
Trying to use CmboFix to get rid of a Google Redirect virus.


  • This topic is locked
5 replies to this topic

#1 jvdart

  • Members
  • 3 posts

Posted 04 March 2010 - 08:12 AM

I ran the ComboFix program successfully per the instructions. However, after it completed the virus was still present and redirecting. I have the ComboFix.txt file but don't know what to do with it. Additional info: I have tried uninstalling IE8 and reinstalling it. Sometimes that actually works for a while, but eventually the virus takes over again. I also noticed that on an uninfected computer, when going to the www.google.com site, I see a graphical representation of the word Google. However, on the infected computer, I see the standard image for the word Google.


Edited by jvdart, 04 March 2010 - 08:21 AM.



#2 jvdart
  • Topic Starter

  • Members
  • 3 posts

Posted 05 March 2010 - 08:59 AM

For the past two days I have been working to rid this virus from my daughter's PC. I have tried AVG, Malwarebytes, ComboFix, Hitman, XDelBox, TDSSKiller, CCCleaner, and etc... And, while they eliminated the obvious trojan infection, the real "redirection" virus still persists. However, I noticed some things yesterday that may be helpful for those of you who are "gurus" and really understand this stuff better than I do. I noticed that ...

A) on infected PCs,
1) the Google name was the standard image.
2) at all times, the copyright phrase in the middle of the form shows "@2009-Privacy" (the year is old)
3) from a DOS command prompt window, pinging "http://www.google.com/" would fail and never resolve.

B) on un-infected PCs,
1) the main Google page (yesterday) showed the name Google as a graphic with multiple guitars.
2) the copyright phrase in the middle of the form shows "@2010-Privacy" (the year is current)
3) from a DOS command prompt window, pinging "http://www.google.com/" works perfectly.

This leads me to believe that the behavior of the virus is not about redirection when the user selects a search-results link from within Google, but rather that the redirection (or hijacking) is actually occurring prior to that, preventing the user from ever really entering Google in the first place. What appears to be Google is not, but is in fact a web form of the virus itself.

I believe the virus authors captured Google images in 2009 and are using them as a background to make the user believe that he/she is in Google, and thus believe the problem is happening as a redirection of a selected search-results link.

I hope this info helps...
-Jim
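The symptom Jim describes (www.google.com failing to resolve on the infected PC while a stale copy of the Google page is shown) is commonly produced by a tampered hosts file or hijacked name resolution. As an added example that is not part of this thread, the following Python check parses hosts-file text and flags watched domains that have been pinned, either redirected to an outside address or blocked with a loopback/unspecified address. The sample hosts file and the watched-domain list are constructed here; the addresses are documentation-range values, not real indicators.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a Windows hosts file with three planted entries.
# 203.0.113.0/24 is a documentation range, used here as a stand-in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com      # redirect: fake search page
203.0.113.7     google.com
0.0.0.0         www.malwarebytes.org  # block: security vendor site
"""

# Domains a legitimate hosts file should never pin (assumed list).
WATCHED = ("google.com", "bing.com", "yahoo.com", "malwarebytes.org", "eset.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def find_hijacks(text: str, watched=WATCHED) -> List[Tuple[str, str, str]]:
    """Flag watched domains pinned in the hosts file.

    A loopback or 0.0.0.0 pin is reported as "block" (typical for
    security-vendor sites); any other address is reported as "redirect".
    """
    hits = []
    for addr, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            ip = ipaddress.ip_address(addr)
            kind = "block" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            hits.append((addr, name, kind))
    return hits
```

On a live machine the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; an empty result means the hosts file is not the mechanism and DNS settings should be checked next.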

#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 10:41 AM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt

Thanks



#4 jvdart
  • Topic Starter

  • Members
  • 3 posts

Posted 09 March 2010 - 08:16 AM

syler,
thank you for taking the time to investigate this problem. I have completed all the actions you recommended. Before sending all the results, because this time MalwareBytes actually found and removed one item (which it had not been doing before) I checked to see if the virus symptoms still persisted. They are gone! Multiple times I had downloaded the latest MalwareBytes during my efforts to solve the problem earlier. Apparently, your source for the latest-n-greatest version of it was just what I needed. I am attaching the requested files, just in case you want to see what has happened. Thanks again for your help.


#5 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 09 March 2010 - 02:57 PM

Hi jvdart,

Malwarebytes gets updated very regularly, so it was just a case of waiting for them to find it and add it to their database. Your logs look OK; there are just some bits you should clean up.

You have Viewpoint installed. Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push


Then please post back here with the following logs:
  • ESET report
  • New Rsit log.txt

Thanks



#6 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 14 March 2010 - 12:29 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
