Google redirection virus and other stuff

By VTL
Jul 14, 2010
Topic Status:
Not open for further replies.
  1. Hi, lately my google searches have been redirected to random ad/search sites.

    I ran kaspersky and it found 2 infected files in my windows system folders. I can't seem to disinfect them. And when I have kaspersky open, I can't open anything. For example: when I click on the firefox icon, it says it cannot find the .exe file. When I do go to the firefox directory in the program files folder to try to open it, it gives me the same error.

    I'm not sure if this is caused by the google redirection virus or not, so I mentioned it as well.

    Please help me with my computer. Thank you very much.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. VTL

    VTL Newcomer, in training Topic Starter

    Sorry about that.

    One thing that happened after running GMER is that I cannot open anything after saving the gmer logs. I had to restart my computer, but the screen turned black afterwards and won't restart at all. So I had to manually restart it via pressing the button.

    Anyways, here are the logs for my computer. Sorry again for the inconvenience.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Looks like you have a Rootkit going here!

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.
    Re-enable your Antivirus software.
    ==================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  5. VTL

    VTL Newcomer, in training Topic Starter

    Combofix is not working for me.

    The first time I ran it, it restarted my computer before showing a blue window named administrator. Then after my computer restarted, the window was still there while my screen was pitch black. So I had to restart my computer again.

    Now when I run combofix, the bar loads up and my desktop icons flash for a while. But nothing else as your steps suggested happens.
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please go ahead with the Eset scan.

    From bleepingcomputer.

    Try uninstalling Combofix, then reinstalling as follows:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    ====================================
    Please download ComboFix HERE and save to your desktop:

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    I left more images in this download in case you see any of them. See if you can get a scan.
  7. VTL

    VTL Newcomer, in training Topic Starter

    I finally managed to run combofix. It had to restart my computer twice since it found rootkits still running. The second time was caused by a rootkit again and it told me to write down the notice.

    Service: RDPREFMP

    File: C:\Windows\system32\drivers\rdprefmp.sys.

    Anyways, here are the logs from Combofix and Eset.

    Also, my computer has been giving me a notice where it says my windows is not a genuine copy, and has changed my background to pitch black. I looked it up and it might be malware blocking my validation files and whatnot. Is this true?

    Thank you.

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Related to rdprefmp.sys RDP Reflector Driver Miniport from Microsoft Corporation.
    But it was infected and Combofix handled it:
    Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
    =================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      C:\$Recycle.Bin\S-1-5-21-3180167293-174922687-3939198346-1000\$RZZ21S0\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe	
      C:\Users\Tommy\Documents\Downloads\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Please empty the Recycle Bin

    I'd like you to open your Combofix logs and look in the following section:
    ---- LOCKED REGISTRY KEYS -----
    It looks like you are specifying File Handlers for File Extensions:
    OpenWithList
    OpenWithProgids
    Some I can read such as:
    "a"="firefox.exe"
    "MRUList"="ba"
    "b"="uTorrent.exe"
    others I cannot identify.

    What is *1* 0tmcE04l@w?
    Is it an identity? Another language?

    And there is a different entry here:
    c:\users\Tommy\AppData\Roaming\—ßìƒTƒfƒBƒXƒeƒBƒbƒN SaveData

    Can you identify the following?
    c:\program files\millefeuille (7/15/2010) (a cream puff??)
    C:\ZERO (7/2/2010)
    \ouaoqdbwb (possibly Quick Books?)
    c:\program files\Project64 1.6 (7/5/2010)
    Do we have a language problem here?
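    As an added illustration (not code from the thread or from any of the tools named in it), here is a small Python script that parses OpenWithList entries of the kind Bobbye quotes from the ComboFix log, resolves the MRUList ordering, and flags handler names that are not plain program filenames. The registry fragment is a constructed sample in the style of those entries.

```python
import re

TORRENT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.torrent\OpenWithList"
EXE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList"

# Constructed sample in the style of the OpenWithList entries quoted from the
# ComboFix log (not the thread's own log).
SAMPLE_REG = f'''
[{TORRENT_KEY}]
"a"="firefox.exe"
"MRUList"="ba"
"b"="uTorrent.exe"

[{EXE_KEY}]
"a"="*1* 0tmcE04l@w"
"MRUList"="a"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# A legitimate OpenWithList handler is a bare program filename, e.g. firefox.exe
HANDLER_RE = re.compile(r"^[\w .\-]+\.(exe|com|bat|cmd)$", re.IGNORECASE)


def parse_openwithlist(text):
    """Map each OpenWithList key to its handlers, most recently used first.

    The single-letter values ("a", "b", ...) name the handlers; "MRUList"
    lists their letters in most-recent-first order.
    """
    values_by_key, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            values_by_key[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            values_by_key[current][m.group(1)] = m.group(2)
    return {
        key: [vals[c] for c in vals.get("MRUList", "") if c in vals]
        for key, vals in values_by_key.items()
    }


def suspicious_handlers(handlers_by_key):
    """Return (key, handler) pairs whose handler is not a plain program name."""
    return [(key, h) for key, handlers in handlers_by_key.items()
            for h in handlers if not HANDLER_RE.match(h)]
```

    Entries the second function flags are worth checking against the rest of the log before deciding they are merely a non-Latin display name.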
  9. VTL

    VTL Newcomer, in training Topic Starter

    Sorry for the late reply.

    Here is the log from OT Move.

    These are game directories that I have, I've deleted most of them since I have already finished the game. If it comes out as gibberish, then it must be the unicode settings.

    But as for 1* 0tmcE04l@w, I have no idea what that is.

    Thanks again.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please remove the directories you no longer use. Then run the script below and paste the new log it creates in the next reply.

    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    Driver::
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
  11. VTL

    VTL Newcomer, in training Topic Starter

    When I was running ComboFix, I got an error that said it failed to delete C:\Windows\erdt\Hiv-Backup. But it seems I can manually delete that folder right now.

    Anyways, here is the log from this time.

    Thanks again.

    Attached Files: CF.txt (21.2 KB)
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Did you run Combofix in Safe Mode? Why?
  13. VTL

    VTL Newcomer, in training Topic Starter

    No, I did not run combofix in safe mode.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Okay, Combofix is indicating that it was run in - REDUCED FUNCTIONALITY MODE -

    Please review the information here and tell me which applies to your system:
    http://support.microsoft.com/kb/925582
  15. VTL

    VTL Newcomer, in training Topic Starter

    It is probably the non-genuine copy notice that I've mentioned before. I got it a couple days after running combofix the first time. I haven't encountered the google redirection virus recently, but my computer is stuck in non-genuine reduced mode.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    If I had known the OS was pirated, the support would have stopped then.
  17. VTL

    VTL Newcomer, in training Topic Starter

    The os is not pirated. I got it from my university.
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Then it should have been a genuine copy. I seriously doubt that your university is handing out pirated copies of a Windows operating system.