Another Google Redirect


17 replies to this topic

#1 violentlyviolet

  • Members
  • 10 posts

Posted 21 May 2010 - 01:26 PM

Sorry to be a bother, but I also seem to have been infected by the Google redirection virus. Google now generates random pop-ups and all searches seem to lead to somewhat random results. As well as this, clicking on certain links also leads to redirections to various adverts or different search sites. I'm using Windows XP and Internet Explorer 8.

Before coming to this forum I've used Malwarebytes' Anti-Malware and SUPERAntiSpyware, and AVG is installed.

While these seem to have removed infected files, this Google virus is stubbornly remaining. I'm at my wits' end, so any help would be really appreciated.

Edited by violentlyviolet, 21 May 2010 - 01:38 PM.




#2 Budapest
    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 26 May 2010 - 05:45 PM

Please run another Malwarebytes scan and post the log.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 27 May 2010 - 12:37 PM

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3988

Windows 5.1.2600 Service Pack 3, v.3264
Internet Explorer 8.0.6001.18702

27/05/2010 18:10:01
mbam-log-2010-05-27 (18-10-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 181314
Time elapsed: 1 hour(s), 46 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Budapest
    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 27 May 2010 - 04:07 PM

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Make sure the Sections option is checked (in the right hand panel). Leave all other options unchecked!
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#5 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 27 May 2010 - 04:43 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-27 22:39:35
Windows 5.1.2600 Service Pack 3, v.3264
Running: xry4zrz1.exe; Driver: C:\DOCUME~1\Katie\LOCALS~1\Temp\uxtdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\compbatt.sys entry point in ".rsrc" section [0xF7A1F214]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[568] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[568] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[568] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1536] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1536] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1536] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1536] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DB000A
.text C:\WINDOWS\Explorer.EXE[3920] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[3920] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[3920] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\compbatt.sys suspicious modification

---- EOF - GMER 1.0.15 ----
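The GMER output above is worth reading rather than only forwarding. The "User code sections" lines are 5-byte inline JMP patches at the start of ntdll.dll!NtProtectVirtualMemory, NtWriteVirtualMemory and KiUserExceptionDispatcher in three processes (wuauclt.exe, svchost.exe and Explorer.EXE), each jumping to a low address far outside ntdll, and two of the processes share the very same jump targets. The "Kernel code sections" line says compbatt.sys has its entry point inside .rsrc, a resource section that holds no code in a legitimate driver, and GMER separately lists the file as modified. The parser below is an added example, not part of the thread or of GMER: it turns those lines into a per-process summary and flags both patterns. The log lines are copied from the post above; the FAR_JUMP threshold and every function name are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed input: the lines below are copied from the GMER log posted
# earlier in this thread; nothing has been added to them.
GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\compbatt.sys entry point in ".rsrc" section [0xF7A1F214]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[568] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[568] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[568] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1536] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1536] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1536] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1536] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DB000A
.text C:\WINDOWS\Explorer.EXE[3920] ntdll.dll!NtProtectVirtualMemory 7C90D6D0 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[3920] ntdll.dll!NtWriteVirtualMemory 7C90DF90 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[3920] ntdll.dll!KiUserExceptionDispatcher 7C90E45C 5 Bytes JMP 00B6000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\compbatt.sys suspicious modification
"""

# One line per inline hook: image[pid] module!function address N Bytes JMP target
USER_HOOK = re.compile(
    r'^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) '
    r'(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$')
# Driver whose entry point GMER found in an unexpected section
KERNEL_EP = re.compile(
    r'^\.(?P<section>\w+) (?P<path>.+?) entry point in "(?P<ep_section>\.\w+)" section'
    r' \[(?P<addr>0x[0-9A-Fa-f]+)\]$')
FILE_MOD = re.compile(r'^File (?P<path>.+?) suspicious modification$')

# Assumed threshold: a JMP whose destination is this far from the patched
# function cannot land inside the same system DLL, so the detour code lives
# elsewhere in the process (typically privately allocated memory).
FAR_JUMP = 0x1000_0000


def parse_gmer(text):
    """Split a GMER report into user-mode hooks, driver entry-point anomalies
    and files GMER itself reports as modified."""
    hooks, drivers, files = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_HOOK.match(line)
        if m:
            hooks.append({'image': m['image'], 'pid': int(m['pid']),
                          'module': m['module'], 'func': m['func'],
                          'addr': int(m['addr'], 16), 'size': int(m['size']),
                          'target': int(m['target'], 16)})
            continue
        m = KERNEL_EP.match(line)
        if m:
            drivers.append({'path': m['path'], 'ep_section': m['ep_section'],
                            'addr': int(m['addr'], 16)})
            continue
        m = FILE_MOD.match(line)
        if m:
            files.append(m['path'])
    return {'user_hooks': hooks, 'drivers': drivers, 'modified_files': files}


def hooked_pids(parsed):
    return sorted({h['pid'] for h in parsed['user_hooks']})


def shared_targets(parsed):
    """(module, func, target) combinations seen in more than one process:
    the same detour address in several PIDs points at a single injector."""
    seen = defaultdict(set)
    for h in parsed['user_hooks']:
        seen[(h['module'], h['func'], h['target'])].add(h['pid'])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def triage(parsed):
    findings = []
    for d in parsed['drivers']:
        if d['ep_section'].lower() != '.text':
            findings.append(f"driver {d['path']}: entry point in {d['ep_section']} "
                            f"(driver code normally lives in .text)")
    for p in parsed['modified_files']:
        findings.append(f"file {p}: GMER reports a suspicious modification")
    per_proc = defaultdict(list)
    for h in parsed['user_hooks']:
        per_proc[(h['image'], h['pid'])].append(h)
    for (image, pid), hs in sorted(per_proc.items(), key=lambda kv: kv[0][1]):
        far = [h for h in hs if abs(h['target'] - h['addr']) > FAR_JUMP]
        if far:
            names = ', '.join(f"{h['module']}!{h['func']}" for h in far)
            findings.append(f"{image}[{pid}]: {len(far)} inline JMP hook(s) "
                            f"leaving the hooked DLL: {names}")
    for (mod, func, target), pids in shared_targets(parsed).items():
        findings.append(f"{mod}!{func} -> {target:08X} is identical in PIDs "
                        f"{pids}: one injector patched several processes")
    return findings


if __name__ == '__main__':
    for finding in triage(parse_gmer(GMER_LOG)):
        print(finding)
```

Run on the posted log, the script reports the .rsrc entry point and the modified file for compbatt.sys, ten hooks across three processes, and three hook targets shared by PIDs 568 and 1536. The parser only describes what GMER printed; it does not say which family produced the hooks, and the moderator's next step (TDSSKiller) is the sort of tool that resolves that question.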

#6 Budapest
    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 27 May 2010 - 05:10 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

#7 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 27 May 2010 - 05:41 PM

Tried it, and it got rid of one infection. However, the Google virus still seems to be sticking. I'm running Malwarebytes again to see if it picks up anything.

#8 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 27 May 2010 - 05:46 PM

Nothing. Thanks for the help so far.

#9 Budapest
    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 27 May 2010 - 05:50 PM

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
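What the HostsXpert steps above do is overwrite C:\WINDOWS\system32\drivers\etc\hosts with the stock Microsoft file and set its read-only attribute. Since that is what cleared the redirects in this thread, the mappings the infection had written there were the mechanism, and a restore only helps when the redirect lives in that file. Before overwriting it, keep a copy: the entries show exactly which domains were hijacked and where they pointed. The script below is an added example, not part of the thread or of HostsXpert: it parses a hosts file, classifies each mapping (a search engine or security vendor sent to a third-party address, or blackholed to loopback/0.0.0.0), and rebuilds the stock file, optionally re-adding the user's own entries as the note above says must be done by hand. The WATCHED domain list, the sample file contents and the helper names are assumptions made for this example; the sample's 192.0.2.x addresses are the RFC 5737 documentation range, not real hosts.

```python
import ipaddress

# Location of the hosts file on Windows XP, the system in this thread; the
# HostsXpert "Restore MS Hosts File" step overwrites this file.
HOSTS_PATH = r'C:\WINDOWS\system32\drivers\etc\hosts'

# The only mapping a stock Windows hosts file contains.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Domains that redirect malware has an interest in: search engines and the
# vendors whose tools were used in this thread. Assumed list for the example,
# not something the thread or HostsXpert supplies.
WATCHED = ('google.com', 'google.co.uk', 'bing.com', 'yahoo.com',
           'malwarebytes.org', 'superantispyware.com', 'avg.com',
           'microsoft.com', 'windowsupdate.com', 'bleepingcomputer.com')

# Constructed sample of a tampered hosts file (192.0.2.0/24 is the RFC 5737
# documentation range, so nothing here points at a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       devbox.local            # the user's own entry
192.0.2.10      www.google.com
192.0.2.10      google.com www.google.co.uk
192.0.2.11      www.bing.com
0.0.0.0         www.malwarebytes.org    # blackholes the removal tool's site
127.0.0.1       www.superantispyware.com
300.1.1.1       bogus.example
"""


def watched(host):
    host = host.lower().rstrip('.')
    return any(host == d or host.endswith('.' + d) for d in WATCHED)


def parse_hosts(text):
    """Yield (line_number, ip_text, hostname) for every mapping, comments
    and blank lines stripped; one line may name several hosts."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        for h in hosts:
            yield n, ip, h


def audit_hosts(text):
    """Classify every mapping as ok / custom / blocked / redirected / unparsable."""
    findings = []
    for n, ip_text, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            verdict = 'unparsable'
        else:
            if host.lower() == 'localhost' and ip.is_loopback:
                verdict = 'ok'
            elif not watched(host):
                verdict = 'custom'            # user's own entry, keep it
            elif ip.is_loopback or ip.is_unspecified:
                verdict = 'blocked'           # vendor/search site made unreachable
            else:
                verdict = 'redirected'        # traffic sent to a third party
        findings.append({'line': n, 'ip': ip_text, 'host': host, 'verdict': verdict})
    return findings


def restore_default(text, keep_custom=False):
    """Rebuild the file the way the HostsXpert restore does: stock content
    only, optionally re-adding the user's own (unwatched) entries afterwards."""
    out = DEFAULT_HOSTS
    if keep_custom:
        for f in audit_hosts(text):
            if f['verdict'] == 'custom':
                out += f"{f['ip']}\t{f['host']}\n"
    return out


if __name__ == '__main__':
    for f in audit_hosts(SAMPLE_HOSTS):
        if f['verdict'] not in ('ok', 'custom'):
            print(f"line {f['line']}: {f['ip']} {f['host']} -> {f['verdict']}")
```

Against a live machine, audit_hosts(open(HOSTS_PATH).read()) lists the tampered entries before anything is overwritten. The "Make ReadOnly?" step corresponds to attrib +r on that path; the read-only attribute is trivial for malware to clear again, so a hosts file that loses its read-only bit after a restore is a sign the infection is still active, not a protection in itself.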

#10 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 27 May 2010 - 05:56 PM

Okay, I've done this.

#11 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 27 May 2010 - 06:00 PM

Wow, I think that might be it! It looks like that's done the trick. Is there any way to confirm?

#12 Budapest
    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 27 May 2010 - 06:30 PM

Run a scan with SUPERAntiSpyware in Safe Mode and post the log.

#13 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 28 May 2010 - 09:43 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/28/2010 at 03:35 PM

Application Version : 4.37.1000

Core Rules Database Version : 4958
Trace Rules Database Version: 2770

Scan type : Complete Scan
Total Scan Time : 02:03:41

Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 5329
Registry threats detected : 0
File items scanned : 64868
File threats detected : 27

Adware.Tracking Cookie
C:\Documents and Settings\Katie\Cookies\katie@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Katie\Cookies\katie@content.yieldmanager[2].txt
C:\Documents and Settings\Katie\Cookies\katie@track.adform[3].txt
C:\Documents and Settings\Katie\Cookies\katie@ads.bleepingcomputer[2].txt
C:\Documents and Settings\Katie\Cookies\katie@2o7[1].txt
C:\Documents and Settings\Katie\Cookies\katie@advertising[1].txt
C:\Documents and Settings\Katie\Cookies\katie@bs.serving-sys[1].txt
C:\Documents and Settings\Katie\Cookies\katie@atdmt[1].txt
C:\Documents and Settings\Katie\Cookies\katie@track.adform[1].txt
C:\Documents and Settings\Katie\Cookies\katie@serving-sys[2].txt
C:\Documents and Settings\Katie\Cookies\katie@fastclick[1].txt
C:\Documents and Settings\Katie\Cookies\katie@adbrite[1].txt
C:\Documents and Settings\Katie\Cookies\katie@doubleclick[1].txt
C:\Documents and Settings\Katie\Cookies\katie@msnportal.112.2o7[1].txt
C:\Documents and Settings\Katie\Cookies\katie@revsci[1].txt
C:\Documents and Settings\Katie\Cookies\katie@content.yieldmanager[3].txt
C:\Documents and Settings\Katie\Cookies\katie@kaspersky.122.2o7[1].txt
C:\Documents and Settings\Katie\Cookies\katie@trafficmp[1].txt
C:\Documents and Settings\Katie\Cookies\katie@ad.yieldmanager[2].txt
C:\Documents and Settings\Katie\Cookies\katie@chitika[1].txt
C:\Documents and Settings\Katie\Cookies\katie@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.associatedcontent[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pubmatic[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[2].txt

#14 Budapest
    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male

Posted 28 May 2010 - 04:07 PM

Any more problems?

#15 violentlyviolet
  • Topic Starter

  • Members
  • 10 posts

Posted 28 May 2010 - 04:18 PM

No, everything seems to be working fine; no pop-ups, and Google is back to normal. Thank you so much for your help!



