TechSpot

Antivirus 2009 and Google redirect virus

By riellyb
Nov 18, 2008
Topic Status:
Not open for further replies.
  1. Last night I got a pop up balloon in my taskbar on the bottom right claiming that windows had found spyware on my machine. Next it automatically downloaded Antivirus 2009. Then when I tried to search for a spyware removal tool on google all the search result links redirected to go.google.com and brought me to different sites. I had heard about Malewarebytes at my job and tried to download it but when it tried to connect to it's server to install it was being redirected to 127.0.0.1(Home). This was very infuriating. I Found a fix that involved downloading Dr.Web on another computer and running it off a flash drive. I found this site after that worked. I have done all eight steps and my machine seems to be back to normal. My logs are attached. Thank you very much for any help you can give me.

    Attached Files:

  2. rf6647

    rf6647 TS Maniac Posts: 931

    Welcome to TS.- - Say Yeah!

    Pardon my exhuberance. I couldn’t contain myself. You are to be congratulated for staying cool while under the gun. Your approach saves us a lot of work to complete the analysis.

    From the details you report, I infer that no residual symptoms of an infection are apparent to you. That’s encouraging.

    Please consider sharing details of the Dr. Web software that was so effective. It sounds like the Rx we need to overcome the bug that bit you. Here is the free version I found, but I want to be sure.
    freedrweb/cureit/


    - - - Next ----

    Sample removal of files associated with infection

    Run MBAM - do not scan
    > More Tools > Run Tool (FileAssassin)

    Copy and paste the line in the box to "File Name" and click open.

    Code:
     Standard 'open' dialog box presented;  Msg - no file  > if deleted by tools
    C:\Windows\System32\Drivers\beep.sys
    C:\Windows\System32\brastk.exe
    C:\Windows\System32\karna.dat
    Restart the computer

    Scan with HJT, tick & Fix the following
    Code:
    O20 - AppInit_DLLs: karna.dat
    Exit & restart the computer.

    The direction from here will be to update MBAM & SAS.

    Scan with MBAM, quick mode. Repeat this scan until achieving 0 infections or no further progress is made.

    Scan with MBAB, complete mode,

    Scan with SAS.

    Post logs : MBAB, SAS, HJT (all MBAB logs with infections)

    Please share details of your progress & state observations of what you consider unusual that should be considered.

    Background of the analysis –
    Need Database version > 1400; Memory process NOT ended:
    Malwarebytes' Anti-Malware 1.30 Database version: 1306 11/18/2008 12:07:06 PM
    Scan type: Full Scan (C:\|) Objects scanned: 171558 Time elapsed: 1 hour(s), 56 minute(s)
    Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 2
    Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 12
    Memory Processes Infected: (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

    v2.0.2 Scan saved at 1:36:55 PM, on 11/18/2008
    XP SP3 MSIE: v7.00 Boot mode: Normal
    O20 - AppInit_DLLs: karna.dat - - > MBAM stale; observe effect of latest version to correct
    Suspicious:
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    Not confirmed by O22 - - > HJT whitelist ? Have user to tick off updates (google)
  3. riellyb

    riellyb TS Rookie Topic Starter

    Yes that is the program I used. It worked because there is no need for the program to connect to server because it automatically runs without connecting to a server to download updates etc. I am not sure what site I got this tip from exactly. I remember I found it randomly in the comment section of a thread about the google redirect virus. This forum won't let me repost the link because this is only my second post. But the Link from above is right I believe.
  4. riellyb

    riellyb TS Rookie Topic Starter

    rf6647,

    I am unclear as to what you wrote after Next.
    Do you want me to update MBAM and SAS and rerun each scan?
    I am sorry but i found the language to be a bit comnfusing.
    thanks for your help
  5. rf6647

    rf6647 TS Maniac Posts: 931

    Updating the tools & rescanning is the essence.

    The extra steps I listed in this 'express' style is just me being lazy. They are general landmarks to follow.

    Using File Assassin (called from within MBAM) to individually delete the 3 files is a jiffy test to give me an idea if Dr. Web CureIt touched those areas.

    Use of restart the computer, forces the reload of the startup applications. Scans with HJT are more understandable when run following a restart.

    HJT is used to zap (from the registry) the O20 call to load the file, which for this run should show "missing file".

    From here it is 'drill - baby -drill'. This is where we Update the tools and scan untill we are clean or the number of detected infections does not change. Most often, it has been 1 additional scan of each program.

    For MBAM, a quick scan takes maybe 8 minutes. The complete scan takes 2 hours. So this is probably an increase of 8 minutes in the time it takes since if the vast majority of cases, the next scan is clean. The steps are written for the 'worst' case scenario.

    If MBAM logs contain entries with wording "reboot", then File Assassin I scheduled to run on startup. It does no good to re-scan until after the restart for this case.

    The last line of my last reply is put there to remind me to re-check the HJT log that is posted along with the other logs. If SAS detects this as an exploit, it will disappear. If it remains, then I interpretted that incorrectly.
  6. jimmyb

    jimmyb TS Rookie

    I had this trojan infect my computer, and I have been able to remove the files and prevent them from loading (I think), but there is a problem that still lingers that I can't resolve.

    When trying to access certain security websites, I am being redirected to 127.0.0.1. For example, when trying to go to 'malwarebytes' website from a browser, I am redirected to a localhost screen. I have looked in my HOSTS file, and no spurious hostnames have been added. In fact, I tried to add an entry for malwarebytes' with the correct TCP/IP address, but when I try pinging the site from a command prompt, the address shows 127.0.0.1. Likewise, when I try to update the malwarebytes software, I get an error message because it doesn't find the real IP address. Same goes for SpyBot. When trying to install, I get an error when I get to the part of the installation process that tries to access the SpyBot Search & Destroy website. I have tried 'ipconfig /flushdns', but that doesn't work. I have rebooted. That doesn't work. I also tried installing SpyBot and updating malwarebytes in Safe mode, but they were still being redirected to 127.0.0.1, so it has something to do with how XP resolves hostnames.

    Any ideas where Windows XP might be looking to resolve hostname-IP's?
  7. rf6647

    rf6647 TS Maniac Posts: 931

    Jimmyb begin your own thread

    Jimmyb, please begin a new thread to discus your problem. Use the link to the start page for this forum. Upper left portion of the page displays the 'new thread' . Click it & go from there.

    Your present description gives details about your problem that indicate you will be able to submit logs to begin the thread as detailed 8-step malware removal guide.. Your situation should include the last MBAM and/or SAS logs showing an infection in addition to the standard 3 logs. Alert us to this.

    A class of infections referred to as trojan.dnschanger may still be present on your computer / local network. The next suggestion is based on 'folklore' - it has not been validated. Disconnect all computers from the local network. Restart your computer. Restart router and/or modems in the network. Connect only this compter to the network. D/L updates for MBAM and SAS. Run scans. Report progress in your thread. Also report if folklore remedy to reset netork elements had no effect.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.