
Google Redirect Virus 06-05-2011


  • This topic is locked
12 replies to this topic

#1 holyzephyr (Members, 19 posts)

Posted 05 June 2011 - 09:45 PM

Okay, so I am new to this forum and honestly only joined to see if I can't get a little help with a problem I am currently facing with the Google Redirect virus. I have tried Malwarebytes as well as the tool from Kaspersky Labs. Kaspersky's tool seemed to work until I rebooted the computer, at which point the file was back and my outgoing data was being redirected again.

It all seems to be redirected to 193.105.154.217 or 193.105.154.207 or 193.105.154.210. I don't know if this is helpful, but it's what I've got at this point.

I've done a full, flash, and quick scan with Malwarebytes to no avail. Normally I scan about once a week and find minimal errors, but this seems to have just cropped up recently and I would like some assistance or guidance in removing it.

-Thank you for being patient
Zephyr

-edit-
I remembered I checked the Host settings and it was only my home IP there, no additional IP addresses like some other sites were requesting be removed to assist in destroying this horrible virus.

Also, thanks for the move; I had no idea where to post my query.

Edited by holyzephyr, 05 June 2011 - 11:38 PM.
Moved from XP ~Budapest




#2 cryptodan (Bleepin Madman; Members, 21,868 posts; Catonsville, Md)

Posted 07 June 2011 - 11:28 PM

Can you post the logs for the scans you have done?

#3 Orange Blossom (OBleepin Investigator; Moderator, 36,851 posts; Bloomington, IN)

Posted 08 June 2011 - 12:14 AM

Hello,

I have removed the HijackThis log, as such logs are not analyzed in this forum. Please post the MBAM log that was created when you ran it and the log from the "kasperskys tool".

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 holyzephyr (Topic Starter; Members, 19 posts)

Posted 08 June 2011 - 11:25 AM

Kaspersky's tool is called TDSSKiller and this is all it ever finds:

Rootkit.win32.zaccess.c

service name: i8042prt
service type: kernel driver (0x1)
service start: system (0x1)
file : C:\WINDOWS\system32\DRIVERS\i8043prt.sys
MD5: 4812e0147bd1f8e0be9de35292f93b66

It doesn't produce a log, but asks me to "cure" the file and reboot the computer, after which I scan again and the file is still there.

As for Malwarebytes, I just did another scan with it and the only thing it picked up this time was the file supposedly removed by Kaspersky. Here is the quick scan log; I'm going to go do a full scan while I wait for a reply.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6805

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/8/2011 12:22:58 PM
mbam-log-2011-06-08 (12-22-57).txt

Scan type: Quick scan
Objects scanned: 157025
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\i8042prt.sys (Backdoor.ZAccess) -> Quarantined and deleted successfully.



Also, thank you Orange Blossom, I did not know that.

Edited by holyzephyr, 08 June 2011 - 11:26 AM.


#5 logicslayer (Members, 6 posts; Clearwater, Florida)

Posted 08 June 2011 - 11:57 AM

The log file produced by TDSSKiller is usually located in the root of your C:\ drive. I don't have the specific name of it but the filename will contain TDSSKiller.

Also, how many times have you run TDSSKiller? I have had some instances where I had to run it 3 or 4 times before it would finally remove the threat.

Edited by logicslayer, 08 June 2011 - 11:58 AM.


#6 holyzephyr (Topic Starter; Members, 19 posts)

Posted 08 June 2011 - 12:06 PM

Either way, Malwarebytes found and removed the same file TDSSKiller found, so at least that one is gone.

I'm still waiting on the full scan to finish. It usually takes about 30-50 minutes for my computer. That's normal, right?

#7 holyzephyr (Topic Starter; Members, 19 posts)

Posted 08 June 2011 - 12:30 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6805

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/8/2011 1:27:40 PM
mbam-log-2011-06-08 (13-27-15).txt

Scan type: Full scan (C:\|)
Objects scanned: 238339
Time elapsed: 53 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\i8042prt.sys (Backdoor.ZAccess) -> No action taken.
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Backdoor.ZAccess) -> No action taken.

This is the result of the full scan. I made the mistake of saving the log before removing the infected files, but I did remove them.
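Added example, not code from this thread or from Malwarebytes: a small Python parser for the MBAM 1.51 text-log layout quoted above. It reads the summary counts and the per-section detection lines, flags items recorded as "No action taken" (a log saved before removal, as in the post above), and checks that the summary counts agree with the items actually listed. The sample log is constructed in that layout from lines shown in this thread.

```python
import re
# Constructed sample in the Malwarebytes 1.51 text-log layout quoted in this thread
SAMPLE_LOG = r"""Database version: 6805
Scan type: Full scan (C:\|)
Objects scanned: 238339

Registry Keys Infected: 0
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\i8042prt.sys (Backdoor.ZAccess) -> No action taken.
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Backdoor.ZAccess) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary dict, list of item dicts with section/path/name/action/pending)."""
    summary, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Infected:"):            # start of a detail section
            section = line[:-1]
        elif section is None:
            m = HEADER_RE.match(line)              # e.g. "Files Infected: 2"
            if m:
                summary[m.group(1)] = m.group(2)
        elif line and not line.startswith("("):   # skip "(No malicious items detected)"
            m = ITEM_RE.match(line)
            if m:
                item = dict(section=section, **m.groupdict())
                # MBAM writes "No action taken" when the log is saved before removal
                item["pending"] = item["action"].lower().startswith("no action taken")
                items.append(item)
    return summary, items


def pending_items(items):
    """Detections that were logged but not quarantined or deleted."""
    return [d for d in items if d["pending"]]


def counts_match(summary, items):
    """True if every 'X Infected: n' summary count equals the items listed under X."""
    return all(int(v) == sum(d["section"] == k for d in items)
               for k, v in summary.items() if k.endswith("Infected") and v.isdigit())
```

Run it over a saved mbam-log-*.txt to list anything still pending before re-scanning.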

#8 logicslayer (Members, 6 posts; Clearwater, Florida)

Posted 08 June 2011 - 01:41 PM

Yes, that is an average scan time. So did the latest scan come up clean? Also I would suggest installing Service Pack 3 for Windows XP.

#9 holyzephyr (Topic Starter; Members, 19 posts)

Posted 08 June 2011 - 01:50 PM

I don't mean to undermine your help, logicslayer, but am I not supposed to wait for an approved helper or an admin to help me with this?

#10 logicslayer (Members, 6 posts; Clearwater, Florida)

Posted 08 June 2011 - 01:58 PM

If that's the case, then my apologies. I just saw someone who needed help and it was with something I deal with on a daily basis. I'll hold off on that until I read the forum rules then.

#11 cryptodan (Bleepin Madman; Members, 21,868 posts; Catonsville, Md)

Posted 08 June 2011 - 02:07 PM

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#12 holyzephyr (Topic Starter; Members, 19 posts)

Posted 08 June 2011 - 05:26 PM

http://www.bleepingcomputer.com/forums/topic402625.html

#13 Animal (Bleepin' Animinion; Site Admin, 34,747 posts; Where You Least Expect Me To Be)

Posted 08 June 2011 - 10:32 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

