Google redirect trojan

Greetings,

I picked up a trojan that redirects me to 209.85.171.9 if I click on a google search result, in any browser.

I have run Malware bytes. It found two infections and cleaned them but the issue continues.

I am unable to open a command prompt in order to run dds.scr. I have tried running the FixPath from the SDFix, but no joy.

I have Webroot anivirus and antisypware.

I have also run Panda and Kaspersky's web scans but they did not find anything.

I've uploaded my latest hijackthis log

Your help would be greatly appreciated.

Hi,

Please download DaonolFix from the link below and save it to your Desktop
Download Mirror #1

• Double-click DaonolFix.exe to run it.
• Select 1. Find Daonol (no fix) by typing 1 and pressing Enter.
• You will see a lot of files being listed - don't worry, they are just being scanned.
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called DaonolFix.txt).

Download ComboFix by sUBs from here or here

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Notes:

• Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
• ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
• Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
• ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

I need to see another log from HijackThis.

• Run Hijackthis.
• Click on Open the Misc Tools section.
• Next click on Open uninstall manager.
• Press the Save list button.
• Save the file to your desktop, with the default name of uninstall_list
• Copy & Paste the entire contents of that file in your in your next post.

Thanks.

Hi PJ,

Thanks for your help in this!

I am uploading the doanolfix log, the hijackthis uninstall log and the latest highjackthis log.

The combofix did not complete and I had to restart the computer. It had completed at least 5 steps but I am not sure how many exactly.

Shawn

Edited by srfmode, 16 March 2009 - 11:53 PM.

I have successfully run combofix. Here is the log and another hijack this uninstall log.

Hi,

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{871c95fe-d407-11db-9dfd-0011d88e5e6c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95c73b93-482a-11db-9d48-0011d88e5e6c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b0769388-a9a5-11dc-9ee2-0011d88e5e6c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cdb91f8c-88e3-11dc-9ebe-0011d88e5e6c}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

Let me know how the computer is running after that.

Thanks.

My computer seems to be functioning well: no more redirects from google searches. Thank you very much for your assistance!

I've uploaded the last combofix and hijackthis logs.

I dragged the script you wrote onto combofix. Once it started it offered to download an update. I agreed. I assume the script continued to run.

Hi srfmode

Logs looks good


Click Start >> Run, and then type ComboFix /u and hit enter.
You can now delete any other tools I had you download and use, unless you wish to keep them.


Now that your system appears to be clean, there's just a few steps I'd like you to take to prevent any future infections.

• Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.
  
  
• You don't appear to be running any third party Firewall software.
  
  Install a firewall! Without a firewall you are very susceptible to being hacked, and people could gain access to your computer. If you don't have a firewall I strongly recommend you download ONE of the following:
  1) Comodo
  2) Agnitum
  3) Sunbelt/Kerio
  
  
• Make sure you update your Anti-Virus software regularly, new viruses are being developed all the time.
  
  
• Some more programs that it would be useful to have [OPTIONAL but RECOMMENDED]:
  
  Download Spybot Search and Destroy 1.5 from here
  Check for Updates/ Immunize and run a Full System Scan on a regular basis.
  
  SpywareBlaster is another real-time scanner that prevents most spyware from even being installed.
  Freely available: Download SpywareBlaster
  
  Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Also, please read this great article by Tony Klein: So How Did I Get Infected In First Place

Glad we could be of assistance.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff