Google Redirect Virus


Google Redirect Virus

Post by jay_b on Tue 12 Jul 2011, 3:24 am

First topic message reminder :


Hi All

I am also having a Google link redirect problem. I've tried running Malwarebytes; it comes back clean, but the problem persists.

Any help would be very much appreciated.

jay_b

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp


Re: Google Redirect Virus

Post by Kenny94 on Fri 29 Jul 2011, 8:30 am

Can you post the OTL log?



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Fri 29 Jul 2011, 6:55 pm

Kenny94 wrote:

  • Download OTL.exe to your desktop.
  • Double-Click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • Under the Standard Registry box change it to All.
  • Under the Extra Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below (in bold)



netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90



  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


Do I run OTL again using the same instructions as when I ran it? Just by opening OTL, no log appears.

thanks

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Sat 30 Jul 2011, 12:51 am

Are you still experiencing the redirects at this point? ComboFix should run even with AVG installed as it has been updated. Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

And follow the instructions in the ComboFix post. And post the log please.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Sat 30 Jul 2011, 1:19 am

Once my desktop loads up, all I have is a blank Windows insert showing 'hello2' and 'hello4'; it is not letting me access the internet etc. The system runs very slowly, then freezes up.

This message was sent from an alternative computer.

Tried safe mode and, although the desktop appears, I am unable to open anything that I double-click or run,
i.e. internet, Malwarebytes, TDSSKiller.

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Sat 30 Jul 2011, 4:00 am

Since you cannot access your infected computer, you will have to download the required tools from your clean computer and move them to the infected computer with some removable media, for example burn them to a CD or write them to a USB flash disk.

If you use a USB flash disk, I highly recommend you immunize it first, to prevent malware using the USB flash drive to spread itself.

Please download Flash_Disinfector by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool
  • When requested, insert the USB flash disk(s) you want to immunize/disinfect
  • Hold down the Shift key when inserting the drive(s) until Windows detects the drive
  • Click OK to start the disinfection process
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that you choose to disinfect. Do not delete that folder!

====================



Also, print out or save these instructions into note pad on a flash drive. (so you can see how to run the tools). If you can't save it to the desktop of the infected computer, you can run it right off of the flash drive.

Please download exeHelper from one of the two links.
Link 1
Link 2

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Next

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are two different versions. If one of them won't run then download and try to run the other one.
Vista and Windows 7 users need to right-click and choose Run as Administrator
You only need to get one of them to run, not both of them.

  1. eXplorer.exe -
  2. WiNlOgOn.exe


Please post the log in your next reply. (To see what was terminated.)

Note: If your security software warns about Rkill, please ignore and allow the download to continue.

Once you've gotten one of them to run then try to immediately run the following:

Download and run ComboFix. ComboFix should run again. When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Sat 30 Jul 2011, 7:52 am


Copied to disc and transferred. Attempted to run from disc on the infected computer.
A black screen pops up, but then I immediately receive a problem message: encountered a problem and unable to continue. Do I want to send details to Microsoft or not? This is the same type of message I would normally receive when a programme crashes.

Tried both exeHelper files but same message with both.


jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Sat 30 Jul 2011, 8:57 am

Okay, well first off you need to separate all of the computers from each other. They cannot be on the same network at the same time. I've used Avira AntiVir Rescue System with success to move on to the next stage.

Avira AntiVir Rescue System requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Avira AntiVir Rescue System. Click Here - Tutorial for Avira Rescue CD.
    If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.

    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)

  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • When the scan is finished, you can save the scan report by clicking on Save and then choosing where to save it. So be sure to save the report and post it for further review.



Note:

If you need an ISO burner, download BurnCDCC, a standalone ISO burner. You need to download the Avira Rescue disk and save it to your desktop. Open BurnCDCC > click the browse button and select the Avira package. Place an empty disk in your burner. Slide the speed bar down to 2x. Place a check mark in the boxes Read Verify, Finalize and Auto Eject. Click the start button. When complete, the burner tray will slide open. You now have a bootable disk to move on.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Mon 01 Aug 2011, 7:27 am

Now running

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Mon 01 Aug 2011, 8:56 am

Okay. Be sure to save the scan report and post it please.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Mon 01 Aug 2011, 6:23 pm

Avira / Linux Version 1.9.152.0
Copyright (c) 2010 by Avira GmbH
All rights reserved.
engine set: 8.2.6.22
VDF Version: 7.11.12.171
Scan start time: Sun Jul 31 23:54:44 2011
configuration file: /etc/avira/scancl.conf
ALERT: [JAVA/Stutter.J.2] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/24/53f48ad8-7ad6bce2 <<< Contains signature of the Java virus JAVA/Stutter.J.2 [renamed]


ALERT: [Java/Exdoer.G] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/35/7523cea3-56a9e8d3 --> powerColor/c1.class <<< Contains signature of the Java virus JAVA/Exdoer.G [archive scan abort]


ALERT: [TR/Dldr.Karagany.A.287] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/37/25dfa8e5-6e01e5db <<< Is the Trojan horse TR/Dldr.Karagany.A.287 [renamed]


ALERT: [EXP/CVE-2010-0840.BG] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/37/29212065-2d90d690 --> folder/Glocker.class <<< Contains signature of the exploits EXP/CVE-2010-0840.BG [archive scan abort]


ALERT: [Java/Agent.AO] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/36fe39b6-65d6c7cc --> google/stomp.class <<< Contains signature of the Java virus JAVA/Agent.AO [archive scan abort]


ALERT: [EXP/Java.BN] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/680b9df6-47a63d6a --> bingo/haskalu.class <<< Contains signature of the exploits EXP/Java.BN [archive scan abort]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-211dd4cd <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-479594a2 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-530781c9 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-68c4baad <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-765da3a9 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


ALERT: [JAVA/Tharra.A] /media/Devices/sda2/Documents and Settings/abbeyfield/Application Data/Sun/Java/Deployment/cache/6.0/54/6b310336-7e8fae05 <<< Contains signature of the Java virus JAVA/Tharra.A [renamed]


WARNING: [Unsupported archive type] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/RACE 07 ot Akella/Race'07-Image/RACE07.iso


WARNING: [Error writing file] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/RACE07.iso


WARNING: [Bad compressed data] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2001-10-29 A Camp - Live at KB, Malmo/artwork.zip


WARNING: [Unexpected end of file] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2003-06-28 Live at Roskilde/artwork.zip


WARNING: [A malformed archive header was detected] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2004-02-14 Live at Popstad/artwork_and_info.zip


WARNING: [A malformed archive header was detected] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/Incomplete Downloads/The Cardigans - Live performance collection/2004-02-14 Live at Popstad/artwork_and_info.zip


WARNING: [Unsupported archive type] /media/Devices/sda2/Documents and Settings/abbeyfield/My Documents/My Videos/Miro/[PC] Race The WTCC Game [RIP] [dopeman]/WTCC.7z


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Documents and Settings/NetworkService/Local Settings/Application Data/gnp.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/LANDesk/LDClient/amclient.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/LANDesk/LDClient/LDIScn32.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/LDClient/issuser.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/LDClient/SoftMon.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/LDClient/tmcsvc.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/LANDesk/LDClient/WebPortal/sdclientmonitor.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Spy.ZBot.86016.3] /media/Devices/sda2/Program Files/LANDesk/LDClient/LocalSch.EXE <<< Is the Trojan horse TR/Spy.ZBot.86016.3 [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/LANDesk/Shared Files/residentAgent.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Adobe/Reader 9.0/Reader/Reader_sl.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/ATI Technologies/ATI Control Panel/atiptaxx.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/BT Business Broadband Desktop Help/btbb/BTHelpNotifier.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Common Files/Adobe/ARM/1.0/AdobeARM.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Common Files/Java/Java Update/jusched.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Gendal.6181686] /media/Devices/sda2/Program Files/Common Files/LogiShrd/LVMVFM/LVPrcSrv.exe <<< Is the Trojan horse TR/Gendal.6181686 [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Common Files/Motive/McciCMService.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


WARNING: [Unexpected end of file] /media/Devices/sda2/Program Files/FastStone Capture/uninst.exe


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Hewlett-Packard/HP Software Update/HPWuSchd2.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/Dot1XCfg.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Gendal.6113986] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/EvtEng.exe <<< Is the Trojan horse TR/Gendal.6113986 [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/ifrmewrk.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/RegSrvc.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Gendal.6133535] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/S24EvMon.exe <<< Is the Trojan horse TR/Gendal.6133535 [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/WLKEEPER.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/ZCfgSvc.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Kazy.25211.21] /media/Devices/sda2/Program Files/Java/jre6/bin/jqs.exe <<< Is the Trojan horse TR/Kazy.25211.21 [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/QuickTime/qttask .exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/QuickTime/qttask.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/Program Files/Microsoft Office/Office12/GrooveMonitor.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


WARNING: [Archive is invalid or corrupt] /media/Devices/sda2/Program Files/WinRAR/rarnew.dat


ALERT: [BDS/ZAccess.dg] /media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/assembly/GAC_MSIL/desktop.ini.vir <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.dg Backdoor server programs [renamed]


ALERT: [TR/Rootkit.Gen] /media/Devices/sda2/Qoobox/Quarantine/C/WINDOWS/system32/Drivers/rasl2tp.sys.vir <<< Is the Trojan horse TR/Rootkit.Gen [renamed]


ALERT: [W32/PatchLoad.A] /media/Devices/sda2/WINDOWS/system32/wuauclt.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]


WARNING: [Unexpected end of file] /media/Devices/sda2/WINDOWS/Temp/5047e27c-9de0-4fcb-b2de-659dba8a5439.tmp


WARNING: [Bad compressed data] /media/Devices/sda2/WINDOWS/Temp/36942b83-95bc-4f9c-a8af-05eee793baf0.tmp


WARNING: [Bad compressed data] /media/Devices/sda2/WINDOWS/Temp/bdb4a872-8f78-4d2f-bb95-baa15d81f819.tmp


WARNING: [Error reading file] /media/Devices/sda2/WINDOWS/Temp/4ad3185e-3ac9-4896-97e3-86bbaf498956.tmp


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/WINDOWS/Temp/hki377.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/Temp/tjnvac/setup.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


WARNING: [File is encrypted] /media/Devices/sda2/WINDOWS/Temp/SAS_SelfExtract/Quarantine/Quarantine - 06-26-2011 - 17-55-19.SBU


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/Temp/Jdr.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/twain_32/Samsung/CLX3170/Scan2pc .exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/WINDOWS/twain_32/Samsung/CLX3170/Scan2pc.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/WINDOWS/Fonts/J0uR2JE.com_ <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [BDS/ZAccess.bc] /media/Devices/sda2/WINDOWS/assembly/GAC_MSIL/Desktop(2).ini <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.bc Backdoor server programs [renamed]


ALERT: [BDS/ZAccess.dg] /media/Devices/sda2/WINDOWS/assembly/GAC_MSIL/Desktop.ini <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.dg Backdoor server programs [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0001011.com <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008015.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008016.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/Dropper.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008017.exe <<< Is the Trojan horse TR/Dropper.Gen [renamed]


ALERT: [TR/VB.Downloader.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008020.exe <<< Is the Trojan horse TR/VB.Downloader.Gen [renamed]


ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/System Volume Information/_restore{7BEF35F8-68AE-427C-A324-766C932918CC}/RP0/A0008021.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]


Statistics :
Directories............... : 8041
Archives.................. : 1388
Files..................... : 303226
Infected.............. : 57
Renamed........... : 57
Warnings.............. : 14
Suspicious............ : 0
Infections................ : 57

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp
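A small parser for reports in the scancl format of the log above, added here as an example and not part of the thread; the sample report is constructed with shortened paths and is not the poster's log. It groups detections by signature and by where on the volume they sit (Java cache, restore points, ComboFix quarantine, installed executables), which is the triage a helper does by eye when reading a log like this one, and it cross-checks the report's own Infected count against the ALERT lines parsed.

```python
import re
from collections import Counter

# Constructed sample in the scancl report format (paths shortened, not the poster's log).
SAMPLE_REPORT = """\
Avira / Linux Version 1.9.152.0
Scan start time: Sun Jul 31 23:54:44 2011
ALERT: [TR/Dldr.Karagany.A.287] /media/Devices/sda2/Documents and Settings/user/Application Data/Sun/Java/Deployment/cache/6.0/37/25dfa8e5-6e01e5db <<< Is the Trojan horse TR/Dldr.Karagany.A.287 [renamed]
ALERT: [EXP/CVE-2010-0840.BG] /media/Devices/sda2/Documents and Settings/user/Application Data/Sun/Java/Deployment/cache/6.0/37/29212065-2d90d690 --> folder/Glocker.class <<< Contains signature of the exploits EXP/CVE-2010-0840.BG [archive scan abort]
WARNING: [Unsupported archive type] /media/Devices/sda2/Documents and Settings/user/My Documents/game.iso
ALERT: [W32/PatchLoad.A] /media/Devices/sda2/Program Files/Intel/Wireless/Bin/RegSrvc.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]
ALERT: [W32/PatchLoad.A] /media/Devices/sda2/WINDOWS/system32/wuauclt.exe <<< Contains signature of the Windows virus W32/PatchLoad.A [renamed]
ALERT: [BDS/ZAccess.dg] /media/Devices/sda2/WINDOWS/assembly/GAC_MSIL/Desktop.ini <<< Contains a signature of the (dangerous) backdoor program BDS/ZAccess.dg Backdoor server programs [renamed]
ALERT: [TR/Crypt.ZPACK.Gen] /media/Devices/sda2/System Volume Information/_restore{GUID}/RP0/A0008021.exe <<< Is the Trojan horse TR/Crypt.ZPACK.Gen [renamed]
Statistics :
Infected.............. : 6
Warnings.............. : 1
"""

# ALERT: [signature] path [--> archive member] <<< description [action taken]
ALERT_RE = re.compile(
    r"^ALERT: \[(?P<sig>[^\]]+)\] (?P<path>.+?)"
    r"(?: --> (?P<member>.+?))? <<< (?P<desc>.+?) \[(?P<action>[^\]]+)\]$"
)
WARNING_RE = re.compile(r"^WARNING: \[(?P<reason>[^\]]+)\] (?P<path>.+)$")
STAT_RE = re.compile(r"^(?P<name>[A-Za-z]+)\.* : (?P<value>\d+)$")
MOUNT_RE = re.compile(r"^/media/Devices/[^/]+/")  # the rescue CD mounts the NTFS volume here


def classify(rel_path):
    """Bucket a path (relative to the volume root) by what it tells the responder."""
    low = rel_path.lower()
    if "/sun/java/deployment/cache/" in low:
        return "java-cache"        # drive-by exploit leftovers, not a running infection
    if low.startswith("system volume information/"):
        return "system-restore"    # old restore points; inert unless restored
    if "/qoobox/quarantine/" in low:
        return "quarantine"        # already neutralised by ComboFix
    if low.startswith("program files/") or low.startswith("windows/system32/"):
        return "installed-binary"  # legitimate executables, i.e. likely patched on disk
    return "other"


def parse_report(text):
    """Split a scancl report into alert records, warning records and the Statistics block."""
    alerts, warnings, stats = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := ALERT_RE.match(line):
            rel = MOUNT_RE.sub("", m["path"])
            alerts.append({**m.groupdict(), "rel": rel, "bucket": classify(rel)})
        elif m := WARNING_RE.match(line):
            warnings.append({"reason": m["reason"], "path": MOUNT_RE.sub("", m["path"])})
        elif m := STAT_RE.match(line):
            stats[m["name"].lower()] = int(m["value"])
    return {"alerts": alerts, "warnings": warnings, "stats": stats}


def summarize(report):
    """Counts by signature and location, plus the list a helper cares about most:
    installed executables carrying a W32/ (Windows virus, i.e. file-infector) signature."""
    alerts = report["alerts"]
    patched = [a["rel"] for a in alerts
               if a["bucket"] == "installed-binary" and a["sig"].startswith("W32/")]
    reported = report["stats"].get("infected")
    return {
        "by_signature": Counter(a["sig"] for a in alerts),
        "by_bucket": Counter(a["bucket"] for a in alerts),
        "patched_system_files": patched,
        "reported_infected": reported,
        "count_matches": reported == len(alerts),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(parse_report(text))
    for sig, n in s["by_signature"].most_common():
        print(f"{n:3d}  {sig}")
    print("by location:", dict(s["by_bucket"]))
    print("installed executables with a file-infector signature:", *s["patched_system_files"], sep="\n  ")
    print("reported Infected count matches parsed ALERT lines:", s["count_matches"])
```

Pass a saved report path as the first argument to run it on a real log; with no argument it summarises the constructed sample.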

Re: Google Redirect Virus

Post by Kenny94 on Wed 03 Aug 2011, 2:36 am

You must first verify that you can logon to the Windows Recovery Console. ComboFix should have installed one for you.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

Please download maxhandle.exe by noahdfear to your desktop

  • Double click and run the application
  • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals (every time it is run).
  • Log is saved to c:\maxhandle.txt
  • If Max++ is not found Nothing found! is echoed to the screen - no log is produced.
Please post this log.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Wed 03 Aug 2011, 3:34 am

I now have Windows Recovery Console installed. Am I to boot up in Recovery Console mode and run it?

I have downloaded maxhandle.exe onto a USB and added it to my desktop, but each time I attempt to run it, it brings a request for which program to download/open the file with - Adobe, media player, Windows picture viewer etc etc.

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Wed 03 Aug 2011, 11:41 am

run it brings a request for which program to download/open file with - Adobe, media player, windows picture viewer etc etc
Does this happen with other applications? Example Malwarebytes?



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Wed 03 Aug 2011, 8:39 pm

It happens with all current applications on my desktop, including Internet Explorer and Malwarebytes, asking which program I would like to open with.

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Wed 03 Aug 2011, 11:05 pm

We need to do an extension fix:

Open Notepad and copy and paste the text present in the Codebox below into it:
(don't forget to copy and paste REGEDIT4)


Code:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
It should look like this:

Double-click on it and, when it asks you if you want to merge the contents into the registry, click yes/ok.

Please Reboot your computer.

Then run maxhandle.exe



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7
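A check for the .exe file association that the fix.reg above repairs, added here as an example and not anything from the thread. It assumes a stock Windows layout in which HKCR\exefile\shell\open\command defaults to "%1" %* (general Windows knowledge, not stated in the thread); the registry snapshots are constructed, and reading the live registry needs Windows.

```python
import sys

# Default value of HKCR\exefile\shell\open\command on a stock Windows install
# (general Windows knowledge; the thread's fix.reg does not touch this key).
EXPECTED_COMMAND = '"%1" %*'

# (hive, subkey) pairs the thread's fix.reg deletes or sets, plus the exefile verb above.
KEYS_OF_INTEREST = [
    ("HKCR", r".exe"),
    ("HKCR", r".exe\shell\open\command"),
    ("HKCR", r"exefile\shell\open\command"),
    ("HKCR", r"secfile"),
    ("HKCU", r"Software\Classes\.exe\shell\open\command"),
    ("HKCU", r"Software\Classes\secfile"),
]


def _under(key, hive, subkey):
    """True if snapshot key (hive, path, value_name) is subkey itself or lies beneath it."""
    return key[0] == hive and (key[1] == subkey or key[1].startswith(subkey + "\\"))


def audit_exe_association(snapshot):
    """snapshot maps (hive, subkey, value_name) -> data; keys that do not exist are simply absent.
    Returns a list of findings; an empty list means the .exe association looks stock."""
    findings = []
    default = snapshot.get(("HKCR", ".exe", ""))
    if default != "exefile":
        findings.append(f"HKCR\\.exe default is {default!r}, expected 'exefile'")
    # A shell\open\command directly under .exe (HKCU is consulted before HKCR) overrides
    # the exefile verb for every program started by double-click, hence the Open With prompt.
    for hive, subkey in (("HKCU", r"Software\Classes\.exe\shell\open\command"),
                         ("HKCR", r".exe\shell\open\command")):
        if (hive, subkey, "") in snapshot:
            findings.append(f"{hive}\\{subkey} exists: {snapshot[(hive, subkey, '')]!r}")
    for hive, subkey in (("HKCR", "secfile"), ("HKCU", r"Software\Classes\secfile")):
        if any(_under(k, hive, subkey) for k in snapshot):
            findings.append(f"{hive}\\{subkey} present; 'secfile' is not a stock ProgID")
    cmd = snapshot.get(("HKCR", r"exefile\shell\open\command", ""))
    if cmd != EXPECTED_COMMAND:
        findings.append(f"HKCR\\exefile\\shell\\open\\command is {cmd!r}, expected {EXPECTED_COMMAND!r}")
    return findings


def simulate_fix_reg(snapshot):
    r"""Apply to a snapshot exactly what the thread's fix.reg does: each [-Key] line removes
    that key and everything under it, and the [HKEY_CLASSES_ROOT\.exe] block sets two values."""
    deleted = [("HKCU", r"Software\Classes\.exe\shell\open\command"),
               ("HKCU", r"Software\Classes\secfile"),
               ("HKCR", r".exe\shell\open\command"),
               ("HKCR", r"secfile")]
    fixed = {k: v for k, v in snapshot.items() if not any(_under(k, h, s) for h, s in deleted)}
    fixed[("HKCR", ".exe", "")] = "exefile"
    fixed[("HKCR", ".exe", "Content Type")] = "application/x-msdownload"
    return fixed


def read_live_snapshot():
    """Build a snapshot from the live registry (Windows only; stdlib winreg)."""
    import winreg
    hives = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, subkey in KEYS_OF_INTEREST:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snap[(hive, subkey, "")] = winreg.QueryValue(key, None)  # the key's default value
        except OSError:
            pass  # key absent, which is the healthy state for most of these
    return snap


# Constructed snapshots: a stock system, and the hijack pattern the fix.reg targets
# (the hijacker path is a placeholder, not an indicator from the thread).
HEALTHY = {
    ("HKCR", ".exe", ""): "exefile",
    ("HKCR", r"exefile\shell\open\command", ""): EXPECTED_COMMAND,
}
HIJACKED = {
    ("HKCR", ".exe", ""): "secfile",
    ("HKCR", "secfile", ""): "",
    ("HKCR", r"exefile\shell\open\command", ""): EXPECTED_COMMAND,
    ("HKCU", r"Software\Classes\.exe\shell\open\command", ""): r'"C:\CONSTRUCTED\hijacker.exe" "%1" %*',
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else HIJACKED
    for line in audit_exe_association(snap) or ["no findings"]:
        print(line)
```

Running simulate_fix_reg on the hijacked snapshot clears every finding, and it also shows the caveat that the fix.reg leaves HKCR\exefile\shell\open\command alone, so a hijack of that verb would survive it.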

Re: Google Redirect Virus

Post by jay_b on Wed 03 Aug 2011, 11:45 pm

Just to confirm, I extracted the files from Maxhandle.exe and ran 'hand.bat', as it would not allow me to run it by double-clicking the maxhandle icon saved onto my desktop.

Maxhandle.txt:


Run from on 03/08/2011 at 13:43:03.10

found C:\WINDOWS\system32\config\rkdannio


jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Thu 04 Aug 2011, 1:34 am

Run TDSSKiller as you did in post 10. Post this log please.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Thu 04 Aug 2011, 1:56 am

Downloaded new TDSSKiller to desktop.
Unable to run; same message each time I attempt to run it: it brings a request for which program to download/open the file with - Adobe, media player, Windows picture viewer etc etc.

I have saved it to the C: drive and right-clicked and tried 'run as'.

Warning appears: 'Can't initialize log'
followed by
'Can't load driver'

I have tried renaming the application and carried out both of the above, desktop and C: drive, with the same results.

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Thu 04 Aug 2011, 3:13 am

TDSSKiller needs to be on your desktop. Then, make sure extensions are shown; see here how to do this.

Then run TDSSkiller.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Thu 04 Aug 2011, 4:05 am

TDSSKiller on desktop, file extensions shown, but same errors:

Warning appears: 'Can't initialize log'
followed by
'Can't load driver'

When I boot up the PC I get the following error message:

'UScroL setup has encountered a problem and needs to close'

Not sure if this causes any issues.


jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Thu 04 Aug 2011, 4:20 am

Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below



Note: Do not take action against any **Rootkit** entries until I have reviewed the log.

  • Once the scan finishes click Save log to save the log to your Desktop

  • Copy and paste the contents of aswMBR.txt back here for review



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Thu 04 Aug 2011, 5:20 am

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-03 19:05:39
-----------------------------
19:05:39.000 OS Version: Windows 5.1.2600 Service Pack 3
19:05:39.000 Number of processors: 1 586 0xD08
19:05:39.000 ComputerName: ABEXL0002 UserName:
19:05:39.609 Initialize success
19:06:53.312 AVAST engine defs: 11080301
19:07:41.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:07:41.156 Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
19:07:43.515 Disk 0 MBR read successfully
19:07:43.515 Disk 0 MBR scan
19:07:43.546 Disk 0 Windows XP default MBR code
19:07:43.546 Disk 0 scanning sectors +117210240
19:07:43.750 Disk 0 scanning C:\WINDOWS\system32\drivers
19:07:57.375 Service scanning
19:07:58.859 Modules scanning
19:08:03.390 Disk 0 trace - called modules:
19:08:03.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
19:08:03.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fc75e0]
19:08:03.421 3 CLASSPNP.SYS[f7587fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f5c940]
19:08:03.843 AVAST engine scan C:\WINDOWS
19:08:20.343 AVAST engine scan C:\WINDOWS\system32
19:10:18.281 File: C:\WINDOWS\system32\wuauclt.exe.vir **INFECTED** Win32:Patched-WQ [Trj]
19:10:22.453 AVAST engine scan C:\WINDOWS\system32\drivers
19:10:38.921 AVAST engine scan C:\Documents and Settings\abbeyfield
19:10:40.500 File: C:\Documents and Settings\abbeyfield\Application Data\Adobe\plugs\mmc2409671.txt **INFECTED** Win32:MalOb-DT [Cryp]
19:11:34.562 File: C:\Documents and Settings\abbeyfield\Application Data\Sun\Java\Deployment\cache\6.0\63\5f91807f-5e90eac4 **INFECTED** Win32:Trojan-gen
19:17:14.937 AVAST engine scan C:\Documents and Settings\All Users
19:18:51.968 Scan finished successfully
19:19:26.328 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
19:19:26.375 The log file has been saved successfully to "E:\aswMBR.txt"



jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Fri 05 Aug 2011, 1:47 am

ComboFix should run and finish but, let's remove AVG:

Use the uninstaller below:

Please download AppRemover to your Desktop. Double-click AppRemover.exe.
Untick Enable anonymous usage statistic.
Click Next>>. Select AVG and click Next>>.
By clicking Next>> again, AppRemover will start the uninstall process. This may take a few minutes.
Once completed you may be prompted to restart your system. Please do so.


Note

If AVG is not listed, rerun AppRemover and select "Clean Up a Failed Uninstall". Select AVG and follow the prompts.

Delete the copy of ComboFix you have & download it again from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! RENAME ComboFix.exe to Commy.exe BEFORE you save it to your Desktop**

And follow the instructions in the ComboFix post. And post the log please.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Google Redirect Virus

Post by jay_b on Fri 05 Aug 2011, 4:07 am

Installed AppRemover, ran as instructed but nothing found.

Downloaded and ran ComboFix as Commyfix; it does not complete, has run for 2 hours.

Shall I rerun and leave it until complete?

jay_b
Rookie Surfer
Posts : 63
Joined : 2011-06-24
Operating System : xp

Re: Google Redirect Virus

Post by Kenny94 on Fri 05 Aug 2011, 5:00 am

ComboFix takes at least 20-30 minutes to finish if needed, so two hours is too long.

On your keyboard press Ctrl-Alt-Delete to bring up Task Manager. Open Task Manager and click the "New Task" button. Then copy/paste the following bolded text into the Create New Task box and click OK:

"%userprofile%\Desktop\Commy.exe"

ComboFix should run again. When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply.



Kenny94
Tech Officer
Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7
