TechSpot

[Closed] Google redirect virus. Just started happening 2 days ago

By btbamman989
Jul 17, 2010
  1. Well, I spent almost all of today trying to resolve this. Did a lot of forum reading, and still this damn thing is beating me. Any help would be greatly appreciated.
    I'm going to start at the beginning. I noticed about a day ago that I was getting weird results when using Google, didn't really think anything of it, until I noticed that my girlfriend's computer was acting the same way. Every 2/3 times I would click on one of my Google results, it would open a new tab and redirect me to some different web site, a random one most of the time. One of the more common ones I think was spyzilla or something like that. So I tried updating Malwarebytes, AVG, Microsoft Security Essentials and running them in safe mode to see if I could find an infection. I found multiple infections on each scanner. Well, after about 5 hours of running all of them, and curing my system and hers of all the infections, I logged back on to my computer. The Google redirect problem is still on both computers, worse on hers. So I tried all the scanners again, and found some threats, got rid of them, and still the same problem. I also found out my room-mate has the same issue with Google. Also, before I forget to mention, after playing a game last night, Windows Media Center would open. This worries me.
    We all have a wireless connection to the neighbor's router, and this problem just started about 2 days ago.
    Any help at all would be great, but please ONLY PEOPLE WHO ARE WILLING TO WALK ME THROUGH EVERY STEP OF THE PROCESS. I spent way too long on this, and I would really like some intelligent feedback.
    PLEASE BE VERY DESCRIPTIVE. I have been tinkering with computers ever since I was 14, and this is actually the first time I was not able to solve my problem in one day...

    thanks in advance
     
  2. Broni

    Broni Malware Annihilator Posts: 52,899   +344

  3. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Hmm,

    do I just post my results back to here, in this thread? Or what is the best spot?
     
  4. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Well, just in case you wanted me to post here.

    Here are some attachments.
    I'm running Windows 7 64-bit, so no go on GMER.
     

    Attached Files:

  5. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  6. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Here you go.

    I could not copy and paste, so I'm including attachments, hope that will be ok.
     

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Which browser is getting redirected?

    ====================================================================

    You're running two AV programs, AVG and MSE. One of them has to go.
    If AVG, make sure to use AVG Remover: http://www.avg.com/us-en/download-tools

    =====================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4:[b]64bit:[/b] - HKLM..\Run: [RunDLLEntry] C:\Windows\system32\AmbRunE.DLL File not found
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20:[b]64bit:[/b] - Winlogon\Notify\LBTWlgn: DllName - Reg Error: Key error. - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
      O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O33 - MountPoints2\{25b2c56d-2da9-11df-a98f-806e6f6e6963}\Shell - "" = AutoRun
      O33 - MountPoints2\{25b2c56d-2da9-11df-a98f-806e6f6e6963}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
      O33 - MountPoints2\{260723ba-702f-11df-a5bc-e0cb4ea05ccd}\Shell - "" = AutoRun
      O33 - MountPoints2\{260723ba-702f-11df-a5bc-e0cb4ea05ccd}\Shell\AutoRun\command - "" = G:\steambackup.exe -- File not found
      O33 - MountPoints2\{601c6871-2dbc-11df-b6e0-806e6f6e6963}\Shell - "" = AutoRun
      O33 - MountPoints2\{601c6871-2dbc-11df-b6e0-806e6f6e6963}\Shell\AutoRun\command - "" = F:\.\setup.exe -- File not found
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
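
    The fix script above ends with `[resethosts]`, which has OTL reset the Windows hosts file to its default. As an added example (not part of the original post and not OTL's code), this Python audit shows what to look for in a hosts file when results are redirected or sites refuse to load; the sample file and its addresses are constructed.

```python
import ipaddress

# Constructed sample hosts file (addresses are from documentation ranges).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test          # sinkhole entry
203.0.113.10    www.google.com google.com # constructed redirect entry
203.0.113.10    www.facebook.com
not-an-ip       broken.example.test
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for each mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        for name in fields[1:]:                # one address may carry several names
            yield line_no, fields[0], name.lower()

def audit_hosts(text):
    """Return findings as (line_no, hostname, address, kind)."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, name, addr, "malformed"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            # Loopback/0.0.0.0 for anything but localhost makes that site unreachable.
            if name != "localhost":
                findings.append((line_no, name, addr, "blocked"))
        else:
            # Any other address overrides DNS and sends the name elsewhere.
            findings.append((line_no, name, addr, "redirect"))
    return findings

if __name__ == "__main__":
    for line_no, name, addr, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} [{kind}]")
```

    On Windows the file to check is `%SystemRoot%\System32\drivers\etc\hosts`; a default file produces no findings.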
     
  8. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    I have been using Google Chrome for months, tried I.E. when this started to happen, but it would not load a page. Also, I'm starting to get pop-ups now, and Chrome keeps crashing. Thanks for all the help so far, by the way. Attachments below.
     

    Attached Files:

  9. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.
     
  10. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Ok, so I ran the scan, first the express then the complete.
    The first scan did find one thing, but I did not get a chance to save the document. During the complete scan, my girlfriend tried to use my computer, and exited out of the program. So I lost the report for the first scan, but I did a complete scan again, and it didn't find anything.
     
  11. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Also, the virus still plagues me.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Is the redirection the only visible presence of something wrong?

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  13. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Well, it was at first, but when I first started this thread I had random things opening every so often, like Media Center for example. Other than that, my computer is running noticeably slower.

    Thursday, July 22, 2010
    Operating system: Microsoft (build 7600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, July 22, 2010 07:20:49
    Records in database: 4232257
    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes
    Scan area My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    Scan statistics
    Objects scanned 182741
    Threats found 0
    Infected objects found 0
    Suspicious objects found 0
    Scan duration 04:12:20

    No threats found. Scanned area is clean.
    Selected area has been scanned.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Do you still have pop-ups, or just redirection only?
     
  15. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Well, I get pop-ups every once in a while, mostly a popup of Google opens up. But I'm starting to get redirects from different sites other than Google, including this site. When I click on a link on this forum from time to time a new tab will open up, it will either be the page I clicked on, or some other random site. Also, it seems to prevent some sites from opening altogether, like Facebook for example. My computer has never acted this way before. Seems like whatever it is, it's buried deep.
     
  16. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Also, I tried to scan with Malwarebytes again, and the scan is taking way longer than usual. Seems to freeze up a lot.
     
  17. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    It's on 2hrs and 56 mins, and it usually takes 1hr 30 mins tops to scan everything in my computer.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Are you running full scan, or quick scan?
     
  19. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    A full scan.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Do you see any progress (file names changing at the bottom)?
     
  21. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Yeah, it's progressing, just really really slow.
     
  22. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Well, we have no choice but to wait.
     
  23. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    Ok. Do you think I'm infected with the normal redirect virus? Or multiple embedded viruses?
     
  24. btbamman989

    btbamman989 TS Rookie Topic Starter Posts: 18

    It found nothing.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4339

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    7/22/2010 7:34:06 PM
    mbam-log-2010-07-22 (19-34-06).txt

    Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|)
    Objects scanned: 319464
    Time elapsed: 3 hour(s), 33 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  25. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Your router may be infected.
    We need to hard reset it.
    Turn the computer off.

    On your router, you'll find a pinhole marked "Reset".
    Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
    Restart computer and check for redirections.
     
Topic Status:
Not open for further replies.
