
Google Search Redirect Virus


5 replies to this topic

#1 whoosh88
  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 23 May 2010 - 02:05 PM

Hello.

It seems like others are having the same issue I am having. I recently got a virus that does one really annoying thing. Whenever I search something on Google and click one of the results (even if it's a legitimate link, i.e. youtube.com, etc), it will redirect me to a completely different page. Something that looks like a search engine with whatever I had searched google for.

I updated MalwareByte's Anti-Malware and ran it. It found and deleted multiple files, however a few it could not delete. I then updated SUPERAntiSpyware and ran that. It found several things and got rid of them. I thought the problem might be gone, but it's still happening. AVG Free Edition is not picking anything up. I ran MBAM and SUPERAntiSpyware a couple more times each and they also found nothing, but I am still getting these search result redirects.

It's happening for both IE (version 8) and Firefox (version 3.6.3). I am running Windows XP Media Center Edition, updated. Could someone be of assistance?

Thanks,
Mark



#2 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:22 PM

Posted 23 May 2010 - 03:55 PM

Hi whoosh88 and welcome to Bleeping Computer.

I updated MalwareByte's Anti-Malware and ran it. It found and deleted multiple files, however a few it could not delete.

Could you post the report from that scan please:

Start MBAM then click on the 'Logs' tab at the top.
They'll be date stamped so you should be able to see the report in question.
Double click on the report, it'll then open in 'Notepad'.
You can then copy and paste the results in your next reply.

Thanks.



#3 whoosh88
  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 23 May 2010 - 06:13 PM

Hello Starbuck.

Here is the log from the first scan I did with MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4130

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2010 12:11:14 PM
mbam-log-2010-05-22 (12-11-14).txt

Scan type: Full scan (C:\|)
Objects scanned: 241013
Time elapsed: 1 hour(s), 7 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
C:\Documents and Settings\Mark\Local Settings\Application Data\ybveamvui\ctnefkdtssd.exe (Trojan.Agent.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rusfybrp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rusfybrp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\documents and settings\Mark\application data\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Mark\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Mark\Local Settings\Application Data\ybveamvui\ctnefkdtssd.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Application Data\sdra64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temp\wgvyd.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temp\xemacwsonr.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temp\xnrosaewmc.tmp (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temp\khvcol.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\BEDBKR1F\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\BEDBKR1F\fwevpovto[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\BEDBKR1F\yptozgozmu[1].htm (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5\I6HNJ9NV\gotnewupdate000[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
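An added triage helper for logs in the format posted above (this is example code written for this page, not code from the thread, from Malwarebytes or from BleepingComputer). It parses the per-section detection lines, lists every item MBAM could only schedule for "Delete on reboot" (the entries a responder has to re-check after the restart), and pulls the unexpected components out of the Hijack.UserInit entry, since a Winlogon Userinit value that launches anything other than userinit.exe is the persistence mechanism behind this kind of infection. The sample input is an excerpt of the log above; the section-header and "item (name) -> ... -> action." line layout is assumed from that post.

```python
import re
from collections import Counter

# Excerpt of the MBAM 1.46 log posted earlier in this thread; the full log
# has more entries per section, but every detection line has the same shape.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Mark\Application Data\sdra64.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Mark\Application Data\sdra64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
"""

# One detection line: "<item> (<detection name>) -> <details ...> -> <action>."
# The item part is matched non-greedily so the first "(name) ->" wins, even
# when the details contain further parentheses (the Bad:/Good: pairs).
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
USERINIT_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Return a list of detections: section, item, detection name, details, action."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # summary lines, "(No malicious items detected)", etc.
        # The action is always the last " -> "-separated segment.
        details, _, action = m.group("rest").rpartition(" -> ")
        entries.append({
            "section": section,
            "item": m.group("item"),
            "name": m.group("name"),
            "details": details,
            "action": action.rstrip("."),
        })
    return entries


def pending_items(entries):
    """Items MBAM could not remove immediately and only scheduled for reboot."""
    return [e["item"] for e in entries if e["action"].startswith("Delete on reboot")]


def userinit_extras(entries):
    """Components in the Winlogon Userinit value other than the expected userinit.exe."""
    extras = []
    for e in entries:
        if e["name"] != "Hijack.UserInit":
            continue
        m = USERINIT_RE.search(e["details"])
        if not m:
            continue
        good = m.group("good").strip().lower()
        for comp in m.group("bad").split(","):
            comp = comp.strip()
            # Compare on the file name only: the legitimate entry is a full path.
            if comp and comp.lower().rsplit("\\", 1)[-1] != good:
                extras.append(comp)
    return extras


def action_summary(entries):
    """Counter of (section, action) pairs: what was removed versus still pending."""
    return Counter((e["section"], e["action"]) for e in entries)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections parsed")
    for (section, action), n in sorted(action_summary(found).items()):
        print(f"  {section}: {action} x{n}")
    print("Still pending after reboot:")
    for item in pending_items(found):
        print("  ", item)
    print("Unexpected Userinit components:", userinit_extras(found))
```

On the posted log this reports four items that were only scheduled for removal (the Userinit data, the lowsec folder, the system32 copy of sdra64.exe and local.ds) and two extra Userinit components, which is exactly the information a responder wants before deciding whether a second scan after reboot is meaningful or, as the next reply recommends, a rebuild is the safer choice.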

#4 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:22 PM

Posted 24 May 2010 - 04:01 AM

Hi whoosh88

That report doesn't look very good, I'm afraid.

Some browser hijackers and downloaders, such as the 'Zeus (Zbot) Banking Trojan', have been/are active on your computer. It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.

If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

For more information read ....Here
If you choose to format and reinstall read...... Here

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

If you decide to continue, I'll have this thread moved to the malware removal forum and we'll continue there.



#5 whoosh88
  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 24 May 2010 - 11:01 AM

Hello Starbuck.

I was figuring I'd probably need to reformat. I've changed my passwords on my laptop (and yes, there were financial ones :thumbsup:).

Since you guys are the experts, it seems like I will have to reformat. I was kind of leaning towards that route anyway as I was not able to clean it up. I guess you can now close this thread.

I do appreciate the quick responses, though. Thanks!

-Mark

#6 Starbuck
    'r Brudiwr
  • Malware Response Team
  • 4,149 posts
  • OFFLINE
  • Gender:Male
  • Location:Midlands, UK
  • Local time:07:22 PM

Posted 24 May 2010 - 11:34 AM

Hi Mark,

Under the circumstances I think you have made the right decision.
Plus a reformat/reinstall will get you up and running normally again very quickly.

I do appreciate the quick responses, though. Thanks

It's no problem at all.
Just wish it could have been better news for you.

Safe surfing.





