
Google redirect problem


This topic is locked
7 replies to this topic

#1 theJenix

Posted 19 September 2010 - 07:23 PM

I am having a problem on my Windows 7 64 bit machine. A few weeks ago I noticed a couple programs attempting to launch themselves...not sure how I got infected, but as soon as I noticed that, I installed a number of programs to try and fix it. I initially installed Windows Security Essentials, Peer Block and MalwareBytes Anti Malware (I also have McAfee on this computer, but it's pretty useless as far as I can tell). These programs found a couple instances of Win32/Hiloti.gen!D, one of Win32/Bamital, and some other various exploits and questionable things. I thought everything was good, but then I noticed that in Firefox, Google links would sometimes redirect to 78.140.143.83 (MalwareBytes blocks the redirect, and it is always to the same address). I did a bit of researching and noticed that this is likely caused by the TDL3 rootkit. I then downloaded Sophos Anti-rootkit, Kaspersky's TDSSKiller, Prevx, Hitman Pro 3.5...and for good measure, Gooredfix. HitmanPro found an exploit in a text editor program I downloaded, but aside from that none of these programs found anything related to TDL3, but I was still having issues with Firefox and Google redirecting a link every once in a while. I have not seen this behavior in IE, and having installed Chrome recently, can't say I've seen it in there either...although to be honest I don't use either browser enough to really know for sure.

I even went so far as to boot into recovery mode and rebuild my MBR (given the nature of TDL3 for Windows 7 64bit), although I suppose the damage has been done at this point. The latest attempt to fix this was to delete and rebuild my Firefox profile, which means reinstalling all of my extensions. That worked for a day but I just had a redirect...at this point I figure it would be best to seek professional help.

Thanks in advance for any help you can give me.


#2 boopme

Posted 19 September 2010 - 08:37 PM

Hello, did you run Goored fix? We will most likely need a deeper look here after you have used all these tools so we can ID all changes.

Please go here: Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.

In the event these will not run with the 64 bit system then run OTL.

1. Please download OTL from one of the following mirrors:
   This is THE Mirror
2. Save it to your desktop.
3. Double click on the OTL icon on your desktop.
4. Under the Custom Scan box paste this in:

   netsvcs
   %SYSTEMDRIVE%\*.exe
   /md5start
   eventlog.dll
   scecli.dll
   netlogon.dll
   cngaudit.dll
   sceclt.dll
   ntelogon.dll
   logevent.dll
   iaStor.sys
   nvstor.sys
   atapi.sys
   IdeChnDr.sys
   viasraid.sys
   AGP440.sys
   vaxscsi.sys
   nvatabus.sys
   viamraid.sys
   nvata.sys
   nvgts.sys
   iastorv.sys
   ViPrt.sys
   eNetHook.dll
   ahcix86.sys
   KR10N.sys
   /md5stop
   %systemroot%\*. /mp /s
   CREATERESTOREPOINT

5. Push the Quick Scan button.
6. Two reports will open, copy and paste them in a reply here:
   OTL.txt <-- Will be opened
   Extra.txt <-- Will be minimized
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
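The /md5start ... /md5stop block in the post above asks OTL to report MD5 hashes of those boot-start drivers and system DLLs; TDL3-class rootkits live in a patched copy of such a driver (atapi.sys being a well-known target), and the way to spot one is to compare each copy's hash with a known-good value. The following is an added Python illustration of that comparison, written for this edit rather than taken from OTL or from the thread; the sample file tree, its contents and the baseline hash are constructed.

```python
import hashlib
import os
import tempfile

# Filenames from the OTL /md5start ... /md5stop list above, lower-cased for matching.
MD5_TARGETS = {
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll", "ntelogon.dll",
    "logevent.dll", "iastor.sys", "nvstor.sys", "atapi.sys", "idechndr.sys", "viasraid.sys",
    "agp440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys", "nvgts.sys",
    "iastorv.sys", "viprt.sys", "enethook.dll", "ahcix86.sys", "kr10n.sys",
}

def md5_file(path):
    """MD5 of one file (the drivers in the list are small enough to read whole)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def hash_targets(root):
    """Walk root (think %systemroot%) and hash every copy of each target filename.
    Windows keeps several copies (system32/drivers, winsxs, DllCache), so a
    patched copy stands out beside the clean ones. Returns {relative path: md5}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in MD5_TARGETS:
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = md5_file(full)
    return results

def compare_to_baseline(hashes, baseline):
    """baseline maps a lowercase filename to the set of known-good MD5 digests.
    Returns {relative path: 'ok' | 'MISMATCH' | 'no baseline'}."""
    verdicts = {}
    for rel, digest in hashes.items():
        good = baseline.get(os.path.basename(rel).lower())
        verdicts[rel] = "no baseline" if good is None else ("ok" if digest in good else "MISMATCH")
    return verdicts

def demo():
    """Constructed sample tree (not a real Windows install): a clean atapi.sys in
    winsxs and a copy in system32/drivers that differs by one byte."""
    root = tempfile.mkdtemp()
    clean = b"CLEAN DRIVER IMAGE"  # stands in for the genuine driver bytes
    for sub, data in (("winsxs/x86_atapi", clean), ("system32/drivers", clean + b"\x90")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "atapi.sys"), "wb") as f:
            f.write(data)
    return compare_to_baseline(hash_targets(root), {"atapi.sys": {hashlib.md5(clean).hexdigest()}})
```

A real baseline would come from a clean install or vendor-published hashes; a hash that matches no known-good value is a reason to look closer, not proof of infection on its own.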

#3 theJenix (Topic Starter)

Posted 19 September 2010 - 08:41 PM

I did run GooRedFix...it didn't find anything, and since then I've completely deleted and recreated my Firefox profile.

I've had issues with GMER (forgot to mention it in the original post) and since I am running 64 bit, I went straight for OTL.exe. When I downloaded it, Prevx popped up an alert on that file. Silly question, but we're sure that file is safe?

It's scanning right now.

Thanks.

Edited by theJenix, 19 September 2010 - 08:44 PM.


#4 theJenix (Topic Starter)

Posted 19 September 2010 - 08:57 PM

Prevx didn't find anything, and none of my other malware detectors picked up on it so I went ahead and ran OTL.exe. Will post the logs when done.

Thanks

#5 boopme

Posted 19 September 2010 - 09:00 PM

You're welcome, yep all tools here are safe.

#6 theJenix (Topic Starter)

Posted 19 September 2010 - 09:53 PM

OTL finished...here are the log files.

Thanks for your help

---------------------
Log Removed~~boopme

Edited by boopme, 20 September 2010 - 11:03 AM.


#7 theJenix (Topic Starter)

Posted 19 September 2010 - 10:02 PM

Sorry...this edit was to remove the DDS log. I'll go post it in the proper forum.

Edited by theJenix, 19 September 2010 - 10:03 PM.


#8 boopme

Posted 20 September 2010 - 11:01 AM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Edited by boopme, 20 September 2010 - 11:02 AM.
