Google redirect - steps followed, logs attached, please help

karajade · Apr 13, 2010

Google links redirect to spam sites both in IE and Firefox.

I tried to follow all the steps. So hopefully I did it all correctly. My logs are attached. Please let me know what to do next. Thanks!

Bobbye · Apr 13, 2010

Welcome to TechSpot, karajade. I will help with the malware.

Unfortunately, there is indication that the system has a Virut infection. Virut is a Polymorphic File Infector that infects ..exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.
It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker

Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

But let's check to make sure:

Make sure to use Internet Explorer for this
Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
- c:\windows\system32\userinit.exe
Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

Please past the log you get from these scans into your next reply. We will determine what to do based on those results. If Virut is confirmed, I will recommend a complete reformat and reinstall because that is the only way to remove the infection.

You might want to start doing this:

Change all of your passwords and monitor any online transactions.
Backup all your documents and important items only.
[*] DON'T backup any executable files (,exe .scr .html or .htm)
[*] DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

karajade · Apr 13, 2010

Thanks for the help. I hope that is not the case, but if it is I will start to move my important files to my external drive. Here is the info you requested.

Here is the first one:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/13 18:54:25 (CDT)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 25088 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0e135526e9785d085bcd9aede6fbcbf9
SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
Online report : http://virscan.org/report/5c09ecaa79ddacee0cb010b6977ccf8d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100414053119 2010-04-14 4.86 -
AhnLab V3 2010.04.11.00 2010.04.11 2010-04-11 1.06 -
AntiVir 8.2.1.210 7.10.6.69 2010-04-13 0.25 -
Antiy 2.0.18 20100412.4183175 2010-04-12 0.02 -
Arcavir 2009 201004131822 2010-04-13 0.03 -
Authentium 5.1.1 201004131118 2010-04-13 1.34 -
AVAST! 4.7.4 100413-1 2010-04-13 0.01 -
AVG 8.5.720 271.1.1/2809 2010-04-14 0.22 -
BitDefender 7.81008.5632550 7.31190 2010-04-14 3.56 -
ClamAV 0.95.3 10737 2010-04-13 0.01 -
Comodo 3.13.579 4592 2010-04-13 0.86 -
CP Secure 1.3.0.5 2010.04.13 2010-04-13 0.04 -
Dr.Web 5.0.2.3300 2010.04.14 2010-04-14 6.53 -
F-Prot 4.4.4.56 20100413 2010-04-13 1.33 -
F-Secure 7.02.73807 2010.04.14.02 2010-04-14 0.05 -
Fortinet 4.0.14 11.693 2010-04-13 0.21 -
GData 19.10991/19.884 20100413 2010-04-13 5.83 -
ViRobot 20100413 2010.04.13 2010-04-13 0.44 -
Ikarus T3.1.01.80 2010.04.13.75620 2010-04-13 5.65 -
JiangMin 13.0.900 2010.04.13 2010-04-13 1.19 -
Kaspersky 5.5.10 2010.04.13 2010-04-13 0.08 -
KingSoft 2009.2.5.15 2010.4.13.20 2010-04-13 0.68 -
McAfee 5400.1158 5945 2010-04-08 0.02 -
Microsoft 1.5605 2010.04.13 2010-04-13 6.65 -
Norman 6.04.11 6.04.00 2010-04-13 6.01 -
Panda 9.05.01 2010.04.13 2010-04-13 2.17 -
Trend Micro 9.120-1004 6.994.14 2010-04-13 0.03 -
Quick Heal 10.00 2010.04.13 2010-04-13 1.53 -
Rising 20.0 22.43.01.04 2010-04-13 1.12 -
Sophos 3.06.0 4.52 2010-04-14 3.40 -
Sunbelt 3.9.2418.2 6173 2010-04-13 6.65 -
Symantec 1.3.0.24 20100413.005 2010-04-13 0.06 -
nProtect 20100413.01 7966965 2010-04-13 4.55 -
The Hacker 6.5.2.0 v00260 2010-04-13 0.38 -
VBA32 3.12.12.4 20100408.2021 2010-04-08 3.06 -
VirusBuster 4.5.11.10 10.124.8/2008666 2010-04-13 2.30 -

Here is the explorer.exe:

http://virscan.org/report/283285bd0892baa8086e15cb0f6183bf.html

VirSCAN.org Scanned Report :
Scanned time : 2010/04/13 18:49:15 (CDT)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 2927104 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 4f554999d7d5f05daaebba7b5ba1089d
SHA1 : e509a42554cc0e5888ac8bf494d3c02223238609
Online report : http://virscan.org/report/283285bd0892baa8086e15cb0f6183bf.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100414053119 2010-04-14 4.76 -
AhnLab V3 2010.04.11.00 2010.04.11 2010-04-11 1.16 -
AntiVir 8.2.1.210 7.10.6.69 2010-04-13 0.25 -
Antiy 2.0.18 20100412.4183175 2010-04-12 0.02 -
Arcavir 2009 201004131822 2010-04-13 0.09 -
Authentium 5.1.1 201004131118 2010-04-13 2.46 -
AVAST! 4.7.4 100413-1 2010-04-13 0.12 -
AVG 8.5.720 271.1.1/2809 2010-04-14 0.26 -
BitDefender 7.81008.5632550 7.31190 2010-04-14 3.56 -
ClamAV 0.95.3 10737 2010-04-13 0.35 -
Comodo 3.13.579 4592 2010-04-13 0.89 -
CP Secure 1.3.0.5 2010.04.13 2010-04-13 0.47 -
Dr.Web 5.0.2.3300 2010.04.14 2010-04-14 6.58 -
F-Prot 4.4.4.56 20100413 2010-04-13 2.32 -
F-Secure 7.02.73807 2010.04.14.02 2010-04-14 0.18 -
Fortinet 4.0.14 11.693 2010-04-13 0.34 -
GData 19.10991/19.884 20100413 2010-04-13 6.58 -
ViRobot 20100413 2010.04.13 2010-04-13 0.41 -
Ikarus T3.1.01.80 2010.04.13.75620 2010-04-13 5.67 -
JiangMin 13.0.900 2010.04.13 2010-04-13 1.20 -
Kaspersky 5.5.10 2010.04.13 2010-04-13 0.08 -
KingSoft 2009.2.5.15 2010.4.13.20 2010-04-13 0.66 -
McAfee 5400.1158 5945 2010-04-08 0.02 -
Microsoft 1.5605 2010.04.13 2010-04-13 6.49 -
Norman 6.04.11 6.04.00 2010-04-13 6.01 -
Panda 9.05.01 2010.04.13 2010-04-13 1.93 -
Trend Micro 9.120-1004 6.994.14 2010-04-13 0.04 -
Quick Heal 10.00 2010.04.13 2010-04-13 2.32 -
Rising 20.0 22.43.01.04 2010-04-13 1.10 -
Sophos 3.06.0 4.52 2010-04-14 3.42 -
Sunbelt 3.9.2418.2 6173 2010-04-13 5.19 -
Symantec 1.3.0.24 20100413.005 2010-04-13 0.16 -
nProtect 20100413.01 7966965 2010-04-13 4.64 -
The Hacker 6.5.2.0 v00260 2010-04-13 0.49 -
VBA32 3.12.12.4 20100408.2021 2010-04-08 3.03 -
VirusBuster 4.5.11.10 10.124.8/2008666 2010-04-13 3.16 -

C:\WINDOWS\System32\svchost.exe:

VirSCAN.org Scanned Report :
Scanned time : 2010/04/13 18:52:11 (CDT)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 21504 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3794b461c45882e06856f282eef025af
SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
Online report : http://virscan.org/report/4c4f94f7e12bb751de382d79bc8fc807.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100414053119 2010-04-14 4.79 -
AhnLab V3 2010.04.11.00 2010.04.11 2010-04-11 1.10 -
AntiVir 8.2.1.210 7.10.6.69 2010-04-13 0.24 -
Antiy 2.0.18 20100412.4183175 2010-04-12 0.02 -
Arcavir 2009 201004131822 2010-04-13 0.03 -
Authentium 5.1.1 201004131118 2010-04-13 1.29 -
AVAST! 4.7.4 100413-1 2010-04-13 0.01 -
AVG 8.5.720 271.1.1/2809 2010-04-14 0.21 -
BitDefender 7.81008.5632550 7.31190 2010-04-14 3.56 -
ClamAV 0.95.3 10737 2010-04-13 0.01 -
Comodo 3.13.579 4592 2010-04-13 0.88 -
CP Secure 1.3.0.5 2010.04.13 2010-04-13 0.04 -
Dr.Web 5.0.2.3300 2010.04.14 2010-04-14 6.62 -
F-Prot 4.4.4.56 20100413 2010-04-13 1.28 -
F-Secure 7.02.73807 2010.04.14.02 2010-04-14 0.05 -
Fortinet 4.0.14 11.693 2010-04-13 0.19 -
GData 19.10991/19.884 20100413 2010-04-13 6.78 -
ViRobot 20100413 2010.04.13 2010-04-13 0.41 -
Ikarus T3.1.01.80 2010.04.13.75620 2010-04-13 5.65 -
JiangMin 13.0.900 2010.04.13 2010-04-13 1.21 -
Kaspersky 5.5.10 2010.04.13 2010-04-13 0.08 -
KingSoft 2009.2.5.15 2010.4.13.20 2010-04-13 0.66 -
McAfee 5400.1158 5945 2010-04-08 0.02 -
Microsoft 1.5605 2010.04.13 2010-04-13 6.58 -
Norman 6.04.11 6.04.00 2010-04-13 6.01 -
Panda 9.05.01 2010.04.13 2010-04-13 1.99 -
Trend Micro 9.120-1004 6.994.14 2010-04-13 0.03 -
Quick Heal 10.00 2010.04.13 2010-04-13 1.51 -
Rising 20.0 22.43.01.04 2010-04-13 1.11 -
Sophos 3.06.0 4.52 2010-04-14 3.39 -
Sunbelt 3.9.2418.2 6173 2010-04-13 5.00 -
Symantec 1.3.0.24 20100413.005 2010-04-13 0.05 -
nProtect 20100413.01 7966965 2010-04-13 4.68 -
The Hacker 6.5.2.0 v00260 2010-04-13 0.37 -
VBA32 3.12.12.4 20100408.2021 2010-04-08 2.81 -
VirusBuster 4.5.11.10 10.124.8/2008666 2010-04-13 2.30 -

Bobbye · Apr 15, 2010

Okay, good. Looks like Virut isn't the culprit. The entry in SAS was:Trojan.Agent/Gen-Virut-So I had to confirm or eliminate it.

Updates:

1. Adobe Reader:
One of the malware entries was found on an outdated version of the Adobe Reader. You have v7, the current is v9.xx. Please update this now:
Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

You have 14 processes running for Adobe v7- each one of them presents a vulnerability.

2. Java:
The Java also does not appear to be current and it also presents vulnerabilities when outdated. Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***
Double-click on JavaRa.exe to start the program.
Choose Englishfrom the drop-down menu and click on
Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted.
When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update X (now u19)
Java Updates

3. Windows Update is also behind. You have SP1 for Vista. The current is SP2:
Visit the Microsoft Download Site. You should get All updates marked Critical and the current SP updates.

Since many update are for security vulnerabilities, failure to get current update and remove outdated versions leave the system vulnerable to malware.
=================================
You have an active Vundo Variant running on the system. Please run the following:
Download ComboFix HERE:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
Important! Save the renamed download to your desktop.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Double click on the setup file on the desktop to run
If prompted to download and install the Recovery Console, please do so.
(Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
If prompted to update, please allow.
Click on Yes, to continue scanning for malware.
When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

.
Run Eset NOD32 Online AntiVirus Scanner HERE

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the Active X control to install
Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
Click Scan
Wait for the scan to finish
Re-enable your Antivirus software.
A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please leave both the Combofix report and Eset log in your next reply.

Bobbye · Apr 18, 2010

Are you still with me?

Google redirect - steps followed, logs attached, please help

karajade

Attachments

Bobbye

Posts: 16,313 +36

karajade

Bobbye

Posts: 16,313 +36

Bobbye

Posts: 16,313 +36

Similar threads

Latest posts