Sorry to hear of the redirect problems you are experiencing. Unfortunately, no single antivirus program will necessarily detect every piece of malware floating around the Internet these days. It's a good idea to also have an antimalware program available to supplement your major AV software.
Have you tried downloading and running a full scan with an anti-malware program such as Malwarebytes? (Malwarebytes has both a FREE and paid version. You only need the FREE version)
The Malwarebytes program can be downloaded at the following link:
Thanks for the responses but the problems are getting worse...
In safe mode I ran a full scan, stinger, and getsusp. Stinger did not find anything, the scan found some tracking cookies, but getsusp found a trojan and winupd.exe.
Winupd.exe (with some number variant) tries to load every time I start my computer and turns on automatically. I can turn it off in the processes, which stops it from attempting to run, but I can't get rid of it.
Getsusp says it's in my appdata/temp, but I cannot find it there. When I search I can find the shortcut which causes it to turn on when I log in, but I can't find the exe file.
After running in safe mode my windows does not have a registry key as I deleted temp download files (can this result in losing the registration key?).
The Google redirect is still there as well.... It was through the redirect that I was infected with winupd.exe (I was redirected to a website and was smacked with 4 boxes of winupd trying to run).
Below is an excerpt from the getsusp log. I managed to delete the dll and an earlier copy of the winupd, but cannot find the one listed here (even when searching in the temp)?
:\PROGRA~1\MI1933~1\Office12\MLSHEXT.DLL ... is OK.
C:\PROGRA~1\MI1933~1\Office12\OLKFSTUB.DLL ... is OK.
C:\PROGRA~1\MI1933~1\Office12\ONFILTER.DLL ... is OK.
C:\PROGRA~1\WI4EB4~1\wmpband.dll ... is OK.
C:\Users\Dustin\AppData\Local\Temp\winupd.exe ... is Suspicious !!!
C:\Users\Dustin\AppData\Local\usrGLhid\DirectEventxx.dll ... is Suspicious !!!
C:\Windows\ehome\ehPrivJob.exe ... is OK.
C:\Windows\ehome\ehRecvr.exe ... is OK.
Thanks for your help!!
Which Stinger did you use? Also did you use GetSusp to submit files to McAfee...it detects anything suspicious but can't clean anything.
I suggest using the FakeAlert Stinger followed by the free Malwarebytes (after updating it). See the link I posted for the download links.
Sorry Ex_Brit, I'm still not getting anywhere. I ran stinger fake alert followed by malwarebytes... nada.
When I turn on my comp in normal mode I first can't access my product key, then I am prompted to allow winupd.exe to open. Winupd shows in my processes where I can manually shut it down. I deleted the 2 suspicious files above that getsusp found, but did not touch the other two (related to an hp printer).
No search discovers winsusp anywhere.....
What's going on?
Rather than go to virus removal which is a chargeable service you could try this.
Post a Hijackthis log on one of the following forums for expert advice. They may, depending on what they see, suggest various tools or procedures which we can't really recommend here.
This is an old tool but still useful where all else fails and you need something to gather information to obtain help elsewhere. Run "Hijackthis" and post its log on one of the specialist forums below to see what action is recommended. They will check it and help you get rid of whatever ails your machine. Don't try to fix it yourself.
It has been updated to be compatible with Windows 7 and still serves a useful purpose in getting the ball rolling with help in the forums mentioned below. Any other tools will be recommended by them in due course of the investigation.
Note: Hijackthis is not intended as a removal tool per se, and should only be used under the guidance of the specialist forums.
Do not post Hijackthis logs here, we can't help you with those !
Post the logs at a specialist Forum:
Be sure to read all the sticky announcements/instructions at the top of each malware forum!
Those two files detected by Getsusp are malware. ThreatExpert classes winupd.exe as:
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
Kaspersky knows it as "Backdoor.Win32.Agent.bitb". McAfee's name for it will be different - I haven't found it yet.
A file with the same name is associated with a program called "Generic Trial Program Starter" from ILYA-Corp. Soft Group, a Russian (?software house), according to Runscanner; ILYA's product page contains the warning
DO NOT USE THIS TOOLS FOR COMMERCIAL hacking software products
- so possibly someone has done just that.
winupd.exe is invoked at startup by an instruction placed in the registry. What is unusual is that the file is in ...\appdata\local\temp, where it can be easily deleted. Previously it was being dropped into the ...\system32 folder. The ThreatExpert submission report (HERE) confirms that this is where the file is now being dropped, which perhaps indicates that it is expendable once it has been created and has run.
See this submission report for DirectEventxx.dll. The analysis of reports of winupd.exe (HERE) lists malware with which it is or has been associated. McAfee links it with at least four different instances of malware.
These files have been known to crash Firefox. If that happens on your machine, see http://support.mozilla.com/en-US/kb/Firefox%20crashes/discuss/1877 for advice on a quick fix.
I would have thought that by now McAfee would have included the malware that is causing this in the latest DAT file. Try updating McAfee to get that latest DAT, and then run a full scan and see if anything is detected. Then get hold of CCleaner (the free version) to purge all your temp files, cookies, and browser cache files. Check as many boxes in the list on the left as you want, but leave unchecked the one beside 'McAfee AntiVirus' (in 'Applications') or you'll lose all your log files; and you might need those. Same goes for the Windows log files.
To prevent the exe being invoked at startup you could disable it in Autoruns (other utilities allow you to do that, but Autoruns is extremely informative about everything that gets invoked at startup).
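Added example, not part of the original thread or any poster's own code: a read-only PowerShell check for the pattern discussed above, a logon autostart entry (registry Run value or Startup-folder shortcut) whose target sits in a Temp folder. It assumes PowerShell 3.0 or later and the standard Run keys and Startup folder locations; it changes nothing, and covers only a small part of what Autoruns inspects.

```powershell
# Added example: list logon autostart entries that point into a Temp folder (read-only).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Test-TempPath([string]$Command) {
    # Expand %TEMP%-style variables, then look for a Temp directory component.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    return $expanded -match '\\(Temp|Tmp)\\'
}

$findings = @()

# Registry: every value under a Run key is a command line executed at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if (Test-TempPath $cmd) {
            $findings += [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd }
        }
    }
}

# Startup folders: resolve each shortcut to the file it actually launches.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (Test-TempPath $target) {
            $findings += [pscustomobject]@{ Source = $dir; Name = $lnk.Name; Command = $target }
        }
    }
}

$findings | Format-List
```

An entry can be reported even when the file is no longer on disk, which matches the situation in this thread where the startup reference was found but the exe was not.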