BleepingComputer.com: Google re-direct virus

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Google re-direct virus Can't get rid of it

#1 User is offline   jamilh 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 20-November 09

Posted 20 November 2009 - 04:30 PM

I have somehow obtained the google re-direct virus, possibly through installing cracked programs. I have tried to use restore points to go back before the programs were installed, but it is still there.

I have downloaded dds.scr, but my computer is recognizing it as an Autocad LT script file and when I double click on it, a blank opens in Notepad named dds and my cursor just sits there with an hourglass. Nothing happens.

Here is the root repeal log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/20 14:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB13A4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADD8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEF7C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ce75e0

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd574

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x89ce7b08

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x89ce7a90

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89ce78b0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x89d24d10

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fda52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd76e

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x89ce7658

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ce74f0

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x89d210a8

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd72e

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89ce7748

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x89cc00a8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89ce79a0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89ce77c0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb13fd8ae

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89ce7928

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89ce76d0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89ce7a18

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89ce7838

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ce7568

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 968) Address: 0x10000000 Size: 20480

Object: Hidden Module [Name: tdlwsp.dll]
Process: firefox.exe (PID: 3352) Address: 0x01060000 Size: 32768

Object: Hidden Module [Name: tdlclk.dll]
Process: explorer.exe (PID: 536) Address: 0x00c10000 Size: 20480

Object: Hidden Module [Name: tdlwsp.dll]
Process: explorer.exe (PID: 536) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x89b03e78 Size: 392

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89b2a6d0 Size: 343

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x89b533a0 Size: 742

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x89ba0d58 Size: 471

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x89bc2f00 Size: 257

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89bc08a8 Size: 1880

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89bb6898 Size: 343

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x89c4b0a8 Size: 98

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x89c8e478 Size: 279

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89c4afa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89b53268 Size: 1054

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89ba8ba0 Size: 958

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89b757d0 Size: 239

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89c98f20 Size: 225

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b74120 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c2a6b8 Size: 567

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89c3b560 Size: 359

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89c8e8a0 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x89c585b0 Size: 511

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89713218 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89733218 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8973d168 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x89744240 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c51680 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89c53b78 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89c470c8 Size: 551

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89c53678 Size: 135

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89c442a0 Size: 135

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x89771230

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8979f020

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x89787020

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x897870a8

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x897a9a30

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x8979c940

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x897712a8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x89c2e2c8

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x897a7150

==EOF==


Please let me know what I need to do. Thanks!

#2 User is offline   DocSatan 

  • Bleepin' Wanna-Be
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 2,156
  • Joined: 30-August 07
  • Gender:Male
  • Location:Boston, Ma.

Posted 28 November 2009 - 07:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
All Other Things Being Equal, The Simplest Solution Is The Best.
Anti-Spyware Scanners - Anti-Virus Scanners - Online Scanners - Firewalls
Protect Yourself and Surf More Secure

#3 User is offline   SpySentinel 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Staff Emeritus
  • Posts: 2,090
  • Joined: 23-February 07
  • Gender:Male
  • Location:The United States

Posted 07 December 2009 - 02:06 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the link to this thread.

Everyone else please start a new topic.
Posted Image
Unified Network of Instructors and Trained Eliminators

Posted Image

My help is always free, but if you can, please Posted Image to help me continue the fight against malware.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users