TechSpot

Google redirected virus

By jamesdamen
Aug 21, 2010
  1. I am having the same Google problem that many people seem to have at the moment.
    We have 1 PC and 4 Laptops connected to our router. The virus has infected the PC and 2 of the laptops. However, if I take my laptop and connect it to my mates network I no longer get the Google problem.
    I have attached the logs from both my laptop and the PC.

    Any help would be much appreciated!
     

    Attached Files:

  2. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    Need the GMER log too please. Also the attach.txt from DDS.

    Run from one PC only please.
     
  3. jamesdamen

    jamesdamen TS Rookie Topic Starter

    Here we go.
    Many thanks.
     

    Attached Files:

  4. crunchie

    crunchie Malware Helper Posts: 728

    Please update MBA-M and have it scan and remove what is found.
    Post the log after rebooting.

    =========

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  5. jamesdamen

    jamesdamen TS Rookie Topic Starter

    I have run ComboFix in the past, but without running all the other programs. Would you like me to run it again?

    The log from the last time it was ran is attached.
     

    Attached Files:

  6. crunchie

    crunchie Malware Helper Posts: 728

    Hi. It looks like this is not a legitimate copy of Windows. I see an activation patch showing in the log. The safest Operating System is a legitimate one and you really should look at purchasing a license.

    If you can run Combofix again I will look at the log.
     
  7. jamesdamen

    jamesdamen TS Rookie Topic Starter

    A friend of mine installed Windows for me. Is there any way I can make it genuine now it's installed, or would I have to do a fresh install?
    I will run Combofix again and post the log later but I'm thinking of simply re-installing Windows.
     
  8. crunchie

    crunchie Malware Helper Posts: 728

    You will either have to call Microsoft and pay for a license key, or purchase one from an outlet.
     
  9. jamesdamen

    jamesdamen TS Rookie Topic Starter

    OK. Here is the latest ComboFix log. If it looks as though it's going to be simple to fix, then I'll do that and simply purchase a licence key. If not, I'm tempted to go with a complete reinstall.
     
  10. jamesdamen

    jamesdamen TS Rookie Topic Starter

    Forgot to actually attach the log!
    Here it is.
     

    Attached Files: log.txt (21 KB)
  11. crunchie

    crunchie Malware Helper Posts: 728

    Very short log.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  12. jamesdamen

    jamesdamen TS Rookie Topic Starter

    Here it is:


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0da00000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  13. crunchie

    crunchie Malware Helper Posts: 728

    Looks ok.

    Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  14. jamesdamen

    jamesdamen TS Rookie Topic Starter

    Here it is.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=c2e466cfff19c84c8c836569e7bd848e
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-23 10:00:12
    # local_time=2010-08-23 11:00:12 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.1.7600 NT
    # compatibility_mode=512 16777215 100 0 4657526 4657526 0 0
    # compatibility_mode=1797 16775165 100 100 398872 57487797 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=5893 16776574 100 94 11253075 35064824 0 0
    # compatibility_mode=8192 67108863 100 0 148 148 0 0
    # scanned=110147
    # found=10
    # cleaned=0
    # scan_time=2378
    C:\Poker\William Hill Poker\_SetupPoker.exe Win32/PTCasino application 00000000000000000000000000000000 I
    C:\Program Files\X2Xsoft\Free Video Flip and Rotate\VideoFlipRotate.exe probably a variant of Win32/TrojanDropper.Agent.DUTRTZJ trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Users\James\AppData\Roaming\a8ad2486.exe.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\ernel32.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\A5k55.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\iQ3w7uO.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\sKU179a.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\UO3o793.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\wS555.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
    C:\Users\James\Downloads\fliprotatesetup.exe probably a variant of Win32/TrojanDropper.Agent.DUTRTZJ trojan 00000000000000000000000000000000 I
     
  15. crunchie

    crunchie Malware Helper Posts: 728

    Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

    C:\Users\James\Downloads\fliprotatesetup.exe
    C:\Program Files\X2Xsoft\Free Video Flip and Rotate\VideoFlipRotate.exe
    C:\Poker\William Hill Poker\_SetupPoker.exe
     
  16. jamesdamen

    jamesdamen TS Rookie Topic Starter

    For file _SetupPoker.exe:

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-23 Found nothing

    2010-08-24 not-a-virus:OnlineCasino

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Trojan.Generic.Bredolab-2

    2010-08-24 Trojan.Buzus.dign

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Trojan.MulDrop1.35614

    2010-08-24 Trojan.Win32.Buzus.cuff

    2010-08-24 Found nothing

    2010-08-24 Trojan.Buzus.BBQN

    2010-08-24 Found nothing



    For file VideoFlipRotate.exe:

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-23 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Trojan-Dropper.Win32.Agent.cogk

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Troj.Dropper.W32.Agent.cogk

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing


    For file fliprotatesetup.exe:

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-23 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Trojan-Dropper.Win32.Agent.cogk

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing

    2010-08-24 Found nothing
     
  17. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    File::
    C:\Users\James\Downloads\fliprotatesetup.exe
    C:\Program Files\X2Xsoft\Free Video Flip and Rotate\VideoFlipRotate.exe
    C:\Poker\William Hill Poker\_SetupPoker.exe
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==============

    Let me know how the pc is please.
     
  18. jamesdamen

    jamesdamen TS Rookie Topic Starter

    I've attached the log. The problem still persists.
    If I take the laptop and connect to my friend's network, Google works fine and I don't get the problem. Is it possible that the virus is in the network somewhere?
     

    Attached Files:

  19. crunchie

    crunchie Malware Helper Posts: 728

    Have a go at resetting your router and let me know if you are still re-directed.
     
  20. jamesdamen

    jamesdamen TS Rookie Topic Starter

    If I reset it will my WEP keys and settings all get reset?
     
  21. crunchie

    crunchie Malware Helper Posts: 728

    Sure will. You will need to record the settings before the reset. Do you know your ISP's servers?
     
  22. jamesdamen

    jamesdamen TS Rookie Topic Starter

    No I don't. Are these recorded in the router settings which I can browse to? I have an option to take a backup of my router's settings. If I take a backup, reset the laptop, then reload the settings, will that work and save everything?
     
  23. crunchie

    crunchie Malware Helper Posts: 728

    You need your username and password that you use to access your ISP and also their DNS servers. If you go to their website, you should be able to get the DNS server address from there.
    Will most likely be in the FAQs.
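The symptom in this thread (redirects on every machine on the home network, none on a friend's network) is what a router whose DNS settings have been changed looks like: the router hands each client a resolver that is not the ISP's. As an added example, not from the thread or from any tool mentioned in it, here is a Python check that pulls the DNS servers out of `ipconfig /all` output and flags any that are not the ISP's resolvers or a well-known public resolver. The expected ranges, the `ipconfig` sample and the flagged addresses are constructed placeholders from the documentation address ranges.

```python
import ipaddress
import re

# Resolvers the router is allowed to hand out. Constructed allow-list:
# replace the placeholder range with the ISP's published resolvers.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),   # the router itself forwarding DNS
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder for the ISP's resolvers
    ipaddress.ip_network("8.8.8.8/32"),       # Google Public DNS
    ipaddress.ip_network("8.8.4.4/32"),
]

# Windows prints the first server on the "DNS Servers" line and any further
# servers indented on their own lines.
DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
CONT_LINE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$")

# Constructed sample of `ipconfig /all` output for one adapter.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.5
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_dns_servers(ipconfig_output):
    """Return every DNS server address listed in the ipconfig text."""
    servers, in_dns = [], False
    for line in ipconfig_output.splitlines():
        m = DNS_LINE.search(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        cont = CONT_LINE.match(line) if in_dns else None
        if cont:
            servers.append(cont.group(1))
        else:
            in_dns = False
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return the servers that fall outside every expected network."""
    bad = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)  # not a valid address at all; worth a look
            continue
        if not any(addr in net for net in expected):
            bad.append(s)
    return bad

if __name__ == "__main__":
    print(unexpected_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)))
```

On a live machine, pipe the real `ipconfig /all` output into `parse_dns_servers`; an empty result means the resolvers are ones you expect, anything else is worth checking against the router's DNS settings before and after the reset crunchie suggests.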
     
Topic Status:
Not open for further replies.
