Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer infected with virus that redirects my searches (google redirect)


  • Please log in to reply
6 replies to this topic

#1 mamyers

mamyers

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 10 April 2010 - 06:10 PM

I was infected with some malware a few days ago including Paladin and Malware Defender. I have been able to remove most of the infections using a combination of Malwarebytes Spybot Superantispyware and Avira antivirus. There is only one more problem I cannot seem to get rid of. That being whenever I search using google or yahoo the results page comes up as it should. However when I click on one of the results, rather than the page I clicked on I am redirected to another page, usually it is some random search engine I've never heard of before and it's different every time.

I should state that the aforementioned programs now say that my computer is clean and cannot detect this problem.

This virus is not limited to merely redirecting pages but it also generates pop ups based on previous searches. For instance say I searched "teeth" in google. A few minutes afterward a pop up window will come up with a search engine similar to the page the virus directed me to earlier with "teeth" in the search. It seems to keep a record of my previous searches in order to generate pop ups later.

As the preparation guide on your website asked, I've generated three text files. A DDS.txt, a attach.txt and a arc.txt based on the DDS program and the GMER programs. I've attached those text files to this post.

I would appreciate any help you can give me!

I just discovered a few more problems that are most likely related to this virus or the viruses I just removed. Windows will not go into hibernation, when I try the "Prepairing to hibernate" screen comes up for a few seconds then closes. Also I cannot boot into safe mode other than Directory Services mode. When I try booting into safe mode I get a blue screen. These two problems were not issues until this infection.

Attached Files


Edited by mamyers, 11 April 2010 - 07:51 AM.


BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:13 PM

Posted 13 April 2010 - 07:49 AM

Hello, and welcome.gif to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. smile.gif

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 mamyers

mamyers
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 14 April 2010 - 03:21 PM

The situation has not changed since the last time I posted. I've attached a new DDS Log. DDS.txt and Attach.txt. Here is what the problem is.

I was infected with some malware a few days ago including Paladin and Malware Defender. I have been able to remove most of the infections using a combination of Malwarebytes Spybot Superantispyware and Avira antivirus. There is only one more problem I cannot seem to get rid of. That being whenever I search using google or yahoo the results page comes up as it should. However when I click on one of the results, rather than the page I clicked on I am redirected to another page, usually it is some random search engine I've never heard of before and it's different every time.

I should state that the aforementioned programs now say that my computer is clean and cannot detect this problem.

This virus is not limited to merely redirecting pages but it also generates pop ups based on previous searches. For instance say I searched "teeth" in google. A few minutes afterward a pop up window will come up with a search engine similar to the page the virus directed me to earlier with "teeth" in the search. It seems to keep a record of my previous searches in order to generate pop ups later.

Also, Windows will not go into hibernation, when I try hibernating the "Prepairing to hibernate" screen comes up for a few seconds then closes. Also I cannot boot into safe mode other than Directory Services mode. When I try booting into safe mode I get a blue screen. These two problems were not issues until this infection.

Attached Files


Edited by mamyers, 14 April 2010 - 04:52 PM.


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:13 PM

Posted 15 April 2010 - 08:00 AM

Hello mamyers

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 mamyers

mamyers
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 15 April 2010 - 12:00 PM

Here is the combofix report file. Just a note, it did delete a file but I'm still having the same problems.

Attached Files


Edited by mamyers, 15 April 2010 - 12:00 PM.


#6 mamyers

mamyers
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:13 PM

Posted 16 April 2010 - 08:00 PM

I managed to fix the problem. Apparently the virus modified the following files
c:\windows\system32\drivers\atapi.sys
c:\windows\system32\drivers\disk.sys

When I ran the GMER scan it said that the two files had been modified suspiciously. So what I did was pull out my windows xp installation disk and booted to it. I chose the repair option and it booted into DOS. I then used the following commands

ren c:\windows\system32\drivers\atapi.sys atapi.old
ren c:\windows\system32\drivers\disk.sys disk.old

copy c:\windows\servicepackfiles\i386\atapi.sys c:\windows\system32\drivers\atapi.sys
copy c:\windows\servicepackfiles\i386\disk.sys c:\windows\system32\drivers\disk.sys

What I did was to restore the original files from the servicepackfiles directory. If this had not worked I could have restored them from the XP Disk using these commands

expand e:\I386\atapi.sy_ c:\windows\system32\drivers\
expand e:\I386\disk.sy_ c:\windows\system32\drivers\

The redirect problem is now gone.

Edited by mamyers, 16 April 2010 - 08:01 PM.


#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:13 PM

Posted 18 April 2010 - 07:07 AM

Hello mamyers.

Sorry for the delay, things have been a bit hectic here.

Glad you managed to resolve the problem. Any further issues with the machine?

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users