Google Redirect Virus


This topic is locked
1 reply to this topic

#1 Wes S.


Posted 21 February 2010 - 04:24 PM


Hello,

I am trying to help a friend remove a virus. This one seems to affect searches he does on Google. When we do a search it provides us a list of hits like normal; when you click on one of the hits it seems to briefly show that it is connecting to http:\\66.54.254.163, then it quickly goes to some other random website. I am using a program called Bomgar to access his computer remotely to try and fix this. Any help would be appreciated.

What I tried to do so far to fix it:

-Booted to safe mode and ran the latest Combofix and Malwarebytes
-Did a cleanup of the startup items with HijackThis
-Reset IE settings back to default from the Advanced tab in the tools
-Ran a full scan with S&D Bot
-Removed AVG, Installed NOD32 and updated it (didn't run a full scan but the resident shield didn't find anything)
-Removed NOD32, Malwarebytes and S&D Bot
-Checked for a proxy setting (none found)
-Disabled "DNS Client" as per some website that suggested it, but that did nothing
-Gave up :) and came here looking for help




DDS (Ver_09-12-01.01) - NTFSx86
Run by Crystal at 14:13:59.89 on Sun 02/21/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.1189 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4B81727D\bomgar-scc.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4B81727D\bomgar-scc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Crystal\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.google.ca
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Bomgar Support Reconnect []] "c:\documents and settings\all users\application data\bomgar-scc-4b817299\bomgar-scc.exe" -nomulti
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\crystal\applic~1\mozilla\firefox\profiles\tvf2vmra.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 bomgar-ps-1266774662-1266774755;Bomgar Jump Client [1266774662-1266774755];c:\documents and settings\all users\application data\bomgar-scc-4b81727d\bomgar-scc.exe [2010-2-21 660856]
R2 bomgar-scc-1266774662;Bomgar Support Customer Client [1266774662];c:\documents and settings\all users\application data\bomgar-scc-4b81727d\bomgar-scc.exe [2010-2-21 660856]

=============== Created Last 30 ================

2010-02-21 18:50:14 0 dc----w- C:\wes
2010-02-21 17:51:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Bomgar-SCC-4B817299
2010-02-21 17:50:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Bomgar-SCC-4B81727D
2010-02-21 17:30:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-21 17:30:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-21 17:24:50 0 dc----w- C:\backups
2010-02-21 16:39:06 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-21 16:17:34 0 d-----w- c:\docume~1\crystal\applic~1\Malwarebytes
2010-02-21 16:17:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-21 16:03:12 98816 ----a-w- c:\windows\sed.exe
2010-02-21 16:03:12 77312 ----a-w- c:\windows\MBR.exe
2010-02-21 16:03:12 261632 ----a-w- c:\windows\PEV.exe
2010-02-21 16:03:12 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 03:27:51 0 d-----w- c:\program files\Ask.com
2010-02-02 19:10:37 42 ----a-w- c:\documents and settings\crystal\default.pls
2010-01-22 23:59:15 4184 -c--a-w- C:\INFCACHE.1

==================== Find3M ====================

2010-01-19 20:55:47 54816 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-11 04:00:06 59320 ----a-w- c:\docume~1\crystal\applic~1\GDIPFONTCACHEV1.DAT
2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 18:14:02 2185984 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:14:02 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:11:44 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 17:35:25 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 17:35:22 2063104 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 17:35:22 2063104 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 08:59:48 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:33:35 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:33:35 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:33:35 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33:35 1291264 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37:27 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37:27 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:37:27 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37:27 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37:27 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2008-03-03 22:27:50 56 --sh--r- c:\windows\system32\F4578D810A.sys
2008-03-03 22:28:14 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 14:15:10.71 ===============






#2 Wes S.


Posted 21 February 2010 - 05:04 PM

After spending all day on the issue and reading through the logs I posted here, I narrowed down the problem to be with atapi.sys. After doing some Google searches with the words "atapi.sys virus" it appears many people have had this problem. I am not trying to market anything here but if it saves someone some grief, the answer was run "Hitman Pro 3.5". It was able to delete the file and restore a good one without me having to boot in to BartPE or anything so my hats off to that program.

Thank you to Bleeping Computer as this has been a saving grace for my computer business.

Thank You,

Wes
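The post above blames a tampered atapi.sys. As an added example that is not part of this thread or of any tool it names, the script below compares the live driver with the copy Windows File Protection keeps in dllcache and reports size, timestamp, SHA-256 and Authenticode status for each. The paths and driver name are assumptions for a Windows XP layout; a kernel-level rootkit can misreport file contents to the running system, so a clean result from inside the infected machine is weaker than one from an offline boot environment such as the BartPE the poster mentions.

```powershell
# Added example, not from the thread or from any tool it names.
# Compares the live copy of a driver (default: atapi.sys, the file the
# post blames) with the Windows File Protection copy in dllcache.
# Assumptions: XP-style paths under $env:SystemRoot, PowerShell 2.0 or later.
param(
    [string]$Driver = 'atapi.sys',
    [string]$SystemRoot = $env:SystemRoot
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash is absent on older PowerShell, so hash through .NET.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-DriverReport([string]$Path) {
    $item = Get-Item -LiteralPath $Path -Force   # -Force also lists hidden files
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    # XP-era Microsoft drivers are catalog-signed rather than embedded-signed,
    # so NotSigned on its own is not conclusive; the hash comparison below is
    # the stronger signal. Any status other than Valid or NotSigned is suspicious.
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        Sha256    = Get-Sha256Hex $Path
        SigStatus = $sig.Status
    }
}

$live  = Join-Path $SystemRoot "system32\drivers\$Driver"
$cache = Join-Path $SystemRoot "system32\dllcache\$Driver"

$reports = @()
foreach ($p in @($live, $cache)) {
    if (Test-Path -LiteralPath $p) { $reports += Get-DriverReport $p }
    else { Write-Warning "missing: $p" }
}
$reports | Format-List Path, Size, Modified, Sha256, SigStatus

if ($reports.Count -eq 2) {
    if ($reports[0].Sha256 -ne $reports[1].Sha256) {
        Write-Warning "${Driver}: live copy differs from the dllcache copy; confirm from an offline boot environment before trusting either file."
    } else {
        Write-Output "${Driver}: live and dllcache copies match."
    }
}
```

A mismatch is a lead, not a verdict: the dllcache copy can itself be stale or replaced, so confirm the suspect file against a known-good source from outside the running system.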





