
Google redirect trojan


6 replies to this topic

#1 srfmode


Posted 15 March 2009 - 05:10 PM

Greetings,

I picked up a trojan that redirects me to 209.85.171.9 if I click on a google search result, in any browser.

I have run Malwarebytes. It found two infections and cleaned them, but the issue continues.

I am unable to open a command prompt in order to run dds.scr. I have tried running the FixPath from the SDFix, but no joy.

I have Webroot antivirus and antispyware.

I have also run Panda and Kaspersky's web scans but they did not find anything.

I've uploaded my latest HijackThis log.

Your help would be greatly appreciated.


#2 jpshortstuff


Posted 16 March 2009 - 11:03 AM

Hi,

Please download DaonolFix from the link below and save it to your Desktop
Download Mirror #1
  • Double-click DaonolFix.exe to run it.
  • Select 1. Find Daonol (no fix) by typing 1 and pressing Enter.
  • You will see a lot of files being listed - don't worry, they are just being scanned.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called DaonolFix.txt).
Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Notes:
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
  • ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & paste the entire contents of that file in your next post.
Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3 srfmode


Posted 16 March 2009 - 11:48 PM

Hi PJ,

Thanks for your help in this!

I am uploading the DaonolFix log, the HijackThis uninstall log and the latest HijackThis log.

The combofix did not complete and I had to restart the computer. It had completed at least 5 steps but I am not sure how many exactly.

Shawn


Edited by srfmode, 16 March 2009 - 11:53 PM.


#4 srfmode


Posted 17 March 2009 - 01:03 AM

I have successfully run combofix. Here is the log and another hijack this uninstall log.

#5 jpshortstuff


Posted 17 March 2009 - 06:17 AM

Hi,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{871c95fe-d407-11db-9dfd-0011d88e5e6c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95c73b93-482a-11db-9d48-0011d88e5e6c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0769388-a9a5-11dc-9ee2-0011d88e5e6c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdb91f8c-88e3-11dc-9ebe-0011d88e5e6c}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Let me know how the computer is running after that.

Thanks.
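The Registry:: block in the post above does two things: it sets the Drivers32 "aux" alias back to wdmaud.drv, and it deletes a set of per-device MountPoints2 subkeys. The script below is an added example, not something posted in this thread and not part of ComboFix or DaonolFix. It parses a regedit export (.reg file) of those two keys, flags any multimedia driver alias that deviates from a stock Windows XP baseline, lists the MountPoints2 subkeys, and emits a Registry:: block with the same grammar as the one jpshortstuff wrote. The baseline table, the sample export and the C:\WINDOWS\Temp\xyz.dll path are constructed assumptions for the demonstration; the volume GUIDs are the ones that appear in the thread.

```python
"""Audit a regedit export of the Drivers32 and MountPoints2 keys and emit a
ComboFix-style Registry:: block.  Added example, not code from the thread."""
import re

# Stock Windows XP mapping of the multimedia driver aliases (assumption: a
# clean install points these at wdmaud.drv / midimap.dll / msacm32.drv).
DRIVERS32_BASELINE = {
    "aux": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "midimapper": "midimap.dll",
    "wavemapper": "msacm32.drv",
}

DRIVERS32_KEY = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
                 r"\currentversion\drivers32")
MOUNTPOINTS2_KEY = (r"HKEY_CURRENT_USER\software\microsoft\windows"
                    r"\currentversion\explorer\mountpoints2")

# Constructed sample export: "aux" has been pointed at a DLL outside system32
# (the path is made up for the example), and two MountPoints2 subkeys exist.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="C:\\WINDOWS\\Temp\\xyz.dll"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave"="wdmaud.drv"
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{871c95fe-d407-11db-9dfd-0011d88e5e6c}]
"BaseClass"="Drive"
'''

_VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} from a .reg export.
    Only REG_SZ lines are parsed; binary and dword values are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that here.
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = value
    return keys


def _values_of(keys, wanted):
    """Case-insensitive lookup of one key's values (registry paths are case-insensitive)."""
    wanted = wanted.lower()
    return next((v for k, v in keys.items() if k.lower() == wanted), {})


def find_hijacked_drivers(keys):
    """Drivers32 aliases whose value differs from the baseline, i.e. an alias
    redirected to a DLL that winmm.dll would load into any process using the
    multimedia API."""
    drv = {k.lower(): v for k, v in _values_of(keys, DRIVERS32_KEY).items()}
    return {name: drv[name] for name, good in DRIVERS32_BASELINE.items()
            if name in drv and drv[name].lower() != good}


def find_mountpoints2_subkeys(keys):
    """Per-device MountPoints2 subkeys (drive letters and volume GUIDs)."""
    prefix = MOUNTPOINTS2_KEY.lower() + "\\"
    return sorted(k for k in keys if k.lower().startswith(prefix))


def build_cfscript(keys):
    """Emit a Registry:: block: '[key]' followed by '"name"="value"' restores
    a value, '[-key]' deletes a key; same grammar as the script in the thread."""
    lines = ["Registry::"]
    bad = find_hijacked_drivers(keys)
    if bad:
        lines.append(f"[{DRIVERS32_KEY}]")
        lines.extend(f'"{n}"="{DRIVERS32_BASELINE[n]}"' for n in sorted(bad))
    lines.extend(f"[-{sub}]" for sub in find_mountpoints2_subkeys(keys))
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, value in find_hijacked_drivers(parsed).items():
        print(f"suspicious Drivers32 entry: {name} -> {value}")
    print(build_cfscript(parsed))
```

To run it against a real machine, export the two keys with regedit (File > Export) and replace SAMPLE_REG with `open(path, encoding="utf-16").read()`, since regedit 5.00 exports are UTF-16. Working from an export also means the review can happen on a clean machine, which matters when, as in the first post, the infected one will not even open a command prompt. Deleting MountPoints2 subkeys only clears Explorer's cached per-device data, which it rebuilds, so that half of the fix is low-risk; the Drivers32 restore is the part worth checking against the export before running it.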

#6 srfmode


Posted 18 March 2009 - 08:31 PM

My computer seems to be functioning well: no more redirects from google searches. Thank you very much for your assistance!

I've uploaded the last combofix and hijackthis logs.

I dragged the script you wrote onto combofix. Once it started it offered to download an update. I agreed. I assume the script continued to run.

#7 jpshortstuff


Posted 19 March 2009 - 02:55 AM

Hi srfmode

Logs look good.


Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.
  • Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

  • You don't appear to be running any third party Firewall software.

    Install a firewall! Without a firewall you are very susceptible to being hacked, and people could gain access to your computer. If you don't have a firewall I strongly recommend you download ONE of the following:
    1) Comodo
    2) Agnitum
    3) Sunbelt/Kerio

  • Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.

  • Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:

    Download Spybot Search and Destroy 1.5 from here
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.

    SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
    Freely available: Download SpywareBlaster

    Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.
Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff