Google Redirect Virus


10 replies to this topic

#1 ollyjoe

ollyjoe

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:39 PM

Posted 10 January 2010 - 09:15 AM

Hello there.

Firstly, my sincerest apologies because I know that this has already been posted (about 100 times!). The solution is most likely already out there - although I'll openly admit I'm not very good at this complex computer lark, so I'm not really sure what I'm looking for.

I think that my computer has contracted the very annoying and frustrating Google Redirect Virus. I have read various forums so far and tried a few solutions, but with no luck (i.e. trying to delete unwanted Hosts IP addresses). An interesting Forum that I have read suggests trying to use ComboFix - although I am well aware that this can be a dangerous piece of kit if not used by someone who knows what they are doing!

I have run AVG, which found nothing, so I am running out of ideas. I registered on this Forum site today so that I could try and find a 'helper' who might be able to help me use ComboFix to diagnose the problem.

Is there anyone out there that can help?

Waiting in anticipation,

OllyJoe



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,109 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:39 PM

Posted 10 January 2010 - 09:39 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 ollyjoe

ollyjoe

Posted 10 January 2010 - 10:34 AM

Hello and thank you for your reply.

The issue has been happening now for the last few months.

When I use Google to search for a website the search results appear as normal. However, when I click on any of the links I am taken to random other spam advertising pages. Sometimes not just spam advertising pages, but product pages also. If you would like me to list some of the pages that appear I can do so. Sometimes it will redirect a couple of times.

When I click on a search result it seems to open a new window or tab rather than opening the page in the same window/tab. It does this both when it redirects me and for pages which I manage to get on to successfully.

I have dealt with this by closing the spam window and clicking on the link again. Sometimes it will redirect me 2 or 3 times before taking me to the page I wanted!

I hope you can help.

Thanks again,

OllyJoe

#4 ollyjoe

ollyjoe

Posted 10 January 2010 - 10:36 AM

Forgot to mention that it does this with both Internet Explorer and Firefox.

#5 Elise

Elise


Posted 10 January 2010 - 10:39 AM

Hi, let's try a rootkit scan first.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise

#6 ollyjoe

ollyjoe

Posted 10 January 2010 - 12:36 PM

Hi,

I have run GMER and the following is the report I saved.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-10 17:33:48
Windows 5.1.2600 Service Pack 3
Running: rd37nnc3.exe; Driver: C:\DOCUME~1\OLIVER~1\LOCALS~1\Temp\kwdoqfow.sys


---- System - GMER 1.0.15 ----

Code 89E14328 ZwEnumerateKey
Code 89E1E888 ZwFlushInstructionCache
Code 89E1435E IofCallDriver
Code 89E0E5D6 IofCompleteRequest
Code C7924300 KeSetProfileIrql

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 89E14363
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 89E0E5DB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 89E1E88C
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 89E1432C
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xB9A45ABF]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXtnnaanuefwwdolygltkcbbasnxrxqxej.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXnjdmifxwfhanbpvjnrdxiginmxvndqoh.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXtnnaanuefwwdolygltkcbbasnxrxqxej.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXnjdmifxwfhanbpvjnrdxiginmxvndqoh.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXtnnaanuefwwdolygltkcbbasnxrxqxej.dll
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXnjdmifxwfhanbpvjnrdxiginmxvndqoh.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\MSIVXcount 4 bytes
File C:\WINDOWS\system32\MSIVXnjdmifxwfhanbpvjnrdxiginmxvndqoh.dll 54272 bytes executable
File C:\WINDOWS\system32\MSIVXtnnaanuefwwdolygltkcbbasnxrxqxej.dll 25600 bytes executable
File C:\WINDOWS\system32\drivers\MSIVXdvjsamipvtioneddeohijccxnjcxppwt.sys 77824 bytes executable
File C:\WINDOWS\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys 77824 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


Thanks,

ollyjoe
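What the log above actually shows, for anyone reading this thread later: the JMP entries under "Kernel code sections" are inline patches on ntkrnlpa.exe exports (IofCallDriver, IofCompleteRequest, ZwEnumerateKey, ZwFlushInstructionCache) redirecting into memory that GMER does not attribute to any module. Hooks by themselves are not a verdict; the AttachedDevice lines from avgtdix.sys (AVG) and SynTP.sys (touchpad) are the same kind of kernel interposition done by legitimate products. The decisive line is in the "Services" section: the key HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys is visible in the registry, but the driver it points to is hidden from the normal Windows API, and GMER marks that cross-view discrepancy as ROOTKIT. Everything else carrying the MSIVX prefix belongs to the same installation: the two DLLs registered under the service's "modules" key, MSIVXcount, and a second 77824-byte driver, MSIVXdvjsamipvtioneddeohijccxnjcxppwt.sys, which GMER lists in "Files" but does not itself flag. The script below is an added example, not part of this thread and not GMER's own tooling: it parses a GMER log into those categories and pivots from the hidden service's name to its sibling files. The embedded fixture is a trimmed copy of the log posted above; the four-character minimum for the shared prefix is an assumption chosen for this example.

```python
"""Triage a GMER log: separate proof of a hidden driver from kernel hooks that
legitimate products also install. Added example, not GMER's own tooling."""
import ntpath
import re

# Constructed fixture: lines excerpted from the log posted above, trimmed to the
# sections the rules below act on. Names and paths are the ones in that log.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 89E14363
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 89E1432C
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\MSIVXcount 4 bytes
File C:\WINDOWS\system32\MSIVXnjdmifxwfhanbpvjnrdxiginmxvndqoh.dll 54272 bytes executable
File C:\WINDOWS\system32\MSIVXtnnaanuefwwdolygltkcbbasnxrxqxej.dll 25600 bytes executable
File C:\WINDOWS\system32\drivers\MSIVXdvjsamipvtioneddeohijccxnjcxppwt.sys 77824 bytes executable
File C:\WINDOWS\system32\drivers\MSIVXfixonqmubrvumroodslacfbebuajqmft.sys 77824 bytes executable <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
HOOK_RE = re.compile(r"^\S+\s+(?P<fn>[^\s!]+!\S+)\s+(?P<addr>[0-9A-F]+)\s+\d+ Bytes JMP (?P<to>[0-9A-F]+)")
HIDDEN_RE = re.compile(r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (?P<name>\S+)")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes")


def parse_sections(text):
    """Group non-blank lines under their '---- <name> - GMER ... ----' header."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(line.rstrip())
    return sections


def find_inline_hooks(sections):
    # Inline JMPs on kernel exports: AV and filter products install these too,
    # so they are context to attribute, not a verdict on their own.
    return [m.group("fn", "addr", "to") for line in sections.get("Kernel code sections", [])
            if (m := HOOK_RE.match(line))]


def find_hidden_services(sections):
    # Registry key visible, driver invisible to the normal API: the cross-view
    # discrepancy that actually proves something is hiding.
    return [m.groupdict() for line in sections.get("Services", []) if (m := HIDDEN_RE.match(line))]


def shared_prefix(a, b):
    # Common prefix of service name and image name, e.g. the tag a dropper puts
    # in front of its randomly generated file names.
    n = 0
    while n < min(len(a), len(b)) and a[n].lower() == b[n].lower():
        n += 1
    return a[:n]


def related_artifacts(sections, prefix):
    # Every listed file carrying the prefix, including siblings GMER showed but
    # did not itself mark '<-- ROOTKIT'.
    return [(m["path"], int(m["size"])) for line in sections.get("Files", [])
            if (m := FILE_RE.match(line))
            and ntpath.basename(m["path"]).upper().startswith(prefix.upper())]


def triage(text):
    """Summarise a GMER log into something a responder can act on."""
    sections = parse_sections(text)
    hidden = find_hidden_services(sections)
    hooks = find_inline_hooks(sections)
    flagged = [l for ls in sections.values() for l in ls if "<-- ROOTKIT" in l]
    artifacts = []
    for svc in hidden:
        prefix = shared_prefix(svc["name"], ntpath.basename(svc["image"]))
        if len(prefix) >= 4:  # assumption: shorter prefixes are too generic to pivot on
            artifacts += [a for a in related_artifacts(sections, prefix) if a not in artifacts]
    if hidden or flagged:
        verdict = "rootkit: hidden driver present, treat the host as compromised"
    elif hooks:
        verdict = "hooks only: attribute each hook to a product before acting"
    else:
        verdict = "no rootkit indicators"
    return {"hooks": hooks, "hidden_services": hidden, "flagged_lines": flagged,
            "artifacts": artifacts, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full saved gmer.log by reading the file and passing its contents to triage(). On the fixture it returns two hooks, one hidden service, two ROOTKIT-flagged lines and five MSIVX-prefixed files, of which two are drivers; the pivot on the shared prefix is what surfaces the second, unflagged driver.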

#7 Elise

Elise


Posted 10 January 2010 - 12:56 PM

That's a nasty rootkit we have there... Please consider the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise

#8 ollyjoe

ollyjoe

Posted 10 January 2010 - 01:35 PM

Hi,

Thank you for this information. It's rather worrying I must admit!

If I perform a complete reinstall of the computer's OS will this completely remove the infection?

I might attempt that before proceeding with the method above - if you think it is worth a shot? I am using a laptop that doesn't have that much information on it - so I am not bothered if I have to use the system restore discs.

I did run AVG the other day and it found a Trojan. It was located somewhere in a DVD Fab folder. I think that AVG healed the infected files - could this be related to my problem?

Thanks

Regards,

#9 Elise

Elise


Posted 10 January 2010 - 01:59 PM

If I perform a complete reinstall of the computer's OS will this completely remove the infection?

It's recommended to do a complete reformat of the drive first so all data will be erased. If you re-install your OS after that, yes, your computer will be clean.

I did run AVG the other day and it found a Trojan. It was located somewhere in a DVD Fab folder. I think that AVG healed the infected files - could this be related to my problem?

Malware never comes alone, it likes to invite 'friends'. So it's quite possible this is related, yes.

regards, Elise

#10 ollyjoe

ollyjoe

Posted 10 January 2010 - 02:34 PM

Hi,

Thank you very much for all of your help today.

I will perform a complete re-format and re-install of my computer's OS now.

Fingers crossed it will do the job.

Thanks again.

Regards,

OllyJoe

#11 Elise

Elise


Posted 10 January 2010 - 02:38 PM

That should do the trick :thumbsup:

Let me know if you have any more questions.

regards, Elise



