
Google link redirect virus


7 replies to this topic

#1 NeCr0mStR (Members, 4 posts)

Posted 13 August 2009 - 07:17 PM

OK, so a few nights ago my gf noticed that my parents' laptop had something wrong, and I looked and saw a virus of some sort happening, so I started with my usual virus removal. I have Eset Nod32 up to date; it doesn't find anything, nor does Norton, Spyware Doctor, or Malwarebytes Anti-Malware. The PC is Windows Media Center Edition, and when I use Firefox and IE to Google search I get a redirect for some of the links to a couple of different websites. Here is the current one:

www antispyware-online-scanv7.com/1/?sess==GQ1xjDwMCZpcD03NS4xMDAuMjAwLjIzJnRpbWU9MTI1NzIwOA0MaQ=N#
This is the newest incarnation of the website link redirect.

I get it by searching Google and going to:

www garrythorburn.com/upbook/don.php?id=free+printable+pretend+money

www gorecourthc.co.uk/646328/5dot.php?id=coin+regognition+printable+free+games

With the NoScript add-on in Firefox I can stop it from working and get info about it.

Also, when it runs it looks like it is scanning for a virus, but all the items on the left to click on are links to the site above that is crazy long.


EDIT: Moved to more appropriate forum

Any help would be appreciated.

Edited by garmanma, 13 August 2009 - 08:33 PM (Disable links).



#2 Jameson.Bliss (Members, 2 posts)

Posted 13 August 2009 - 10:52 PM

Gotta get back to work but just wanted to say that there is a redirect virus link out there that makes it look like your computer is infected by all kinds of threats... red lights blinking... looks like a Windows computer thing but it is not. It touts itself as an online computer scan and wants you to remove all threats immediately. But when you do, you download the thing onto your computer!

www antispyware-online-scanv7.com is where it says the removal software originates. So do not download it. Turn off everything and HTG that it did not infect anything. It is very convincing and very scary. My gf was smart enough to see it and avoid any of the pitfalls that would have probably gotten her laptop into serious trouble. It is going around right now, so I wanted to warn as many people as possible. Somebody wants your computer!

#3 Pie Paradox (Members, 9 posts)

Posted 13 August 2009 - 11:00 PM

I'm not a helper, but I had the exact same problem. I have Firefox and I can't remember what it was, but there was a certain .dll file that made the redirects occur. I recommend completely deleting the folder (or uninstall, save favorites) and I'm pretty sure it will work.
Maybe the same thing for Internet Explorer!

Just completely reinstall your internet browser, basically.

Edited by Pie Paradox, 13 August 2009 - 11:00 PM.


#4 boopme (Global Moderator, 73,035 posts, NJ USA)

Posted 14 August 2009 - 01:57 PM

Hello, let's do 2 things.
Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Now we need to check for rootkits with RootRepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 NeCr0mStR, Topic Starter (Members, 4 posts)

Posted 14 August 2009 - 09:20 PM

Here are the reports from both programs.

Thank you for the help.

GooredFix by jpshortstuff (12.07.09)
Log created at 22:04 on 14/08/2009 (Marlene)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{3112ca9c-de6d-4884-a869-9855de68056c} [17:11 15/03/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:37 01/04/2009]
{B13721C7-F507-4982-B2E5-502A71474FED} [00:00 28/08/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-

And here is RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/14 22:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDE3B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hiber_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
Address: 0xF79CA000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6EA6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf729a514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7289282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf7289474

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf729ad00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf729afb8

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf72993fa

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf729b422

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf729a7d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7288f32

==EOF==


Once again thank you for your help.
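Reading the SSDT section of a RootRepeal log comes down to asking which driver placed each hook and whether that driver belongs to software you know is installed; in the log above all nine hooks come from PCTCore.sys, the kernel driver of PC Tools' Spyware Doctor, which the poster said is installed. The following is an added example, not code from this thread or from RootRepeal: a small Python parser for SSDT entries in that log format, run on a constructed excerpt that also contains an invented `unknown.sys` hook to show how an unexpected hooking module is flagged. The allowlist of expected drivers is an assumption you supply.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal SSDT log format seen in this thread.
# The "unknown.sys" entry is invented to show how an unexpected hook is flagged.
SAMPLE_LOG = """\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf729a514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf7289282

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "unknown.sys" at address 0xf7288f32

==EOF==
"""

# One SSDT entry spans two lines: the index/function line and the Status line.
ENTRY_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\S+)[ \t]*\r?\n'
    r'\s*Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)'
)

def parse_ssdt_hooks(log_text):
    """Return (index, function, module, address) for every hooked SSDT entry."""
    return [(int(i), fn, mod, addr) for i, fn, mod, addr in ENTRY_RE.findall(log_text)]

def hooks_by_module(log_text):
    """Group hooked functions by the driver that placed the hook."""
    grouped = defaultdict(list)
    for _, fn, mod, _ in parse_ssdt_hooks(log_text):
        grouped[mod].append(fn)
    return {mod: sorted(fns) for mod, fns in grouped.items()}

def unexpected_hooks(log_text, expected_modules):
    """List (function, module) pairs hooked by a driver not in the allowlist.
    expected_modules is an assumption you supply: drivers of security software
    you know is installed (here PCTCore.sys, the PC Tools / Spyware Doctor driver)."""
    expected = {m.lower() for m in expected_modules}
    return [(fn, mod) for _, fn, mod, _ in parse_ssdt_hooks(log_text)
            if mod.lower() not in expected]

if __name__ == "__main__":
    for mod, fns in hooks_by_module(SAMPLE_LOG).items():
        print(f"{mod}: {', '.join(fns)}")
    print("unexpected:", unexpected_hooks(SAMPLE_LOG, {"PCTCore.sys"}))
```

A hook placed by a driver you cannot tie to an installed product is the line worth investigating; hooks from a known security product on registry and process functions, as in this log, are expected behaviour.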

#6 boopme (Global Moderator, 73,035 posts, NJ USA)

Posted 15 August 2009 - 08:56 AM

Hello, let's check your Java version.
JAVA
Go into Control Panel > Add/Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this.)


Next run ATF and SAS:
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF-Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon and install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions, post logs and let us know how the PC is running now.

#7 NeCr0mStR, Topic Starter (Members, 4 posts)

Posted 16 August 2009 - 06:17 AM

Java script is Runtime environment 5 update 6

Still have the same problems. Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/15/2009 at 10:52 PM

Application Version : 4.27.1002

Core Rules Database Version : 4058
Trace Rules Database Version: 1998

Scan type : Complete Scan
Total Scan Time : 04:57:20

Memory items scanned : 214
Memory threats detected : 0
Registry items scanned : 6239
Registry threats detected : 0
File items scanned : 77924
File threats detected : 0


-------------------------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2632
Windows 5.1.2600 Service Pack 3

8/16/2009 7:09:43 AM
mbam-log-2009-08-16 (07-09-43).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 186574
Time elapsed: 38 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by NeCr0mStR, 16 August 2009 - 06:20 AM.


#8 NeCr0mStR, Topic Starter (Members, 4 posts)

Posted 20 August 2009 - 05:50 PM

So I couldn't get rid of whatever was causing the problem, so I decided to just nuke the whole drive and reinstall. And sure enough, it is still redirecting my Google searches and I can't figure out how to get rid of it.
