Firefox only Google redirecting Virus


12 replies to this topic

#1 Vetsi2103 (Members, 7 posts)

Posted 06 September 2011 - 05:21 PM

Hi All,

I am new to this forum and stumbled upon it while searching for a fix. I received this redirecting virus 5 days ago. I instantly googled what I could about it, because at first it kept redirecting me to gimmeanswers.com and ask.com; now it redirects me to various sites. I noticed it's only on Firefox and not on Internet Explorer. An example is I just googled the Weather Channel and when I clicked on it I was sent to this site

http://www.bargainmatch.com/mixsearch/more?keyword=weather&affid=74409&wdo=no&p_only=yes&p_count=10&ptr=VC&sid=fbc494d8daea78896a19baa2ec0891b6&cid=BPO

For some reason, when I google Facebook it doesn't redirect me.
So far I have tried TDSSKiller, GMER, Avast, Malwarebytes, and SUPERAntiSpyware. The first time I ran any of these programs it found tons of malicious malware. I didn't use my computer for 2 days, and today when I turned it on I ran a Goored fix that I found on a site that is supposed to fix the redirecting virus, and voila, it disappeared. I was very pleased, but I ran all the other programs once again and tried to google something else and I was redirected again! Now when I run all these programs they are not finding any malicious anything... I'm stumped, I don't know what to do anymore.

Any help will be appreciated!! B)

Thank you in advance



#2 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 06 September 2011 - 05:27 PM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Vetsi2103 (Topic Starter, Members, 7 posts)

Posted 08 September 2011 - 11:17 PM

Thank you, here is my last log. I have tried this a few times and they all seem to look the same.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 00:02 on 09/09/2011 (VeTsi)
Firefox version 3.6.21 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:41 10/03/2011]

C:\Users\VeTsi\Application Data\Mozilla\Firefox\Profiles\yhc8ysqy.default\extensions\
es-ve@dictionaries.addons.mozilla.org [03:26 26/04/2011]
vshare@toolbar [19:21 19/12/2010]
{20a82645-c095-46ed-80e3-08825760534b}(220) [03:38 30/06/2010]
{7b13ec3e-999a-4b70-b9cb-2617b8323822} [02:06 27/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [10:56 11/04/2009]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [03:51 02/09/2011]

---------- Old Logs ----------
GooredFix[14.26.55_06-09-2011].txt
GooredFix[20.51.22_06-09-2011].txt
GooredFix[22.38.44_06-09-2011].txt

-=E.O.F=-

#4 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 08 September 2011 - 11:25 PM

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

#5 Vetsi2103 (Topic Starter, Members, 7 posts)

Posted 09 September 2011 - 11:35 AM

Thank you... here is my log


MiniToolBox by Farbar
Ran by VeTsi (administrator) on 09-09-2011 at 12:34:02
Windows Vista ™ Home Basic Service Pack 1 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================

::1 localhost

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : VeTsi-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-22-FB-AA-65-C2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c8e0:69fb:d730:8ab4%12(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, September 08, 2011 11:34:30 PM
Lease Expires . . . . . . . . . . : Saturday, September 10, 2011 12:19:49 PM
Default Gateway . . . . . . . . . : 10.0.0.1
DHCP Server . . . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-25-64-40-9B-1C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{BFC13E39-719C-41D1-BBFE-581CE8EFE4EF}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:bd:362d:f5ff:fff9(Preferred)
Link-local IPv6 Address . . . . . : fe80::bd:362d:f5ff:fff9%10(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.{319B028B-8BF7-46CF-BFE0-C5F4F5D55F5D}
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 6TO4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: UnKnown
Address: 10.0.0.1

Name: google.com
Addresses: 74.125.113.104
74.125.113.105
74.125.113.106
74.125.113.147
74.125.113.99
74.125.113.103



Pinging google.com [74.125.113.103] with 32 bytes of data:

Reply from 74.125.113.103: bytes=32 time=27ms TTL=51

Reply from 74.125.113.103: bytes=32 time=30ms TTL=51



Ping statistics for 74.125.113.103:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 27ms, Maximum = 30ms, Average = 28ms

Server: UnKnown
Address: 10.0.0.1

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=87ms TTL=51

Reply from 98.137.149.56: bytes=32 time=89ms TTL=51



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 87ms, Maximum = 89ms, Average = 88ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time=7ms TTL=128

Reply from 127.0.0.1: bytes=32 time=1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 7ms, Average = 4ms

===========================================================================
Interface List
12 ...00 22 fb aa 65 c2 ...... Intel® WiFi Link 5100 AGN
11 ...00 25 64 40 9b 1c ...... Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
1 ........................... Software Loopback Interface 1
13 ...00 00 00 00 00 00 00 e0 isatap.{BFC13E39-719C-41D1-BBFE-581CE8EFE4EF}
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 isatap.{319B028B-8BF7-46CF-BFE0-C5F4F5D55F5D}
14 ...00 00 00 00 00 00 00 e0 6TO4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.6 30
10.0.0.0 255.255.255.0 On-link 10.0.0.6 286
10.0.0.6 255.255.255.255 On-link 10.0.0.6 286
10.0.0.255 255.255.255.255 On-link 10.0.0.6 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.6 286
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
10 18 ::/0 On-link
1 306 ::1/128 On-link
10 18 2001::/32 On-link
10 266 2001:0:4137:9e76:bd:362d:f5ff:fff9/128 On-link
12 286 fe80::/64 On-link
10 266 fe80::/64 On-link
10 266 fe80::bd:362d:f5ff:fff9/128 On-link
12 286 fe80::c8e0:69fb:d730:8ab4/128 On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
12 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

**** End of log ****
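A defender-side triage of the Result.txt that the moderator asked for in #4 and that was posted in #5. This is an added example, not code from the thread or from MiniToolBox/Farbar; the embedded log is a constructed, trimmed copy of the one above, and the four checks (Firefox proxy type, extra hosts entries, DNS server versus gateway, non-Microsoft Winsock providers) encode the settings a browser-redirect infection typically alters.

```python
"""Triage a MiniToolBox Result.txt for the redirect indicators asked for in #4.
Added example, not part of the thread or of MiniToolBox; SAMPLE_LOG is constructed
from (and trimmed to) the Result.txt posted above."""
import re

SAMPLE_LOG = r"""
========================= FF Proxy Settings: ==============================
"network.proxy.type", 0
========================= Hosts content: =================================
::1 localhost
127.0.0.1 localhost
========================= IP Configuration: ================================
Default Gateway . . . . . . . . . : 10.0.0.1
DNS Servers . . . . . . . . . . . : 10.0.0.1
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
"""

SECTION_RE = re.compile(r"^=+\s+([A-Za-z ]+?):?\s+=+$", re.MULTILINE)


def split_sections(log):
    """Map each '===== Name =====' header to the text that follows it."""
    heads = list(SECTION_RE.finditer(log))
    ends = [h.start() for h in heads[1:]] + [len(log)]
    return {h.group(1): log[h.end():e] for h, e in zip(heads, ends)}


def triage(log):
    """Return human-readable findings; an empty list means nothing looks altered."""
    sec, findings = split_sections(log), []
    # Firefox: 0 = direct. 1 (manual) or 2 (PAC URL) can route every search via an attacker proxy.
    m = re.search(r'"network\.proxy\.type",\s*(\d+)', sec.get("FF Proxy Settings", ""))
    if m and m.group(1) != "0":
        findings.append(f"Firefox proxy type is {m.group(1)} (expected 0 = no proxy)")
    # hosts: a stock Windows file resolves only localhost; any extra name hijacks that site.
    for line in sec.get("Hosts content", "").splitlines():
        parts = line.split()
        if len(parts) > 1 and not parts[0].startswith("#") and parts[1].lower() != "localhost":
            findings.append(f"hosts file maps {parts[1]} to {parts[0]}")
    # DNS: on a home LAN it should be the gateway; anything else suggests a DNS changer.
    ipcfg = sec.get("IP Configuration", "")
    gw = re.search(r"Default Gateway[ .]*: (\S+)", ipcfg)
    dns = re.search(r"DNS Servers[ .]*: (\S+)", ipcfg)
    if gw and dns and dns.group(1) != gw.group(1):
        findings.append(f"DNS server {dns.group(1)} differs from gateway {gw.group(1)}")
    # Winsock: a non-Microsoft provider sees every connection; list it for review (Bonjour is benign).
    for line in sec.get("Winsock entries", "").splitlines():
        m = re.match(r"Catalog\d+ \d+ (\S.*?) \[\d+\] \((.+)\)$", line)
        if m and m.group(2) != "Microsoft Corporation":
            findings.append(f"third-party Winsock provider {m.group(1)} ({m.group(2)})")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG) or ["no redirect indicators found"]))
```

On the posted log only the Apple Bonjour provider is listed for review; the settings the infection would have changed all look stock, which is consistent with the moderator moving on to a rootkit scan.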

#6 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 09 September 2011 - 05:08 PM

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Reset FF Proxy Settings
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Also let me know if there is any improvement.

#7 Vetsi2103 (Topic Starter, Members, 7 posts)

Posted 13 September 2011 - 06:00 PM

Hi, sorry for the delay in response, I haven't been home or near my computer. I downloaded MiniToolBox and checked the one box you told me to check, and this is my log:

MiniToolBox by Farbar
Ran by VeTsi (administrator) on 13-09-2011 at 18:54:52
Windows Vista ™ Home Basic Service Pack 1 (X86)

***************************************************************************

"Reset FF Proxy Settings": Firefox Proxy settings were reset.


**** End of log ****


Everything seemed OK until I just went to click on the Weather Channel and it redirected me, and Malwarebytes blocked the site.

#8 Vetsi2103 (Topic Starter, Members, 7 posts)

Posted 13 September 2011 - 09:01 PM

Hi, I also wanted to tell you I am now infected on IE as well. I also found two csrss processes running on my computer in Task Manager, one coming from the Windows System32 file and another one located in a different file; I am aware the 2nd one may be malicious.

#9 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 13 September 2011 - 10:01 PM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

#10 Vetsi2103 (Topic Starter, Members, 7 posts)

Posted 13 September 2011 - 10:47 PM

I ran a scan with TDSSKiller and it didn't find anything... any other suggestions?

#11 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 13 September 2011 - 11:43 PM

Run a quick scan with Malwarebytes and see what it finds.

#12 Vetsi2103 (Topic Starter, Members, 7 posts)

Posted 14 September 2011 - 09:04 PM

Hi, it didn't find anything but I will post the log:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7719

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

9/14/2011 8:14:43 PM
mbam-log-2011-09-14 (20-14-43).txt

Scan type: Quick scan
Objects scanned: 173604
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Budapest (Bleepin' Cynic, Moderator, 23,573 posts)

Posted 14 September 2011 - 10:05 PM

This requires a more in-depth look.

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.