Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect / MOVED


  • This topic is locked This topic is locked
26 replies to this topic

#1 maestro88

maestro88

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 12 December 2009 - 09:24 AM

:thumbsup: Is it possible to get rid of this google redirect virus? I've tried working with a Trend Micro agent and they were unable to solve the issue even though they had me delete some of my hijack log items. They offered to help me if I purchased an $80 upgrade. Should I do it? Would someone be willing to look at my current log file?

Edited by garmanma, 12 December 2009 - 11:11 AM.


BC AdBot (Login to Remove)

 


#2 petewills

petewills

  • Members
  • 1,378 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Birmingham, UK
  • Local time:11:04 PM

Posted 12 December 2009 - 09:31 AM

Don't pay!

Post your problem details (not your log at this stage) in the Security Am I Infected, What do I do Forum.

They will take you through the necessary steps.

Edited by petewills , 12 December 2009 - 09:36 AM.


#3 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 PM

Posted 12 December 2009 - 04:51 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.


Lets take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#4 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 13 December 2009 - 12:43 PM

Thanks for the reply computer pro.

In the past few weeks - malware bytes was one of the things I tried based on the posts I've read. It did find an infection but didn't fix my problem. Here is my first log from 2 weeks ago...

Malwarebytes' Anti-Malware 1.41
Database version: 3274
Windows 5.1.2600 Service Pack 3

12/1/2009 10:32:51 PM
mbam-log-2009-12-01 (22-32-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220451
Time elapsed: 1 hour(s), 12 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items de




Here is the log from the scan I just ran - no problems.

Malwarebytes' Anti-Malware 1.42
Database version: 3353
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2009 11:35:19 AM
mbam-log-2009-12-13 (11-35-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220353
Time elapsed: 1 hour(s), 24 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I also worked a bit with my security internet provider, Trend Micro. They had me run hijack this and send a log, which I did. They had me delete several items, but that also did not work. They could not figure it out and told me someone could fix it remotely if I signed up for the $80 service...

Would you like my hijack this log?

#5 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 PM

Posted 13 December 2009 - 05:39 PM

No, I can do without the HijackThis log because they are not allowed to be posted in this area.

Lets run RootRepeal:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

*Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Report tab, then click the Scan button. Check all seven of the boxes.
* In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#6 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 13 December 2009 - 07:43 PM

OK - thanks again for the help. Here is the txt file...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/13 18:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x998C3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\aaron schauer\local settings\temp\~df63b7.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\aaron schauer\local settings\temp\~df2f19.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\aaron schauer\local settings\application data\bvrp software\netwaiting\mohlog.txt
Status: Allocation size mismatch (API: 112, Raw: 72)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x869bcd80

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x869bc280

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x869bc540

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x869bdbe0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x869bd300

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x869bd5c0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x869bdd80

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x869bc800

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x869bd040

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x869bcac0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x869bda40

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x869be3e0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x869be200

==EOF==

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 PM

Posted 13 December 2009 - 07:56 PM

Ok, lets run Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Computer Pro

#8 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 13 December 2009 - 09:13 PM

OK. Done with express scan...said 1 virus found, and eradicated (Process in memory: C:\WINDOWS\Explorer.EXE:600)

Will now start complete scan.

#9 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 PM

Posted 13 December 2009 - 09:18 PM

Ok, I will be waiting for the log.
Computer Pro

#10 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 13 December 2009 - 11:17 PM

Wow this is quite the scan...not quite half done yet.

#11 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 14 December 2009 - 07:11 AM

Here is all it is:

Process in memory: C:\WINDOWS\Explorer.EXE:600;;BackDoor.Tdss.565;Eradicated.;

#12 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 PM

Posted 14 December 2009 - 07:33 AM

How are things running now?
Computer Pro

#13 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 14 December 2009 - 07:46 AM

Still redirecting. When I search on google and click on a result, it takes me to places like ads.com and info.com etc. Hasn't gone away.

#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:04 PM

Posted 14 December 2009 - 08:06 AM

Could you please run another RootRepeal scan for me?
Computer Pro

#15 maestro88

maestro88
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 14 December 2009 - 08:29 AM

Here it is...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/14 07:11
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x960BD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\modemlog_conexant hda d110 mdc v.92 modem.txt
Status: Size mismatch (API: 3884, Raw: 3914)

Path: c:\documents and settings\aaron schauer\local settings\temp\~df103a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\program files\trend micro\internet security\log\20091214.pfg
Status: Size mismatch (API: 270152, Raw: 267660)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x85e77d60

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x85e77260

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x85e77520

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85e78bc0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x85e782e0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x85e785a0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x85e78d60

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x85e777e0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x85e78020

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85e77aa0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85e78a20

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x85e793c0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x85e791e0

==EOF==




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users