HELP! Search Hijacking Virus

Hello, my computer is infected with a virus that keeps redirecting me to advertisement/spam sites whenever I search in Google… It is also preventing me from opening Microsoft Security Essentials, which I just installed right now… Please help me remove it!

My specs:
-Windows 7 64bit
-HP-G62-144DX Laptop
-450 GB Hitachi Hard drive

My security setup:
-Microsoft Security Essentials (as real-time protection, but disabled because of virus)
-Windows Firewall on
-Malwarebytes (on-demand scanner)
-SuperAntiSpyware (on-demand scanner)

What I have done so far:
-I booted into safe mode and scanned with Norton Internet Security 2011 (subscription ran out today), SuperAntiSpyware, Malwarebytes, and Microsoft Secure Scanner.

I scanned in regular boot mode with Norton Internet Security 2011, Malwarebytes, SuperAntiSpyware, HitmanPro, Norton Power Eraser, and Comodo Cloud Scanner.

All the viruses they found I was able to remove, except one that Microsoft Secure Scanner found, which was Adware:Opencandy/Win32. I think this might be the culprit.

I don't know what else to do, please help!

Welcome to Comodo forums (:WAV)…
I will be back in a second!..

Alright! I am back, I have something for you…
ESET Online Scanner ;D

*Download ESET Online Scanner from here:

*Double-click on the saved file and follow the on-screen instructions to install ESET Online Scanner.

*Open the scanner window after the installation.

*Go to the scan menu.

*Under the settings option enable the following:
Enable anti-stealth technology.
Enable scan for tracking cookies.
Enable scan for potentially unwanted applications.

*After the scan is complete, click Report and post the generated log in your next comment.

Important!: Make sure that your computer stays connected to the internet. If no threats are found, no log will be shown.

I found a manual removal procedure here in case you are experienced enough to work with the registry as part of the removal.

Thank you so much, both of you, for helping me; I posted in other forums but no one responds.
I am currently scanning with ESET and will try your manual procedure. I will update with results when finished.

I followed your manual procedure but I did not find any traces of Adware.OpenCandy anywhere.

You can try other scanners to see if they can find the malware responsible for the redirecting. There are various online scanners from AV companies you can use.

Can you post a Hijack This log here?

Here it is as requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:53 AM, on 8/11/2011
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16800)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\User\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~2\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM..\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM..\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files (x86)\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [Adobe ARM] “C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe”
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [avgnt] “C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe” /min
O4 - HKCU..\Run: [Google Update] “C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe” /c
O4 - HKCU..\Run: [DAEMON Tools Lite] “C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe” -autorun
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
O4 - HKCU..\Run: [swg] “C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
O4 - HKCU..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files (x86)\LimeWire\LimeWire.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
O4 - Global Startup: Philips GoGear VIBE Device Manager.lnk = ?
O8 - Extra context menu item: Google Sidewiki… - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite…x/qtplugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: RtVOsdService Installer (RtVOsdService) - Realtek Semiconductor Corp. - C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)


End of file - 12293 bytes

First thing my eye falls on is the proxy override: “R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local”

Can you take a look in Internet Options → Connections → Local Area Network Settings and see if there is a proxy set? If so, disable it and see if the redirects are still happening or not.

I have a question. I am not familiar with the x64 platform. I see two different paths for the system32 folder in the HJT log: C:\Windows\system32\ (lower-case "s") and C:\Windows\System32\ (capital "S"). Can you check with Explorer to see if you have one or two system32 folders in the Windows folder?

Does anybody have an explanation for the two folder names, one with a lower-case "s" and one with a capital "S"? Is it an anomaly of running HJT in an x64 environment, or something else?
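As an added example (not code from the thread and not part of HijackThis), a small Python triage that pulls out of an HJT log the same things the reply above checks by hand: the ProxyOverride entry, BHOs registered with no file, O23 services marked "(file missing)", and autostarts running from outside Program Files or Windows. SAMPLE_LOG is constructed from a few lines of the log posted above; the category names and heuristics are this example's own.

```python
"""Triage a HijackThis (HJT) log for the items this thread looks at by hand.

Added example, not part of the thread and not HijackThis code: proxy settings
(R1 ProxyOverride/ProxyServer), BHOs registered with "(no file)", O23 services
reported as "(file missing)", and O4 autostarts that run from outside
Program Files / Windows. SAMPLE_LOG is constructed from lines of the posted log.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Running processes:
C:\Users\User\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM..\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKCU..\Run: [Google Update] "C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Philips GoGear VIBE Device Manager.lnk = ?
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Autostart roots that are not, by themselves, suspicious (prefix match, lower-case).
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


def parse_hjt(text):
    """Yield (code, body) for each finding line; headers and the process list are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def extract_path(body):
    """Return the executable path from an O4 entry, or None (e.g. '.lnk = ?')."""
    m = re.search(r'["“]([^"”]+\.exe)["”]', body, re.I)  # quoted path, straight or smart quotes
    if m is None:
        m = re.search(r"([A-Za-z]:\\.*?\.exe)", body, re.I)  # bare path, cut at the first .exe
    return m.group(1) if m else None


def triage(text):
    """Return {category: [entry, ...]} for the entries worth a second look."""
    hits = defaultdict(list)
    for code, body in parse_hjt(text):
        if code == "R1" and ("ProxyOverride" in body or "ProxyServer" in body):
            hits["proxy"].append(body)  # verify in Internet Options > Connections > LAN settings
        elif code == "O2" and body.endswith("(no file)"):
            hits["orphan_bho"].append(body)  # CLSID still registered, DLL gone
        elif code == "O23" and body.endswith("(file missing)"):
            # Caveat: HJT 2.0.2 is 32-bit; on x64 Windows file system redirection
            # hides the 64-bit System32 from it, so core services commonly show
            # as "(file missing)". Confirm in the 64-bit view before acting.
            hits["service_file_missing"].append(body)
        elif code == "O4":
            path = extract_path(body)
            if path and not path.lower().startswith(TRUSTED_ROOTS):
                hits["autostart_outside_trusted_roots"].append(body)  # e.g. AppData, typical for adware
    return dict(hits)
```

On x64 Windows the 32-bit HJT 2.0.2 is subject to file system redirection, which is why the posted log shows core Windows services as "(file missing)" under a mixed-case system32 path; check those entries in the 64-bit view (Explorer, sigcheck) before treating them as tampering.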

OK, I checked and I only see the Windows\System32 folder; I don't see Windows\system32.
However, I see a Windows\system folder with just one file in it, which is lame_enc.dll.

Also, I checked for a proxy and it is not checked.

The redirects seem to disappear when I clear everything with CCleaner.
Then after a while of surfing the net they seem to reappear.

The redirects are still occurring…
and I just scanned my system with Avira and it found this:
The file ‘C:\Windows\SysWOW64\KBDDIV2S.dll’
contained a virus or unwanted program ‘TR/Crypt.XPACK.Gen’ [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file could not be copied to quarantine!
An exception has been identified!
The file could not be selected for deletion after the restart. Possible cause: Access is denied.
.
For the final repair, a restart of the computer is instigated.

The file could not be cleaned or deleted.

Please try other (online) scanners as well.

The KBDDIV2S.dll file could be a legit Windows file though. To know for sure that KBDDIV2S.dll is an official Windows file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\. When done, run sigcheck.reg to add it to the registry.

When this is done, navigate to the SysWoW64 folder, look up and select KBDDIV2S.dll, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.

Well, I checked and there is no file called KBDDIV2S.dll, just a KBDDIV2.dll without the "S"; maybe it is a virus? I have some news: the Google redirecting seems to have stopped after I scanned with TDSSKiller and it found sptd.sys to be infected. I looked up the file to make sure it was not important, and when I was looking it up almost every site I clicked on was redirected, as if the virus knew I found it and was trying to stop it. Anyway, I managed to find out I could remove it, so I did, and now the redirecting seems to have stopped.

Now, my new problem is that whenever I try to open Windows Defender it opens and then closes immediately. The same thing was happening a few days ago when I installed Microsoft Security Essentials to try and clean my system. Also, when I try to use the Microsoft Malicious Removal Tool, it extracts, but then it stops and doesn't run at all.

It looks like you gave one ■■■■ to whatever is messing with your system but there are still bad guys out there apparently.

Try other (online) scanners and see if they bring any luck.

The legit sptd.sys file is used by programs like Alcohol 120% and Daemon Tools to create virtual CD/DVD players.

Yeah, I researched and it said that… so is there anything else I can do?

Not sure what that means, Eric :wink:

Excellent! & correct :-TU
You were faster, but that's what I was going to post, since I have been using the said software for ages.
Moreover, sptd.sys was deliberately designed using rootkit-like technology, therefore any rootkit scanner will flag it, but again it is legit.

Important message to the original poster and all members of this forum:

Please!!! stop responding to any posts (here and in other forums) by malwarekiller!!!
He is just dangerous!!! I've tried many times already, here and there in other forums / ■■■ / or whatever - nothing can stop this CLOWN!
Read carefully and analyze his posts. That's really pathetic! You will damage your system beyond repair way before you can get any decent help from the professionals.

======= Back to the matter:

MaxPayne,

Please stop spontaneous attempts to fix things.

Go to the forum referred to below. Read the instructions carefully.

All tools mentioned there for preliminary investigation can be run from a USB stick.

If you have a chance (since you are suspecting an infection/redirections) please download the said Utilities using any available clean PC.

Update Emsisoft Emergency Kit (EEK) there prior to running Smart Scan as suggested, but you can consider running Deep Scan - that never hurts.

Connect the USB stick or any external drive to the infected PC.

Disable any real-time residents of existing security before running EEK.

Do not quarantine / delete anything as suggested - just save the current report.

Find site/instruction here

Cheers!

MaxPayne described that one symptom had gone but others were still there.

Don’t worry. He has our attention.

In your HijackThis log, it shows "unknown owner" and "missing files" (important system files, to be exact).

Go to your Start Menu and type in 'cmd'. Right-click on the link that appears and select 'Run as Administrator' to start an elevated command prompt. In the command prompt window type in 'sfc /scannow' and press Enter.

:slight_smile:

P.S.
Since most computers don't come with Windows 7 repair discs (32x or 64x), go get one here and download it. Then burn the .iso file to disc using Nero or any burner that can burn image files.

Windows 7 Repair Disc 32-bit ISO
http://www.proposedsolution.com/download/7rd32.iso

Windows 7 Repair Disc 64-bit ISO
http://www.proposedsolution.com/download/7rd64.iso

Also remember that system repair discs can't be used for installing Windows 7 :cry:

Also, this website (below) will show you how to use it, if you don't know how to use it :slight_smile:

First, we have easier ways than disc repair and all that stuff, which can cost you your time. 8)

I would suggest you follow an expert removal guide :):

*Then download Malwarebytes from here:
download.cnet.com/Malwarebytes…/3000-8022_4-10804572.html

*Update and run a full scan; that should do the trick.