Redirect Virus, also opens browser... swt

TSliang1988
post Jul 7 2011, 02:37 AM

New Member
*
Junior Member
29 posts

Joined: Feb 2010
From: KL/Kedah


Guys, I wanna know how to destroy a virus that has been attacking my computer by diverting my search results in Google to other affiliate websites..

It is freaking annoying cos I need to click a few times just to get to the website I want..

I've tried Spybot S&D and Kaspersky... both don't work..


Any ideas on destroying this virus/malware???


Thanks for helping!
narong30
post Jul 7 2011, 03:07 AM

Casual
***
Junior Member
328 posts

Joined: Jun 2010
From: Puchong



QUOTE(liang1988 @ Jul 7 2011, 02:37 AM)
Guys, I wanna know how to destroy a virus that has been attacking my computer by diverting my search results in Google to other affiliate websites..

It is freaking annoying cos I need to click a few times just to get to the website I want..

I've tried Spybot S&D and Kaspersky... both don't work..
Any ideas on destroying this virus/malware???
Thanks for helping!
*
Good topic, I've been in this problem before. My Norton 360 also couldn't detect it. Then I formatted my computer.
I wish somebody could come up with a better solution. I really want to know what the proper method is.

knight_t
post Jul 7 2011, 03:14 AM

Getting Started
**
Junior Member
131 posts

Joined: Jan 2009
From: Penang



You can try to restore your PC.

bugb34r
post Jul 7 2011, 03:18 AM

Pablo Honey
******
Senior Member
1,843 posts

Joined: Jan 2011

Download HijackThis and post the log here.

http://www.filehippo.com/download_hijackthis/
TSliang1988
post Jul 7 2011, 10:55 AM

New Member
*
Junior Member
29 posts

Joined: Feb 2010
From: KL/Kedah


I downloaded HijackThis... but it comes out with a long list of software and running processes, and I'm not sure which to delete...

Everything looks like a virus to me.. Hahaha


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:05 PM, on 6/21/2011
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
G:\Program Files (x86)\GIGABYTE\Gamer HUD Lite\HUD.exe
G:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
G:\Program Files (x86)\DiGi Internet\DiGi Internet.exe
G:\Windows\Xriroa.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Windows\SysWOW64\rundll32.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Users\Lenneth\AppData\Local\Google\Chrome\Application\chrome.exe
G:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = G:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SDTray] "G:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "G:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "G:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Google Update] "G:\Users\Lenneth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [4ECYTQ9SIC] G:\Users\Lenneth\AppData\Local\Temp\Xqq.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-257417401-2119986261-3670922916-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-257417401-2119986261-3670922916-1001\..\RunOnce: [mctadmin] G:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: GIGABYTE Gamer HUD Lite.lnk = G:\Program Files (x86)\GIGABYTE\Gamer HUD Lite\HUD.exe
O4 - Startup: setup_9.0.0.722_16.06.2011_12-55.lnk = G:\Users\Lenneth\Desktop\Virus Removal Tool\setup_9.0.0.722_16.06.2011_12-55\startup.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBA35CB3-A2A0-4111-B13C-78FCEC183A39}: NameServer = 210.48.195.134 210.48.195.133
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - G:\Windows\System32\alg.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - G:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - G:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - G:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - G:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - G:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - G:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - G:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - G:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - G:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - G:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - G:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Firewall Service (SDFirewallService) - Safer-Networking Ltd. - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDFWSvc.exe
O23 - Service: Spybot-S&D 2 Monitoring Service (SDMonitorService) - Safer-Networking Ltd. - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDMonSvc.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - G:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - G:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - G:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - G:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - G:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - G:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - G:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - G:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - G:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - G:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - G:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - G:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8840 bytes


Which one is the redirecting virus???

Lol, need help on spotting it...
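Reading a HijackThis log by hand is exactly the problem the poster describes: everything looks like a virus. The script below is an added example (not from the thread and not HijackThis's own code) that parses the sections replies in this thread actually look at: running processes, O4 Run entries and the O17 NameServer line. It flags a Run entry whose executable lives in a Temp folder, a Run value name that looks randomly generated, a process sitting directly in the Windows folder that is not on a known list, and lists the DNS servers set in the registry so they can be checked against the ISP's. The sample lines are an excerpt copied from the log above; KNOWN_WINDOWS_ROOT_EXES is an assumed, deliberately short illustrative allowlist, not a reference list. One caveat for anyone reading the full log: the many "(file missing)" O23 entries for built-in services are a known artefact of running the 32-bit HijackThis 2.0.2 on 64-bit Windows (file system redirection makes it look in SysWOW64 instead of System32), not evidence of infection, so the script ignores them.

```python
import re

# Sample lines copied from the HijackThis log posted above (an excerpt, not the whole log).
SAMPLE_LOG = r"""Running processes:
G:\Program Files (x86)\GIGABYTE\Gamer HUD Lite\HUD.exe
G:\Windows\Xriroa.exe
G:\Windows\SysWOW64\rundll32.exe
G:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SDTray] "G:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKCU\..\Run: [Google Update] "G:\Users\Lenneth\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [4ECYTQ9SIC] G:\Users\Lenneth\AppData\Local\Temp\Xqq.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBA35CB3-A2A0-4111-B13C-78FCEC183A39}: NameServer = 210.48.195.134 210.48.195.133
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (.+?)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O17 lines: registry DNS server overrides
O17_RE = re.compile(r"^O17 - .*: NameServer = (.*)$")
# A binary sitting directly in the Windows folder (not in System32 or SysWOW64)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\([^\\]+)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Value names like 4ECYTQ9SIC: 8+ upper-case letters/digits with at least one of each
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,}$")

# Assumption: a deliberately short, illustrative allowlist of programs that legitimately
# live in the Windows root. A real triage would compare against a much longer reference.
KNOWN_WINDOWS_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe"}


def exe_path(command):
    """Pull the executable path out of an O4 command line, quoted or bare."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def parse_hjt(text):
    """Split a HijackThis log into running processes, O4 Run entries and O17 nameservers."""
    parsed = {"processes": [], "run_entries": [], "nameservers": []}
    in_processes = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:                      # process list ends at the first blank line
            if line.strip():
                parsed["processes"].append(line.strip())
            else:
                in_processes = False
            continue
        m = O4_RE.match(line)
        if m:
            parsed["run_entries"].append(m.groups())   # (hive, key, value name, command)
            continue
        m = O17_RE.match(line)
        if m:
            parsed["nameservers"].extend(m.group(1).split())
    return parsed


def triage(text):
    """Return (kind, detail) findings a human should look at first."""
    parsed = parse_hjt(text)
    findings = []
    for proc in parsed["processes"]:
        m = WINROOT_RE.match(proc)
        if m and m.group(1).lower() not in KNOWN_WINDOWS_ROOT_EXES:
            findings.append(("unknown_windows_root_process", proc))
    for _hive, _key, name, command in parsed["run_entries"]:
        path = exe_path(command)
        if TEMP_RE.search(path):
            findings.append(("run_entry_in_temp", f"[{name}] {path}"))
        if RANDOM_NAME_RE.match(name):
            findings.append(("random_run_entry_name", name))
    for server in parsed["nameservers"]:      # verify these belong to your ISP
        findings.append(("registry_nameserver", server))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run against the excerpt, it singles out G:\Windows\Xriroa.exe (the file chrisling asks about below), the [4ECYTQ9SIC] entry launching Xqq.exe from Temp, and the two DNS servers. A flag is a reason to look, not a verdict: the next step is to identify each file (publisher, signature, a second opinion scan) before deleting anything.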
chrisling
post Jul 7 2011, 11:25 AM

Helper Trainee+
******
Senior Member
1,684 posts

Joined: Nov 2006
From: KL


Do you have any idea about this:

G:\Windows\Xriroa.exe

If not, please close all active applications including browsers, and then re-run HJT. Post the new log here.
TSliang1988
post Jul 8 2011, 08:51 PM

New Member
*
Junior Member
29 posts

Joined: Feb 2010
From: KL/Kedah


No idea what it is... never checked these things either.. swt...
I'll send you another log on Sunday night... I've gone back to my hometown now.. paiseh
amirudin920927
post Jul 30 2011, 12:02 AM

///-| Kapten | Amirudin |-\\\
******
Senior Member
1,431 posts

Joined: Feb 2009
From: Seremban - Putrajaya



QUOTE(chrisling @ Jul 7 2011, 11:25 AM)
Do you have any idea about this:

G:\Windows\Xriroa.exe

If not, please close all active applications including browsers, and then re-run HJT. Post the new log here.
*
TS, if you don't know what program it is, just kill the process. Then go to msconfig and untick the program on startup. You can also trace where the program is and delete it, either in normal Windows or in safe mode. Then use CCleaner to clean all unneeded files and folders.
king_lover23
post Aug 22 2011, 09:35 AM

Regular
******
Senior Member
1,055 posts

Joined: Feb 2009
From: Selangor/Johor

Does this happen in all your browsers, or only in a certain browser like IE?
If so, don't use IE lo.. use Opera or Firefox, which is more reliable...
H4XF4XTOR
post Aug 22 2011, 10:20 AM

【ツ】PANDAMON 【ツ】
*******
Senior Member
3,081 posts

Joined: May 2011
From: ▁ ▂ ▃ ▄ ▅ ▆ █ 100 %



Try reinstalling the browser.. upon uninstalling, clean all surfing profiles.
BlueWind
post Aug 23 2011, 04:57 PM

Sianzation
*******
Senior Member
2,901 posts

Joined: Jan 2007



Reinstalling browsers won't work because his MBR code has been infected. This is a TDSS variant rootkit infection and a complete rewrite of the existing MBR code is necessary.

Plus I doubt TS needs any help. lol
wcypierre
post Aug 23 2011, 06:53 PM

Newbie Programmer
Group Icon
Elite
4,619 posts

Joined: Jul 2011
QUOTE(BlueWind @ Aug 23 2011, 04:57 PM)
Reinstalling browsers won't work because his MBR code has been infected. This is a TDSS variant rootkit infection and a complete rewrite of the existing MBR code is necessary.

Plus I doubt TS needs any help. lol
*
MBR infected? Can't really confirm that until we see the hosts file.
BlueWind
post Aug 23 2011, 10:41 PM

Sianzation
*******
Senior Member
2,901 posts

Joined: Jan 2007



I can bet it is indeed MBR infected. Hosts file? You won't find anything there.

http://community.trendmicro.com/t5/Malware...tion/td-p/25978
QUOTE
If your machine is infected with a TDSS Rootkit, normally everytime you search something on Google, Yahoo, Bing, etc. you will be redirected to a malicious site or to a site that's totally irrelevant to your search topic/string.


http://www.prevx.com/blog/139/Tdss-rootkit...ns-the-net.html
QUOTE
When run, the infection is using a similar technique applied by MBR rootkit: all kernel mode and user mode components are stored to the last sectors of the hard drive, outside the file system. By doing so, they appear to be only raw bytes, bypassing every security check. Tdss rootkit bring this trick to a more advanced level, by encoding its components before they are written to the disk. Files are encoded and decoded on the fly.


chrisling
post Aug 25 2011, 04:27 PM

Helper Trainee+
******
Senior Member
1,684 posts

Joined: Nov 2006
From: KL


QUOTE(wcypierre @ Aug 23 2011, 06:53 PM)
MBR infected? Can't really confirm that until we see the hosts file.
*
How do you relate an MBR infection with the hosts file?

And we could have seen the user's hosts file from the beginning, if you know how HJT works.

Final word from me: do not spam an old thread. I was actually still waiting for his reply, and it's useless for us to give more advice to TS since he has been gone for months.
ahwai_83
post Oct 3 2011, 08:45 AM

New Member
*
Junior Member
48 posts

Joined: Sep 2006


I'm facing the same problem... can anyone help me out?
rikimtasu
post Oct 4 2011, 08:46 AM

Tired...
*****
Senior Member
760 posts

Joined: Apr 2008


QUOTE(ahwai_83 @ Oct 3 2011, 08:45 AM)
I'm facing the same problem... can anyone help me out?
*
Post your details at https://forum.lowyat.net/TechnicalSupport please.
fotosintesis
post Oct 8 2011, 08:10 AM

So which of the favors of your Lord would you deny?
******
Senior Member
1,002 posts

Joined: Jul 2009
From: Cney ya..


QUOTE(ahwai_83 @ Oct 3 2011, 08:45 AM)
I'm facing the same problem... can anyone help me out?
*
Reset your hosts file..

~Seems like there's a problem with your hosts file..

Locate your hosts file. You should find it at %systemroot%\system32\drivers\etc (most commonly it will be C:\Windows\system32\drivers\etc). Open the hosts file with Notepad and check that no unusual values have been added to it.

These are the default values. Yours should be the same.



For Windows XP



For Windows Vista


For Windows 7



This post has been edited by fotosintesis: Oct 9 2011, 10:42 PM
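Eyeballing the hosts file in Notepad has one weakness: an entry can be pushed hundreds of blank lines below the visible header, where a quick look misses it. The script below is an added example (not from the thread, and not the default hosts file content the post's spoilers held) that parses the file the way the post describes, ignoring comments and blank padding, and reports every active line that is not simply a loopback address mapped to localhost. Entries for the search engines named in this thread (Google, Yahoo, Bing) are labelled separately, since an entry for them is the classic redirect symptom. SAMPLE_HOSTS is a constructed file whose last two lines use a documentation-range (TEST-NET-2) address; hosts_path() builds the location from %SystemRoot% as the post says.

```python
import ipaddress
import os
import re

# Constructed sample (not from the thread): a header like Windows' default file, the two
# loopback entries, and two added lines of the kind a redirect infection plants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com
198.51.100.23   search.yahoo.com
"""

# Names a clean hosts file may legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Search engines mentioned in the thread. Assumption: illustrative, extend as needed.
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google|yahoo|bing)\.", re.IGNORECASE)


def hosts_path():
    """Location of the hosts file on Windows, built from %SystemRoot% as in the post."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (lineno, address, names) for every active line; comments and padding are dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments too
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def check_hosts(text):
    """Return (kind, lineno, address, name) for every entry that is not loopback -> localhost."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:                        # not an IP address at all
            findings.append(("malformed", lineno, address, " ".join(names)))
            continue
        if not names:
            findings.append(("malformed", lineno, address, ""))
            continue
        for name in names:
            if is_loopback and name.lower() in LOOPBACK_NAMES:
                continue                          # the only entries a stock file contains
            kind = "search_engine_redirect" if SEARCH_ENGINE_RE.search(name) else "non_default_entry"
            findings.append((kind, lineno, address, name))
    return findings


if __name__ == "__main__":
    print(f"hosts file would be read from: {hosts_path()}")
    for kind, lineno, address, name in check_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {address} -> {name}")
```

On a stock Windows 7 install even the two localhost lines are commented out, so on that version any active line at all deserves a look. To use it on a real machine, read hosts_path() into check_hosts(); a non-empty result means the file was modified, and resetting it to the defaults (as the post advises) removes only the symptom, not whatever wrote the entries.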