# Google redirect virus in sptd?

## gostram

I am the victim of a google redirect virus.

The virus redirects to other pages when hitting search results. These pages vary, but they often contain viruses themselves. The virus often redirects to www.google.com, although my homepage is www.google.ca.

I run AVG anti-virus and am under Windows XP. The virus is active in Firefox. I haven't tested with IE.

I have run a full scan of AVG. It did not find the virus. I have run a full scan of SpyBot S&D and it did not find it.

I have downloaded both the Kaspersky virus removal tool as well as tdsskiller.

tdsskiller found a "threat" in sptd.sys. I put it under quarantine but the virus is still active.

I would be grateful for your help.

gostram

*Added after 8 minutes*

Unfortunately, the forum won't let me upload the zip file with the system info. Is there any way to pm it?

----------


## Никита Соловьев

> Unfortunately, the forum won't let me upload the zip file with the system info. Is there any way to pm it?


What error shows?

----------


## gostram

The error doesn't show. The browser simply closes down completely when I click on "upload". I just tried again, and the window simply closes as well as all other instances of Firefox.

I posted the log online: http://www.mediafire.com/?nung1rglf28elma

Thank you for your help.

----------


## Никита Соловьев

Are you using IE now?

Execute the following script in avptool:


```
begin
 ClearQuarantine;
 QuarantineFile('C:\WINDOWS\System32\winlogon.exe','');
 QuarantineFile('C:\WINDOWS\system32\appconf32.exe','');
 CreateQurantineArchive('C:\quarantine.zip');
end.
```

Upload *C:\quarantine.zip* here

----------


## gostram

Thank you for the prompt answer.

I tried to upload but Firefox crashed when trying to upload.

I uploaded the quarantine file on mediafire:

http://www.mediafire.com/?ng0c7xpnkclehtu

I also tried to use IE and tested google. It automatically tried (and apparently managed) to install a trojan which AVG detected.

----------


## Никита Соловьев

Scan your PC with Kaspersky Live CD

----------


## gostram

Thank you again for your rapid answer. I managed to burn the CD but cannot seem to be able to launch the application. Is there a file in the folders I can click on to launch it? Autoplay won't open it, and I browsed the folders but couldn't find anything that seemed to be able to launch it.

Edit from 17:06 CET: I did not see the pdf for the manual, I will follow the instructions and report.


Thanks

----------


## Никита Соловьев

+ Execute the following script in avptool:


```
begin
 ClearQuarantine;
 SearchRootkit(true, true);
 SetAVZGuardStatus(true);
 DeleteFile('C:\WINDOWS\system32\appconf32.exe');
 BC_ImportALL;
 ExecuteSysClean;
 ExecuteWizard('TSW',2,2,true);
 BC_Activate;
 RebootWindows(true);
end.
```

Make a new log file of avptool

----------


## gostram

Thanks a lot for answering. I was still fighting with creating the USB bootable disk.
I am not done doing it.

I did run the script you sent. I did put the log file online to avoid the issue with uploading it to the forum:

http://www.mediafire.com/?53bf39wb2b4xo6s

----------


## Никита Соловьев

> I am not done doing it.


Skip this step. Check PC with CureIt

Change all your online passwords.

----------


## gostram

I checked the PC with CureIt overnight.

It found several threats:

- Win32.Dat.8 in winlogon.exe in c:\WINDOWS\System32  (DESINFECTED)

- Win32.Dat.8 in explorer.exe in c:\WINDOWS\explorer.exe (DESINFECTED)

- Program.PopcapLoader in Popcaploader.dll in c:\windows\downloaded program files (REMOVED)

I am now on my way to change the online passwords.

*Added after 5 minutes*

The new log is posted here:

http://www.mediafire.com/?yyp9e9ii53824jz

*Added after 34 minutes*

Ok. I changed most of my passwords, focusing on the most sensitive ones.

*Added after 9 hours 59 minutes*

Everything seems to work ok now.

I will wait to see if it resurfaces. Is the virus supposed to be gone completely?

Is there any way to show my immense gratitude for your services?

----------


## Никита Соловьев

Execute script in avptool:


```
begin
 ClearQuarantine;
 QuarantineFile('C:\WINDOWS\System32\winlogon.exe','');
 QuarantineFile('C:\WINDOWS\explorer.exe','');
 CreateQurantineArchive('C:\virus.zip');
end.
```

upload *C:\virus.zip* *here*

----------


## gostram

I just did upload the file (with IE, Firefox crashes).

----------


## Никита Соловьев

Reinstall FireFox.
Files ok. Problem solved?

----------


## gostram

I just reinstalled Firefox. Everything seems to work ok. I am incredibly thankful for your help.
Not sure what it was exactly, but it now works well.

----------


## CyberHelper

Treatment statistics:

- Quarantines received: *2*
- Files processed: *4*

Malware detected during treatment:

- c:\\windows\\system32\\appconf32.exe - *Trojan-Banker.Win32.MultiBanker.zy* ( DrWEB: Trojan.PWS.Banker.23813, BitDefender: Trojan.Generic.4920480, AVAST4: Win32:Crypt-HRS [Drp] )
- c:\\windows\\system32\\winlogon.exe - *Trojan.Win32.Patched.kl* ( DrWEB: Win32.Dat.8, BitDefender: Win32.Loader.Q, NOD32: Win32/Bamital.EC trojan, AVAST4: Win32:Bamital-AC )

----------

