Google Redirect Virus


  • This topic is locked
86 replies to this topic

#1 Dangerouslydefective
  • Members
  • 62 posts

Posted 06 June 2011 - 07:59 PM

Per the topic, I need help removing the Google Redirect Virus.

I am currently running Windows XP Home Edition and when the virus is active, all window appearances and start menu look 'old school', like Windows 95. I've also noticed that a new svchost.exe will continue to open and, if left to run, can take upwards of 200,000 K of memory usage per the Task Manager.

I have tried Malware Bytes, unhackMe and HitMan Pro as suggested in other threads, but none of these programs have fixed the problem. Both unhackMe and HitMan Pro detected TDL3 (alias Alureon) rootkit, but neither were able to remove it. I have also tried Kaspersky Labs' TDSSKiller as recommended by this site and it did not detect the virus.

After all this, I feel that I have affected the virus, but still have not eliminated it. Do I have a bigger problem on my hands?

Any help would be appreciated. Thank you!

Edited by hamluis, 19 June 2011 - 06:51 PM.
Moved from AII to MRL at MRT request.



#2 Dangerouslydefective
  • Topic Starter
  • Members
  • 62 posts

Posted 10 June 2011 - 04:50 PM

Since I posted the previous symptoms, I have also noticed that I cannot play sounds on internet videos. Not sure if this is a part of the original issue, or something else entirely.

Thanks in advance.

#3 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,176 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 June 2011 - 07:41 PM

Hello. Please do these and post the logs.

>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).




Run an Online scan
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Dangerouslydefective
  • Topic Starter
  • Members
  • 62 posts

Posted 11 June 2011 - 03:26 PM

Thanks for the help. ESET found quite a few infections, and mbam found nothing more.

After a restart, it appears that the infection has cleared up.

Once again, thanks so much for your help. You may consider this issue solved.

Edited by Dangerouslydefective, 11 June 2011 - 04:51 PM.


#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,176 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 June 2011 - 07:13 PM

Excellent! If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#6 Dangerouslydefective
  • Topic Starter
  • Members
  • 62 posts

Posted 18 June 2011 - 01:48 PM

Thanks for the tips. Unfortunately, it seems as though they weren't quite good enough. After a restart, the infection came right back. I have followed the original steps posted below, and I am posting the logs, as requested.

I have noticed that most of my windows & task bar change from the typical XP smooth blue format to the Windows 95 gray blocky format. I also cannot create or restore from the System Restore utility, and whenever I try to activate my Windows Firewall, I receive this message: "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?". When I click 'Yes', I get "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.". Any insight will be appreciated.

Thanks again for your help!

GooredFix Log
GooredFix by jpshortstuff (03.07.10.1)
Log created at 12:18 on 19/07/2004 (Jim)
Firefox version 4.0.1 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [10:02 12/04/2011]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [18:47 12/07/2008]
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [09:51 11/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [15:19 09/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [23:41 16/06/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [00:52 17/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [12:01 04/11/2009]
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [09:47 02/04/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [09:51 28/04/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [17:20 28/08/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [10:07 27/10/2010]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [22:10 27/12/2010]

C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\37n5o6vm.default\extensions\
firefox@red-cog.com [23:47 10/10/2010]
{20a82645-c095-46ed-80e3-08825760534b} [23:47 10/10/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:35 20/05/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [09:51 11/03/2009]

-=E.O.F=-

ESET Online Scan Log
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0002628.dll probably a variant of Win32/HackTool.Inject.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0002629.exe a variant of Win32/Inject.NDT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0002630.dll probably a variant of Win32/HackTool.Inject.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0002631.exe a variant of Win32/Inject.NDT trojan cleaned by deleting - quarantined



MBAM Scan Log
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6836

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/19/2004 6:22:21 PM
mbam-log-2004-07-19 (18-22-21).txt

Scan type: Quick scan
Objects scanned: 189673
Time elapsed: 1 hour(s), 14 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
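The ESET log in this post illustrates boopme's earlier point about System Restore: every one of the four detections sits under `System Volume Information\_restore{...}\RP6\`, i.e. inside an old restore point rather than in the live file system, which is exactly the case where purging old restore points after cleaning matters. The following is an added example, not code from the thread, from ESET or from BleepingComputer: a small Python parser for ESET Online Scanner result lines that separates restore-point copies from detections outside System Restore. The sample log is constructed in the shape of the lines above; the `Temp\sample.tmp` path and the `Win32/Example` detection name are made up for contrast, and the list of ESET action phrases is an assumption limited to the wording seen on this page plus a few common variants.

```python
import re

# Constructed sample in the shape of the ESET Online Scanner lines posted above:
# the four restore-point detections from the thread plus one made-up "live"
# detection (the Temp path and the Win32/Example name are constructed).
SAMPLE_ESET_LOG = """\
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP6\\A0002628.dll probably a variant of Win32/HackTool.Inject.K application cleaned by deleting - quarantined
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP6\\A0002629.exe a variant of Win32/Inject.NDT trojan cleaned by deleting - quarantined
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP6\\A0002630.dll probably a variant of Win32/HackTool.Inject.K application cleaned by deleting - quarantined
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP6\\A0002631.exe a variant of Win32/Inject.NDT trojan cleaned by deleting - quarantined
C:\\Documents and Settings\\Jim\\Local Settings\\Temp\\sample.tmp a variant of Win32/Example trojan cleaned by deleting - quarantined
"""

# One ESET line is "<path> <verdict> <action>". The path is read up to its file
# extension; the action is one of the closing phrases (assumed list, based on the
# wording in the thread plus common variants).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w+)\s+"
    r"(?P<verdict>.+?)\s+"
    r"(?P<action>cleaned by deleting - quarantined|cleaned by deleting|cleaned|"
    r"quarantined|deleted|unable to clean)\s*$"
)

# A System Restore snapshot copy lives under _restore{GUID}\RPnn\ on the system volume.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


def parse_eset_log(text):
    """Return one dict per detection line: path, verdict, action, restore_point (int or None)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        rp = RESTORE_POINT_RE.search(row["path"])
        row["restore_point"] = int(rp.group("rp")) if rp else None
        rows.append(row)
    return rows


def summarize(text):
    """Split detections into restore-point copies (keyed by RP number) and everything else."""
    rows = parse_eset_log(text)
    in_restore = {}
    live = []
    for row in rows:
        if row["restore_point"] is None:
            live.append(row["path"])
        else:
            in_restore.setdefault(row["restore_point"], []).append(row["path"])
    return {"total": len(rows), "restore_points": in_restore, "live": live}


if __name__ == "__main__":
    s = summarize(SAMPLE_ESET_LOG)
    print(f"{s['total']} detections")
    for rp, paths in sorted(s["restore_points"].items()):
        # Copies inside an old restore point come back if that point is ever used,
        # which is why a fresh restore point plus Disk Cleanup is advised after cleaning.
        print(f"  restore point RP{rp}: {len(paths)} file(s)")
    for p in s["live"]:
        print(f"  outside System Restore: {p}")
```

Run on a real ESET log, the `restore_points` bucket tells you which snapshots still held infected copies; the `live` bucket is what actually touched the running system and deserves a closer look.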

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,176 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 June 2011 - 03:04 PM

OK, let's update and re-run MBAM and TDSS.
Are you on a router and the only machine on it?

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.4.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#8 SweetTech
    Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 18 June 2011 - 03:09 PM

@Dangerouslydefective,

After you've had a chance to perform the instructions in boopme's post here: http://www.bleepingcomputer.com/forums/topic402238.html/page__view__findpost__p__2297911

I'd like for you to do the following:


Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,176 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 June 2011 - 03:19 PM

Thanks SweetTech

#10 Dangerouslydefective
  • Topic Starter
  • Members
  • 62 posts

Posted 18 June 2011 - 09:40 PM

Yes, I have a router, and no, it isn't the only computer using that router. I have a netbook which actively uses it, as well as an iPod touch, Wii, DSLite, etc. that are set up on the router.

Also, I have repeatedly used TDSSKiller, but it has never found any infections. No exceptions now; no files found.

RKUnhookerLE continually dies on me (tried 3 times), so I can't post a log. However, I can see from Windows Task Manager that it had an impact. When I launched Windows, explorer.exe took over 20k of memory, and only takes 3k after RKUnHooker. Also, I noticed that a svchost.exe would open, and would increase memory usage the longer it stayed open. When I force-close the file (both end process and end process tree), it will pop up seconds later. After RKUnhookerLE, it no longer pops up.


Thanks to both of you for your help. As requested, below is the MBAM log:

MBAM Log
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6891

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/17/2004 3:17:40 AM
mbam-log-2004-07-17 (03-17-40).txt

Scan type: Quick scan
Objects scanned: 190667
Time elapsed: 1 hour(s), 15 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 SweetTech
    Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 19 June 2011 - 07:57 AM

hmm.. Okay. Please try this tool instead:


Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.



#12 Dangerouslydefective
  • Topic Starter
  • Members
  • 62 posts

Posted 19 June 2011 - 01:33 PM

I scanned with GMER with no issues, and the log is attached below. I haven't removed anything for fear of removing something important...

@boopme - You asked about my router. Did you see any issues with that? I'm not 100% sure I set it up as well as I could have. Any advice along those lines will be greatly appreciated.

Thanks again!

GMER Log
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2004-07-17 20:11:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.0.1.
Running: gmer.exe; Driver: C:\DOCUME~1\Jim\LOCALS~1\Temp\fxtdypoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\BlackBox.SYS ZwSystemDebugControl [0xAE9876FE]
Code \SystemRoot\System32\Drivers\BlackBox.SYS ExAllocatePool
Code \SystemRoot\System32\Drivers\BlackBox.SYS ExAllocatePoolWithTag
Code \SystemRoot\System32\Drivers\BlackBox.SYS KeDelayExecutionThread

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeDelayExecutionThread 804E14F6 5 Bytes JMP AE98753B \SystemRoot\System32\Drivers\BlackBox.SYS
.text ntoskrnl.exe!ExAllocatePool 8050D57A 5 Bytes JMP AE9874DC \SystemRoot\System32\Drivers\BlackBox.SYS
PAGE ntoskrnl.exe!ZwSystemDebugControl 80651A75 5 Bytes JMP AE987702 \SystemRoot\System32\Drivers\BlackBox.SYS
init C:\WINDOWS\System32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7AE7760]
.text win32k.sys!EngSetLastError + 411 BF81CD2D 5 Bytes JMP AE987656 \SystemRoot\System32\Drivers\BlackBox.SYS
.text win32k.sys!FONTOBJ_pxoGetXform + 9326 BF84ECA6 5 Bytes JMP AE987695 \SystemRoot\System32\Drivers\BlackBox.SYS
.text win32k.sys!XLATEOBJ_iXlate + 1073 BF864BDB 5 Bytes JMP AE987618 \SystemRoot\System32\Drivers\BlackBox.SYS
? System32\Drivers\BlackBox.SYS The system cannot find the path specified. !

---- EOF - GMER 1.0.15 ----
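The "Kernel code sections" part of the GMER report above is the interesting piece for a defender: each line records a 5-byte JMP written over the first bytes of a kernel function (an inline hook), the address it jumps to, and the driver that owns that address, and the final "cannot find the path specified" line says that the owning driver's file could not be found on disk. The following is an added example, not code from the thread, from GMER or from BleepingComputer: a Python parser that pulls those hook lines out of a GMER 1.0.15 report, groups them by owning driver, and marks an owner whose file GMER could not locate. The sample report is constructed from the line shapes in the thread. As SweetTech notes, hooks by themselves are not proof of anything (security products and sandbox drivers hook kernel functions too), so the script only summarises; it does not judge.

```python
import re

# Constructed sample in the shape of the GMER 1.0.15 report posted above.
# The "Code ..." line from the System section is included to show that the
# parser only picks up inline-hook lines, not every line naming a driver.
SAMPLE_GMER_LOG = """\
---- System - GMER 1.0.15 ----

Code \\SystemRoot\\System32\\Drivers\\BlackBox.SYS ZwSystemDebugControl [0xAE9876FE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeDelayExecutionThread 804E14F6 5 Bytes JMP AE98753B \\SystemRoot\\System32\\Drivers\\BlackBox.SYS
.text ntoskrnl.exe!ExAllocatePool 8050D57A 5 Bytes JMP AE9874DC \\SystemRoot\\System32\\Drivers\\BlackBox.SYS
PAGE ntoskrnl.exe!ZwSystemDebugControl 80651A75 5 Bytes JMP AE987702 \\SystemRoot\\System32\\Drivers\\BlackBox.SYS
init C:\\WINDOWS\\System32\\DRIVERS\\mohfilt.sys entry point in "init" section [0xF7AE7760]
.text win32k.sys!EngSetLastError + 411 BF81CD2D 5 Bytes JMP AE987656 \\SystemRoot\\System32\\Drivers\\BlackBox.SYS
? System32\\Drivers\\BlackBox.SYS The system cannot find the path specified. !

---- EOF - GMER 1.0.15 ----
"""

# "<section> <module>!<symbol>[ + <offset>] <address> <n> Bytes JMP <target> <owner>"
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+"
    r"(?P<module>[^\s!]+)!(?P<symbol>\w+)"
    r"(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})\s+"
    r"(?P<owner>\S.*?)\s*$"
)

# "? <path> The system cannot find the path specified. !"
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the path specified\.")


def parse_hooks(report_text):
    """Return one dict per inline-hook line (section, module, symbol, offset, address, nbytes, target, owner)."""
    hooks = []
    for line in report_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def missing_paths(report_text):
    """Paths GMER reported as not findable on disk."""
    found = []
    for line in report_text.splitlines():
        m = MISSING_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(report_text):
    """Group hooks by owning driver and flag owners whose file GMER could not find."""
    owners = {}
    for h in parse_hooks(report_text):
        key = _basename(h["owner"])
        entry = owners.setdefault(key, {"owner": h["owner"], "hooks": [], "file_missing": False})
        entry["hooks"].append(f'{h["module"]}!{h["symbol"]}')
    for path in missing_paths(report_text):
        key = _basename(path)
        if key in owners:
            owners[key]["file_missing"] = True
    return owners


if __name__ == "__main__":
    for name, info in triage(SAMPLE_GMER_LOG).items():
        flag = " (file not found on disk)" if info["file_missing"] else ""
        print(f"{info['owner']}{flag}: {len(info['hooks'])} hook(s)")
        for sym in info["hooks"]:
            print(f"  {sym}")
```

The combination worth a second look in such a summary is an owner with several kernel hooks whose file GMER cannot find, because a driver that hides or has removed its own file is what the thread's rootkit tools are hunting for; a driver whose file is present and belongs to an installed security product is the usual false-positive case the post warns about.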

#13 SweetTech
    Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 19 June 2011 - 04:37 PM

@boopme - You asked about my router. Did you see any issues with that? I'm not 100% sure I set it up as well as I could have. Any advice along those lines will be greatly appreciated.

I believe boopme was asking because we typically see some infections that hijack routers, and change the settings, which has been known to cause all sorts of issues.

Are any other computers in the household experiencing issues with redirects or is it an isolated incident with this computer only?



#14 Dangerouslydefective
  • Topic Starter
  • Members
  • 62 posts

Posted 19 June 2011 - 06:13 PM

This computer is the only one experiencing problems with the redirect virus, but we did have an incident about 2 months ago. Our main computer got the 2011 Windows Security Virus, and not 3 days later, the netbook got the same thing. Fortunately, MBAM cleared that right up.

Is there anything I need to do with GMER? I ran the log, but never took action on anything it found.

#15 SweetTech
    Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 19 June 2011 - 06:17 PM

Nope, no further action needs to be taken with GMER. I'm going to request that this thread be moved to the Malware forum, so I can have you run more powerful tools.

I'd appreciate it if you could take the time to read the following guidelines below:


---

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I would be glad to take a look at your log and help you with solving any malware problems.

Please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

OTL Custom Scan

We need to create a new OTL Report
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Posted Image button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened


NEXT:



Please provide me with the contents of OTL.txt & Extras.txt in your next reply.

Edited by SweetTech, 19 June 2011 - 06:20 PM.
