bunch of trojans, which seemed to slow it down a bit, after which I performed a system restore back about 3 days. Rebooting once again, everything seemed normal (desktop, icons, etc.), but to my dismay all my documents and pictures were MIA, though thankfully my music was intact. The rest was not of very much importance, so I decided not to trouble myself with getting it back. Thinking that was the end of it, I carried on with my business, only to have audio advertisements, sound effects, music, and what sounds like TV or movies begin playing in the background without any obvious source. I was able to tolerate this for a while, though it's grown more prevalent recently, and it's hard to concentrate on typing an e-mail when your computer is shouting at you to buy Febreze air freshener or to go and get checked for colon cancer.

On top of that, I've also been the victim of some sort of Google redirect virus, which re... Read more

A:Audio ads playing in background + Google Redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more


I had the PC Performance and Stability Analysis Report pop up and followed directions on another thread to remove it. I ran rkill, SAS, MBAM, TDSSKiller, and ESET online scan. Find my topic here: http://www.bleepingcomputer.com/forums/topic426019.html/page__gopid__2464127#entry2464127

I am still getting redirects in google and random audio playing advertisement when no audio program is visibly running.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by AshleeWood at 23:08:10 on 2011-11-04
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3767.1602 [GMT -4:00]
.
AV: BitDefender Antivirus *Enabled/Updated* {982ADE23-275B-0766-37C5-DE01A484098E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: BitDefender Antispyware *Enabled/Updated* {234B3FC7-0161-08E8-0D75-E573DF034333}
FW: BitDefender Firewall *Enabled* {A0115F06-6D34-063E-1C9A-77345A574EF5}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe... Read more

A:Google Redirect and Audio Advertisements playing

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426397 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

19 more replies
Answer Match 78.96%

Hi,
I've got an older desktop that is primarily used for a media server that has picked up a rather nasty piece of malware.
Multiple runs of MBAM, Spybot both declare the system clean. The problem started with the Google Redirects and when that appeared fixed using the Gooredfix, the random audio started playing. It appears to be some sort of script running in the background that tries to direct a hidden IE window to a random site, some of them being internet radio sites. If it is valid, audio from that station just starts playing. The second I hit a key to try and see what process is running, it stops and leaves no trace that I can find.
If the random site doesn't work, I get an "ie script error window" pop up on my desktop indicating a line error in the process of redirecting.

The google redirect keeps coming back no matter what I try.

Below is my HJT log.

Thanks for all your help in advance!

D
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:23:54 PM, on 4/19/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\... Read more

A:Random audio playing along with Google Redirect

BUMP-

After much reading through the forums, I downloaded and ran Combofix.
I saved and renamed it on my desktop. When I ran it, I get the warning that McAfee AV is running and needs to be disabled. I uninstalled McAfee several months ago and double checked and it was not running. I let Combofix run and it said it detected the Volsnap.sys Rootkit. I clicked OK and let it attempt to fix. It ran for about 20 minutes then appeared to stall out.

Here is the Catchme.log it generated-

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
File list cleared
Any help would be greatly appreciated.

D
 

2 more replies
Answer Match 78.12%

So my office mate at work has had his PC infected by a redirect malware of some kind. It takes him to some variant of this address

http://213.174.148.4/service/?706503214601bdb9157e6530780b084b_0

He is also experiencing some random audio playing at different times.

TIA for help.

A:Infected with redirect and random audio is playing

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/465487 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

18 more replies
Answer Match 77.28%

Hi,

I've been trying to deal with an infection on my grandma's computer for some time now, it seems to just not want to die. Malwarebytes, Spybot, Ad-aware, and McAfee all come back clean. TDSS killer tells me that c:\windows\system32\drivers\atapi.sys is infected by TDSS rootkit, but when I restart, it doesn't get rid of it. There is a process that starts itself occasionally called ew0lanus.exe that seems to initiate internet explorer. It also sometimes will be listed in the task manager 20+ times. I've been getting google redirects for anything computer related, and random commercial audio that cuts out after about 5-10 seconds. I've posted/attached my DDS logs, but for some reason it lists no running processes, which is obviously not the case. I'll wait for instructions on what to do about that. Unfortunately GMER crashes my computer before it finishes.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Sharon at 8:36:11.07 on Thu 05/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
uSearch Bar =
mSearch Bar =
uSearchAssistant =
uCustomizeSearch =
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\... Read more

A:Google redirect, commercial audio playing at random times

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you let... Read more

15 more replies
Answer Match 77.28%

Can someone please help me work out how to remove this! I think it's a root-kit?

I can't run TDSSKiller at all, RKill doesn't find anything, Malwarebytes seems like it's only fixing a few obvious things? I changed my IE connection options to use a proxy server 0.0.0.0 because the audio (I'm guessing advertisements) was driving me crazy and script errors keep popping up.

I don't actually use IE, I'm using Firefox, and I'm getting the Google redirect problem as well.

Thank you in advance for your help!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Amy at 13:54:16.42 on Sat 05/07/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3071.1848 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Window... Read more

A:Google Redirect, Script Errors, Audio Playing in the Background

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more

16 more replies
Answer Match 76.86%

Hello,

My computer got infected with Windows XP Recovery. Almost all my files were hidden and internet explorer is continuously running in the background.

I tried to follow this guide: http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery but when I run rkill, it gives an "Access denied" warning in the rkill window. So, I tried following the advice on: http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller to use tdsskiller, but this will not run either.

I foolishly tried a system restore, hoping this would help, but it didn't. Though my files are no longer hidden, the computer is running slowly, and internet explorer is still running in the background and periodically interrupting with audio.

I'm following the advice from: http://www.bleepingcomputer.com/forums/topic34773.html

1) D/led Defogger, disabled CD Emulation Drivers and hit ok, to reboot
2) D/led and ran DDS
3) Ran Gmer but it crashed the two times I ran it, so just posting DDS log

The DDS log from dds.txt follows, and I'm attaching the attach.txt file.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Run by Neel at 16:04:54 on 2011-05-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.491 [GMT -5:00]
.
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF... Read more

A:Infected with TDSS + Windows XP Recovery

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more

21 more replies
Answer Match 76.86%

I booted up my computer for the first time in about 3 weeks to find the Windows XP recovery plastered all over my screen and after doing some quick research on an alternate device discovered it was bogus. Tried following the directions on your guide to remove Windows XP recovery and then read a bit closer and discovered that I likely had a TDSS infection as well. I had a difficult time getting the logs from DDS and GMER because anything I saved to the desktop disappeared due to the infections. I finally managed to unhide a folder where I could save the logs and run GMER from. I also at one point tried to get Malwarebytes to update but it would download the update repeatedly and then fail to finalize or install it.

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by HP_Administrator at 20:33:49 on 2011-06-16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.411 [GMT -4:00]
.
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\... Read more

A:Infected with Windows XP Recovery and TDSS

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe - after it is complete restart the computer and continue with these steps.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
Double click on OTL.exe to run it.
Under Output, ensure that Minimal Output is selected.
Under Extra Registry section, select Use SafeList.
Click the Scan All Users checkbox.
Under the Custom Scan box paste this in

%TEMP%\smtmp&... Read more

36 more replies
Answer Match 76.86%

There was a photo spread from the Yahoo main page last night for an artist named Edward Mueller who does sidewalk art. It listed his website, www.metanmorph.com, which my wife visited and infected my computer (pop ups started immediately). Your uninstall guide said it would not help if I was infected with the TDSS rootkit, which I have as my google searches are being redirected. My desktop has disappeared completely, and I had to unhide all the files to access them. My desktop is black. Additionally, although Yahoo messenger is running, no received messages appear in the message boxes.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by David Branson at 22:49:31.85 on Mon 05/16/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.586 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS... Read more

A:Infected with Windows XP Recovery and TDSS

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you hav... Read more

21 more replies
Answer Match 76.86%

I was getting the "fake" Windows XP Recovery screen (and google is redirecting) so I tried to remove per instructions on this site but couldn't continue b/c tdsskiller would not run even after renaming. So I followed the Prep Guide before using Malware removal tools and Requesting help and here I am. DDS seemed to run but the 2 logs would not generate after hitting OK in the message box. GMER ran and Ark.txt log is attached... Thank you prematurely for your help!!! ...Kim

A:Windows XP Recovery - TDSS & Google redirecting

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator... Read more

11 more replies
Answer Match 76.86%

Hello; this is my first post to this forum so I hope I am following all of the rules properly. Somehow, my computer was recently hit by a blast of viruses - I have no idea what happened. Suddenly .exe files were closing themselves and I was getting false virus alerts from something that desperately wanted me to install it. Then AVG alerted me to a keylogger and several of my online accounts were compromised.

I've run MBAM and Trojan Remover but neither detect any problems. TDSS Killer identifies the infection, and supposedly "deletes" it, but it is still infected upon reboot. Other than google redirects and slow browsing I have not experienced any problems but many of the other programs I received in this fun "bundle" were particularly malicious, so I'm worried. Below are the relevant logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Derk at 2:21:45.29 on Mon 05/17/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2746 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.ex... Read more

A:TDSS-like rootkit; google redirect, reinstall after TDSS-Killer

Hello and welcome to Bleeping Computer. My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems. Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post fresh DDS Logs (DDS and Attach.txt)

3 more replies
Answer Match 76.44%

Commercial audio tracks are playing choppily in the background regardless of what websites are selected, and even play with IE not running. Windows 7, IE 9.0.8. Previously had problem on mlb.com with IE continuing to play audio of baseball highlight clips if the highlight was stopped in the middle. May be related. DDS.txt pasted below, Attach.txt file attached, gmer.log file attached:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by jabaley at 12:06:30 on 2012-07-14
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2000.344 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral... Read more

A:Phantom Audio playing commercials

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you... Read more

18 more replies
Answer Match 76.44%

Had family over for the holidays & was left with audio ads constantly running in the background of my comp, even with multiple removal software and reboots. I have only been able to isolate the audio by adjusting volume levels (note attachment "Name Not Available"). I am at my wits end. I have tried every suggestion listed:
MalwareBytes
Adwcleaner
JRT
SuperAntispy
Sophos
Rogue Killer
Hitman
e.t.c.
Any assistance or advice would be greatly appreciated.

A:phantom audio ads playing on my computer

Please download TDSSKiller and install it.  Then run the scan.

10 more replies
Answer Match 76.44%

Hello, llcnotell.
My name is etavares and I will be helping you with this log.
 
Here are some guidelines to ensure we are able to get your machine back under your control.
 
Please do not run any unsupervised scans, fixes, etc.  We can work against each other and end up in a worse place.
Please subscribe to this topic if you have not already done so.  Please check back just in case, as the email system can fail at times.
Just because your machine is running better does not mean it is completely cleaned.  Please wait for the 'all clear' from me to say when we are done.
Please reply within 3 days to be fair to other people asking for help.
When in doubt, please stop and ask first.  There's no harm in asking questions!
Step 1
 
Please download Farbar Recovery Scan Tool and save it to a flash drive.
 
Plug the flash drive into the infected PC.
 
If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.
 
If you are using Vista or Windows 7 enter System Recovery Options. 
 
To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then... Read more

A:phantom audio ads playing on my computer

Hi, do you still need help?  This thread will be closed in 2 days if there is no reply.

33 more replies
Answer Match 76.44%

Sometime last week I got hit with a rogue anti-virus program, can't remember its name, but I got rid of that rather easily. However, since then google has been redirecting me when I do searches, Internet Explorer script errors appear even though I don't have IE installed, and random audio ads play in the background without any program being open. These ads last anywhere from 15 seconds for the shortest to 15 minutes. I had almost a full radio show from a Christian radio station play last night. I would really appreciate any help with this! I have work in about two hours and then again tomorrow morning so my replies may be a bit slow, but please bear with me. Thanks in advance.

What already worries me is that I uninstalled Avira AntiVir PersonalEdition quite a while, like months, ago.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mello at 23:40:22.57 on Tue 04/26/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1418 [GMT -5:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8617F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AA43C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B7894-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8623A62C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Upda... Read more

A:Google redirect, Audio ads playing in background, and IE script error messages.

Hello NinjasAreMammalsToo, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

1. I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cau... Read more

20 more replies
Answer Match 76.44%

Dear Experts,

Hi, here is a description of my issues. I got the XP System Restore virus for the second time earlier this week. I rebooted in safe mode, restored an earlier version, and selected to show the hidden files. I thought my troubles were over because this worked like a charm the first time. However, upon going about my business, I noticed two things I have never dealt with before. Malwarebytes, Superantispyware, Spybot, and AVG have not resolved the situation.

First of all, when I click any search results in Google or Yahoo, I am redirected multiple times to various sites like the yellow pages. If I use startpage.com for searching, I have no problem with search redirects.

Secondly, I have audio playing randomly for a few minutes even though I don't have anything running (all browsers and players are closed that I am aware of). I have heard what sounds like news from England, random movie/tv quotes, and celebrity gossip talk. There are never any commercials or any information about what station/program I might actually be listening to.

I have read the Preparation Guide several times and have done my best to follow the directions perfectly. I have pasted the contents of my DDS.txt log below. I have also attached my Attach.txt file as well as the Ark.txt log from GMER.

Please let me know if there is any other information you need. I thank you ahead of time for volunteering your time to share your professional expertise with folks who don't know how to... Read more

A:Google/Yahoo search results redirect + Random audio playing

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more

29 more replies
Answer Match 76.02%

My problem is that a fake anti-virus named "Windows XP Recovery" keeps starting up, sending false alarms etc. Now I tried to do exactly what one of the guides on this site recommended, but I can't update MBAM, and I tried TDSSKiller but it found nothing, so I'm not sure what's going on or why it won't update. Sorry if I'm not detailed enough.

Guide used: http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery

Here is a DDS log:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by at 18:06:02 on 2011-06-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.110 [GMT -7:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel&#... Read more

A:Infected with windows xp recovery and possibly TDSS

Hello and welcome to Bleeping Computer. My name is km2357 and I will be helping you to remove any infection(s) that you may have. I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again. Please do not start another thread or topic, I will assist you at this thread until we solve your problems. Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:

Step # 1: Download and run DDS
Download DDS and save it to your desktop from here or here or here. Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt and Attach.txt. Save both reports to your desktop. Post them back to your topic.

Step # 2: Download and Run Gmer
Please download gmer.zip from Gmer and save it to your desktop.
***Please close any open programs***
Double-click gmer.exe. The program will begin to run.
**Caution** These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Cli... Read more

3 more replies
Answer Match 76.02%

Dear all,

One of the computers of my association was infected by Windows Vista Recovery malware. I found a great tutorial to remove it on: http://www.bleepingcomputer.com/virus-removal/remove-windows-vista-recovery

- I first disabled the start program in msconfig: CLAnalysis, which stopped Windows Vista Recovery activities (pop-up messages of fake alerts and so on).
- Then I downloaded and used RKill successfully.
- But unfortunately TDSSKiller cannot run, even after renaming it to xxx.com or xxx.exe.
- Mbam was already installed on this PC, but it is a non-updated version (1.46). So when I try to update, it downloads the latest version and the installation fails. (Note I didn't try to scan with Mbam 1.46 yet.)

The PC is under Vista SP1. Here is the log of DDS and the attached one as indicated. GMER's one following. Thank you!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Nouveau at 16:23:08,14 on 15/05/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista® Édition Familiale Premium 6.0.6001.1.1252.33.1036.18.3070.1946 [GMT 2:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\... Read more

A:Infected by TDSS and Windows Vista Recovery

Please, is there someone who knows how to help me? The GMER report above (ark_1.txt) is not complete, here is the full one: GMER report

Please, I really have no idea how to solve that.

Alexis

38 more replies
Answer Match 75.6%

Here's the link to the topic in the "Am I infected?" forum that I posted up: http://www.bleepingcomputer.com/forums/topic460619.html

As stated in the topic above, Google redirects to other sites when I use their search engine. I also hear random audio advertisements with no visible browser and Microsoft Security Essentials is disabled for some reason. I ran a Malwarebytes scan, removed a few malware, then restarted my computer. Promptly after booting up again, my computer again played audio ads after about an hour or so. In addition, all of the other problems continued to happen.

Currently, all my programs still work correctly, including all browsers and games. My computer runs Windows 7 32-bit Professional.

Any and all help is appreciated!
DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by Telesis at 0:25:27 on 2012-07-16
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3068.1761 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C... Read more

A:Google redirect, random audio ads playing, Microsoft Security Essentials disabled

Hi,

Please run the following. Refer to the ComboFix User's Guide. Download ComboFix from the following location:

Link

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

12 more replies
Answer Match 75.6%

Hello,

I've been having a problem with Google searching (it keeps redirecting me to sites other than where I want to go) and random audio ads playing in the background with no open browser window. I tried running a Malwarebytes scan and got rid of several malware. However, I re-scanned right after I restarted my system (to finish the scan) to be sure I got rid of everything and, to my surprise, it still picked up one malicious item: Rootkit.0Access. I tried to quarantine this again, but the ads kept playing, Google kept redirecting to the wrong sites, and the virus kept showing up in recurring scans. As of now, all programs work fine such as my video games (I'm a gamer at heart) and Firefox, IE, Malwarebytes, etc., but I'm still having these problems. I should note that I am running Windows 7 Professional as well. I also noticed that Microsoft Security Essentials was disabled - I tried to restart it but it said it wasn't an installed service. Scans show that I did have Security Essentials at one point but it is now disabled. Any help/ideas? This problem has been happening for a while now (it might have been infected 2-3 weeks ago, but I've recently been on vacation so I couldn't fix it).

P.S. I should also mention that I had the Live Security Platinum virus on my system as well, which I removed successfully by using the self-guide on this site. I'm not sure if I was too late in removing it, and if it left some trace of it on my computer.

A:Google Redirect and Random Audio ads playing, Microsoft Security Essentials disabled

Welcome aboard. Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies
Answer Match 75.18%

Hello,

Several days back my computer was infected by malware. While I don't know for sure, the symptoms it exhibited were similar to the Windows XP Fix description. Besides the usual constant popups that my computer was unsecured, it made all my files hidden, disabled task manager, etc. Using a combination of pretty much all the major freeware malware removal programs (Spybot, Ad-aware, MBAM, SuperAntiSpyware, Avast) and doing some of my own regedit edits, I managed to remove most of the major issues.

However, I still have four issues that are still causing problems.

1. I have the rogue svchost problem where an svchost process keeps launching Internet Explorer in the background, and IE constantly keeps trying to hit dubious URLs. I've put a band-aid on this for now by simply setting IE to be in "Work Offline" mode.

2. Google hijacks, probably TDSS rootkit. Google links are getting redirected in all browsers I try (Firefox, Chrome, and IE). Interestingly, after I set IE to "Work Offline," some Google links work without issue now, although not always.

3. When I run Visual Studio 2008, and I go to run any Windows Forms projects with a debugger, the debugger is no longer attaching. Basically, I hit F5, Visual Studio pauses for a moment, and then returns as if I closed the executable. I can run my projects WITHOUT debugging. This may be out of the scope of the usual problems people report, but I mention it in case anyone has heard of somet... Read more

A:Infected by Windows XP Fix, TDSS redirect, and possibly more

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************
First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/408785 and follow the instructions there. If you do not still need help, this is all you need to do. If you do need help please continue below.
***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information: If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far. A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
Please do this even if you have p... Read more

1 more replies
Answer Match 74.76%

hi there. I've made an account cuz I figure people here could help me. I have a gateway NV54 - bought as a gift for Christmas 2010. I had it reformatted about a year ago.. reinstalled Windows 7. but I don't have a Windows boot disk, I don't think.. so I want to avoid having to bring it in to the shop and pay them to get rid of this

basically the past couple weeks I've been getting glitched-out "half-time" audio when I'm playing youtube or an mp3.. then eventually it stops and starts playing normally.. now it gets steadily worse... I'm getting frequent "unresponsive script errors" which freeze up my browser - firefox. I disabled youtube2mp3 converter but still have the problem.. now when I type, for instance in this reply window, it frequently freezes for a while, only to spit out the words I typed 30 seconds later...

but today the real kicker was.. twice today when I opened my laptop back up, even though I hadn't entered my user password yet to get into windows, audio immediately starts playing from some live improv comedy I don't recognize.. nothing off my hard drive that's for sure.. same one both times..

girls saying "things that make ..... cry!" then somebody does a rendition of Two Ladies from the movie Cabaret.. but it is not playing off *any* open browser window.. just a phantom

I've had this before a few years ago.. tried to download a Sopranos episode off this "youkku&quo... Read more

A:possible trojan virus playing phantom audio! beginner - please help!

16 more replies
Answer Match 74.76%

I got this problem about 2 months ago. Might as well repair everything. I run Windows XP Home edition on a laptop.

Problems that still exist:
1. Commercials, in audio form, start playing after computer start-up. No application was open.
2. Google search redirects, on Mozilla only. I use Chrome, and this used to happen on Chrome too, but I renamed Chrome.exe. Redirects to Tazinga!, Lycos page, Mevio, etc.
3. Notification pop-ups. One type is the Internet Explorer Script Error, containing "Line, Char, Error, Code, URL" info, and the option is Yes/No. The other type is Adobe update, asking whether I want to install it or not. Both will interrupt whatever application is on the top (including full-screen games!).

Also, I can't run TDSSKiller, but for some reason am able to run SuperAntiSpyware. Scanned with Avira AntiVir, nothing. Scanned with that SAS, found a lot of cache memories, deleted, rebooted computer, problems still there. Scanned with Stinger, can't do anything.

Hope this supplies enough info to start. I need this laptop for college, and I have too much precious music and software (I'm a musician) to be re-formatted. Pro help will be hugely appreciated.

Ayam

A:Audio playing in background, script error notifs pop up repeatedly, Google redirect virus.

What do you mean when you say you can't do anything?

Can you post the logs from Super Anti-Spyware?

8 more replies
Answer Match 74.34%

Hi,

Since Friday my computer started to run slow and kept crashing. I also noticed it would redirect Google searches to various webpages and not the actual link it was meant to... I have McAfee Security Centre (updated daily), so ran a scan. It revealed some trojans, namely "Spy-Agent.bw!mem, DNSChanger!ba and Generic FakeAlert!cd". Some of it was removed/quarantined while 1 or 2 files couldn't be fixed by McAfee. I then ran MBAM which managed to clear everything. Here is the log from then (28th Aug):

-----------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2709
Windows 5.1.2600 Service Pack 3

28/08/2009 18:07:25
mbam-log-2009-08-28 (18-07-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165024
Time elapsed: 36 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\C... Read more

A:Infected with Google redirect & Rootkit TDSS and Rootkit.Agent/Gen-Rustock[KBI]

UPDATE: Did an online scan with Eset, it reported the following: C:\Documents and Settings\Amit Sinha\Application Data\Sun\Java\Deployment\cache\6.0\56\3c28cc78-2a20046a probably a variant of Win32/Agent trojan deleted - quarantined. So looks like there are still some remnants... Anyone?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members. Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are... Read more

4 more replies
Answer Match 73.92%

Hey, I got the Vista Recovery Virus, but I was able to remove it and get my computer mostly functional again. I ran the unhide.exe but it wasn't able to unhide many things. Now I have ads playing on my speakers-- which stop when I close internet explorer in the task manager (I never use internet explorer!) and Google redirects me in firefox. I tried running rkill in safe mode and then running the Kaspersky TDSS Killer, and even renaming it and renaming the extension but it just doesn't run. Also this error message comes up at startup, and also whenever I try to click on Windows Defender-- "Application failed to initialize: 0x80070006. The Handle is Invalid". Help would be appreciated, here is my DDS log--

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_22
Run by Administrator at 17:34:58 on 2011-05-30
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.3326.1945 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32&#... Read more

A:Infected with TDSS, Google Redirects, and TDSS killer won't run

I figured it out it myself. Sorry for wasting anyone's time. Please close this thread.

2 more replies
Answer Match 73.5%

On 21 Apr 11, I got hit with "Windows Diagnostics" virus/malware. I managed to remove it after ~6 hrs battle (mostly trying to regain whatever little use left of IE/Firefox so that I could investigate the solution). I removed it using RKill, followed by Malwarebytes, and Unhide.

However, since then, I had intermittent/random Google Redirection problems, audio ads running in the background by themselves, and fairly frequent IE Script error pop-ups (even though I wasn't running IE. I have IE installed but I use Firefox). I ran Malwarebytes, AVG, and Norton A/V but they did not find anything. I even downloaded the "NoScript" add-on for Firefox but that didn't help either.

I read a similar problem in this forum (topic394041.html) but am hesitant to follow it exactly as the step on CFScript looks customized for that particular user.

Can someone please tell me what I need to do to get rid of these problems? Thanks in advance.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by haryadi at 19:04:02.63 on 02/05/2011
Internet Explorer: 7.0.5730.13
.
============== Running Processes ===============
.
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C: ... Read more

A:Infected with Google Redirect, Audio Ads, and IE Script Errors

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more

15 more replies
Answer Match 73.5%

May 6th 2011, my cousin was having problems with Google redirecting to various sites, then audio ads started to appear with nothing visible in the task manager to track. It has been 20 years since I dealt with this stuff as a former tech, so you can understand my position; it's like I have been frozen in time with all the new advances that I have not kept up with. I am a little outgunned here, so I really need your help. You guys are the best, so that is why I am here. I have been reading Chris.wrx's post, who was working with Gringo, and I was impressed with the solid effort he put forth. I don't assume that the same fix will work here because the systems are set up differently, as is the installed software, so the only thing I deleted before I read this post was Messenger running in the background, thinking it would eliminate the audio ads. Of course I ran just about every available virus protection program out there with no change. I have to be honest: before I read the post I did download ComboFix and realized it should not have been done because I was in an old post that had me rename it to username123. My apology for that mistake. So, without making any more changes I downloaded DeFogger and DDS to be able to get the logs for you guys to look over. Maybe it fixed it or maybe it damaged it, not sure; anyway, after reading all the work you guys did for everybody, I prefer to trust your judgement over mine.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by LB at 11:16:20.94 on Sun 05/15/2... Read more

A:Infected with Google redirect, audio ads, and IE script errors

Good evening.

"I did down load combo fix and realized it should not have been done because I was in an old post that had me rename it to username123."

Did you run it, or just download it?

4 more replies
Answer Match 73.5%

get a phantom audio file and google redirect, need help please...

More replies
Answer Match 73.5%

I'm having two issues. First, IE8 and Chrome redirect when a link is clicked on a search. Second, I get phantom radio signals over my speakers that last 5-10 seconds and then stop. I've run Malwarebytes and run Panda antivirus. Both periodically come up with viruses/malware, but not every time. Also, I can't install the latest Windows XP security update. It has failed 6 times even when Panda and Malwarebytes come up clean before attempting the update.

HELP!!!



DDS (Ver_10-12-12.02) - NTFSx86
Run by Peter and Esther at 16:12:48.79 on Sun 02/20/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1891 [GMT -8:00]

AV: Panda Internet Security 2011 *Enabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
FW: Panda Personal Firewall 2011 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe
svchost.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackgroundService.exe
C:\Program Files\M... Read more

A:Browser redirect and phantom audio noise

Hello and welcome to TSF. My name is Taylor and I'll be helping you with your fix.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

17 more replies
Answer Match 72.66%

Hi there,

My computer has been infected since Tuesday. I had the hard drive diagnostic virus where I kept getting critical error messages and lost most of my desktop icons. I ran Malwarebytes and was able to restore all my desktop items. I thought my computer was cured, but then I noticed my Google and Yahoo searches being redirected.

Aside from the search redirects, I also hear audio ads at random times, but I can't see any ad or video. Sometimes they are ads for things like auto insurance; last night I heard a clip from American Idol. Lastly, I am using Firefox, but at random times IE will launch a blank page.

Thanks in advance for your help, this is driving me mad!
Here's my DDS log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_25
Run by Ashley Admin at 23:29:37 on 2011-05-27
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1790 [GMT -7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\Syste... Read more

A:Infected with Google Redirect, Invisible Audio Ads, and IE Blank Popups

Hi,

Please do the following:

Please download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Refer to the ComboFix User's Guide. Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place ComboFix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on ComboFix.exe & follow the prompts.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.

---------------------------------------------------------------------------------------------


The title pretty much sums it up. My machine is basically infected with some kind of rootkit virus, I believe, the major symptoms of which are that browser search result links are redirected to bull$#!t sites, horribly annoying audio ads play at random, and frequent pop-ups appear alerting me that a script from some random site has stopped responding and asking if I would like to continue to allow it to run. I have Avira installed, which didn't prevent or remove it. I downloaded and ran MalwareBytes free version, which didn't remove it either. I then ignorantly followed the advice from another site which linked to ComboFix as if it were a virus scanning tool, at which point I ran it, rebooted, and when that didn't work, found BleepingComputer and followed the instructions on how to proceed properly there. Thank you in advance for any help you can provide. My DDS and GMER logs follow:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by ChrisPowers at 23:50:29.29 on Sun 04/10/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2048.1414 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system3... Read more

A:Infected with Google Redirect, Audio Ads, Browser Script Popups

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them. DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


Whenever I click on a Google search link, it's being redirected to an ad-spam site, and also my Windows update gets an error. I think I have a TDSS Rootkit since I ran GMER on my desktop (see below log) and it states:

Device \Driver\atapi \Device\Harddisk0\DR0 86EAEEE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I also tried to use TDSSKiller.exe but it did not remove the rootkit. Please help! Below is my full log from GMER:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2010-05-06 13:51:22
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ERICHO~1\LOCALS~1\Temp\awldikog.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9D14722B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0x9D1471AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9D147255]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0x9D1471BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0x9D1471EB]
Code ... Read more

A:TDSS Rootkit. Please Help! Google search links redirect, Windows update error

My HijackThis Log File

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:11:11 PM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Asset Services Management\eSMARTUM.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IBM\Lotus\Notes\nslsvice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Program Files\Asset Services Management\ASMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\McAfee\VirusScan ... Read more


Hello. This morning, upon visiting a MySpace page, a download box quickly flashed on my screen that seemingly resembled a Java update followed by a popup saying I won a $1000 gift card from Wal-Mart at "redeemyourprize.com". Now, several popups seem to randomly appear while I'm browsing the internet, as well as google searches being redirected. The popups include google searches for "111211url.cptgt.com", "http://www.nationalcreditfixers.com", and "www.checkedstats.com". In addition, popups come up with ads persuading me to visit "epicvideoarcade.com" and "collegeconduit.com". I use Nod32 as my anti-virus, and have run that as well as Ad-Aware, Spybot S&D, Malwarebyte's Anti-Malware, and SUPERAntiSpyware, however nothing was found from any of the programs. I am unable to restart in Safe Mode, as the computer locks up before it loads Windows. It seems as though the popups do not start until I have opened my browser, as when I restarted to run all of the malware/virus scans, I was able to use all the scanners without a single popup/voice ad. However, upon opening my browser, I began to receive popups and phantom voice ads despite not having any browser open. Upon opening my Windows Task Manager, I found several instances of iexplore.exe despite not having any browsers open, and several instances of rundll32.exe that ranged from 5k to 30k of memory usage. Upon closing out of all of these, the popups app... Read more

A:Google redirect/IE popups/phantom voice ads

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr / DDS.pif. Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the resu... Read more


My computer got infected by the "Windows 7 Repair" virus which shutdown the computer and made the computer nearly unusable. After following the "Automated Removal Instructions for Windows 7 Repair using Malwarebytes' Anti-Malware" guide and (naively) using Combofix, I was able to get the computer in a working state, but I still have issues with Google redirects. I also tried following the instructions to use TDSSKiller -- http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller -- but when I ran the program, nothing was cured.

My next step was to create a help topic here, as per this website: http://www.bleepingcomputer.com/forums/topic34773.html. Below and attached are the DDS and GMER logs, as requested.

Any help would be much appreciated. Thanks!
--------------------DDS Log:---------------------------

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by John at 22:57:54 on 2011-07-03
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3063.1735 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows&#... Read more

A:Infected with TDSS & Google keeps redirecting after "Windows 7 Repair Virus"

Good news! I was able to stop the Google redirects by running an updated version of TDSSkiller to remove the rootkit. From this point on, there are no more problems I can notice. However, if there is anything I can do to improve my computer's speed/security, I would appreciate the help at your earliest convenience. I would be glad to provide any logs you feel are necessary. Thanks!


I downloaded a .gif the other day of the rage guy to use on a web forum for some bad news. I wasn't paying attention to it and it contained a virus. It must have been that as it happened instantly after it saved. I had the Windows 7 fake repair system pop up; I knew instantly it was a problem, so I left my laptop overnight running a McAfee scan which found nothing.... useless. I Google searched and found your site and Major Geeks guides on removing malware. I installed, following this: SUPERAntiSpyware, Spybot Search and Destroy, ComboFix, unhide.exe, Malwarebytes. I've used them all and they seemed to remove a lot of stuff, and following them the Windows 7 repair virus seemed to disappear, but my browser has slowed down. When I open it, it can't connect to proxy and Google searches redirect to random sites. The proxy issue seems to be Firefox's settings are changed to manual proxy settings, which even when changed back to auto, on each launch they are back to manual. I used Norton Power Eraser then and the redirect issue seems to be different: it redirects but then redirects again back to the Google search. I've hit a brick wall and I can't remove any more. I need some help please.

DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_23
Run by Chris at 16:42:01 on 2011-06-18
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.3037.1771 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B1... Read more

A:Infected with a TDSS, Google redirects, had/have fake windows 7 repair

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more


Dear Experts,

I have been a spectator for a while using this website to widen my knowledge and it is very much appreciated what you guys are doing here. Let me thank you guys/gals in advance for your time and help. Last week my machine was infected with a rootkit virus and I have failed to remove it. I am a computer guy and I fixed hundreds of infected machines in the past but this one gets me!

The symptoms are:
1. Google links are redirected.
2. Every so often (sometimes 5 times an hour, sometimes once every two hours) explorer.exe will open up multiple TCP connections to servers and IP addresses that I don't recognize and play random but repetitive commercials/radio station sound bytes. Usually not a complete commercial and it usually lasts for 5-10 seconds.
3. Once in a while (once or twice a day) a window titled "message from webpage" will be opened by explorer.exe with a label "Thanks" and a button "OK".

I used AVG, ESET, Microsoft Security Essentials, Exterminate It, Malwarebytes, CCleaner and ComboFix and by now all scans give the computer a clean bill of health but the symptoms are not removed. Five days ago ESET gave me this report but now it gives a clean report.

C:\$RECYCLE.BIN\S-1-5-21-266775593-2276910581-870900397-1000\$R3DXH1U.txt Eicar test file cleaned by deleting - quarantined
C:\Windows\Installer\{b815768f-eb22-5c7b-fbca-993571e2f1aa}\U\00000008.@ Win64/Agent.BA trojan cleaned b... Read more

A:Infected Machine - Google Links Redirected, Phantom Sounds Playing

My post was too long so I broke it into two posts.

OTL Extras logfile created on: 7/28/2012 11:54:05 AM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\Sean Einy\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.91 Gb Total Physical Memory | 2.94 Gb Available Physical Memory | 49.81% Memory free
11.82 Gb Paging File | 6.99 Gb Available in Paging File | 59.13% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 581.71 Gb Total Space | 210.03 Gb Free Space | 36.11% Space Free | Partition Type: NTFS

Computer Name: SEANEINY-LT | User Name: Sean Einy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE�... Read more


It's time to seek professional help.
When connected to LAN, I am experiencing these symptoms:
- Google redirects using Firefox (only browser I use) intermittently
- What I call "Pop-Up Radio" - No pop-up window, just pop-up sound, Ads and talk. Browser does not have to be open.
- Real-Time Protection software (MBAM or Norton) blocks repeated intrusion or outgoing attempts to 3 sets of IP addresses: 94.102.60.6, 178.238.36.17, and 112.175.243.22 - by "set" I mean that the last octet varies

Norton Internet Security reports that I am infected by a "Bamital Trojan", and various attempts to remove it, over a couple of weeks, have all failed.

Over the course of 2 weeks, I have tried:
- TDSSkiller and Sophos Anti-Rootkit - found nothing
- Malwarebytes MBAM - ran the trial version of MBAM with "real-time" monitoring - it constantly blocked "outgoing attempts" to the IP addresses described above.
- rkill and then MBAM - still found nothing
- Bit Defender Rescue CD - nothing; Kaspersky Rescue CD would not run.

I had ZoneAlarm Security Suite installed when I got infected - first virus in many years! After the above, I abandoned ZA, and have installed Norton Internet Security 2012, which now blocks the "intrusions", but does not find any virus to remove. Then I tried Norton's tools:
- Norton Power Eraser - finds 3 "BAD" Windows files: explorer.exe, svchost.exe, winlogon.exe.
The Norton recommen... Read more

A:Bamital Trojan, Google Redirect, Phantom "Pop-Up Radio"

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. Do not run any other tool until instructed to do so! Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them. Run Combofix: You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this). Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<. Combofix may need to reboot your computer more than once to do its job; this is normal. You can download Combofix from one of these links: Link 1, Link 2, Link 3. 1. Close any open browsers or any other programs that are open. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more


Hello all,

In advance I'd like to really thank you for the help. I really wish I were posting for entirely different reasons, but oh well...I will try to recreate the events to the best I can remember them:

A few weeks ago my laptop, a Toshiba Satellite P205D running Vista, was infected with a Windows Repair Virus. From the outset, I tried to nip this in the bud and I find myself chasing my tail.

I performed a scan using the McAfee AT&T Internet Security Suite, followed by several attempts to run Malwarebytes, during which the computer would simply shut down before the scan was complete.

I then downloaded Trojankiller and ran it and thought I fixed the Windows Repair Virus Problem. I then downloaded and ran an Unhide program to restore my desktop and start menu icons.

From there, I again ran the McAfee, and the Malwarebytes. This time I ran the Malwarebytes in safe mode. I then downloaded HitmanPro and Superantispyware and ran those to see if that could solve the problems unleashed by the initial infection. Nope.

From here though the laptop was running really slow and a check to the Task Manager, processes tab showed the CPU usage to be running at 100% with iexplore.exe seemingly taking the most usage.

If the process isn't ended by the computer itself, I end up ending it manually as doing so brings the CPU usage down between 2 and 30%. (Interestingly tonight a window popped up with the message "iexplore.exe - Application Error","The... Read more

A:Infected with Windows Repair Virus, TDSS & Google Searches Get Redirected

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412451 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following inf... Read more


Okay, here are the symptoms: Windows Recovery Software/Internet Security 2011 antivirus pop-ups, background audio ads, search engine redirect from Google and script errors listing random websites. I ran Malwarebytes twice today. The first scan netted 15 files, but the second was clean and the problem remains. Although, I don't seem to be getting the Internet Security 2011 pop-up any more. I ran DDS and only the DDS.txt file was produced. Attach.txt did not pop up.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Eric at 13:15:48.30 on Sat 04/23/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2410 [GMT -4:00]
.
.
============== Running Processes ===============
.
I:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
I:\Program Files\Windows Defender\MsMpEng.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
svchost.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Flip Video\FlipShare\FlipShareService.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\... Read more

A:Infected- Internet Security 2011, Google redirect, background audio, script errors

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about your ... Read more


Hi, first time poster, always have been a lurker and a fan of the site.. Anyway, I've seen other threads of this but apparently the help that was given to the user was unique to their computer. I'm on Windows 7 64 bit. Recently (maybe 2-3 days ago) I've been having the Google Redirect problem.. I've had this problem on this computer before, but fixed it with system restore. This time around, I guess I waited too long and a day later I got hit with the hide all programs virus, but I fixed that with the unhide.exe from this site. Just yesterday, I started getting ads playing with just audio, and no programs open. These ads play maybe every 30 mins to an hour. Again I've seen threads with the same problem, but I don't want to run programs that aren't meant for my computer or something along the lines. AVG has been giving me error messages of a trojan, from Explorer.exe, but only gives me an option to ignore and not remove the virus. I don't know if these problems go hand in hand, so sorry if it's off topic a little. Thanks for any help/comments in advance!

A:Audio ads playing in background, hide virus, Google redirect virus

Bump, I really just wanna get these audio ads out of here, the other problems aren't so bad


About a day or two ago I was infected with a virus of the XP Antivirus/Home Security 2012 family. I uninstalled it with a serial number I found on a blog, but since then I've been experiencing link redirection when using Google, my default browser being switched from Firefox to IE and with a hijacked homepage, instances of ghost audio, and a program hiding itself as "ping.exe" and using up in excess of 400MB of memory and 100% of CPU power. I've found that I can't specifically access certain sites like Windows Update due to constant connection reset errors (including this one when trying to post a topic, so I'm posting this from another machine). Instances of ghost audio consist of unwarranted system sounds, mouse click sounds, and audio advertisements. Before all of this, I noticed that I couldn't activate real-time virus protection under Norton Antivirus. Trying to activate the service manually proved ineffective.

I suspect my computer has been used as a proxy in a DDOS attack and otherwise opened to virii that connect to the internet. Scanning with fully updated Norton Antivirus, SUPERAntiSpyware, Malwarebytes' Anti-Malware, Microsoft Security Essentials, HijackThis, Spybot: Search and Destroy, and Trend Micro's Housecall have not proven successful, removing some Trojans but not the root of my problems. I have been booting my computer and running these scans in Safe Mode with Networking and continue to do so until this situation is re... Read more

A:Infected with Google Redirect/IE Browser Hijack, ping.exe Usage Spike, Ghost Audio Rootkit(s)

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. Do not run any other tool until instructed to do so! Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them. Run Combofix: You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this). Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<. Combofix may need to reboot your computer more than once to do its job; this is normal. You can download Combofix from one of these links: Link 1, Link 2, Link 3. 1. Close any open browsers or any other programs that are open. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more


Hello, my computer has the Windows XP Recovery and TDSS rootkit infections. My start menu programs are hidden. Sometimes unknown audio plays. I ran rkill which made my desktop icons visible. I scanned with malwarebytes which detected and deleted things. Nothing seems to have entirely worked. As the tutorial on posting to the forum suggests, I've disabled my CD emulation software. The guide I was following suggested that because I cannot run TDSSkiller I should post in the forums. Below is the DDS log and attached are the attached.txt and GMER logs.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by Adam at 10:11:24 on 2011-05-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.647 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program F... Read more

A:Windows XP Recovery and Google Redirect

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread. I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you hav... Read more


Hello,

My wife experienced a Windows Recovery "program" telling me I had a problem with my hard drive. I shut down the computer and when I rebooted the program came up again. I then started losing shortcuts on my desktop, my wallpaper, the All Programs list in Start was eventually empty, all of "my favorites" are gone in IE and I am getting redirects on Google (have not tried other search engines). I used system restore to get the computer to function. I ran MBAM and antivirus but cannot correct. I appreciate any help that you may be able to give. Thank you.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by robinson at 18:48:48.26 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.308 [GMT -4:00]
.
AV: CA Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\... Read more

A:Windows Recovery then Google redirect

Found four trojans with SUPERAntiSpyware. Used recovery CD to reformat and reinstall OS. This was the only way I felt I could be safe with this computer.


From what I've read, typical symptoms: google link redirect, random IE running in the background... I'm afraid it's a little beyond my depth

A:TDSS/Google redirect

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At... Read more


I'm confused about what could cause my problem. The system's slower than normal, especially while browsing. I know it can be caused by a rootkit because I've plugged my external hdd into an infected computer (so I was told afterward).

It doesn't affect a lot by redirecting, but I've experienced it a few times, on google results, but also when I click the middle mouse button to get a link to open in a new tab.
Edit: it now opens new tabs... on this: hxxp://adf.ly/2BCJD
Also, I've noticed for a few days that my firewall isn't working. When I try to reactivate it, it gives me a 0x8007042c error.

Here's what I collected on DDS.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by Philou at 17:15:37 on 2011-12-05
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.2048.1043 [GMT -4:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestr... Read more

A:Google redirect and probably more (tdss ?)

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430922 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more


I JUST installed ubuntu on my computer...wiped windows completely. 5 days later now it looks like i have this tdss virus, Google is redirecting to a bunch of different websites (although for now it seems like removing the cookies has stopped it for the moment). Anyways, I'm getting desperate here. Not sure what to do. Any and all help that can be offered will be greatly, greatly appreciated.
Thanks
Max Gardner

A:Google redirect/TDSS help me please!!!

Hello Max, I moved this to the Am I Infected forum. Please follow our Removal Guide here: How to remove Google Redirects. You will move to the Automated Removal Instructions. If it finds something make sure Cure is selected. Next click Continue then Reboot now. A log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Next run MBAM (MalwareBytes): Please download Malwarebytes Anti-Malware and save it to your desktop. Download Link 1 Download Link 2. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes. Make sure you are connected to the Internet. Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked: Update Malwarebytes' Anti-Malware; Launch Malwarebytes' Anti-Malware. Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encount... Read more


Google redirect virus. Tried to follow instructions on your site to remove. Got as far as downloading/renaming TDSS Remover-it would not launch after rename. Received an IE error while running GMER scan so not sure if that completed properly. Not sure how to proceed.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jennifer Bahe at 18:29:59 on 2011-06-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.448 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe... Read more

A:Google Redirect-TDSS?

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


Two days ago or so when searching on Google I started getting weird results (mostly asklots.com redirect) and then difficulty reaching anti-spyware sites; IE would do its usual thing for no connection. Have read through other posts and I have noticed drop outs on audio, heard some kind of voice announcement I couldn't quite make out, noticed a bunch of odd clicks. Thought I was just getting tired from running scans, but after seeing other people with symptoms, I know I'm having them. I figured spyware of some type and ran AVG, Spybot S&D, Malwarebytes. Got some stuff (Trojan launchers in rar files) that was supposedly cleaned up, but same issues happened again. Ran the three plus SUPERAntispyware in Safe Mode. SUPERAS got the tdss root kit, but it came back after reboot. Ran Defogger and all the things recommended on this site. Attached are the logs that I have - I am working from a laptop, the infected machine is a desktop. The GMER has been running since 3:21 Eastern, I made a short report from that. Attached: DDS, ARK (partial), Hijack this logs

A:Seem to have TDSS or some Google redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop. Double click DeFogger to run the tool. The ap... Read more


A friend came to me with her laptop that is having issues. It is a Gateway ID49C07u running Windows 7 Home Premium x64. Google redirects ceaselessly, MBAM and TDSSKiller don't find anything. Microsoft Security Center is shut down and won't start. Microsoft Security Essentials is shut down and won't run. Windows Malicious Software Removal tool won't run. Please bear with me on any replies because my friend won't relinquish her laptop regardless of the issue. Any reply and suggested course of action will have to wait until I have the comp in front of me again. Sorry for any inconvenience.

Here is the requested DDS log file:

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by user at 20:02:08.01 on Wed 03/23/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3767.2201 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\W... Read more

A:Google redirect, TDSS???

I just wanted to say that I know you all are busy and I wanted to let you know I received help elsewhere. Figured I'd tell you so you wouldn't waste any time or resources. Thanks anyway!!! Moderators, you can mark this thread closed. Thanks again!


Google redirect virus. Occurs in IE and Firefox. Interestingly, using google SSL beta thwarts it. None of the stock tools detect it (Malwarebytes, etc) and not even in safe mode. Out of curiosity, housecall fails to install, and MS Security Essentials fails to start the service (once I hit start, it stops either immediately or a few seconds later).

This is far, far beyond me. Any help is greatly appreciated. As per the posting guidelines, the logs are below:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by at 15:27:57 on 2011-08-11
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2998.2000 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\s... Read more

A:Google redirect. TDSS?

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


I seem to have been infected with an incredibly persistent variant of the TDSS / Google redirect rootkit. Symptoms include:
Windows Security Center is disabled and cannot be restarted
Windows Security Essentials is disabled
Google (and other) searches redirect incorrectly
I have pretty much tried every documented removal strategy/tool with no success. Please find attached the requested documentation. Note that GMER did not allow me to select/deselect the options you require (another symptom of the rootkit?) Appreciate any help you can provide. Cheers/Ph

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Phil.Geyskens at 9:31:01 on 2011-05-22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3958.2047 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C... Read more

A:TDSS / Google Redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more


Not detected by tdsskiller.exe, which says the system is clean.
 
Google randomly redirects to advertising sites, whether with Internet Explorer or with Mozilla Firefox.
 
Before coming to your site I tried ComboFix - sounds as if I might have boobed there, sorry! - any help you can give will be greatly appreciated.
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Owner at 17:02:29 on 2013-05-26
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3071.2161 [GMT 1:00]
.
AV: Panda Antivirus Pro 2012 *Enabled/Updated* {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
.
============== Running Processes ================
.
C:\WINDOWS\system32\IFXTCS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avatron\Air Display\AirDisplay.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Ant.com\IE add-on\AntUpdaterService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Infineon\Securi... Read more

A:TDSS Google redirect

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Hello! I've been reading around, as I've seen this virus has been hitting a lot of people recently. I was first hit with the Windows XP Recovery Virus yesterday, ran MBAM and Spybot S&D and completely removed it, among other things, from my computer. I am running Windows XP SP3. I decided to make a topic because I wasn't sure if my case was any different, so I figured I'd rather be safe than sorry.

However, even after that fact, I noticed there was still a Google Redirection virus, along with a rogue "iexplore.exe" process that would return after being killed. I believe the two are connected, and I ended up changing the name of iexplore.exe to _iexplore.exe, killed the process, and it has yet to return, but I am still having the redirection problem. I've run searches through MBAM, Spybot, and Trojan Hunter (both in and out of safe mode), nothing has come up. TDSS Killer will not run. Any help would be appreciated!

Not sure where to start, but I have a few logs from MBAM and Hijack this, if needed, let me know. Thank you very much!


Hi guys, I was doing work on my 3-year old Sony Vaio VGN-CR390 (Core 2 Duo, Windows Vista) last night. I went to go get something in another room last night, and when I came back I suddenly had what seems like a popular "Windows Vista Recovery notice" pop up. Soon thereafter, I was getting silly error messages (such as my hard drive being fully used and my RAM memory being used completely as well) so I decided to do a system restore to June 1 to try to get some functionality back. When I went to go do a system restore, the following things happened:
When the system attempted to reboot after system restore, whether I chose Safe Mode, Start Windows Normally, or any of the other prompts, it would reveal a "ADVAPI32.DLL" registry error and go back to restart. It continued to do this for about an hour and I couldn't even get into Windows.
I created a Windows Vista Recovery disk on another computer as a solution, and put it into my computer. At this point, I was able to system restore back to June 1 and get into Windows.
Late last night, after I got functionality back with my computer, I realized that I had a Google Redirect problem. I was trying to search on google several times, and when I tried to click on a link it would redirect me to different websites. It is still doing this when I try to search.
I also tried to create a log file this morning using HiJackThis, but it's blocking my ability to create one. I tried to rename the file, but it still comes... Read more


Recently, my computer was infected with what I believe to be the Windows 7 Recovery virus. Prior to posting here, I did find another topic (link below) that provided steps for correcting the issue. I followed the steps in this posting and it appears to have corrected the Windows 7 Recovery virus, but the Google redirects that the post mentions still remain. The steps that address the Google redirects did not resolve this issue. I did execute multiple virus detection and removal programs to try eliminating the problem, but to no avail.

The link to the post containing the steps I performed is here (if relevant):

www.bleepingcomputer.com/virus-removal/remove-windows-7-recovery

Below is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Anthony at 16:53:17 on 2012-04-10
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3070.1682 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated*
SP: Windows Defender *Enabled/Updated*
SP: Norton Internet Security *Enabled/Updated*
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system3... Read more

A:Windows 7 Recovery Virus with Google Redirect

Hello josh! Welcome to BleepingComputer Forums! My name is Georgi and I will be helping you with your computer problems. Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download ComboFix from the link below:
ComboFix
Save it to your Desktop, but do not run it yet <-- Important!!!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
Double click it & follow the prompts.
If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
When f... Read more


About a week ago, I got the Windows XP Recovery virus. I followed your solutions, and then the Windows XP Recovery window doesn't come up any more, but now I have a Google Redirect problem. I also don't know if the Windows XP Recovery virus has been completely cleaned. The following are the steps I took, but basically TDSSKiller doesn't run. DDS also doesn't create the log files, so I only attach the GMER log. In advance, thank you so much. I cannot believe this site exists.

1. Ran RKill in Normal mode, then tried TDSSKiller, but it doesn't do anything when I double-click it. I changed the name of the file to 123.com, but it doesn't work.
2. Skipped TDSSKiller and ran Malwarebytes' Anti-Malware. Found 3 or 4 objects, so removed them. After re-booting the computer, Windows XP Recovery started running again.
3. This time ran Malwarebytes' Anti-Malware in Safe Mode. Found 4 or 5 objects, so removed them. After re-booting in Normal Mode, Windows XP Recovery didn't start anymore. Deleted the Windows XP Recovery icon from the Desktop, and deleted 3 or 4 files which seemed to have been created on the same day. I forgot where I saw the files.
4. I've noticed I also have the Google Redirecting issue, so I tried to run TDSSKiller, but when I double-click it, it doesn't do anything. Even when I changed the name of the file, it doesn't run.
5. In order to post this topic, I ran DDS; it seems to run, but after it displays 50 #s on the command window, it just freezes. I tried 3 times, but it ne... Read more

A:Windows XP Recovery virus then Google Redirect

Hello and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more


http://www.bleepingcomputer.com/forums/topic398620.html/page__p__2272528#entry2272528

There is the thread that includes the detailed problem. I was told to include that link here and to add on to the information in there: I am now discovering that random radio ads are starting to play in the background of my PC every time I'm on the net.

DDS.txt log:

.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Kids at 0:26:53 on 2011-06-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.18 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToo... Read more

A:Google Redirect/Windows Recovery Virus

Hello and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more


Greetings,
This is my very first post on these forums and unfortunately it isn't one to introduce myself. To cut to the point, my computer has been infected by malware and I believe it took a toll on my hard-drive, or so it seems. My OS is: Windows XP32. To make things easier for you, since you guys are frequently busy, I shall comprise a list of: symptoms, what happened, actions taken, and results of my actions taken. Here they are:
What Happened?
This is exactly in the order of what happened:
AVG has detected a threat in Adobe Flash Player reader, would you like to allow or not allow (I clicked allow).
I then ran MBAM (Malwarebytes' Anti-Malware). In the midst of the scan, a message popped up saying "Hard-drive error a reboot is needed" (I clicked 'OK'). Before my computer was able to turn off, a fake Windows scan (the Windows XP Recovery virus looking one) showed up. I knew that it was a fake and so I canceled it immediately and my computer turned off. And so when I turned my computer back on I saw the following:
What's wrong?
Desktop icons are gone (However I see everything that is on my hard-drive on the Add/Remove list in the Control Panel section!)
"Start--->All programs---->empty"
The classic Google redirect issue (Browser: Internet Explorer 8)
Task Manager is disabled by admin
Upon start up (IN NON-SAFEMODE) I receive the following error: "Error loading C:\WINDOWS\vbscle32.dll The specified module could not be found.&qu... Read more

A:Windows XP Recovery and Google Redirect Virus

Hello and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more


Okay, so, like hundreds of other users here, I have unfortunately come into a couple of computer issues. Specifically, as the title indicates, the Google redirect virus (yet again) and the Windows XP Recovery virus. Here's how it all started: Around two days ago, I had gotten off of school, was surfing the net, I may or may not have been looking at porn, and suddenly, out of nowhere, a box popped up that said something about my hard drives losing memory, or that they were in critical condition, and that I needed to reboot my computer ASAP. After trying to ignore the message for about three minutes, I finally decided to reboot the computer, like the PC said, only to find a completely blank, black screen on my desktop with all of my icons gone, once I restarted it. Now take note that beforehand, my desktop was already fully black via the fact that I had not put up a desktop background, since my dad likes to claim that doing so can harm the computer somehow. But anyways, I see this, and, like any other person, I start freaking out (lol.) And then, yet again out of nowhere, a window popped up saying that Windows XP Recovery needed to do some type of scan of some sort. I waited for the scan to finish, and as most viruses seem to do, it stated that there were many things wrong with my computer. Now given that I have dealt with viruses before in the past, I knew instantly that something was up. So after I rebooted my computer again to be met with the same results, since I wa... Read more

A:Google Redirect/Windows Recovery Virus

I am very sorry for having to do this in another post, but I can't edit my topic, and I made a mistake with it;

I am using Windows XP Professional, not Home. Yet again, I apologize for bumping this up like this.


My computer was apparently infected with the Windows XP Recovery fake alert. I started getting the warnings of Hard Drive failure around 10am on June 19th. (I did not opt to buy the supposed fix.) I did get a warning from McAfee that "fakealert.grb" was detected, but by then it was too late. After restarting in Safe mode, I ran Malwarebytes (several times) and a McAfee scan. Most of them found and quarantined things. I also noticed in my Documents & Settings/Application Data folder that I had a file called EYcdebEQBm6 (from Procfeatures Sysinternals) which was "last modified" around the time the problems with the computer started. I also noticed (by running MSCONFIG) that this program was in my startup menu. I deleted the file from the Application Data folder and unchecked it in the Start Up menu. I then restarted the computer in normal mode and got a message saying the computer was using a "selective startup." All of the options underneath are checked (Process System.ini file, etc.) except there's a green box in the "load start up items" section. The computer has been starting up this way ever since. For now, I'm just clicking OK and leaving it as-is. By this point, the Hard Drive failure warnings had stopped and everything appeared normal, except for almost all my files being hidden. But then I started to notice some Google searches being re-directed to random websites. The computer also shut down twice on its own while I was online (attempting to register h... Read more

A:Windows XP Recovery Infection & Google redirect

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

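Two of the posts above describe the same class of leftover that a quick autostart triage catches: the earlier poster's "Error loading C:\WINDOWS\vbscle32.dll The specified module could not be found" at every logon and Task Manager "disabled by admin", and the later poster's randomly named EYcdebEQBm6 item under Application Data that MSCONFIG showed in the startup list. The script below is an added example written for this page, not code from the posts, from BleepingComputer or from any of the tools they mention. It assumes Python's winreg module when run on Windows; on any other platform it runs the same logic over a constructed sample set modelled on those symptoms (the rundll32 entry point name "Startup" and the sample paths are placeholders). The two heuristics, "target lives in a user-writable folder" and "file stem looks generated", are assumptions that produce leads for a human to verify, not verdicts.

```python
import ntpath
import os
import re
from dataclasses import dataclass

RUN_KEYS = [(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\" + sub)
            for hive in ("HKLM", "HKCU") for sub in ("Run", "RunOnce")]
POLICY_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
# Per-user writable folders: legitimate Run entries rarely point there on XP
# (Google Update under Local Settings is a known exception), droppers usually do.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")

@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str

def target_of(command):
    """File the command really loads: strip quotes/arguments; for rundll32 the
    payload is the DLL in the first argument (DLL deleted, entry left behind ->
    XP's 'Error loading ... The specified module could not be found')."""
    cmd = command.strip()
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    if not m:
        return ""
    exe = m.group(1) or m.group(2)
    if ntpath.basename(exe).lower() == "rundll32.exe":
        d = re.match(r'"([^"]+)"|([^,\s]+)', cmd[m.end():].strip())
        exe = (d.group(1) or d.group(2)) if d else exe
    return exe

def looks_random(stem):
    """Generated-name heuristic (an assumption): 8+ alphanumerics mixing upper,
    lower and digits with >= 3 class switches (EYcdebEQBm6 yes, iTunesHelper no)."""
    if len(stem) < 8 or not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    classes = ["U" if c.isupper() else "L" if c.islower() else "D" for c in stem]
    flips = sum(a != b for a, b in zip(classes, classes[1:]))
    return {"U", "L", "D"} <= set(classes) and flips >= 3

def assess(entry, file_exists):
    """Reasons an autorun entry deserves a look; an empty list means clean."""
    target = target_of(entry.command)
    reasons = []
    if not file_exists(target):
        reasons.append("target missing")
    if any(mark in target.lower() for mark in USER_WRITABLE):
        reasons.append("user-writable location")
    if looks_random(ntpath.splitext(ntpath.basename(target))[0]):
        reasons.append("random-looking name")
    return reasons

def triage(entries, file_exists, policies):
    """Map entry name -> reasons for suspicious autoruns, plus policy findings."""
    report = {e.name: r for e in entries if (r := assess(e, file_exists))}
    if policies.get("DisableTaskMgr") == 1:  # the 'disabled by administrator' symptom
        report["policy:DisableTaskMgr"] = ["Task Manager disabled by policy"]
    return report

# CONSTRUCTED sample modelled on the posts above; the AppData executable and the
# rundll32 entry point 'Startup' are placeholders, not identifiers from a real box.
SAMPLE_ENTRIES = [
    Autorun("HKCU", RUN_KEYS[2][1], "EYcdebEQBm6",
            r'"C:\Documents and Settings\Owner\Application Data\EYcdebEQBm6.exe"'),
    Autorun("HKLM", RUN_KEYS[0][1], "vbscle32", r"rundll32.exe C:\WINDOWS\vbscle32.dll,Startup"),
    Autorun("HKLM", RUN_KEYS[0][1], "SunJavaUpdateSched",
            r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    Autorun("HKCU", RUN_KEYS[2][1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = {  # vbscle32.dll deliberately absent: the scanner removed it, the entry stayed
    r"C:\Documents and Settings\Owner\Application Data\EYcdebEQBm6.exe",
    r"C:\Program Files\Common Files\Java\Java Update\jusched.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
}

def sample_report():
    return triage(SAMPLE_ENTRIES, lambda p: p in SAMPLE_FILES, {"DisableTaskMgr": 1})

def live_report():
    """Windows only: enumerate the real Run keys and the per-user System policy."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries, policies = [], {}
    for hive, key in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = number of values
                    name, value, _ = winreg.EnumValue(k, i)
                    entries.append(Autorun(hive, key, name, str(value)))
        except OSError:
            pass
    try:
        with winreg.OpenKey(hives["HKCU"], POLICY_KEY) as k:
            policies["DisableTaskMgr"] = winreg.QueryValueEx(k, "DisableTaskMgr")[0]
    except OSError:
        pass
    return triage(entries, lambda p: os.path.exists(os.path.expandvars(p)), policies)
```

Run `live_report()` from an administrator prompt on the affected machine and `sample_report()` anywhere else. A "target missing" hit is the orphaned entry behind the logon error and is safe to delete; a "user-writable location" or "random-looking name" hit is only a lead, so hash the file and check it before removing anything. Note what this does not cover: the Google redirect in these threads is attributed to TDSS, a kernel-mode rootkit that does not need a Run key, which is why the helpers point at TDSSKiller and ComboFix rather than at autostart cleanup alone.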