Google Redirect Virus


13 replies to this topic

#1 Vasilycomp

  • Members
  • 8 posts

Posted 22 October 2012 - 06:14 AM

Hi Jason, I've got the re-direct virus and have done most of everything I've been safely able to do, including:

Checking the Driver/Host/etc Folder
Running Malwarebytes
Running a clean copy of the TDSSKiller
Running eset
Checking the ntblog file and Drivers Folder for suspicious files

Every result is clean but Google still redirects. Please help.

#2 Jean-Guy

  • Members
  • 7 posts

Posted 22 October 2012 - 06:15 AM

Look for a suspicious hard drive partition, there's a nasty maxSS bootkit going around these days.

#3 Vasilycomp

  • Topic Starter
  • Members
  • 8 posts

Posted 22 October 2012 - 06:26 AM

Everything seems as it should, although I've very limited knowledge of computers. I'm just an old bank officer. Appreciate your thoughts

#4 iceremover

  • Members
  • 32 posts

Posted 22 October 2012 - 06:41 AM

What kind of browser do you use?

Have you tried scanning for infections in safe mode without networking?
(Remember to update the programs first.)

#5 Vasilycomp

  • Topic Starter
  • Members
  • 8 posts

Posted 22 October 2012 - 06:45 AM

IE8 (ver 8.0.6001.18702).
Haven't tried scanning in Safe Mode.

#6 iceremover

  • Members
  • 32 posts

Posted 22 October 2012 - 06:53 AM

I would recommend scanning in safe mode first.

If nothing is found, you could try resetting the IE8 settings, but that's probably not a solution when being redirected.

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 October 2012 - 09:49 AM

Hello, also run

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

>>>>>>

Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Rerun TDSSKiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan".
Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
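The MiniToolBox options above dump the hosts file and proxy settings because a hijacked hosts file is one plain way a machine can be sent somewhere else when it looks up google.com. As an added example, not from the original post and not MiniToolBox's own code, this Python script parses hosts-file text and separates entries that sinkhole a name to loopback from entries that redirect it to another address; the sample content is constructed and the 203.0.113.x addresses are documentation placeholders.

```python
import ipaddress

# Constructed hosts-file sample: one legitimate loopback line, two redirect-style
# entries and one block-style entry of the kind a hijacked hosts file carries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
127.0.0.1       update.example-av.invalid   # stops an updater from resolving
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; a listing tool would still show it
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_hosts_entries(text):
    """Return (kind, hostname, ip) for every entry other than localhost -> loopback.

    'blocked'    : name is pointed at loopback, so it never resolves (AV/update sites)
    'redirected' : name is pointed at some other address (search engines, banks)
    """
    findings = []
    for ip, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain") and ip.is_loopback:
            continue
        kind = "blocked" if ip.is_loopback else "redirected"
        findings.append((kind, host, str(ip)))
    return findings


if __name__ == "__main__":
    for kind, host, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{kind:10s} {host:30s} -> {ip}")
```

On a real machine, pass the contents of %SystemRoot%\system32\drivers\etc\hosts to suspicious_hosts_entries; a clean XP hosts file yields an empty list.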

#8 Vasilycomp

  • Topic Starter
  • Members
  • 8 posts

Posted 22 October 2012 - 10:36 PM

This is my ntblog, does anything look suspicious?
Where there is a line "Driver Loaded" but no path name, is that normal?

Service Pack 310 14 2012 19:51:34.125
Loaded driver \windows\system32\ntkrnlpa.exe
Loaded driver \windows\system32\hal.dll
Loaded driver \windows\system32\KDCOM.DLL
Loaded driver \windows\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \windows\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \windows\system32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \windows\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver cercsr6.sys
Loaded driver \windows\System32\Drivers\SCSIPORT.SYS
Loaded driver disk.sys
Loaded driver \windows\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver SYMDS.SYS
Loaded driver sr.sys
Loaded driver MpFilter.sys
Loaded driver SYMEFA.SYS
Loaded driver DLACDBHM.SYS
Loaded driver DRVMCDB.SYS
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver WudfPf.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\drivers\loopbe1.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\bcmwl5.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtenicxp.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSF_DPV.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\wdf01000.sys
Loaded driver \SystemRoot\system32\DRIVERS\ew_jubusenum.sys
Loaded driver \SystemRoot\System32\Drivers\vmwvusb.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Loaded driver \SystemRoot\system32\drivers\NIS\1401010.002\ccSetx86.sys
Loaded driver \SystemRoot\system32\drivers\NIS\1401010.002\Ironx86.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\Drivers\DLARTL_M.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \??\I:\windows\system32\Drivers\SYMEVENT.SYS
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver
Loaded driver \SystemRoot\System32\Drivers\NIS\1401010.002\SYMTDI.SYS
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\drivers\NIS\1401010.002\SRTSPX.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \??\I:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Loaded driver \??\I:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Loaded driver
Loaded driver \SystemRoot\system32\DRIVERS\ewusbmdm.sys
Loaded driver \SystemRoot\system32\DRIVERS\ewusbnet.sys
Loaded driver \SystemRoot\System32\Drivers\Udfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \??\I:\windows\system32\drivers\mbam.sys
Loaded driver \SystemRoot\System32\Drivers\DRVNDDM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLADResM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLAIFS_M.SYS
Loaded driver \SystemRoot\System32\Drivers\DLAOPIOM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLAPoolM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLABMFSM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLABOIOM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLAUDFAM.SYS
Loaded driver \SystemRoot\System32\Drivers\DLAUDF_M.SYS
Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Parport.SYS
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Did not load driver \SystemRoot\System32\Drivers\adfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipfltdrv.sys
Loaded driver \??\I:\WINDOWS\system32\FsUsbExDisk.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Did not load driver \SystemRoot\system32\drivers\NIS\1401010.002\SRTSPX.SYS
Loaded driver
Loaded driver
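To triage a boot log like the one above without reading it line by line, here is an added example (not from the original post): Python that sorts ntbtlog.txt entries into drivers that did not load, entries with no path at all, and drivers loaded from a path outside the usual \SystemRoot and \windows locations. The sample text is constructed from a handful of lines quoted above; the nonstandard-path bucket is for review only, since the \??\I:\ entries in this thread belong to Symantec and Malwarebytes.

```python
import re
from collections import defaultdict

# Constructed sample in the XP ntbtlog.txt format, mirroring a few lines from
# the log quoted above rather than the whole file.
SAMPLE_NTBTLOG = r"""Service Pack 3 10 14 2012 19:51:34.125
Loaded driver \windows\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \??\I:\windows\system32\Drivers\SYMEVENT.SYS
Did not load driver \SystemRoot\system32\drivers\NIS\1401010.002\SRTSPX.SYS
Loaded driver
Loaded driver \??\I:\windows\system32\drivers\mbam.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s*(.*)$")

# Where boot-time drivers normally live on XP. Anything else is only flagged
# for a closer look; security products legitimately load from \??\<drive>:\ paths.
STANDARD_PREFIXES = ("\\systemroot\\", "\\windows\\")


def triage_ntbtlog(text):
    """Bucket ntbtlog entries: loaded, not_loaded, no_path, nonstandard_path."""
    report = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header/date line
        status, path = m.group(1), m.group(2).strip()
        if not path:
            report["no_path"].append(status)  # "Loaded driver" with nothing after it
        elif status.startswith("Did not"):
            report["not_loaded"].append(path)
        elif not path.lower().startswith(STANDARD_PREFIXES):
            report["nonstandard_path"].append(path)
        else:
            report["loaded"].append(path)
    return dict(report)


if __name__ == "__main__":
    for bucket, entries in triage_ntbtlog(SAMPLE_NTBTLOG).items():
        print(f"== {bucket} ({len(entries)})")
        for entry in entries:
            print("  ", entry)
```

For the real file read %SystemRoot%\ntbtlog.txt and look first at not_loaded (a security driver that fails to load is worth explaining) and at no_path entries, which need manual correlation with the registry service list.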

#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 October 2012 - 11:11 PM

The Symantec AutoProtect driver did not load but that may be disabled or malware, I cannot tell as I don't even know the operating system yet. Need the logs from above.

#11 Vasilycomp

  • Topic Starter
  • Members
  • 8 posts

Posted 23 October 2012 - 12:03 AM

Went to load the Junkware Removal but it kept failing. Any suggestions, or should I run the MiniToolBox?

#12 Vasilycomp

  • Topic Starter
  • Members
  • 8 posts

Posted 23 October 2012 - 04:23 AM

Reviewing my System32 folder, I ran across a file called "schtasksu.dll" which I do not recognise, nor can I find any information on it. Do you recognise this?

#13 Vasilycomp

  • Topic Starter
  • Members
  • 8 posts

Posted 23 October 2012 - 06:52 AM

Finally, with HitmanPro...found the culprit. Deleted and no further redirection so far.

Malware _____________________________________________________________________

I:\windows\system32\schtasksu.dll
Size . . . . . . . : 114,688 bytes
Age . . . . . . . : 22.2 days (2012-10-01 16:24:23)
Entropy . . . . . : 5.5
SHA-256 . . . . . : 1D84A264D48D733F34DA0177BD01370ECBE905BE098B1FFB408A58CACB4221FF
> G Data . . . . . . : Gen:Variant.Symmi.3495 (Engine A)
Fuzzy . . . . . . : 113.0

Really appreciate the moderator being so prompt and supportive, especially when you have nowhere to turn.

Thanks
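HitmanPro reported a SHA-256 and an entropy value for the file. As an added example, not the poster's or HitmanPro's code, this Python computes the same two values for a file or byte string and compares the digest against the hash posted above, so a copy of the sample can be confirmed as the same file before it is looked up or submitted elsewhere. It assumes HitmanPro's Entropy field is Shannon entropy in bits per byte (0 to 8), which the reported 5.5 is consistent with.

```python
import hashlib
import math
from collections import Counter

# SHA-256 that HitmanPro reported for I:\windows\system32\schtasksu.dll in this thread.
REPORTED_SHA256 = "1D84A264D48D733F34DA0177BD01370ECBE905BE098B1FFB408A58CACB4221FF"


def sha256_hex(data: bytes) -> str:
    """Upper-case hex SHA-256, the form HitmanPro printed it in."""
    return hashlib.sha256(data).hexdigest().upper()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes
    (assumed to be the scale behind HitmanPro's 'Entropy' field)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_sample(data: bytes, reported_hash: str = REPORTED_SHA256) -> dict:
    """Compare a sample against the posted hash and summarise size/entropy."""
    digest = sha256_hex(data)
    ent = shannon_entropy(data)
    return {
        "sha256": digest,
        "matches_report": digest == reported_hash.upper(),
        "size": len(data),
        "entropy": round(ent, 1),
        # Packed or encrypted payloads usually sit above ~7.0 bits/byte; the 5.5
        # reported here is in the range of ordinary x86 code, so entropy alone
        # would not have singled this DLL out. The signature match did.
        "high_entropy": ent > 7.0,
    }


def check_file(path: str, reported_hash: str = REPORTED_SHA256) -> dict:
    """Convenience wrapper for an on-disk file (e.g. a quarantined copy)."""
    with open(path, "rb") as fh:
        return check_sample(fh.read(), reported_hash)


if __name__ == "__main__":
    # Constructed stand-in bytes; a real run would pass the quarantined DLL.
    print(check_sample(b"MZ" + bytes(range(256)) * 4))
```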

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 October 2012 - 10:37 AM

You're welcome and thanks for visiting.