
friggin redirect virus

7 replies to this topic

#1 kuki217
  • Members
  • 6 posts
  • Local time: 11:04 PM

Posted 24 July 2011 - 10:46 PM

Hello, I have been trying to rid myself of the Google redirect virus for a while now. I have scoured the web for answers but have found no solutions and don't know what else to do. I have used Malwarebytes, CCleaner, and I've tried running TDSSKiller (which won't run; I even renamed it). I also have done a system restore with no results, as well as a Mozilla redirection prevention tool. Please help me kill this virus. I will be on tomorrow after, so I will work with whoever can help me. Thanks in advance.


#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender: Male
  • Location: Daly City, CA
  • Local time: 09:04 PM

Posted 24 July 2011 - 11:00 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.


#3 kuki217 (Topic Starter)
  • Members
  • 6 posts
  • Local time: 11:04 PM

Posted 25 July 2011 - 07:17 PM

Hello, I'm sorry it took me so long to return here. Here is the log for the Security Check.

Results of screen317's Security Check version 0.99.7
Windows XP
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 19
Out of date Java installed!
Adobe Flash Player 10.1.102.64
Adobe Reader 9.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.18)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#4 kuki217 (Topic Starter)
  • Members
  • 6 posts
  • Local time: 11:04 PM

Posted 25 July 2011 - 07:21 PM

Here is the log for MiniToolBox.

MiniToolBox by Farbar
Ran by Shawn (administrator) on 24-07-2011 at 20:19:56
Microsoft Windows XP (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp

# Interface IP Configuration for "Local Area Connection 3"

set address name="Local Area Connection 3" source=dhcp
set dns name="Local Area Connection 3" source=dhcp register=PRIMARY
set wins name="Local Area Connection 3" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : shawn-2qw5jui6b

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection 2:



Connection-specific DNS Suffix . : gateway.2wire.net

Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

Physical Address. . . . . . . . . : 00-40-05-80-89-30

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.67

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.254

DHCP Server . . . . . . . . . . . : 192.168.1.254

DNS Servers . . . . . . . . . . . : 192.168.1.254

Lease Obtained. . . . . . . . . . : Sunday, July 24, 2011 11:36:00 AM

Lease Expires . . . . . . . . . . : Monday, July 25, 2011 11:36:00 AM



Ethernet adapter Local Area Connection 3:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter

Physical Address. . . . . . . . . : 00-00-00-00-00-00

Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.225.52, 74.125.225.48, 74.125.225.51, 74.125.225.49
74.125.225.50



Pinging google.com [74.125.225.80] with 32 bytes of data:



Reply from 74.125.225.80: bytes=32 time=54ms TTL=53

Reply from 74.125.225.80: bytes=32 time=52ms TTL=53



Ping statistics for 74.125.225.80:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 52ms, Maximum = 54ms, Average = 53ms

Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=109ms TTL=55

Reply from 209.191.122.70: bytes=32 time=96ms TTL=55



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 96ms, Maximum = 109ms, Average = 102ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 05 80 89 30 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
0x3 ...00 00 00 00 00 00 ...... SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.67 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.67 192.168.1.67 20
192.168.1.67 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.67 192.168.1.67 20
224.0.0.0 240.0.0.0 192.168.1.67 192.168.1.67 20
255.255.255.255 255.255.255.255 192.168.1.67 192.168.1.67 1
255.255.255.255 255.255.255.255 192.168.1.67 3 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/23/2011 10:01:12 PM) (Source: Application Error) (User: )
Description: Faulting application jaucheck.exe, version 2.0.2.1, faulting module jaucheck.exe, version 2.0.2.1, fault address 0x0000c940.

Error: (07/21/2011 08:31:22 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/21/2011 06:55:10 PM) (Source: Perflib) (User: )
Description: The open procedure for service "WmiApRpl" in DLL "C:\WINDOWS\System32\wbem\wmiaprpl.dll" has taken longer than
the established wait time to complete. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/21/2011 06:54:57 PM) (Source: PerfNet) (User: )
Description: Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Error: (07/20/2011 08:04:13 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/20/2011 08:03:42 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/20/2011 07:50:21 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/20/2011 07:28:02 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/19/2011 08:56:44 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Error: (07/19/2011 08:44:10 PM) (Source: Perflib) (User: )
Description: The timeout waiting for the performance data collection function "PerfDisk"
in the "C:\WINDOWS\system32\perfdisk.dll" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.


System errors:
=============
Error: (07/23/2011 11:29:48 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 11:29:40 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 11:29:33 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 11:16:53 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 11:16:45 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 10:53:30 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 10:53:23 PM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 10:26:19 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 10:26:12 AM) (Source: 0) (User: )
Description: \Device\CdRom0

Error: (07/23/2011 10:26:04 AM) (Source: 0) (User: )
Description: \Device\CdRom0


Microsoft Office Sessions:
=========================
Error: (07/23/2011 10:01:12 PM) (Source: Application Error)(User: )
Description: jaucheck.exe2.0.2.1jaucheck.exe2.0.2.10000c940

Error: (07/21/2011 08:31:22 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll

Error: (07/21/2011 06:55:10 PM) (Source: Perflib)(User: )
Description: WmiApRplC:\WINDOWS\System32\wbem\wmiaprpl.dll

Error: (07/21/2011 06:54:57 PM) (Source: PerfNet)(User: )
Description:

Error: (07/20/2011 08:04:13 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll

Error: (07/20/2011 08:03:42 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll

Error: (07/20/2011 07:50:21 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll

Error: (07/20/2011 07:28:02 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll

Error: (07/19/2011 08:56:44 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll

Error: (07/19/2011 08:44:10 PM) (Source: Perflib)(User: )
Description: PerfDiskC:\WINDOWS\system32\perfdisk.dll


========================= Memory info: ===================================

Percentage of memory in use: 53%
Total physical RAM: 511.48 MB
Available physical RAM: 237.71 MB
Total Pagefile: 1250.65 MB
Available Pagefile: 1015.27 MB
Total Virtual: 2047.88 MB
Available Virtual: 2006.14 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:72.5 GB) (Free:8.95 GB) NTFS
3 Drive d: () (Fixed) (Total:72.5 GB) (Free:20.71 GB) NTFS

========================= Users: ========================================

User accounts for \\SHAWN-2QW5JUI6B

Administrator Guest HelpAssistant
Shawn SUPPORT_388945a0


== End of log ==
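The report above is the data a helper reads to rule out the common local causes of a browser redirect: an entry added to the hosts file, a proxy set in IE or Firefox, and a DNS server that is not the local gateway (here all three are clean: a single localhost entry, no proxy, DNS = 192.168.1.254). As an added example that is not part of this thread and not MiniToolBox's own code, the Python script below parses a MiniToolBox-style report and returns those findings. The section headers and the ipconfig layout follow the quoted report, and the two known-clean IE proxy lines are taken from it; the text MiniToolBox prints when a proxy is set, and the form of a Firefox proxy preference, are assumptions, and both sample reports are constructed (203.0.113.x is a documentation address range used as a placeholder).

```python
import ipaddress
import re

SECTION_RE = re.compile(r"^=+ (?P<name>.+?): =+$")
# "Subnet Mask . . . : 255.255.255.0" -> key "Subnet Mask", value "255.255.255.0"
IPCONFIG_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9\- ]*?)[ .]*:\s*(?P<val>.*)$")
IPV4_ONLY_RE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s*$")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
KNOWN_CLEAN_IE = {"Proxy is not enabled.", "No Proxy Server is set."}  # as printed in the thread


def split_sections(text):
    """Map each '===== Name: =====' header to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name")
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_proxy(ie_lines, ff_lines):
    """Surface IE proxy text beyond the known-clean lines and any Firefox proxy pref (assumed format)."""
    ie = [f"IE proxy: {t}" for t in map(str.strip, ie_lines) if t and t not in KNOWN_CLEAN_IE]
    ff = [f"Firefox proxy pref: {t}" for t in map(str.strip, ff_lines) if t]
    return ie + ff


def check_hosts(lines):
    """Flag hosts entries that pin anything other than loopback names to an address."""
    findings = []
    for fields in (line.split("#", 1)[0].split() for line in lines):
        odd = [n for n in fields[1:] if n.lower() not in LOOPBACK_NAMES]
        if odd:
            findings.append(f"hosts: {', '.join(odd)} pinned to {fields[0]}")
    return findings


def check_dns(lines):
    """Flag DNS servers outside the adapter's own subnet (a home LAN normally uses its gateway)."""
    adapters, cur, collecting = [], {"dns": []}, False
    for line in lines:
        if collecting and IPV4_ONLY_RE.match(line):  # extra servers are listed on their own lines
            cur["dns"].append(line.strip())
            continue
        if collecting and line.strip():
            collecting = False
        if not (m := IPCONFIG_RE.match(line)):
            continue
        key, val = m.group("key"), m.group("val").strip()
        if " adapter " in key and not val:  # e.g. "Ethernet adapter Local Area Connection 2:"
            cur = {"name": key, "dns": []}
            adapters.append(cur)
        elif key in ("IP Address", "IPv4 Address"):
            cur["ip"] = val
        elif key == "Subnet Mask":
            cur["mask"] = val
        elif key == "DNS Servers":
            cur["dns"].extend([val] if val else [])
            collecting = True
    findings = []
    for a in adapters:
        if "ip" in a and "mask" in a:
            net = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
            findings += [f"{a['name']}: DNS server {d} is outside {net}"
                         for d in a["dns"] if ipaddress.ip_address(d) not in net]
    return findings


def triage(report_text):
    """Return every finding from the four sections; empty for a clean report."""
    s = split_sections(report_text)
    return (check_proxy(s.get("IE Proxy Settings", []), s.get("FF Proxy Settings", []))
            + check_hosts(s.get("Hosts content", []))
            + check_dns(s.get("IP Configuration", [])))


# Constructed report showing hosts pinning, an enabled proxy and off-LAN DNS servers (placeholders).
SUSPECT_REPORT = """\
===== IE Proxy Settings: =====
Proxy is enabled.
Proxy Server: 127.0.0.1:8080
===== FF Proxy Settings: =====
user_pref("network.proxy.type", 1);
===== Hosts content: =====
127.0.0.1 localhost
203.0.113.9 www.google.com google.com
===== IP Configuration: =====
Ethernet adapter Local Area Connection 2:
IP Address. . . . . . . . . . . . : 192.168.1.67
Subnet Mask . . . . . . . . . . . : 255.255.255.0
DNS Servers . . . . . . . . . . . : 203.0.113.5
203.0.113.6
192.168.1.254
"""
```

Calling `triage(SUSPECT_REPORT)` returns six findings (two IE proxy lines, one Firefox preference, one hosts entry, two DNS servers outside 192.168.1.0/24; the gateway address on the last line is not flagged), while the clean report in this thread returns an empty list, which is the point at which a helper stops looking at the local network configuration and moves on to rootkit scanners.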

#5 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender: Male
  • Location: Daly City, CA
  • Local time: 09:04 PM

Posted 25 July 2011 - 08:23 PM

I still need two other logs.

...and a question...
Any particular reason why no single Service Pack is installed?
Do NOT attempt to install anything yet.

I also don't see any AV program running.


#6 kuki217 (Topic Starter)
  • Members
  • 6 posts
  • Local time: 11:04 PM

Posted 25 July 2011 - 10:28 PM

Hello, here is the log for Malwarebytes. To answer your question, I hadn't any service packs installed because I mainly use my PC for Microsoft Word. Once all of this is done I'll install any service packs I need. I will post the GMER log in a while.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7278

Windows 5.1.2600
Internet Explorer 6.0.2600.0000

7/24/2011 10:05:32 PM
mbam-log-2011-07-24 (22-05-32).txt

Scan type: Quick scan
Objects scanned: 142081
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 kuki217 (Topic Starter)
  • Members
  • 6 posts
  • Local time: 11:04 PM

Posted 26 July 2011 - 09:28 AM

Here is the log for GMER.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-26 10:26:10
Windows 5.1.2600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 MDT_MD2500BB-00RDA0 rev.20.00K20
Running: coqkyfit.exe; Driver: C:\DOCUME~1\Shawn\LOCALS~1\Temp\fxpoyfod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]

---- EOF - GMER 1.0.15 ----

#8 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,707 posts
  • Gender: Male
  • Location: Daly City, CA
  • Local time: 09:04 PM

Posted 26 July 2011 - 07:06 PM

Since you're connected to the internet you must have some AV program running.
Please install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update, run full scan, report on any findings.

Then...

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

====================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
