Google redirect? No viruses found but active when active scripting enabled


5 replies to this topic

#1 Tadmen

Tadmen

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 21 April 2009 - 11:10 AM

Hi,
I've been fighting with some sort of redirect virus. Checked my computer with Malwarebytes in Safe Mode, Normal Mode, etc. It did find some viruses but removed them and nothing is present anymore. I also checked my comp with BitDefender online scanner, SuperAntiSpyware, HijackThis. They don't find any viruses. Computer works fast, although after all this checking and removal I found that sometimes when I click two windows too fast it locks and I have to reboot it by reset button.
Now the annoying part is that when I do a Google search it still redirects me to various random sites. I also found that when I disable active scripting it does not do that, but then I cannot view YouTube movies, etc.
Is there a way to analyze and search for scripts that cause this? I assume it's just some stupid script that gets activated when I'm online, because none of the AV programs I use finds any viruses anymore.
Any help would be appreciated
Thanks


#2 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 PM

Posted 21 April 2009 - 07:21 PM

Could you please post the log files from all the programs you ran (MBAM and SUPERAntiSpyware)? Do NOT post the HijackThis log.

Edited by xblindx, 21 April 2009 - 07:21 PM.


#3 Tadmen

Tadmen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 22 April 2009 - 12:17 PM

Here are the 2 logs from the scans I did today. Malwarebytes found and removed a Trojan DNSChanger that was not showing before. SUPERAntiSpyware found some cookies, etc. Thanks for looking into this.

Malwarebytes' Anti-Malware 1.36
Database version: 2026
Windows 5.1.2600 Service Pack 3

4/22/2009 11:07:26 AM
mbam-log-2009-04-22 (11-07-26).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 336864
Time elapsed: 43 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Tad\Local Settings\Application Data\codecsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/22/2009 at 09:37 AM

Application Version : 4.26.1000

Core Rules Database Version : 3857
Trace Rules Database Version: 1809

Scan type : Complete Scan
Total Scan Time : 00:49:00

Memory items scanned : 718
Memory threats detected : 0
Registry items scanned : 6206
Registry threats detected : 0
File items scanned : 25797
File threats detected : 32

Adware.Tracking Cookie
C:\Documents and Settings\Tad\Cookies\tad@doubleclick[2].txt
C:\Documents and Settings\Tad\Cookies\tad@bridge1.admarketplace[2].txt
C:\Documents and Settings\Tad\Cookies\tad@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Tad\Cookies\tad@hit.stat[1].txt
C:\Documents and Settings\Tad\Cookies\tad@www.shopica[1].txt
C:\Documents and Settings\Tad\Cookies\tad@admarketplace[2].txt
C:\Documents and Settings\Tad\Cookies\tad@shopica[1].txt
C:\Documents and Settings\Tad\Cookies\tad@2o7[1].txt
C:\Documents and Settings\Tad\Cookies\tad@atdmt[1].txt
C:\Documents and Settings\Tad\Cookies\tad@iacas.adbureau[3].txt
C:\Documents and Settings\Tad\Cookies\tad@banners.iop[1].txt
C:\Documents and Settings\Tad\Cookies\tad@a1.interclick[1].txt
C:\Documents and Settings\Tad\Cookies\tad@ad.yieldmanager[1].txt
C:\Documents and Settings\Tad\Cookies\tad@adknowledge[1].txt
C:\Documents and Settings\Tad\Cookies\tad@admarketplace[1].txt
C:\Documents and Settings\Tad\Cookies\tad@ads.pointroll[1].txt
C:\Documents and Settings\Tad\Cookies\tad@atdmt[2].txt
C:\Documents and Settings\Tad\Cookies\tad@bridge1.admarketplace[1].txt
C:\Documents and Settings\Tad\Cookies\tad@doubleclick[1].txt
C:\Documents and Settings\Tad\Cookies\tad@iacas.adbureau[2].txt
C:\Documents and Settings\Tad\Cookies\tad@interclick[2].txt
C:\Documents and Settings\Tad\Cookies\tad@stopzilla[2].txt
C:\Documents and Settings\Tad\Cookies\tad@www.stopzilla[1].txt

Trace.Known Threat Sources
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\8VV35NL0\shopica_logo_bott[1].gif
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\QAWYZTM3\footer_dots[1].gif
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\8VV35NL0\style[1].css
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\NUIF31PW\releted_dot[1].gif
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\NUIF31PW\js[1].js
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\DWG3XAJL\favicon[5].ico
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\QAWYZTM3\shopica_logo_top[1].gif
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\DWG3XAJL\sp[1].gif
C:\Documents and Settings\Tad\Local Settings\Temporary Internet Files\Content.IE5\QAWYZTM3\virusremover2009[1].jpg

#4 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 PM

Posted 22 April 2009 - 02:23 PM

Reboot your computer and re-run Malwarebytes and post the new log file here please.

#5 Tadmen

Tadmen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:23 AM

Posted 22 April 2009 - 05:40 PM

It's still there after reboot.

Malwarebytes' Anti-Malware 1.36
Database version: 2026
Windows 5.1.2600 Service Pack 3

4/22/2009 4:40:45 PM
mbam-log-2009-04-22 (16-40-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 335225
Time elapsed: 41 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

#6 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 PM

Posted 22 April 2009 - 05:43 PM

Hate to be the bearer of bad news, but you have a very nasty infection.

C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger)

This item is part of a very nasty rootkit.

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms, and they steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide the new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

  • "When should I re-format? How should I reinstall?"
  • "Help: I Got Hacked. Now What Do I Do?"
  • "Where to draw the line? When to recommend a format and reinstall?"

Read the post by DaChew here.


Your best bet is to move to the HJT forums. Please read this first: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
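The call xblindx makes above rests on one observation: the same two items (the gxvxccounter file and the flipped AntiVirusDisableNotify value) were "quarantined and deleted successfully" at 11:07, and had to be quarantined again after a reboot at 16:40. A scanner that keeps winning the same fight is not cleaning anything; something it cannot see is re-creating the items. The script below is an added example, not code from the thread or from Malwarebytes: it parses the MBAM 1.x log format exactly as posted above, diffs two runs, and separates items that went away after one pass from items that came back. The two embedded logs are trimmed excerpts of the ones in this thread; the function names are mine.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and diff two runs.

Added example (not from the thread or from Malwarebytes). Format and
detections are taken from the two logs posted above; recurring()/triage()
encode the rule the helper applied by eye: an item MBAM "deleted" that is
back after a reboot is being re-created by something MBAM does not detect.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpts of the two logs in this thread (summary block trimmed).
LOG_FIRST = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2026

4/22/2009 11:07:26 AM

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Tad\Local Settings\Application Data\codecsetup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
"""

LOG_SECOND = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2026

4/22/2009 4:40:45 PM

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")   # header, not the "...: 2" summary line
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<result>.+)$")
DBVER_RE = re.compile(r"^Database version: (?P<ver>\d+)$")
STAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # path or registry location as MBAM printed it
    family: str    # MBAM classification, e.g. "Trojan.DNSchanger"
    result: str    # action text; for registry data also the Bad/Good values

    def key(self) -> tuple[str, str]:
        return (self.section, self.item.lower())   # NTFS paths and registry keys are case-insensitive


@dataclass
class MbamScan:
    database_version: str = ""
    scanned_at: str = ""
    detections: list[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamScan:
    """Walk the log line by line; only lines under an "X Infected:" header are detections."""
    scan, section = MbamScan(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DBVER_RE.match(line):
            scan.database_version = m.group("ver")
        elif STAMP_RE.match(line):
            scan.scanned_at = line
        elif m := SECTION_RE.match(line):
            section = m.group("name")
        elif section and line != "(No malicious items detected)" and (m := DETECTION_RE.match(line)):
            scan.detections.append(Detection(section, m.group("item"), m.group("family"), m.group("result")))
    return scan


def recurring(earlier: MbamScan, later: MbamScan) -> list[Detection]:
    """Items removed in `earlier` that MBAM had to remove again in `later`."""
    seen = {d.key() for d in earlier.detections}
    return [d for d in later.detections if d.key() in seen]


def triage(earlier: MbamScan, later: MbamScan) -> dict[str, list[str]]:
    """Split the first run's findings into one-off removals and items that came back."""
    back = recurring(earlier, later)
    back_keys = {d.key() for d in back}
    return {
        "removed_once": [d.item for d in earlier.detections if d.key() not in back_keys],
        "recurring": [f"{d.item} ({d.family})" for d in back],
    }


if __name__ == "__main__":
    first, second = parse_mbam_log(LOG_FIRST), parse_mbam_log(LOG_SECOND)
    for label, items in triage(first, second).items():
        print(label, *items, sep="\n  ")
```

The same idea transfers to any scanner log: the data worth keeping from a reinfection thread is not the detection name but the pair of timestamps on which the same item was "successfully deleted". If `recurring` is non-empty after a reboot and with the same signature database, the scanner is cleaning symptoms of a persistence mechanism it has no signature for, which is the point at which the "is this machine still trustworthy" question in the post above becomes the right one to ask.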



