Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect virus


  • Please log in to reply
22 replies to this topic

#1 VicVegas

VicVegas

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 18 January 2011 - 02:07 PM

OK. So I've got a google redirect on here. I have gotten redirects in the past, but it stopped so I hadn't bothered with it. Computer was still acting normaly up until about a minute ago, where I was redirected to a couple of sites telling me that the place I was headed for was hacked, which is impossible since it was the Mcafee siteadvisor site. Then out of curiosity I tried going to Avast (which in retrospect was stupid) and got redirected to internetsecurity2011 (Fingers crossed it hasn't f***ed me up already). Also I noticed a divx tool in the corner that wasn't there before, which disappeared as soon as I started an Mbam scan. That makes me wonder. Have viruses gotten clever enough to deactivate when scanners are running?

...Actually it's behaving normally again now, it's like it has short bursts. Is there a reason Antivirus scans are so pathetic at picking these things up? They seem so damn common.

I'll go over some more details. So yeah I did something I shouldn't have once, I'm not proud of it, at least I had the excuse of being tired. Anyway, the 'file' is still on my computer, it wont let me delete or move it even in safe mode, and whenever I go near the 'file' it slows the computer down. The computer will also stick in running %50 CPU for a couple of hours whenever it goes over it. Then there's the occasional search redirect. Seems to run fine otherwise, I can play games and stuff without freezing.

And here's hopes that it isn't a worm (probably is) since I have three other computers constantly on this network and it's impossible to keep track of people and their USB drives. Whoop dee doo!

You're guide on using Combo fix says "You should not run ComboFix unless you are specifically asked to by a helper." so I decided not to use it. And since Mbam logs are really long, I'll wait until someone is actually watching this thread before posting it.

A quick response would be nice too, since you know, nobody responded AT ALL the last time I needed help. I will wait a max of 2 days before trying someplace else.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:13 PM

Posted 18 January 2011 - 03:06 PM

hello,sorry about your last experiance. Only so much time in a day ...

Yes malware now can shut everything down,such joy !! So let's do this next.

Post your MBAM log please.


Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 18 January 2011 - 05:24 PM

Post your MBAM log please.

Done, but zilch showed up.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5547

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/18/2011 1:22:14 PM
mbam-log-2011-01-18 (13-22-14).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 281099
Time elapsed: 1 hour(s), 21 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

I don't really feel comfortable with this... What does it do anyway?

That fake anti virus site doesn't seem to have done anything yet. Also that divx tool was completely unrelated, as I discovered it was running because I had a certain file type of video in media player at the time. Don't know why, just a subbed episode of Transformers: Headmasters. :huh:

Another thing I forgot to mention is that I already have Super Anti Spyware on my computer, and it's been taking forever (about 30-50 minutes) whenever I try to update.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:13 PM

Posted 18 January 2011 - 07:55 PM

I'll try to be as brief as possible but at the same time, hope you will understand as it can get complicated.

Fixexe.reg is a Registry File that fixes .exe file association that has be broken, which is usually caused by malware. When .exe file associations are broken, any associated .exe applications cannot be executed, and you will get one of those warnings/errors saying "What do you want to use to Open this file" since Windows can not recognize the file.

Hope that helps.


It does appear that there is something on here as you malware tools are struggling,
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 19 January 2011 - 09:17 PM

I'll try to be as brief as possible but at the same time, hope you will understand as it can get complicated.

Fixexe.reg is a Registry File that fixes .exe file association that has be broken, which is usually caused by malware. When .exe file associations are broken, any associated .exe applications cannot be executed, and you will get one of those warnings/errors saying "What do you want to use to Open this file" since Windows can not recognize the file.

Hope that helps.


It does appear that there is something on here as you malware tools are struggling,

They all seem to run fine, SAS just takes a while to update. I did exaggerate a little though. Tried again this morning to update and it seemed to be more like 15 minutes, though it kinda slowed the computer down. It could be because I defragged a while back. This computer is old, and I've been considering a reformat anyway.

I'll try to run Rkill tomorrow afternoon if I get the chance. I'm sorry for getting aggravated earlier with my opening post, since the reality of it is that I don't have much time on my hands either. My mom's getting knee surgery soon so I have a lot to do around the house while she's staying off her leg.

Get back to you when I can. :(

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:13 PM

Posted 19 January 2011 - 10:00 PM

Ok, alls good with me. I am going to post an Online scan as it only installs a liitle bit to run and then removes itself it may work easier.

Please perform a scan with Eset Online Antiivirus Scanner.
This scan requires Internet Explorer to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 22 January 2011 - 03:04 AM

It says on their website that it works fine in Firefox. Did you want me to run this in safe mode?

#8 Jandrah

Jandrah

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:13 AM

Posted 22 January 2011 - 04:33 AM

I have fought this thing for months now. I've tried everything I can find that is supposed to help and still I get redirected. Any thing that will get rid of this will be appreciated more than words can express. Thanks for any help in advance.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:13 PM

Posted 22 January 2011 - 10:34 AM

Preferable to run in Normal mode ....Yes I see it will work in FF I need to change the speech thanks.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 23 January 2011 - 01:49 AM

A couple of things you mentioned aren't that accurate as I also had to click "Advanced Settings" to find "Scan potentially unwanted applications" and I only had to press one start button.

There's also a few check boxes you didn't mention like "scan for potentially unsafe applications" and "use custom proxy settings".

I'll stick to the ones you mentioned and post the Log a little bit later.

And sorry about the delay again. Looks like I'll only have the chance to check every other day for a good while. We went to the doctor yesterday and my mother had her surgery delayed. <_<

#11 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 23 January 2011 - 05:18 AM

Took over 2 hours to complete. Apparently it hates compressed files.

And here's the log. Got 8 things and needs to reboot, but I'll wait for your say first.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=eedb75047b79844e95a9d2dd3615ab19
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-23 08:58:58
# local_time=2011-01-23 02:58:58 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=138562
# found=8
# cleaned=8
# scan_time=7697
C:\Documents and Settings\Jon Davis\Application Data\Sun\Java\Deployment\cache\6.0\11\5b56d04b-3681cc42 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jon Davis\Application Data\Sun\Java\Deployment\cache\6.0\61\18364cfd-18efa788 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jon Davis\Local Settings\Application Data\{6D05514A-A6DB-47FA-BD5E-31BAF6635DFB}\chrome\content\overlay.xul JS/Gord.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\utukufevor.dll a variant of Win32/Cimag.BG trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\smart.dll.tmp a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8C7AI4PK\f10[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QJPQGKOS\f11[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QJPQGKOS\ff11[1].dll a variant of Win32/PSW.WOW.NDJ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

This is what you wanted me to post right?

Jeez, makes me feel like an idiot for renewing my AVG licenses. "Content.IE5"? How old are some of these things?! :blink:

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:13 PM

Posted 23 January 2011 - 02:17 PM

The IE5 is just a throw back to The Temprary Internet files.. It's a long explanation but it's a type of caching system started then and it is just still used.
Well when your done with AVG ask me again and I'll tell you tou use Avira.

Yes do Reboot. I always reboot even if not told to do so after removing malware or in and Un installing programs,it completes the PC cycle.

Win32/PSW.WOW.NDJ trojan is designed to steal user passwords to accounts on WoW servers. Chankge these passwords after checking here and deleting these if stiil there.
%System32%\KB896425.log
c:\nxldr.dat
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System32 (Windows XP).

How are the redirects now?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 23 January 2011 - 07:29 PM

The IE5 is just a throw back to The Temprary Internet files.. It's a long explanation but it's a type of caching system started then and it is just still used.
Well when your done with AVG ask me again and I'll tell you tou use Avira.

Yes do Reboot. I always reboot even if not told to do so after removing malware or in and Un installing programs,it completes the PC cycle.

Win32/PSW.WOW.NDJ trojan is designed to steal user passwords to accounts on WoW servers. Chankge these passwords after checking here and deleting these if stiil there.
%System32%\KB896425.log
c:\nxldr.dat
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System32 (Windows XP).

How are the redirects now?

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

LoL, I don't even play WoW. Perfectly harmless to me... I guess.

As for the redirects, I have no clue how I would know since they happen anywhere from weeks to months in between. :mellow:

That one 'file' is still there though. Perhaps I could just quarantine it with Mbam?

I'll restart and then run Mbam a little bit later tonight. :thumbup2:

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:13 PM

Posted 23 January 2011 - 08:37 PM

Which file ? "divx"
Where is it now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#15 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:11:13 AM

Posted 23 January 2011 - 09:16 PM

Which file ? "divx"
Where is it now?

The divx thing was unrelated to the virus. I just wasn't paying enough attention to the format of the video playing.
The actual 'file' is something I downloaded a while back that slows down my computer whenever I go near it. It's just in a folder in drive D.

Also something must have been left behind because I got this after I restarted.
Posted Image

Edit:
No results from the Mbam scan or Super Anti Spyware. Just some cookies. What now?

Edited by VicVegas, 24 January 2011 - 04:19 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users