Windows 7: Virus dug in deep, firefox oddly not overtly affected


04 Sep 2012   #1
ShenmueAdvocate

Windows 7 Home Premium x64
 
 
Virus dug in deep, firefox oddly not overtly affected

Hello, I am having a problem with a Google redirect virus, and have been spending more than a week trying to get rid of it. It affects all my web browsers (IE, Firefox, and Google Chrome) and is displaying all of the symptoms, i.e. all search engine results redirect to different websites than what is shown (plus malware), the virus itself is embedded somewhere and scans cannot root it out, and tabs close for "some reason". Help? I have HijackThis already installed if you need a log.


04 Sep 2012   #2
shawn77

32 bit
 
 

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
04 Sep 2012   #3
ShenmueAdvocate

Windows 7 Home Premium x64
 
 

Quote:
RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: RogueKiller - Geeks to Go Forums
Blog: tigzy-RK

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Paul [Admin rights]
Mode : Scan -- Date : 09/04/2012 23:52:12

Bad processes : 1
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\SysWOW64\rundll32.exe : -> KILLED [TermProc]

Registry Entries : 5
[RUN][BLACKLIST DLL] HKCU\[...]\Run : Desura (rundll32.exe "C:\Users\Paul\AppData\Local\DigitalPersona\Desura\fokuzeyjp.dll",CreateInstance) -> FOUND
[RUN][BLACKLIST DLL] HKUS\S-1-5-21-1802773089-3845710631-1931485571-1000[...]\Run : Desura (rundll32.exe "C:\Users\Paul\AppData\Local\DigitalPersona\Desura\fokuzeyjp.dll",CreateInstance) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Paul\AppData\Local\{64900c6e-38ca-c2b9-df73-c150899d184b}\n.) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] @ : C:\Windows\Installer\{64900c6e-38ca-c2b9-df73-c150899d184b}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{64900c6e-38ca-c2b9-df73-c150899d184b}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{64900c6e-38ca-c2b9-df73-c150899d184b}\L --> FOUND
[ZeroAccess][FILE] @ : C:\Users\Paul\AppData\Local\{64900c6e-38ca-c2b9-df73-c150899d184b}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Users\Paul\AppData\Local\{64900c6e-38ca-c2b9-df73-c150899d184b}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Users\Paul\AppData\Local\{64900c6e-38ca-c2b9-df73-c150899d184b}\L --> FOUND

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

MBR Check:

+++++ PhysicalDrive0: WDC WD5000BEVT-60A0RT0 ATA Device +++++
--- User ---
[MBR] cb17807c5932fe63468973aa25389ba1
[BSP] 63e48fae74cc71a2b4fd22d45a2c498b : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 455597 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 933472256 | Size: 21039 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 976560128 | Size: 103 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

_____________________

Okay, so I can tell this is bad. The program said I have ZeroAccess on here, and opened a link to a webpage with a tutorial on how to remove it. Should I follow it, or is this something else? Also, thanks for the help already.
05 Sep 2012   #4
shawn77

32 bit
 
 

Select all and click DELETE

Restart the PC and

Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • The log should be saved on the desktop
  • Post it here
05 Sep 2012   #5
ShenmueAdvocate

Windows 7 Home Premium x64
 
 

Rkill 2.3.4 by Lawrence Abrams (Grinler)
Bleeping Computer - Computer Help and Discussion
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program

Program started at: 09/05/2012 03:17:22 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* C:\Program Files\Java\jre6\bin\jusched.exe (PID: 2348) [FI]

1 proccess terminated!

Checking Registry for malware related settings.

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\Paul\Desktop\rkill\rkill-09-05-2012-03-17-32.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* AppMgmt [Missing Service]
* BFE [Missing Service]
* CscService [Missing Service]
* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* PeerDistSvc [Missing Service]
* UmRdpService [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/05/2012 03:17:46 PM
Execution time: 0 hours(s), 0 minute(s), and 23 seconds(s)
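The RogueKiller report in post #3 and the Rkill log in post #5 surface four kinds of indicator: a Run-key autorun that loads a DLL from AppData\Local through rundll32, Windows Defender turned off by the DisableAntiSpyware registry value, core services that no longer exist, and the ZeroAccess-style {GUID} folder containing "@", "U" and "L". The read-only triage script below is an added example, not a tool from the thread, and re-checks exactly those indicators; it assumes an elevated PowerShell prompt on the affected Windows 7 host and removes nothing.

```powershell
# Read-only triage: re-check the indicators the two logs above reported.
# Assumes an elevated PowerShell prompt on the affected Windows 7 host.
$findings = @()

# 1. Autoruns that launch rundll32 with a DLL kept under AppData\Local
#    (RogueKiller's "Desura" entry). HKCU covers the current user only.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
    $cmd = [string]$p.Value
    if ($cmd -match 'rundll32' -and $cmd -match '\\AppData\\Local\\') {
      $findings += "Suspicious Run entry: $key\$($p.Name) = $cmd"
    }
  }
}

# 2. Defender switched off by registry value (Rkill: DisableAntiSpyware = 1)
$def = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($def -and $def.DisableAntiSpyware -eq 1) {
  $findings += 'Windows Defender disabled: DisableAntiSpyware = 1'
}

# 3. Services Rkill listed as missing; all of them ship with Windows 7
$expected = 'AppMgmt','BFE','CscService','iphlpsvc','MpsSvc',
            'PeerDistSvc','UmRdpService','WinDefend','wscsvc'
foreach ($svc in $expected) {
  if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) {
    $findings += "Missing service: $svc"
  }
}

# 4. ZeroAccess-style hidden {GUID} folder holding '@' plus 'U' and 'L'
$roots = $env:LOCALAPPDATA, (Join-Path $env:SystemRoot 'Installer')
foreach ($root in $roots) {
  Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object {
      $hasAt = Test-Path (Join-Path $_.FullName '@')
      $hasU  = Test-Path (Join-Path $_.FullName 'U')
      if ($hasAt -and $hasU) { $findings += "ZeroAccess-style folder: $($_.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A hit on check 4 after the other three come back clean is the case the later posts describe: the autorun is gone, but the dropped folder and the missing services remain and still need repair.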
05 Sep 2012   #6
shawn77

32 bit
 
 

You are missing critical services. This tool can help you restore them.

Windows Repair (All In One)
06 Sep 2012   #7
ShenmueAdvocate

Windows 7 Home Premium x64
 
 

Hey, should I skip the chkdsk step? It keeps hanging at 2 of 3 steps, and I do not know if that's because I am missing files...
06 Sep 2012   #8
shawn77

32 bit
 
 

Skip it
07 Sep 2012   #9
ShenmueAdvocate

Windows 7 Home Premium x64
 
 

Alright, I have run the Windows Repair program. Now what?

Also, I have noticed an add-on that seems to be incompatible with Firefox, but I do not even remember installing it before. A bProtector?
11 Sep 2012   #10
ShenmueAdvocate

Windows 7 Home Premium x64
 
 

Bumping for help. Have this from yesterday, using Rkill again.

Quote:
Rkill 2.3.4 by Lawrence Abrams (Grinler)
Bleeping Computer - Computer Help and Discussion
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program

Program started at: 09/10/2012 01:02:17 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* C:\Program Files\Java\jre6\bin\jusched.exe (PID: 3456) [FI]

1 proccess terminated!

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* AppMgmt [Missing Service]
* CscService [Missing Service]
* iphlpsvc [Missing Service]
* PeerDistSvc [Missing Service]
* UmRdpService [Missing Service]
* WinDefend [Missing Service]

Searching for Missing Digital Signatures:

I still do not know how to get rid of the virus, and now Windows cannot update itself because it is no longer seen as a genuine copy. Also, I do not know if I can make a copy of this hard drive without something screwing up. Help?