VideoHelp Forum

  1. Hello
    It seems I got infected with a Scour Google redirect virus. I think I cleaned it out mostly, but both IE7 and Firefox 3.* still attempt to do a redirect on a few search terms. Maybe I missed something. Here's the log. Any suggestions on a fix would be great.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:24:21 PM, on 1/6/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17093)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\CyberLat\CyberLat RAM Cleaner 2,0\CLRamCleaner.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\HDDSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\NewsBin\nbpro.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\archived\HiJackThis\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.g4tv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.ca
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [lxdxmon.exe] "C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe"
    O4 - HKLM\..\Run: [lxdxamon] "C:\Program Files\Lexmark 3600-4600 Series\lxdxamon.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kaugustino\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.worktrace.com
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: lxdxCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdxserv.exe
    O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe

    --
    End of file - 5625 bytes
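A way to triage a HijackThis log like the one above without reading every line by eye, added here as an example (it is not part of the original post and not a HijackThis feature): a small Python parser that groups the R/O entries by section code, splits the O4 autoruns and O23 services into their fields, and lists the items a reviewer would look at first. The log embedded in the script is a constructed subset copied from the posted log; the two review rules (Trusted Zone sites and services with an empty vendor field) are this example's own heuristics, prompts to verify rather than verdicts about the poster's machine.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.g4tv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O15 - Trusted Zone: http://www.worktrace.com
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: lxdx_device - - C:\WINDOWS\system32\lxdxcoms.exe
"""

# One HijackThis entry: a section code (R0, R1, O2, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.+)$")
# O23 body: "Service: <display name> - <vendor> - <path>". When the vendor is
# empty the log shows "name - - path", so the space before the second dash is optional.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")
# O4 body: "<hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text):
    """Group HijackThis entries by section code, keeping their order within a section."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return dict(entries)


def parse_services(entries):
    """Split O23 entries into name / vendor / path dicts."""
    services = []
    for body in entries.get("O23", []):
        m = SERVICE_RE.match(body)
        if m:
            services.append(m.groupdict())
    return services


def parse_autoruns(entries):
    """Split O4 entries into (hive, value name, command line) tuples."""
    runs = []
    for body in entries.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            runs.append((m.group("hive"), m.group("label"), m.group("cmd")))
    return runs


def review_points(entries):
    """Entries a triager would check first. These are prompts to verify, not verdicts."""
    points = []
    # Sites in IE's Trusted Zone get relaxed security settings, so each one should
    # be something the user added on purpose.
    for body in entries.get("O15", []):
        points.append("O15 trusted zone entry, confirm it was added deliberately: " + body)
    # An empty vendor string proves nothing by itself, but it is the first binary
    # to look up by path and file hash.
    for svc in parse_services(entries):
        if not svc["vendor"].strip():
            points.append("O23 service with no vendor, verify the binary: %s -> %s"
                          % (svc["name"], svc["path"]))
    return points


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for kind in sorted(parsed):
        print("%-4s %d entries" % (kind, len(parsed[kind])))
    for point in review_points(parsed):
        print(point)
```

Run it against the full log by pasting the whole log into `SAMPLE_LOG`; on the log above the two review points it raises are the worktrace.com Trusted Zone entry and the lxdx_device service, which is exactly where a helper on a HijackThis forum would start asking questions.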
  2. Originally Posted by Kaugustino:
    Hello
    It seems I got infected with a Scour Google redirect virus. I think I cleaned it out mostly, but both IE7 and Firefox 3.* still attempt to do a redirect on a few search terms. Maybe I missed something. Here's the log. Any suggestions on a fix would be great.
    Hope this may help, but it is not a 100% cure.

    Google Inc. is illegally involved in port scanning without any prior consent, which is a major breach of privacy.
    I guess many, millions in this world, are infected, so I posted "Port Scan Attack from Google. Inc" in Others (Non-Related). Google was smartly using the same server as Bing.

    Some smarty wanted to be over-smart and deleted the pic from the original post, so I am posting it here again.
    Cuz I really wanna F**K Google badly.


    Should I think twice before posting the above image??? BIG NO.........................
    Coz Google never thought twice about stealing data from my computer for more than a year.


    As you have scanned with HijackThis, please email your log to Trend Micro or post it in the Trend Micro forum without any fear, coz they do offer free assistance on HijackThis.

    Alternatively, you have two (in fact more than two) choices:

    Choice # 1
    You may feel free to ask Google Inc.'s legal department, if you wish.
    If you need the address, please follow my above link.


    Choice # 2
    Every time Google redirects your browser to google.com,
    you may shout out loud "**** YOU GOOGLE!!!"
    Last edited by Bonie81; 7th Jan 2011 at 04:20.
  3. Yup, I already posted there as well.
  4. There is also a possibility that the router has been changed by the infection.
    You may have to reset the router to clear up the redirects. There are viruses that go into the router and play with DNS so you get redirected.
    If I'd known I was going to live this long, I'd have taken better care of myself.
  5. DarrellS (Member, Join Date: Nov 2002, Location: United States)
    I spent two days trying to get rid of that crap. Finally gave up and reinstalled an image of my boot drive.

    Before I noticed the Scour crap, I had noticed very slow internet on both Firefox and IE with frequent crashes for about a week. Since reinstalling the image, I still have intermittent slowdowns on my internet connection. How can you tell if your router has been infected?
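The two posts above point at the router rather than the PC. One host-side way to tell, added here as an example that is not part of either post: compare the DNS servers the PC actually received from DHCP against the ones you expect (the router's own LAN address and your ISP's resolvers), and check the hosts file for entries that pin search-engine names to other addresses. The script below does both on constructed sample text in the shape of Windows XP `ipconfig /all` output and a hosts file; every address in it is made up for the example, which resolvers count as "trusted" is an assumption the reader supplies, and it handles IPv4 only. A resolver you do not recognise in the list is a strong hint, but the confirming check is still the router's own DNS/DHCP settings page.

```python
import ipaddress
import re

# Constructed sample in the shape of `ipconfig /all` output on Windows XP.
# Every address here is made up for the example (documentation ranges), not
# taken from the poster's machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            198.51.100.9
"""

# Constructed sample hosts file with one entry that pins a search-engine name.
SAMPLE_HOSTS = """\
# C:\\WINDOWS\\system32\\drivers\\etc\\hosts (constructed for the example)
127.0.0.1       localhost
203.0.113.7     www.google.com
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _field_addresses(text, label):
    """All IPv4 addresses listed for one ipconfig field, including the
    indented continuation lines Windows prints when a field has several values."""
    values = []
    collecting = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(label):
            collecting = True
            values.extend(IPV4_RE.findall(stripped))
            continue
        if collecting:
            m = IPV4_RE.fullmatch(stripped)
            if m:
                values.append(m.group(1))
            else:
                collecting = False  # the next field starts; stop collecting
    return values


def dns_servers(text):
    return _field_addresses(text, "DNS Servers")


def default_gateway(text):
    found = _field_addresses(text, "Default Gateway")
    return found[0] if found else None


def unexpected_resolvers(servers, trusted):
    """Resolvers that fall outside the trusted addresses/networks you supply."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in nets)]


def hosts_overrides(text, watch_domains):
    """Hosts-file entries that pin a name under one of watch_domains to an address."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watch_domains):
                hits.append((name, addr))
    return hits


def redirect_report(ipconfig_text, hosts_text, known_resolvers, watch_domains):
    """Combine both checks. known_resolvers is the set of addresses/networks you
    expect besides the gateway (for example your ISP's resolvers): an assumption
    the caller supplies, not something the script can discover on its own."""
    gateway = default_gateway(ipconfig_text)
    trusted = list(known_resolvers) + ([gateway] if gateway else [])
    servers = dns_servers(ipconfig_text)
    return {
        "gateway": gateway,
        "dns_servers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers, trusted),
        "hosts_overrides": hosts_overrides(hosts_text, watch_domains),
    }


if __name__ == "__main__":
    report = redirect_report(SAMPLE_IPCONFIG, SAMPLE_HOSTS,
                             known_resolvers=["203.0.113.0/24"],
                             watch_domains=["google.com", "google.ca", "bing.com"])
    for key, value in report.items():
        print(key, value)
```

On a real machine, capture `ipconfig /all > ip.txt` and copy `C:\WINDOWS\system32\drivers\etc\hosts`, then feed both files in place of the samples. If the PC got its DNS servers from DHCP and one of them is not the router and not a resolver you recognise, check the router's DNS and DHCP settings before reinstalling anything else, as the post above suggests.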
  6. hech54 (Member, Join Date: Jul 2001, Location: Yank in Europe)
    Just go to:
    http://www.hijackthis.de/
    and paste your log file in there; it will analyze it for you and give you some hints.
  7. In line with DarrellS,

    Originally Posted by DarrellS:
    I spent two days trying to get rid of that crap. Finally gave up and reinstalled an image of my boot drive. ...
    1) Make sure your boot image is clean.
    2) It is always better to have a fresh start with a fresh, clean OS installation by wiping out (secure delete) all data and partitions.
    3) As a safety measure before the fresh installation of the OS, try to delete all data in the System Volume Information folder (graveyard for virus ghosts), and get rid of hiberfil.sys and pagefile.sys (for how to access the System Volume Information folder and reduce hiberfil.sys and pagefile.sys to zero bytes, search on the Microsoft Tech Forum or on the net).
  8. hech54
    Malwarebytes
    SuperAntiSpyware
    SpywareBlaster
    CCleaner
  9. Originally Posted by hech54:
    Malwarebytes
    SuperAntiSpyware
    SpywareBlaster
    CCleaner
    Even after running all of these, the redirect viruses still tend to be persistent. I've run into them too many times. ComboFix seems to be one of the few things that works for this, but it can be dangerous to use. Chances are some software may be broken by running ComboFix and need to be reinstalled. It does download the Windows Recovery Console for you just in case.
  10. @ Poppa_Meth

    There are two major types of viruses: one is computer-persistent, which resides either in pagefile.sys or the System Volume Information folder; the second type is a web auto-loader, which downloads automatically from the websites you visit. You can deal with the first one by sweeping/wiping the HDD completely. To deal with the second one there is no solution except keeping only those GARBAGE files on the PC which you do not mind even if thousands of people steal your information.
    That's what I have done for more than a year by now! They are smart at stealing information, and I am pretty smart at letting them steal what I want.

    Last edited by Bonie81; 7th Jan 2011 at 06:30.
  11. hech54
    From the little bit of Google searching I just did... Malwarebytes takes care of it.
  12. @ hech54

    Thanks for the inputs.
    I guess there is no 100% secure application which can secure PC communication over 65535 TCP/UDP ports. No matter how many free or licensed security programs you install, any application can leak any port out of 65535. Or the application may itself be a silent stealer. If anyone wants to secure all 65535 ports, he or she cannot get connected. The only way to get 100% security is to keep the Internet door shut. That's why I really do not care much about security while surfing on the net. If I get some GOODIES, I LUV to share with others, coz in ocean-wide resources one can get it from anywhere, so why not from me. I also trash bad things which can harm or hurt others.
    Last edited by Bonie81; 7th Jan 2011 at 07:41.


