
Google redirect virus


  • Please log in to reply
3 replies to this topic

#1 jamiebenn

  • Members
  • 12 posts

Posted 12 August 2012 - 10:11 AM

This appears to be a very similar problem to what I have seen in other posts - all requiring a seemingly unique solution. I can search from my Google homepage, but when I click on what site I want it redirects me to a search results page, and briefly something like "http://63.209.69.107/search/web/auto/a22/44561-20351/v5" appears in my address bar. I've tried Trend Micro, Malwarebytes, Spybot, and others with no joy. The problem occurs in Internet Explorer or Google Chrome. Any suggestions on next steps?

Thanks for any help you can provide.


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 12 August 2012 - 10:12 AM

Download

TDSSkiller

Launch it. Click on Change parameters - select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results.

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here.

Download

ESET online scanner

Install it.

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file in your reply.

#3 jamiebenn

  • Topic Starter
  • Members
  • 12 posts

Posted 12 August 2012 - 09:56 PM

Thanks NARENXP,

As requested -

TDSSkiller:

21:45:27.0984 6668 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
21:45:28.0312 6668 ============================================================
21:45:28.0312 6668 Current date / time: 2012/08/12 21:45:28.0312
21:45:28.0312 6668 SystemInfo:
21:45:28.0312 6668
21:45:28.0312 6668 OS Version: 5.1.2600 ServicePack: 3.0
21:45:28.0312 6668 Product type: Workstation
21:45:28.0312 6668 ComputerName: DH9007C1
21:45:28.0312 6668 UserName: Julie Buttrill
21:45:28.0312 6668 Windows directory: C:\WINDOWS
21:45:28.0312 6668 System windows directory: C:\WINDOWS
21:45:28.0312 6668 Processor architecture: Intel x86
21:45:28.0312 6668 Number of processors: 2
21:45:28.0312 6668 Page size: 0x1000
21:45:28.0312 6668 Boot type: Normal boot
21:45:28.0312 6668 ============================================================
21:45:30.0171 6668 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
21:45:30.0203 6668 ============================================================
21:45:30.0203 6668 \Device\Harddisk0\DR0:
21:45:30.0203 6668 MBR partitions:
21:45:30.0203 6668 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1B747, BlocksNum 0x1209CE16
21:45:30.0203 6668 ============================================================
21:45:30.0249 6668 C: <-> \Device\Harddisk0\DR0\Partition0
21:45:30.0249 6668 ============================================================
21:45:30.0249 6668 Initialize success
21:45:30.0249 6668 ============================================================
21:46:12.0562 3484 ============================================================
21:46:12.0562 3484 Scan started
21:46:12.0562 3484 Mode: Manual; TDLFS;
21:46:12.0562 3484 ============================================================


aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-12 21:55:01
-----------------------------
21:55:01.109 OS Version: Windows 5.1.2600 Service Pack 3
21:55:01.109 Number of processors: 2 586 0x4B02
21:55:01.109 ComputerName: DH9007C1 UserName:
21:55:02.062 Initialize success
21:58:31.062 AVAST engine defs: 12081201
21:58:48.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:58:48.890 Disk 0 Vendor: ST3160812AS 3.ADH Size: 152587MB BusType: 3
21:58:48.906 Disk 0 MBR read successfully
21:58:48.906 Disk 0 MBR scan
21:58:48.937 Disk 0 unknown MBR code
21:58:48.937 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
21:58:48.953 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 147769 MB offset 112455
21:58:48.984 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 4753 MB offset 302760990
21:58:48.984 Disk 0 scanning sectors +312496380
21:58:49.046 Disk 0 scanning C:\WINDOWS\system32\drivers
21:59:01.390 Service scanning
21:59:21.296 Modules scanning
21:59:27.234 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
21:59:28.453 Disk 0 trace - called modules:
21:59:28.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:59:28.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d2fab8]
21:59:28.484 3 CLASSPNP.SYS[f74a7fd7] -> nt!IofCallDriver -> \Device\00000067[0x86da5570]
21:59:28.484 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86da4d98]
21:59:29.078 AVAST engine scan C:\WINDOWS
21:59:31.437 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AIU [Trj]
21:59:42.062 AVAST engine scan C:\WINDOWS\system32
22:00:04.499 File: C:\WINDOWS\system32\fastsrch.dll **INFECTED** Win32:Malware-gen
22:01:13.781 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Patched-AIU [Trj]
22:01:24.640 File: C:\WINDOWS\system32\winlogon.exe **INFECTED** Win32:Patched-AIU [Trj]
22:02:43.374 AVAST engine scan C:\WINDOWS\system32\drivers
22:03:01.656 AVAST engine scan C:\Documents and Settings\Julie Buttrill
22:06:46.359 File: C:\Documents and Settings\Julie Buttrill\My Documents\8efb5.exe **INFECTED** Win32:MalOb-GR [Cryp]
22:07:05.109 File: C:\Documents and Settings\Julie Buttrill\My Documents\u7n51.exe **INFECTED** Win32:MalOb-GR [Cryp]
22:07:20.124 AVAST engine scan C:\Documents and Settings\All Users
22:08:36.031 Scan finished successfully
22:09:06.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Julie Buttrill\Desktop\MBR.dat"
22:09:06.953 The log file has been saved successfully to "C:\Documents and Settings\Julie Buttrill\Desktop\aswMBR.txt"


ESET Online Scanner:

C:\Documents and Settings\Julie Buttrill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Set.jar-543a5317-1f7a4725.zip Java/Exploit.Agent.NBS trojan cleaned by deleting - quarantined
C:\Documents and Settings\Julie Buttrill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Set.jar-5a661b54-7bad238e.zip Java/Exploit.Agent.NBS trojan cleaned by deleting - quarantined
C:\Documents and Settings\Julie Buttrill\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Set.jar-6888e9ff-79a77a33.zip Java/Exploit.Agent.NBS trojan cleaned by deleting - quarantined
C:\Documents and Settings\Julie Buttrill\My Documents\8efb5.exe a variant of Win32/Kryptik.YNL trojan cleaned by deleting - quarantined
C:\Documents and Settings\Julie Buttrill\My Documents\u7n51.exe a variant of Win32/Kryptik.YWC trojan cleaned by deleting - quarantined
C:\Program Files\InstallBrainService\InstallBrainService(2).exe a variant of Win32/InstallBrain application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Julie Buttrill\Local Settings\Application Data\{809af6e4-0272-03f0-2854-077e8e74e9c5}\n.vir Win32/Sirefef.EV trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Julie Buttrill\Local Settings\Application Data\{809af6e4-0272-03f0-2854-077e8e74e9c5}\U\00000004.@.vir Win32/Conedex.D trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Julie Buttrill\Local Settings\Application Data\{809af6e4-0272-03f0-2854-077e8e74e9c5}\U\000000cb.@.vir Win32/Conedex.E trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Julie Buttrill\Local Settings\Application Data\{809af6e4-0272-03f0-2854-077e8e74e9c5}\U\80000000.@.vir Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Julie Buttrill\Local Settings\Application Data\{809af6e4-0272-03f0-2854-077e8e74e9c5}\U\80000032.@.vir a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\StartNow Toolbar\ToolbarUpdaterService(2).exe.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\0.5894028842392043.exe.vir a variant of Win32/Kryptik.VZH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0001028.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0001030.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0001181.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\A0001183.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP18\A0001326.exe Win32/AutoRun.Spy.Banker.M worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP18\A0001387.ini Win32/Sirefef.EZ trojan deleted - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP20\A0002540.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP20\A0002542.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP21\A0002783.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP21\A0002785.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000195.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000197.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000378.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0000380.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP43\A0010581.dll a variant of Win32/Injector.PKW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP44\A0011715.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP44\A0011718.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP46\A0012839.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP46\A0012841.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP47\A0012950.exe a variant of Win32/InstallBrain application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0000713.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0000715.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\WINDOWS\explorer.exe Win32/Patched.NBG.Gen trojan cleaned (after the next restart) - quarantined
C:\WINDOWS\system32\fastsrch.dll a variant of Win32/Injector.PKW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\svchost.exe Win32/Patched.NBG.Gen trojan cleaned (after the next restart) - quarantined
C:\WINDOWS\system32\winlogon.exe Win32/Patched.NBG.Gen trojan cleaned - quarantined
Operating memory Win32/Patched.NBG.Gen trojan

#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender: Male
  • Location: India

Posted 12 August 2012 - 10:01 PM

We need advanced tools to remove this one. svchost.exe, explorer.exe and winlogon.exe are critical system files which have been infected.

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
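As an added example (not part of the thread or of any of the tools named in it), here is a small Python triage script that reads ESET Online Scanner and aswMBR detection lines in the format posted above and flags live copies of critical Windows binaries reported as patched, which is the condition the advisor says needs advanced tools. The CRITICAL set, the regular expressions and the sample lines are my own constructions.

```python
# Added example: triage ESET Online Scanner / aswMBR detection lines and
# flag patched critical system binaries. Sample lines are constructed to
# mirror the log format seen in this thread; they are not the original logs.
import re

# Core binaries: a "Patched" detection on a live copy of one of these means
# the infection altered system files, so a normal scan-and-clean is not enough.
CRITICAL = {"svchost.exe", "explorer.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# ESET line: <path> [a variant of ]<threat> trojan|worm|application <action>
ESET_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?) "
                     r"(?P<threat>(?:a variant of )?\S+ (?:trojan|worm|application)) "
                     r"(?P<action>.+)$")
# aswMBR line: <timestamp> File: <path> **INFECTED** <threat>
ASWMBR_RE = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<threat>.+)$")

def parse_line(line):
    """Return (path, threat, action) for a recognised detection line, else None."""
    m = ESET_RE.match(line)
    if m:
        return m["path"], m["threat"], m["action"]
    m = ASWMBR_RE.match(line)
    if m:
        return m["path"], m["threat"], "detected"
    return None

def triage(lines):
    """Count detections, list files that need a reboot to finish cleaning, and
    list live critical system binaries that a scanner reported as patched."""
    total, pending_restart, critical_hits = 0, [], []
    for line in lines:
        parsed = parse_line(line.strip())
        if not parsed:
            continue
        path, threat, action = parsed
        total += 1
        name = path.rsplit("\\", 1)[-1].lower()
        if "after the next restart" in action:
            pending_restart.append(path)
        # Restore points and ComboFix quarantine hold copies, not live binaries.
        live = not ("\\_restore{" in path or "\\Qoobox\\" in path)
        if name in CRITICAL and live and "Patched" in threat:
            critical_hits.append(path)
    return {"total": total, "pending_restart": pending_restart,
            "critical_patched": sorted(set(critical_hits))}

SAMPLE = """\
21:59:31.437 File: C:\\WINDOWS\\explorer.exe **INFECTED** Win32:Patched-AIU [Trj]
C:\\WINDOWS\\system32\\svchost.exe Win32/Patched.NBG.Gen trojan cleaned (after the next restart) - quarantined
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\winlogon.exe.vir Win32/Patched.NBG.Gen trojan cleaned - quarantined
C:\\Documents and Settings\\User\\My Documents\\8efb5.exe a variant of Win32/Kryptik.YNL trojan cleaned by deleting - quarantined
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any non-empty `critical_patched` list is the signal to stop running ad-hoc scanners and move to a guided cleanup, as post #4 advises.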



