Author Topic: Google Redirect Virus  (Read 18372 times)


GorakPrime

  • Guest
Google Redirect Virus
« on: July 09, 2011, 02:03:10 AM »
I've tried everything (nearly) to get rid of this. And by this, I mean the whole running a Google search, clicking on a link, and being directed to an ad. First, it redirected me to scour.com, then after I did some virus scanning, it started redirecting me to google.doubeclick.com or something to that effect. Now it directs me to 64.111.211.158, and though Avast blocks it before loading, it's really starting to annoy me. I've scanned with McAfee (when I had it), Avast, Spybot, Malwarebytes, and taken the following steps.

So far, I've followed a few tutorials that had me going into C:\WINDOWS\system32\drivers\etc\hosts to delete everything below the 127.0.0.1 localhost entry. Currently this is still clean.

I pretty much did everything here.

I then ran TDSSKiller, which I thought removed the virus because it seemed to stop after awhile. Present scans do not show anything.

I then ran HitmanPro35--which, again--removed a ton of cookie trackers and whatnot, but the virus persisted. These cookie trackers seem to always come back, too, which is pretty great.

I've also run CCleaner, which seemed to shave off a few temp files and fix a few registry entries, but in all, didn't do much.

Avast, Spybot, Windows, etc. are all up to date.

I have pretty much run out of ideas. I just recently switched to Avast from McAfee, and this issue may or may not have started right around that time. (I pretty much hate McAfee, regardless, though).

Lastly, I saw on a previous post that running OST and pasting that text seemed to help that fellow. I have yet to try it as I am not sure if that text is person-specific or not. Mainly, I am just sort of worn down from fighting this dumb thing.

Any help would be super, super awesome. Thanks in advance.
« Last Edit: July 09, 2011, 02:05:49 AM by GorakPrime »
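
The hosts-file step described in the opening post (deleting everything below the `127.0.0.1 localhost` line) throws away information a responder might want. Below is an added example, not code from the thread or from any of the tools named in it, that audits the hosts file read-only and reports each active mapping with a severity, so you can see what a cleanup would remove and whether any entry redirects (points a name at a foreign address) rather than merely blocks it. It assumes Windows PowerShell 3 or later; the function name `Get-HostsFindings`, the `$watchList` of sensitive domains and the severity labels are my own constructions, and `$HostsPath` may be pointed at a saved copy of the file.

```powershell
# Added example, not part of the thread: audit the hosts file instead of
# blindly deleting everything below the localhost line. Reports each active
# mapping with a severity so you can see what a cleanup would remove.
# Assumes Windows PowerShell 3+; $HostsPath may point at a saved copy.

function Get-HostsFindings {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")

    # Mapping a name to a loopback/unspecified address blocks it (ad-blocker
    # style) rather than redirecting it, so such entries are low severity.
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')
    # Names that are never legitimately overridden on a home PC. Constructed
    # watch-list for this example; extend it for your environment.
    $watchList = @('google.', 'bing.', 'yahoo.', 'doubleclick.', 'microsoft.',
                   'windowsupdate.', 'avast.', 'mcafee.', 'malwarebytes.')
    # Entries shipped in the default file (on Windows 7+ they are commented out).
    $defaultNames = @('localhost', 'localhost.localdomain', 'broadcasthost')

    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $HostsPath -ErrorAction Stop) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()      # drop trailing comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) {
            [pscustomobject]@{ Line=$lineNo; Address=$line; Name=''; Severity='Warn'; Note='Malformed entry' }
            continue
        }
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $lname = $name.ToLowerInvariant()
            if ($defaultNames -contains $lname -and $sinkholes -contains $address) { continue }
            $watched = [bool]($watchList | Where-Object { $lname.Contains($_) })
            if ($sinkholes -contains $address) {
                # Blocking an update or AV vendor domain is still a finding.
                $sev  = if ($watched) { 'High' } else { 'Low' }
                $note = 'Blocked (sinkholed), not redirected'
            } else {
                $sev  = if ($watched) { 'Critical' } else { 'High' }
                $note = "Redirects to $address"
            }
            [pscustomobject]@{ Line=$lineNo; Address=$address; Name=$name; Severity=$sev; Note=$note }
        }
    }

    # Cleanup tools often leave dated backups beside the file (the OTS log in
    # this thread lists several); they record what was there before each pass.
    $dir = Split-Path -Parent $HostsPath
    foreach ($bak in Get-ChildItem -Path $dir -Filter 'hosts.*' -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Line=0; Address=''; Name=$bak.Name; Severity='Info'; Note="Backup from $($bak.LastWriteTime)" }
    }
}

Get-HostsFindings | Sort-Object Line | Format-Table -AutoSize
```

Run it from an elevated prompt before and after any cleanup and keep the two outputs; a redirect entry that reappears after removal is evidence that something still running on the machine is rewriting the file, which is the situation the thread is chasing.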

com155

  • Guest
Re: Google Redirect Virus
« Reply #1 on: July 09, 2011, 06:01:41 AM »
OK, do you mean OTS? Then please run it like so:

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.
Edited to add custom scans

Please ensure that all logs are saved in the ANSI format

GorakPrime

  • Guest
Re: Google Redirect Virus
« Reply #2 on: July 09, 2011, 06:33:06 AM »
I did as you instructed, I think. Here is the log. I hope it's in the correct format.

Thanks again.

com155

  • Guest
Re: Google Redirect Virus
« Reply #3 on: July 09, 2011, 06:57:17 AM »
Saw the log; please follow the fix.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > ->
YN->HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
YN->{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
YN->{5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
[Files/Folders - Modified Within 30 Days]
 NY-> C:\WINDOWS\Qzewoxoyiviyifa.dat
 NY-> C:\WINDOWS\System32\d3d9caps.dat
[Files - No Company Name]
 NY-> C:\WINDOWS\System32\drivers\atksgt.sys
NY-> C:\WINDOWS\Rqibarohijepu.bin
NY-> C:\Documents and Settings\Matthew Elwell\Local Settings\Application Data\x10e05rp0it3eboqp5
NY-> C:\WINDOWS\System32\drivers\atksgt.sys
NY-> C:\WINDOWS\System32\drivers\lirsgt.sys
NY-> C:\Documents and Settings\Matthew Elwell\Local Settings\Application Data\x10e05rp0it3eboqp5
NY-> C:\Documents and Settings\All Users\Application Data\x10e05rp0it3eboqp5
NY-> C:\Documents and Settings\Matthew Elwell\Application Data\wklnhst.dat
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
« Last Edit: July 09, 2011, 07:00:41 AM by com155 »

GorakPrime

  • Guest
Re: Google Redirect Virus
« Reply #4 on: July 09, 2011, 07:38:10 AM »
Pasted the text, ran the fix, etc. Attached is the log.

Thanks!

com155

  • Guest
Re: Google Redirect Virus
« Reply #5 on: July 09, 2011, 07:40:22 AM »
so is the problem fixed?

GorakPrime

  • Guest
Re: Google Redirect Virus
« Reply #6 on: July 09, 2011, 07:50:38 AM »
I think it might be. Which, I know, sounds silly. It's happened a few times since the "fix," but it's not EVERY time like before.


com155

  • Guest
Re: Google Redirect Virus
« Reply #7 on: July 09, 2011, 08:08:59 AM »
OK, we killed the main baddie, but his buddies are still alive; we need to kill them too. For that, do this:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
YN-> C:\Documents and Settings\Matthew Elwell\Application Data\Mozilla\FireFox\Profiles\ww1xylvv.default\prefs.js ->
YN->browser.startup.homepage -> "http://www.google.com" ->
[Files/Folders - Modified Within 30 Days]
NY-> C:\XP_TV.ini
NY-> C:\hpqp.ini
NY-> C:\WINDOWS\System32\drivers\etc\hosts
NY-> C:\WINDOWS\Rqibarohijepu.bin
NY-> C:\WINDOWS\System32\CONFIG.NT
NY-> C:\Documents and Settings\Matthew Elwell\Desktop\Setup.lnk
NY-> C:\WINDOWS\tasks\Driver Robot.job
NY-> C:\Documents and Settings\Matthew Elwell\Desktop\LLRO.lnk
NY-> C:\WINDOWS\System32\perfh009.dat
NY-> C:\WINDOWS\System32\perfc009.dat
NY-> C:\WINDOWS\Qzewoxoyiviyifa.dat
NY-> C:\WINDOWS\System32\drivers\etc\hosts.20110626-211737.backup
NY-> C:\WINDOWS\System32\drivers\etc\hosts.20110619-103932.backup
NY-> C:\WINDOWS\System32\drivers\etc\hosts.20110618-212720.backup
[Files - No Company Name]
NY-> C:\WINDOWS\System32\.crusader
NY-> C:\WINDOWS\System32\physxcudart_20.dll
NY-> C:\WINDOWS\IFinst27.exe
NY-> C:\WINDOWS\System32\mlfcache.dat
NY-> C:\WINDOWS\NSSetDefaultBrowser.EXE
NY-> C:\WINDOWS\NSSetDefaultBrowser.ini
NY-> C:\WINDOWS\System32\iyvu9_32.dll
NY-> C:\WINDOWS\devenum.exe
NY-> C:\WINDOWS\System32\rixdicon.dll
NY-> C:\WINDOWS\System32\qt-mt331.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in. Tell me whether this was helpful or not in terminating the problem.

« Last Edit: July 09, 2011, 08:34:53 AM by com155 »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Google Redirect Virus
« Reply #8 on: July 09, 2011, 09:06:00 AM »
@com155
Can you please explain to me how you determined that these lines you've fixed are malicious?


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Google Redirect Virus
« Reply #9 on: July 09, 2011, 09:26:43 AM »
If he follows his earlier scheme, he finds an OTS fix that looks nice... and then he copies and pastes.

One fix fits all...

com155

  • Guest
Re: Google Redirect Virus
« Reply #10 on: July 09, 2011, 09:27:54 AM »
@magna86
Well, each fix is different. You have to read a log several times and carefully determine whether a file is legitimate or not. For example: if you see a file in system32 named ftdisk.sys, you will think that this is a file for the hard drive, but if you carefully check it you will find that it doesn't have any company name in its properties, and you can easily say it can be a rootkit. In the above case atksgt.sys is a TDL3 rootkit.
« Last Edit: July 09, 2011, 09:30:57 AM by com155 »

com155

  • Guest
Re: Google Redirect Virus
« Reply #11 on: July 09, 2011, 09:29:04 AM »
@pondus
This is no copy-pasted fix; it took me almost 15 minutes to make this fix.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Google Redirect Virus
« Reply #12 on: July 09, 2011, 09:38:55 AM »
Quote
Well, each fix is different. You have to read a log several times and carefully determine whether a file is legitimate or not. For example: if you see a file in system32 named ftdisk.sys, you will think that this is a file for the hard drive, but if you carefully check it you will find that it doesn't have any company name in its properties, and you can easily say it can be a rootkit. In the above case atksgt.sys is a TDL3 rootkit.

OK, thanks for explaining the procedure to me.
So if I understand you, these drivers are malicious?

C:\WINDOWS\System32\drivers\atksgt.sys
C:\WINDOWS\System32\drivers\lirsgt.sys

And please can you explain to me how you determine BHOs CLSID ( Browser Helper Object ) as good or bad?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670}
{5C255C8A-E604-49b4-9D64-90988571CECB}

What do you think of these files?
C:\WINDOWS\System32\d3d9caps.dat
C:\WINDOWS\System32\perfh009.dat

There are even more files to look at, but unfortunately I have not much time available.

And a rootkit in system32?  :D

com155

  • Guest
Re: Google Redirect Virus
« Reply #13 on: July 09, 2011, 09:47:22 AM »
As you see, rootkits normally reside in system32 folders, and speaking about those .dat files, they also look malicious according to the info that I have.
BHOs are normally hard to identify as malicious; you need to carefully examine their name and their source. For example: normally BHOs don't create or multiply, but the BHOs in the above case have multiplied into several source codes. Such BHOs are normally responsible for redirection. In simple words, BHOs that have the name of unknown sites in front of them are considered to be malicious. Here, in the above case, the BHOs have been made by the rootkit to redirect the user.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Google Redirect Virus
« Reply #14 on: July 09, 2011, 10:10:36 AM »
Quote
As you see, rootkits normally reside in system32 folders

Nope. Rootkits are drivers.
A rootkit itself does not need to be malware.
http://en.wikipedia.org/wiki/Rootkit
Question: Does some antivirus software install its own rootkit?
Why?

Quote
BHOs are normally hard to identify as malicious
Wrong. You need to know the difference between registry values, entries and files, and you also need to know how to read a BHO's CLSID.

C:\WINDOWS\System32\drivers\atksgt.sys <-- Related to atksgt.sys protection of game CDs
http://www.greatis.com/appdata/a/a/atksgt.sys.htm

C:\WINDOWS\System32\drivers\lirsgt.sys <-- Related to lirsgt.sys Tages copy protection system
http://www.greatis.com/appdata/a/l/lirsgt.sys.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4efb-9B51-7695ECA05670} <-- related to Yahoo messenger
{5C255C8A-E604-49b4-9D64-90988571CECB} <-- related to Windows live messenger addon.

C:\WINDOWS\System32\d3d9caps.dat <-- DirectX Direct3D
C:\WINDOWS\System32\perfh009.dat <-- XP Performance Monitor


There are even more files to look at, but unfortunately I have no time for this.
===========

@com155 ...Please do not use malware removal tools if you have not passed training for them.  ;)
Thanks for your attention  ;)

You want to learn how to fight malware?
http://www.bleepingcomputer.com/forums/topic86678.html



« Last Edit: July 09, 2011, 10:17:37 AM by magna86 »
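
The disagreement above is about evidence: com155 judges a driver by its folder and by the absence of a company name, while magna86 resolves each driver and BHO CLSID to what it actually is. Below is an added example, not code from the thread or from OTS, that applies the second approach on a live machine: for every driver in `System32\drivers` and every registered Browser Helper Object it records the version-resource company name, the Authenticode signature status and signer, and a SHA-256 hash, then resolves each BHO CLSID through `HKCR\CLSID\{clsid}\InprocServer32` to the DLL that really loads into the browser. It assumes Windows PowerShell 4 or later (for `Get-FileHash`) in an elevated session; the function names `Get-FileProvenance` and `Get-BhoProvenance` and the verdict wording are my own constructions, and the verdicts are triage hints for a hash lookup, not convictions.

```powershell
# Added example, not part of the thread: decide "legitimate or not" for a
# driver or BHO from evidence (version resource, Authenticode signature,
# hash), not from its file name or folder. Assumes Windows PowerShell 4+
# (Get-FileHash) in an elevated session; the verdicts are triage hints.

function Get-FileProvenance {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path=$Path; Company=$null; Signature='Missing'; Signer=$null; Sha256=$null
                                  Verdict='File not found: stale or fake registry entry' }
    }
    $info   = (Get-Item -LiteralPath $Path).VersionInfo
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $status = "$($sig.Status)"
    # Many in-box Microsoft drivers carry no embedded signature and are vouched
    # for by a signed catalog; depending on the Windows/PowerShell version they
    # can show as NotSigned. So NotSigned means "look closer", never "malicious".
    $verdict = switch ($status) {
        'Valid'     { "Signed by $signer" }
        'NotSigned' { if ($info.CompanyName) { "Unsigned; claims '$($info.CompanyName)': check catalog/hash" }
                      else { 'Unsigned and no company name: look up the hash' } }
        default     { "Signature $status (tampered or untrusted chain): look up the hash" }
    }
    [pscustomobject]@{ Path=$Path; Company=$info.CompanyName; Signature=$status; Signer=$signer
                       Sha256=$sha256; Verdict=$verdict }
}

function Get-BhoProvenance {
    param([switch]$Wow64)
    # 32-bit BHOs on 64-bit Windows register under Wow6432Node (the thread's
    # OTS custom scan used a /64 switch for the same reason).
    $node   = if ($Wow64) { 'Wow6432Node\' } else { '' }
    $bhoKey = "HKLM:\SOFTWARE\${node}Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (-not (Test-Path -Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid = $sub.PSChildName
        # The BHO key only lists a CLSID; the DLL that actually loads into the
        # browser is the InprocServer32 default value under HKCR\CLSID\{clsid}.
        $clsKey = "Registry::HKEY_CLASSES_ROOT\${node}CLSID\$clsid"
        $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) {
            [pscustomobject]@{ Clsid=$clsid; Name=$name; Path=$null; Company=$null; Signature='None'; Sha256=$null
                               Verdict='CLSID has no InprocServer32: orphaned or hidden registration' }
            continue
        }
        $prov = Get-FileProvenance -Path ([Environment]::ExpandEnvironmentVariables($dll).Trim('"'))
        [pscustomobject]@{ Clsid=$clsid; Name=$name; Path=$prov.Path; Company=$prov.Company
                           Signature=$prov.Signature; Sha256=$prov.Sha256; Verdict=$prov.Verdict }
    }
}

# Drivers worth a second look: anything not validly signed or lacking a company name.
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
    ForEach-Object { Get-FileProvenance -Path $_.FullName } |
    Where-Object { $_.Signature -ne 'Valid' -or -not $_.Company } |
    Format-Table Path, Company, Signature, Verdict -AutoSize

# Every BHO, native and Wow64, with the DLL it resolves to.
Get-BhoProvenance        | Format-Table Clsid, Name, Path, Signature, Verdict -AutoSize
Get-BhoProvenance -Wow64 | Format-Table Clsid, Name, Path, Signature, Verdict -AutoSize
```

Read the output the way magna86 reads the OTS log: a copy-protection driver with a vendor signature and a matching public hash is noise, a BHO whose CLSID resolves to a known messenger add-on is noise, while a driver that is unsigned, has no company name and whose hash nobody has seen before is the one entry worth escalating. The hash column is what turns "looks suspicious" into something another responder can verify.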