Google redirect virus; also cannot access Windows Update


#1 pomtown

Posted 13 June 2010 - 06:21 AM

I'm on a PC with Windows XP Professional Service Pack 2.

I've experienced these problems within the last few hours:
- In Firefox and IE, Google and Bing search engine results pages will appear normal, but clicking any link in the results will take me through multiple redirects, eventually bringing me to sites like MonsterMarketplace (always something spammy).
- Chrome refuses to load at all.
- I cannot install Microsoft Security Essentials - after validation of Windows, I get an error code 0x80070002 that the installation cannot be completed.
- Windows Update will not connect to update.microsoft.com, I also cannot load windowsupdate.microsoft.com
- My hosts file at C:\WINDOWS\system32\drivers\etc appears full of junk listings (can post if anyone wants to see them)
- I've tried running Spybot Search & Destroy and Malware Bytes Anti-Malware, both found and removed threats but I'm still experiencing the problematic behavior.

At this point I'm not even sure what the problem is - Malware? Spyware? Virus? - but I'd like to get this fixed with your help :-) Here's the DDS.txt file contents and Attach.txt... Please let me know what other information I can provide to help diagnose the problem (and help get to a fix!).

** UPDATE ** After I finished drafting this post and running the scans, the PC stopped connecting to the internet entirely through Firefox or IE. The Windows Firewall became disabled and I have not been able to turn it back on through the control panel. Am posting from another computer now.

________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by us at 13:29:12.17 on Sat 06/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.133 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\us\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://email.fws.gov/fw5romail/iNotes6W.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200170215984
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1273328917437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\us\applic~1\mozilla\firefox\profiles\wpget2nd.default\
FF - plugin: c:\documents and settings\us\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S3 cnxt1803;Compaq 10_100 MiniPCI Ethernet NIC Driver;c:\windows\system32\drivers\cnxt1803.sys [2008-1-12 39936]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-7-18 234888]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-13 24652]

=============== Created Last 30 ================

2010-06-12 17:27:57 0 ----a-w- c:\documents and settings\us\defogger_reenable
2010-06-12 14:26:32 0 d-----w- c:\windows\pss
2010-06-12 14:10:18 0 d-----w- c:\docume~1\us\applic~1\Malwarebytes
2010-06-12 14:09:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-10 11:43:00 0 d-----w- C:\Altysoft Video Converter
2010-06-10 11:42:48 0 d-----w- c:\program files\Altysoft Free Video Converter
2010-06-10 11:35:10 0 d-----w- c:\docume~1\us\applic~1\Xilisoft Corporation
2010-06-05 21:41:43 16520 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-05 21:10:01 0 d-----w- c:\program files\iPod
2010-06-05 21:09:38 0 d-----w- c:\program files\iTunes
2010-06-05 21:04:48 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-05-13 15:32:11 97280 ----a-w- c:\windows\system32\xl_x263dec.dll
2010-04-21 10:43:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-16 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-04-16 15:35:06 81 ----a-w- C:\CTX.DAT
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-15 09:31:48 165376 ----a-w- c:\windows\system32\unrar.dll
2010-03-11 15:15:02 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-03-11 15:15:02 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-03-11 15:15:02 81920 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:30:47.21 ===============

Attached Files
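The hosts-file symptom described in the post above (a file "full of junk listings", update.microsoft.com unreachable, and the DDS line "Hosts: 127.0.0.1 www.spywareinfo.com") can be checked mechanically rather than by eye. The following Python script is an added example and is not part of the original post or of the DDS tool: it parses a hosts file and flags entries that blackhole update or security sites to loopback or 0.0.0.0, send such sites to a LAN address, or pin any name to an address outside the LAN. The sample hosts text and the list of protected domain suffixes are constructed for the example.

```python
import ipaddress

# Sites the machine must reach to patch and clean itself. The list is an
# assumption made for this example, built from domains mentioned in the
# thread plus one vendor; extend it for your environment.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "spywareinfo.com",
    "malwarebytes.org",
    "bleepingcomputer.com",
)

# The one name a stock Windows hosts file maps to loopback.
LOOPBACK_NAMES = {"localhost"}

# Ranges that may legitimately appear in a hosts file on a LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


def _is_protected(host):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def _is_lan(ip):
    # A v4 address is never "in" a v6 network and vice versa; ipaddress returns False.
    return any(ip in net for net in LAN_NETS)


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for each suspicious entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((n, fields[0], " ".join(fields[1:]), "unparseable address"))
            continue
        for host in fields[1:]:
            if ip.is_loopback and host.lower() in LOOPBACK_NAMES:
                continue                          # the entry Windows ships with
            if ip.is_loopback or ip.is_unspecified:
                if _is_protected(host):
                    findings.append((n, str(ip), host, "security/update site blackholed"))
            elif _is_lan(ip):
                if _is_protected(host):
                    findings.append((n, str(ip), host, "security/update site sent to a LAN address"))
            else:
                # Any name pinned to an address outside the LAN is a redirect
                # to a server the user did not choose.
                findings.append((n, str(ip), host, "redirected to external host"))
    return findings


# Constructed sample for this example; not the poster's real hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
127.0.0.1       update.microsoft.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         www.malwarebytes.org
192.0.2.10      www.google.com     # pinned to a server elsewhere
10.0.0.5        fileserver.lan
"""

if __name__ == "__main__":
    for line_no, addr, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:>3}: {addr:<12} {host:<30} {reason}")
```

On a real XP box point it at C:\WINDOWS\system32\drivers\etc\hosts; the Microsoft copyright comment and the localhost line are the only content a clean file should have. A LAN mapping such as fileserver.lan is deliberately not reported, since hosts files are a common way to name internal machines.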




#2 pomtown (Topic Starter)

Posted 14 June 2010 - 05:13 PM

Just a quick bump - after restarting, can connect to web sites through IE and FF (although still unable to connect to update.microsoft.com or windowsupdate.microsoft.com, and still experiencing the originally reported Google redirect problems). Let me know if I can provide any other information.

#3 Farbar (Security Developer, The Netherlands)

Posted 17 June 2010 - 03:08 AM

Hi pomtown,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please update me on the current condition of your computer if the issue is not resolved.

#4 pomtown

Posted 17 June 2010 - 06:45 AM

farbar, thanks for checking in.

Yes, I agree to refrain from making any changes to my system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on.

I should let you know that I had originally contacted Microsoft support for the error code I received when I tried to install Windows Security Essentials (see my original post). They had me install and run Windows Installer CleanUp Utility - although I didn't use it to remove anything as I saw no programs they instructed me to remove.

Microsoft also had me stop and start the Automatic Updates service and remove all temporary files from my computer. Then they instructed me to try downloading and installing Microsoft Security Essentials again. I was still unable to complete the installation, except now I didn't get as far as receiving the error code I originally had - now, the installer won't pass the Windows Genuine Validation at all, and now I have an icon in my system tray alerting me that I am a victim of software counterfeiting.

Aside from the steps above, I have not run any other tools, updated Windows, installed applications, or removed any files since my original post. I am still experiencing the Google redirect problem originally reported, and am a little annoyed that I somehow "unvalidated" my copy of Windows! Let me know if I need to re-run dds and gmer.

Thank you,
Pomtown

#5 Farbar

Posted 17 June 2010 - 06:56 AM

Thank you for the feedback pomtown.

No need for new logs.

We will take care of the redirection. You can't validate Windows as long as the rootkit is on your computer. After removing the rootkit you will be able to connect to the Microsoft server and possibly validate and update Windows.

Download and run TDSSKiller.exe.
Let reboot when asked and attach the log it makes on the root of C drive (C:\TDSSKiller-version-date-time.txt).

Also check and tell me about the issue after running the tool.

#6 pomtown

Posted 18 June 2010 - 07:21 AM

Looking good - no Google redirects, I'm able to access update.microsoft.com, Chrome browser is now loading. Log attached.

Although my Windows Genuine Validation is still unhappy...

Attached Files



#7 Farbar

Posted 18 June 2010 - 09:16 AM

  1. You have the latest version of Java (Java 6 Update 20), which is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall the following:

    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7


  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  4. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt
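The several Java releases Farbar asks to have uninstalled can be read straight out of the DDS log in post #1: the Sun Java plug-in registers one static CLSID per installed release, of the form {CAFEEFAC-00MN-0000-00UU-ABCDEFFEDCBA} for Java M.N Update UU (so ...0016-0000-0020... is 1.6 Update 20), while {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} is the dynamic "latest installed" CLSID and names no version. The following Python script is an added example, not part of the thread or of the DDS tool: it decodes every such CLSID in a DDS log and lists each release older than the newest one. The sample text is an excerpt of the DPF and Firefox HiddenExtension lines from the log above; it goes beyond the three releases named in this post, because the leftover extension folders and DPF entries also carry GUIDs for Update 15 and Update 17.

```python
import re

# Static Java plug-in CLSID: CAFEEFAC-00MN-0000-00UU-ABCDEFFEDCBA is Java M.N
# Update UU. The FFFF form is the dynamic "any installed version" CLSID.
JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-ABCDEFFEDCBA\}", re.I
)


def decode_java_clsid(family, middle, update):
    """Map the three variable CLSID fields to (major, minor, update).

    Returns None for the dynamic FFFF CLSID, which carries no version.
    The middle field is always 0000 in the static form and is ignored.
    """
    if family.upper() == "FFFF" or update.upper() == "FFFF":
        return None
    # The fields are decimal digits written as text: "0016" -> 1.6, "0020" -> 20.
    return (int(family[-2]), int(family[-1]), int(update))


def java_versions_in_log(text):
    """Every distinct Java release referenced anywhere in a DDS log, oldest first."""
    found = set()
    for m in JAVA_CLSID.finditer(text):
        version = decode_java_clsid(*m.groups())
        if version is not None:
            found.add(version)
    return sorted(found)


def stale_java_versions(text):
    """Releases older than the newest one referenced: candidates to uninstall."""
    return java_versions_in_log(text)[:-1]


def describe(version):
    major, minor, update = version
    return f"Java {major}.{minor} Update {update}"


# Excerpt of the DDS lines from post #1 (DPF and Firefox HiddenExtension entries).
SAMPLE_DDS = """\
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
FF - HiddenExtension: Java Console: No Registry Reference - c:\\program files\\mozilla firefox\\extensions\\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\\program files\\mozilla firefox\\extensions\\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
"""

if __name__ == "__main__":
    versions = java_versions_in_log(SAMPLE_DDS)
    print("newest referenced:", describe(versions[-1]))
    for v in stale_java_versions(SAMPLE_DDS):
        print("stale:", describe(v))
```

A GUID left behind in a Firefox extensions folder or an IE DPF entry does not by itself prove the old JRE is still installed, so treat the stale list as things to confirm in Add/Remove Programs, as this post does, not as proof of an installed vulnerable runtime.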


#8 pomtown

Posted 18 June 2010 - 05:36 PM

1. Java™ 6 Update 3, Java™ 6 Update 5, and Java™ 6 Update 7 have been uninstalled.

2. CCleaner has been installed and run per the instructions.

3. Malwarebytes' AntiMalware has been updated and a quick scan has been run. No threats were found, and nothing was removed; the scan log is attached.

4. New DDS log attached.

Attached Files



#9 Farbar

Posted 18 June 2010 - 05:55 PM

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


CODE
@ECHO OFF
REM Remove the malware's autorun value and record the result.
Reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v {68692108-D64E-63F7-6E11-BF091E42F74B} /f >log.txt 2>&1
REM List the dropper folder before touching it.
dir /a/b "c:\documents and settings\us\application data\qoyh" >>log.txt 2>&1
REM Move the executable out under a harmless extension instead of deleting it, so it can still be analysed.
if exist "c:\documents and settings\us\application data\qoyh\atkuh.exe" move "c:\documents and settings\us\application data\qoyh\atkuh.exe" %temp%\badatkuh.bad
echo.------------ >>log.txt
REM rd (rmdir) is the cmd.exe command for removing a directory tree; there is no rm in cmd.exe.
rd /s/q "c:\documents and settings\us\application data\qoyh" >nul 2>&1
REM List again: nothing below the separator means the folder is gone.
dir /a/b "c:\documents and settings\us\application data\qoyh" >>log.txt 2>&1
START log.txt

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: look.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate look.bat on the desktop. It should look like this:
  • Double-click to run it.
  • A notepad opens, copy and paste the content (log.txt) to your reply.


#10 pomtown

Posted 18 June 2010 - 07:31 PM

Content of log.txt is:



The operation completed successfully
atkuh.exe
------------


#11 Farbar

Posted 18 June 2010 - 07:35 PM

After cleaning the computer we are going to update Windows (you have not updated Windows, have you?).

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#12 pomtown

Posted 19 June 2010 - 05:51 AM

I got as far as the installation of Microsoft Windows Recovery Console and running the scan. I walked away from the computer and it apparently downloaded a Windows Automatic Update and restarted itself before I saw the log. Sorry! I've since turned off automatic updates. This is the first Windows Update to run since I originally opened this thread, as far as I know.

So, would you like me to run the ComboFix scan again and generate a new log? Or might there be a way for me to find the log from the original ComboFix scan?

#13 Farbar

Posted 19 June 2010 - 07:12 AM

See if there is a log here on the root of C drive named ComboFix.txt (C:\ComboFix.txt). Otherwise run Combofix once more.

#14 pomtown

Posted 19 June 2010 - 09:31 PM

I didn't see C:\ComboFix.txt. But I did find C:\Qoobox\ComboFix2.txt and C:\Qoobox\ComboFix-quarantined-files.txt, both files dated earlier today - attached. Let me know if these are the logs you're looking for and if it makes sense that they are in the C:\Qoobox folder - and if I should run ComboFix again.

Attached Files



#15 Farbar

Posted 20 June 2010 - 09:41 AM

Good job.
  1. Open notepad and copy/paste the text in the code box below into it:

    CODE
    http://www.bleepingcomputer.com/forums/t/324049/google-redirect-virus;-also-cannot-access-windows-update/

    Collect::[4]
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\odna.exe

    Folder::
    c:\documents and settings\us\Application Data\Qoyh
    c:\documents and settings\us\Application Data\Cueqer

    DDS::
    uInternet Connection Wizard,ShellNext = iexplore


    Save this as CFScript.txt





    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  2. You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    Avira
    • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.
    • In the left pane click Status. In the right pane click Scan system now.
    • After the scan finished let it remove what it finds and then Click Report.
    • You can get the last report also by clicking on Reports on the left pane.
    • In the right window under Action double-click on the last Scan listed (you see also the corresponding Dat/Time).
    • A window opens, click on Report file.
    • Copy and paste the content of the report to your reply.

    Note: If you would like to install Microsoft Security Essentials you may install it, but you should install either Avira or Microsoft Security Essentials, not both. Two antiviruses are not recommended and it leads to system problems.




