
Google Redirect Virus


  • This topic is locked
6 replies to this topic

#1 chapmania

chapmania

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:52 PM

Posted 13 December 2010 - 04:06 PM

Hi There

A few weeks ago my laptop (Windows XP Pro) had the Google Redirect Virus.
I used TDSSKILLER which found some rootkits and deleted them. The Redirect issue thankfully went away.
However, I keep getting problems with missing files on start up and the laptop is basically crawling in speed ever since. To make matters worse, the Google redirect is back and it's also affected my Windows 7 desktop computer and my mother's Windows XP (home version) laptop!

I've carried out research and understand that the router could have been compromised and could be the source of the current spate of Google redirects.
As of yet I've not tried to do a factory reset as it's a bit daunting and to be honest, my laptop is the big concern.

To describe the problem.
I visit google.com, type in a search query, results page loads, when I click a link from the results page, a new tab opens (never used to open a new tab). In this tab it will load random websites offering games consoles, adult material and sometimes rogue search results. If I press the back button in Firefox, it will load the correct website of which I selected from the Google results. Sometimes a bad website doesn't load and the intended website from the search result eventually loads (although still in a new tab).

I would be hugely grateful if someone can help me with my problems.
I am attaching my DDS logs with my post along with one from OTL.

As a side note, I must tell you that I have been unable to get GMER to run properly, it usually hangs after a few minutes of scanning and crashes my whole system. I then find the laptop won't reboot normally and I have to load up in safe mode, and then restart in normal mode.

I look forward to any assistance that any of you knowledgeable people can offer.

Thanks
Peter



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:52 AM

Posted 19 December 2010 - 05:59 PM

Hello chapmania,


Sorry for the delay. :( If you still need help, please post a new DDS/HijackThis log and I'll be happy to look at it. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 chapmania


Posted 19 December 2010 - 06:52 PM

Hi, thank you for the reply.

I have managed to sort out the redirect issue, it was the router causing the issue. I changed the default admin username and password, and set some DNS setting (or something like that) to be dynamically assigned and all is now well. So the desktop PC and my mother's laptop are now fine.

The issue now is my much troubled personal laptop running Windows XP Pro. It is taking a good 10 minutes to boot up and populate the desktop etc. There appear to be so many more running processes than there used to be. I don't have a clue what's happened. I have 1 gig of RAM and 32gb of space free on my 100gig HDD. It was fine pre-redirect virus.

Attached are some fresh logs for you.

Thank you
Peter.

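Added example, not part of the original thread: when a router's DNS setting has been changed as described in the post above and the router hands that setting out over DHCP, each client shows the unexpected resolver in `ipconfig /all`. The Python below parses a constructed XP-style excerpt and lists DNS servers that are neither the default gateway nor on a caller-supplied trusted list; the function names, the sample addresses and that allow-list rule are assumptions.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt; 203.0.113.0/24 is a documentation range.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.1
"""

FIELD = re.compile(r"^\s+([A-Za-z][^.:]*?)[ .]+:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field: [values]}} from ipconfig /all text."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
            last = None
        elif current is not None and (m := FIELD.match(line)):
            last = m.group(1).strip()
            current[last] = [m.group(2)] if m.group(2) else []
        elif current is not None and last and line.strip():
            current[last].append(line.strip())  # continuation, e.g. 2nd DNS
    return adapters

def _ips(values):
    """Yield parsed addresses, skipping anything that is not an IP."""
    for value in values:
        try:
            yield ipaddress.ip_address(value.split("%")[0])
        except ValueError:
            continue

def unexpected_dns(text, trusted=()):
    """List (adapter, server) pairs whose DNS is not the gateway or trusted."""
    allowed = set(_ips(trusted))
    findings = []
    for name, fields in parse_adapters(text).items():
        ok = allowed | set(_ips(fields.get("Default Gateway", [])))
        for server in _ips(fields.get("DNS Servers", [])):
            if server not in ok:
                findings.append((name, str(server)))
    return findings
```

A router that still advertises its own address as the DNS server but forwards queries to a changed upstream will pass this check, so the router's own DNS setting still has to be inspected directly.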



#4 teacup61


Posted 19 December 2010 - 07:09 PM

Hi Peter,

Open HijackThis and choose Do a system scan only. Place a check against each of the following, making sure you get them all and not any others by mistake:


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: CCC.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: CCC.lnk = ? (User 'Default user')
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe



Click on Fix Checked when finished and exit HijackThis. Restart your computer and see if it's any faster. :)

You don't really have a lot of processes running. I've seen more, and worse. :wink:

Let me know how you come out.

Thanks,
tea
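Added example, not part of teacup61's post or of HijackThis itself: a small Python parser for the O2/O4 line shapes in the fix list above, so the same review can be done over a whole log. It marks entries for which the log shows no target file (`(no file)` or `?`); the function names and the `orphaned` flag are assumptions made for this example.

```python
import re

# Lines copied from the fix list in the post above (a subset).
SAMPLE = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: CCC.lnk = ? (User 'SYSTEM')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
"""

USER = re.compile(r"\s+\(User '([^']*)'\)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN = re.compile(r"^(HK\w+)\\(?:([^\\]+)\\)?\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
LNK = re.compile(r"^(.*?)\s?Startup: (.+?) = (.*)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

def image_path(command):
    """Executable path without arguments; None when no file is shown."""
    m = EXE.match(command)
    return (m.group(1) or m.group(2)) if m else None

def parse_line(line):
    """Parse one O2/O4 line into a dict, or return None if unrecognised."""
    head = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not head:
        return None
    section, body = head.groups()
    user = USER.search(body)
    if user:                      # trailing "(User 'SYSTEM')" annotation
        body = body[:user.start()]
    entry = {"section": section, "user": user.group(1) if user else None}
    if section == "O2" and (m := BHO.match(body)):
        entry.update(kind="bho", name=m.group(2), where="BHO", command=m.group(3))
    elif section == "O4" and (m := RUN.match(body)):
        hive = "\\".join(p for p in (m.group(1), m.group(2)) if p)
        entry.update(kind="run", name=m.group(4), where=hive, command=m.group(5))
    elif section == "O4" and (m := LNK.match(body)):
        entry.update(kind="startup", name=m.group(2),
                     where=m.group(1) or "current user", command=m.group(3))
    else:
        return None
    entry["image"] = image_path(entry["command"])
    # "(no file)" and "?" are what the log shows when no target file is listed.
    entry["orphaned"] = entry["image"] is None
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]
```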

#5 chapmania


Posted 19 December 2010 - 09:15 PM

Hi

I removed the 13 items via HijackThis, sadly the system is still majorly slow. I detect no difference in performance.
At the moment I'm thinking that my laptop would make a great doorstop!

#6 teacup61


Posted 19 December 2010 - 09:21 PM

Okay....not time to throw it out yet. :thumbup2:

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Close all open browsers before using, especially Firefox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

You have a ton of services running.....you might try taking it offline and turning off all the non-Microsoft services. Reboot and see if it's faster. It may be that one or more of those services is not playing well with the others and slowing you down.

tea

#7 teacup61


Posted 27 December 2010 - 12:06 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



