Google redirection / clicksor popups

Status
Not open for further replies.

ronblanco

Hello,

I've spent days trying to go through the 8-step process. I've learnt a lot, so that's something, but I'm still having problems. Part of the problem has been an inability to download some of the files or run some of the steps:

Couldn't download MBAM, Comodo, ZoneAlarm

Couldn't run superAV

Could download and run: Avast, Avira, AVG8, CCleaner, HijackThis

HijackThis log is attached. Of course most of it is gobbledygook to me, so any help in deciding the next course of action would be very much appreciated,

Regards

Ron

PS: Is this malware something that might have led to compromised bank details etc. and require a re-format and re-install?
 
Hello ronblanco

Remove/uninstall from "Add/Remove Programs" in Control Panel:
AVG 8 and Avast or Avira

Download Malwarebytes
http://www.download.com/Malwarebyte...4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe

Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze... it hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.
If the automatic update fails, download the manual update ->
http://www.gt500.org/malwarebytes/mbam-rules.exe

Reboot to safe mode ->
"Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows Xp Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode."


Go into the Malwarebytes folder in Program Files
Rename mbam.exe to mab.exe and run it.
Do a full computer scan
Check all and remove/fix/delete them.

Restart your computer and attach the log
 
Thanks Touch

I have followed your steps and attached a log.

A couple of points to note:

1. The setup didn't take 15-60 mins as you suggested. It was very quick.
2. Couldn't reboot to safe mode - computer kept having a problem with this - so ran mab in normal mode.

Are these points relevant / affect results?
Does the log file indicate anything relevant?

much obliged,

Ron
 
-> No action taken on MBAM scan, for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes
Confirm updated first (third tab)
Then do the above quoted message, but this time "Remove all found issues"

Latest MalwareBytes Rules for Manual update if that helps ;) http://www.gt500.org/malwarebytes/database.jsp
 
Thanks kimsland,

I've done what you asked and attached the new file,

the problem still exists, I think!

cheers
 
Hi Ron that looks a lot better.
But I suspect that you are still having issues though

Please run HJT Scan Only, and place a tick next to the following entries (note: some may not exist now)
Once all are ticked then close all/any Internet Browsers and select Fix
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {8E929F51-5914-11D6-971F-0050FC3F9161} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ACTIVdriver Control (ActivDRVcontrol) - Unknown owner - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
Close HJT once fixed

Then go to add/remove programs and uninstall Avast

Then download and run the AVG removal tool, here it is: http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Lastly, restart ;)


Once your computer starts back up, try updating Avira
I usually just right click on the umbrella tray icon, and select "Start Update"
Once Avira is confirmed updated, please run a full scan (as you had 3 antiviruses going on, it is possible that some virus may still be on your system)

Please then attach the Avira Antivirus scan log and a new HJT scan log
I think you're nearly there :)
 
ronblanco, hopefully I won't confuse you, but you need to know this:
You have the DNSChanger malware. Mbam found an entry, but the following line in the HijackThis log indicates it. This is why you are getting redirected, and it requires special cleaning, including a router reset:
O17 - HKLM\System\CCS\Services\Tcpip\..\{81CB376B-2F0A-4EC1-AB20-C32420774388}: NameServer = 85.255.112.10,85.255.112.133

You'll recognize this Trojan by checking the DNS server assignments on the computer that does not update. Do this by following these steps:

[1] Start> Run> type in cmd>
[2] At the command prompt, type IPCONFIG /ALL and press Enter
[3] You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something similar.
[4] Find the DNS Server section and double-check the numbers. Usually the DNS is a local IP like 192.168.0.1 or it could be a statically assigned IP from your ISP. If the DNS numbers are remotely similar to the following IPs then you have the DNS Changer Trojan. These IPs originate in Europe.
    85.255.113.122
    85.255.112.83
    85.255.116.148
    85.255.112.223
[5] Type Exit at the command prompt to close it

You need to reset your router. Why? Because, as you can see, any computer you connect to it will be connecting to a malicious server prior to reaching the net. If you want, I can post a script to hopefully bypass the bad DNS connection and force a static DNS connection to OpenDNS.

[1] Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
[2] Shut down your computer, and any other computer connected to your router.
[3] On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
[4] Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in.
[5] Continue holding the reset button for twenty seconds.
[6] Unplug the router again.
[7] With the router unplugged, start your computer. Run MBAM again.
[8] Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
[9] After resetting your router - go to Start -> Run -> type in cmd and press enter -> at the prompt type ipconfig /flushdns -> type EXIT and press enter.

After you are connected again - run a fresh HijackThis scan
Attach new Mbam and HijackThis logs.
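To make the DNS-server check in steps [2] to [4] above, and the O17 NameServer check on the HijackThis line, repeatable, here is an added Python example (not part of this thread or any of the tools it mentions). It parses constructed `ipconfig /all` output and a constructed O17 line, and flags resolvers inside 85.255.112.0/20, a range assumed here only because it contains every 85.255.x.y address quoted in the thread; the IP address and default gateway fields are deliberately not used as an indicator.

```python
import ipaddress
import re
import subprocess
import sys

# Assumption for this example: treat the /20 that contains every 85.255.x.y
# resolver quoted in the thread (85.255.112.10, .112.133, .113.122, ...) as suspect.
SUSPECT_RANGES = [ipaddress.ip_network("85.255.112.0/20")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_suspect(ip: str) -> bool:
    """True when a resolver address falls inside a suspect range."""
    return any(ipaddress.ip_address(ip) in net for net in SUSPECT_RANGES)


def dns_servers_from_ipconfig(text: str) -> list[str]:
    """Collect resolver addresses from `ipconfig /all` output.

    ipconfig prints the first resolver on the 'DNS Servers' line and further
    resolvers on following lines holding only an address, so keep reading until
    the next 'Label . . . : value' field starts. The IP address and default
    gateway lines are ignored: they say where the machine sits, not who answers
    its DNS queries."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif in_dns and ":" in line:  # a new field label (IPv4-only XP output)
            in_dns = False
        if in_dns:
            servers.extend(IPV4.findall(line))
    return servers


def nameservers_from_hjt(log: str) -> list[str]:
    """Pull NameServer addresses out of HijackThis O17 lines."""
    servers = []
    for line in log.splitlines():
        if line.startswith("O17 - ") and "NameServer" in line:
            servers.extend(IPV4.findall(line.split("NameServer", 1)[1]))
    return servers


def suspect_resolvers(servers: list[str]) -> list[str]:
    """Distinct suspect resolvers, sorted; an empty list means clean."""
    return sorted({s for s in servers if is_suspect(s)})


# Constructed sample (not a real capture): the gateway sits in 86.x like the
# poster's, but only the resolver addresses matter for the check.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 86.0.0.10
        Default Gateway . . . . . . . . . : 86.0.0.1
        DNS Servers . . . . . . . . . . . : 85.255.112.10
                                            85.255.112.133
        Lease Obtained. . . . . . . . . . : 27 May 2009 07:43:00
"""
# Constructed O17 line in the shape quoted in the thread (GUID is a placeholder).
SAMPLE_HJT = r"O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID-PLACEHOLDER}: NameServer = 85.255.112.10,85.255.112.133"

if __name__ == "__main__":  # live check on Windows, sample output elsewhere
    out = (subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
           if sys.platform == "win32" else SAMPLE_IPCONFIG)
    bad = suspect_resolvers(dns_servers_from_ipconfig(out))
    print("suspect resolvers:", ", ".join(bad) if bad else "none")
```

A result of "none" only says the resolvers are outside the assumed range; the thread's advice to rescan after the reset still stands because the entry was seen to reappear.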
 
Thanks Kimsland,

I will go through your suggestions in the morning when I've sobered up.


[4] Find the DNS Server section and double-check the numbers. Usually the DNS is a local IP like 192.168.0.1 or it could be a statically assigned IP from your ISP. If the DNS numbers are remotely similar to the following IPs then you have the DNS Changer Trojan. These IPs originate in Europe.
85.255.113.122
85.255.112.83
85.255.116.148
85.255.112.223


Hi Bobbye,

I've checked that info. I have two DNS servers listed, both starting 194. I also have an IP address and default gateway starting 86. Does that still indicate that I have the problem that you mentioned?

Thanks,

Ron
 
(kimsland) "Please then attach the Avira Antivirus scan log and a new HJT scan log"

Thanks Kimsland, I have done as you asked. Logs attached.

I have not performed Bobbye's suggestion yet. One thing at a time, I thought. Do you concur with his suggestion?
 
Feel free to wait for him to "concur". In the meantime, I suggest you follow through with the router reset.

You also have files in the AVscan- gxvxcserv.sys (Registry) that will need to be removed.
 
Feel free to wait for him to "concur". In the meantime, I suggest you follow through with the router reset.

You also have files in the AVscan- gxvxcserv.sys (Registry) that will need to be removed.

Thank you Bobbye. I did as you said and did an IPconfig, which gave me two DNS server entries starting 194. Because this was not similar to the dodgy values you warned me about, and because I wasn't sure where to find the setup info for my router, I hesitated with the router reset. However, the IPconfig did also list my IP address and default gateway starting 86 - which IS similar to the dodgy values you listed.

In view of my IPconfig findings, I would be grateful if you could confirm that I should go ahead with it, and also how do I remove that gxvxc entry from the registry?

Thanks for your help
 
The 86 block is in France. The 85 block is in the Ukraine. I do not have enough information about the IP with '86'. Your first HijackThis log clearly showed this infection with:
O17 - HKLM\System\CCS\Services\Tcpip\..\{81CB376B-2F0A-4EC1-AB20-C32420774388}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{D02C3BBE-DA8D-48DC-A073-073F7724EF37}: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.10,85.255.112.133

But subsequent logs do not. I would reset the router, as I don't see that anything was done to remove the original IP. It is possible your hidden files aren't showing and that's why you don't see it.

Then: Run SDFix:
  • Download SDFix HERE and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
  • Boot into Safe Mode (Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.)
  • Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
Rescan with HijackThis. Include new logs with SDFix report.
 
Hi Bobbye,

I'm not sure if I misunderstood you regarding the router.

My laptop is connected directly to my cable modem, which has no reset button. I switched off the modem, ran mbam without internet connected, and followed the other instructions you gave.

Unfortunately I could not reboot to safe mode to run sdfix - my computer refused several times. Can I run it in normal mode? When trying in normal mode it gave me a list of options but I didn't know which was correct.

In any case I ran another HJT file and have attached.

My google redirection persists.

Thanks for your help so far, and please advise as to the next step,

Cheers

Ron
 
Correction:

Bobbye, there is a small hole on the back of my modem, but it is not marked reset, and I'm not sure if it did anything. How can I check if it did reset the modem OK?

Also, problem with safe reboot and sdfix still applies

mbam finds Trojan DNSChanger, I delete it, but it keeps reappearing. Just as you said.
 
mbam finds Trojan DNSChanger, I delete it, but it keeps reappearing. Just as you said.

The router didn't reset.

Please go to the manufacturer's site for the router you have and look for reset directions.
 
Hi Bobbye,

I contacted my ISP. I do not use a router. My laptop is connected directly to my Ambit modem.

I can switch the modem off and I can unscrew the external cable, but there is no reset option.

I did this, switched off, unscrewed, ran mbam, reconnected and have attached the logs.

I cannot run SDfix as I cannot reboot into safe mode.


Questions:

(1) I still have IP address starting 86. Does that necessarily indicate a problem?
(2) What does SDFix do? Can I run it from normal mode?


Thanks for your help so far.
 
Please clarify some things for me:

Are you using a USB Wireless LAN Adapter?
O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe>>> Related to various brands of Wireless USB LAN Adapter
From source Webopedia:
wireless USB LAN adapter
Last modified: Thursday, April 10, 2008

A high-speed wireless network card that is used to access a network through a USB port on a computer or laptop. Most wireless USB LAN adapters look like small USB flash drives and usually are based on the 802.11g standard which provides a data rate up to 54-Mbps in a wireless LAN environment. Some wireless USB LAN adapters may also support the 802.11b standard. A wireless USB LAN adapter basically enables you to share files, folders, printers, other network resources and Internet access.

Recent zdconfig News and Issues
1. Browser hijack
* C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.EXE C:\Program Files\Microsoft IntelliType Pro\type ... read more on site
2. My computer has completely stopped responding. - Tech Support Forum
* C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe. C:\Program Files\Google\Google Desktop Search\ ... read more on site
Read here: http://www.pcprocesses.org/18772-process-zdconfig.html

The system has got to be confused about this: There are 2 different CLSIDs:
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

Which zone do you want this in? What does "webzone" represent? You don't need anything in the Trusted Zone. But you also don't need to Restrict it.

You say you don't have a router but you put the router IP in the Trusted Zone. Why is that?
O15 - Trusted IP range: http://192.168.2.1

Hardware is not my best area so someone else might have a better question/answer.
 
Please clarify some things for me:

Are you using a USB Wireless LAN Adapter?

Hi Bobbye,

No. I have used a Linksys Wireless router previously with this machine. But now I use an ethernet cable between my laptop and the cable modem. I'm not sure why that Zydas thing should be necessary any more. However, in the past I have noticed that sometimes my internet has seemed to only start working once the zydas icon appears.


The system has got to be confused about this: There are 2 different CLSIDs:

O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

Which zone do you want this in? What does "webzone" represent? You don't need anything in the Trusted Zone. But you also don't need to Restrict it.

Sorry Bobbye. You've lost me there. I don't really know what any of that means.


You say you don't have a router but you put the router IP in the Trusted Zone. Why is that?
O15 - Trusted IP range: http://192.168.2.1


Sorry. I don't know. CLSIDs, webzones, trusted zones? None of it is something I have set manually. I just wouldn't know where to start.


Thanks for your help. But I simply don't have the knowledge to answer those questions.

Any suggestions?
 
I've spent days trying to go through the 8-step process. I've learnt a lot, so that's something, but I'm still having problems. Part of the problem has been an inability to download some of the files or run some of the steps:

The questions I asked are directly to the entries in the logs. A good place for you to start is on Google:
Trusted Zone>> anything in this zone has lower security. You don't need any sites in the Trusted Zone. But you have a router IP in the Trusted Zone, but you aren't using a router.

Wireless Network: A Network card, Network Adapter, LAN Adapter or NIC (network interface card) is a piece of computer hardware designed to allow computers to communicate over a computer network. ...

ZDConfig is related to Wireless USB LAN Adapter. And Global Startup means that it will start no matter which account is being used.

It looks to me that you never re-configured the computer when you went to the Ethernet direct cable instead of connecting through a router. All of these different entries that are starting up are telling the system to go in different directions!

Zydas WLAN USB driver should have been disabled, then uninstalled.

As for the Extra Buttons> the problem with the ones I see is that they contradict what to add to Restricted and what to add to Trusted.

I think you need to have someone who can have hands on to help you get the computer settings corrected. Or some kind of remote help and I don't think you can solve the connection problem until they are fixed.

It's kind of like expecting your car to drive to California and New York at the same time!
 
Hi Bobbye,

Oh dear. Sounds like it's the end of the road for now then.

The google redirect in itself isn't the end of the world, but I am obviously now nervous that all of my internet traffic etc. may be rerouted through the Ukraine?

I have a number of other faults with my laptop:

cd drive not working
cannot boot to safe mode
cannot open system properties
sound fails intermittently
...

So its days might be numbered anyway.

Thanks for your help so far.

Ron
 
(bobbye) "A good place for you to start is on Google"

Hi bobbye, kimsland, touch,

Have you made any progress solving this damned google redirection virus? You're not going to let this one beat you are you?

My laptop is working much better now, but I still get the recurring DNSchanger virus. Mbam detects it and clears it, but it reappears after a while, even if I am not connected to the internet!

I have been investigating it myself and removed any google software, but my laptop will not allow me to delete one google directory called Google Updater. It says the file or dir is corrupted and unreadable. Can I override this somehow? I have become very suspicious about it.

Come on guys, let's crack this one,

Ron
 
It makes me a little nuts when I get email feedback, click on the link and the reply is gone! Here's what I got:
From: TechSpot OpenBoards
To: bobbye
Sent: Wednesday, May 27, 2009 7:43 AM
Subject: Reply to thread 'Google redirection / clicksor popups'
* This is an automated message, do not reply to this email.

Dear Bobbye,
ronblanco has just replied to a thread you have subscribed to entitled - Google redirection / clicksor popups - in the Virus & Malware removal forum of TechSpot OpenBoards.

This thread is located at:
https://www.techspot.com/vb/showthread.php?t=127695&goto=newpost

Here is the message that has just been posted:
***************
(bobbye) "A good place for you to start is on Google"

Hi bobbye, kimsland, touch,

Have you made any progress solving this damned google redirection virus? You're not going to let this one beat you are you?

My laptop is working much better now, but I still get the recurring DNSchanger virus. Mbam detects it and clears it, but it reappears after a while, even if I am not connected to the internet!

I have been investigating it myself and removed any google software, but my laptop will not allow me to delete one google directory called Google Updater. It says the file or dir is corrupted and unreadable. Can I override this somehow? I have become very suspicious about it.

Come on guys, let's crack this one,

Ron
***************
TechSpot OpenBoards

Well, I'm here but the reply isn't!
Properties of the email show sent and received 5/27/09

There is no quote or indication of who said this: Is this you wanting us to come up with a magical cure?
Have you made any progress solving this damned google redirection virus? You're not going to let this one beat you are you?
 