Google Redirect Virus


5 replies to this topic

#1 elbabe

Posted 14 April 2011 - 11:55 PM

I have become infected with a Google redirect virus. I have succeeded in removing these infections before, but this one has me stumped. I am running Windows Vista SP1.

As I was being infected, I denied the registry changes that Spybot S&D asked me to confirm. User Account Control also asked me to give access. After denying it twice, I accidentally hit accept. I immediately shut down the computer, but it was too late. I appear to have a rootkit infection.

The virus redirects me to various spam websites from Google links. It also plays audio advertisements from Internet Explorer windows I cannot see, even in Task Manager. Either my hard shutdown or poor virus-writing work results in a number of JavaScript error messages showing up asking me if I want to continue to run a script.

I ran Spybot S&D and it found nothing. I ran Malwarebytes and found nothing in the quick scan. A full scan gave me a blue screen.
Figuring I had a rootkit, I downloaded ComboFix. When I attempted to run ComboFix in Safe Mode, the computer went to a blue screen. Eventually, I succeeded in running a renamed ComboFix in normal mode. However, it came up with nothing found. Attempting to run Panda failed, as it will not run in Safe Mode and bluescreens when I attempt to run it in normal mode, even after renaming it. F-Blacklight worked, but found nothing. TDSSKiller won't run at all, even when renamed (even in Safe Mode command prompt!). I can only conclude the virus is killing the process as soon as it starts.

Part of the problem is that if this virus had a fake antivirus or computer repair component, I never saw it, so I'm having difficulty identifying what it even is. My conclusions are that this is a rootkit, and that it intentionally bluescreens when I attempt to remove it. I am out of ideas, so any help would be appreciated. I have F-Blacklight and ComboFix logs if needed.

#2 elbabe (Topic Starter)

Posted 15 April 2011 - 12:10 AM

I should add a couple things:
I have attempted to follow the directions here, but I still cannot get TDSSKiller to function:
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
Examples of sites I am getting redirected to:
scour.com
shultsautogroup.com
forless.com

EDIT: In fact, most redirects seem to be taking place through shultsautogroup.com

EDIT2: I'm going to give an example of one of the IE script crash popups:
Window Name: Internet Explorer Script Error
Line: 14
Char:1
Error: Object doesn't support this property or method
Code:0
URL:http://[www]celebrity-gossip[.net]/dania-ramirez/dania-ramirez-wet-republic-swimsuit-sexy-416489?adv=miva
Do you want to continue running scripts on this page?

Edited by elbabe, 15 April 2011 - 12:23 AM.


#3 elbabe (Topic Starter)

Posted 15 April 2011 - 11:45 AM

Anyone?

#4 o0luigi0o

Posted 15 April 2011 - 12:07 PM

It's a new variant of Olmasco (TDSS), which is a rootkit. It does something to the registry and you can't install Malwarebytes or Spybot; it gives you an "access denied" at the end, during "Saving Uninstall information". However, you can run SUPERAntiSpyware; not sure if that will help.

Edited by o0luigi0o, 15 April 2011 - 12:16 PM.


#5 elbabe (Topic Starter)

Posted 15 April 2011 - 01:43 PM

Okay. I see that there is a newer version of TDSSKiller than what I may have been using. I will try that, and I will also try SUPERAntiSpyware.

#6 o0luigi0o

Posted 15 April 2011 - 01:54 PM

Ya, I doubt TDSSKiller will see this one; it just came out. Previously, it was named volsnap.sys. Now it's called 200C0D0.sys, which was detected by ESET's latest definitions.
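The reply above describes the rootkit's driver component first carrying the name of a legitimate Windows file (volsnap.sys) and then a random-looking one (200C0D0.sys). The script below is an added example, not code from this thread or from any of the tools it mentions (TDSSKiller, ComboFix, ESET): it compares an inventory of a drivers directory against a known-good baseline of SHA-256 hashes, flagging files whose contents changed, files that are not in the baseline, and names that look like random hex tokens. The baseline, the file contents and the directory listing are constructed for the demo, and the hex-name heuristic is an assumption of the example rather than a documented signature of this family.

```python
import hashlib
import re

# Heuristic: a bare hex token as a driver name (e.g. "200C0D0.sys") is unusual
# for vendor-shipped drivers. A match is a prompt to inspect the file, not
# proof of infection. This pattern is an assumption of the example.
RANDOM_NAME = re.compile(r"^[0-9a-f]{6,}\.sys$", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's contents as a hex string."""
    return hashlib.sha256(data).hexdigest()


def inventory(files: dict[str, bytes]) -> dict[str, str]:
    """Map each driver file name to the hash of its contents."""
    return {name: sha256_hex(data) for name, data in files.items()}


def compare_drivers(baseline: dict[str, str],
                    current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (file name, reason) findings for every deviation from baseline.

    A legitimate driver whose hash changed (without a patch having been applied)
    and a newly appeared file with a random-looking name are the two cases the
    thread above describes; a file missing from the directory is reported too.
    """
    findings: list[tuple[str, str]] = []
    for name, digest in sorted(current.items()):
        if name not in baseline:
            findings.append((name, "not in baseline"))
            if RANDOM_NAME.match(name):
                findings.append((name, "random-looking name"))
        elif baseline[name] != digest:
            findings.append((name, "contents changed since baseline"))
    for name in sorted(baseline):
        if name not in current:
            findings.append((name, "missing from current directory"))
    return findings


# Constructed sample data standing in for a drivers directory snapshot taken
# while the machine was known to be clean, and a second snapshot taken now.
# The byte strings are placeholders, not real driver contents.
BASELINE_FILES = {
    "volsnap.sys": b"constructed: clean volsnap driver image",
    "ntfs.sys": b"constructed: clean ntfs driver image",
    "disk.sys": b"constructed: clean disk driver image",
}
CURRENT_FILES = {
    "volsnap.sys": b"constructed: volsnap image with modified contents",
    "ntfs.sys": b"constructed: clean ntfs driver image",
    "disk.sys": b"constructed: clean disk driver image",
    "200C0D0.sys": b"constructed: unknown driver dropped into the directory",
}


def demo() -> list[tuple[str, str]]:
    """Run the comparison over the constructed snapshots."""
    return compare_drivers(inventory(BASELINE_FILES), inventory(CURRENT_FILES))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Take both snapshots from a system booted from clean media (a rescue disc or a mounted offline disk), not from the infected system's own view of the directory: a kernel-mode rootkit can filter what the running system reports, which is consistent with the scanners in this thread finding nothing or crashing.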



