TechSpot

Need help got the Google redirect virus

Solved
By jpak88
Nov 12, 2010
  1. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    Firefox isn't getting redirected.

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : anonymous
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MTW Network Connection
    Physical Address. . . . . . . . . : 00-14-22-61-4E-35
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.1.3
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DHCP Server . . . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1
    Lease Obtained. . . . . . . . . . : Tuesday, November 23, 2010 5:55:34 AM
    Lease Expires . . . . . . . . . . : Wednesday, November 24, 2010 5:55:34 AM
     
  2. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Yeah. The ipconfig log looks normal, so it must be an IE issue.
    Open IE, go Tools>Internet Options>Advanced tab and click "Reset" button.
    Restart IE and check for issues.
     
  3. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    Yea, still getting redirected after I reset everything.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =================================================================

    Copy the entire content of the report and paste it in a reply here.

    Note. You may get this warning; it is OK, just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"
     
  5. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0008001d

    Kernel Drivers (total 147):
    0x804D7000 \windows\system32\ntkrnlpa.exe
    0x806E4000 \windows\system32\hal.dll
    0xF7B12000 \windows\system32\KDCOM.DLL
    0xF7A22000 \windows\system32\BOOTVID.dll
    0xF741E000 spdp.sys
    0xF7B14000 \windows\System32\Drivers\WMILIB.SYS
    0xF7406000 \windows\System32\Drivers\SCSIPORT.SYS
    0xF73D8000 ACPI.sys
    0xF73C7000 pci.sys
    0xF73A7000 fltMgr.sys
    0xF7612000 ohci1394.sys
    0xF7622000 \windows\system32\DRIVERS\1394BUS.SYS
    0xF7632000 isapnp.sys
    0xF7BDA000 pciide.sys
    0xF7892000 \windows\system32\DRIVERS\PCIIDEX.SYS
    0xF7642000 MountMgr.sys
    0xF7388000 ftdisk.sys
    0xF7B16000 dmload.sys
    0xF7362000 dmio.sys
    0xF789A000 PartMgr.sys
    0xF7652000 VolSnap.sys
    0xF734A000 atapi.sys
    0xF730A000 a320raid.sys
    0xF7662000 disk.sys
    0xF7672000 \windows\system32\DRIVERS\CLASSPNP.SYS
    0xF72F8000 sr.sys
    0xF72BF000 PCTCore.sys
    0xF72AE000 TfSysMon.sys
    0xF729D000 TfFsMon.sys
    0xF7682000 PxHelp20.sys
    0xF7286000 KSecDD.sys
    0xF7273000 WudfPf.sys
    0xF71E6000 Ntfs.sys
    0xF71B9000 NDIS.sys
    0xF719F000 Mup.sys
    0xF76E2000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF6327000 \SystemRoot\system32\drivers\ctaud2k.sys
    0xF6303000 \SystemRoot\system32\drivers\portcls.sys
    0xF7712000 \SystemRoot\system32\drivers\drmk.sys
    0xF62E0000 \SystemRoot\system32\drivers\ks.sys
    0xF62B4000 \SystemRoot\system32\drivers\ctoss2k.sys
    0xF7B58000 \SystemRoot\system32\drivers\ctprxy2k.sys
    0xF7722000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF628C000 \SystemRoot\system32\DRIVERS\e1000325.sys
    0xF5ED6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF5EC2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7982000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF5E9E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF798A000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7992000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF5E8A000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF7732000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7142000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7742000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF6412000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF6402000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF799A000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF5E4A000 \SystemRoot\system32\drivers\smwdm.sys
    0xF5D97000 \SystemRoot\system32\drivers\senfilt.sys
    0xF7C61000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7B5A000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xF79A2000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF63F2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF713A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5D80000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF63E2000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF63D2000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF79AA000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5D6F000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF63C2000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF79B2000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF79BA000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF79C2000 \SystemRoot\system32\DRIVERS\RimSerial.sys
    0xF5D3F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF63B2000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79CA000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF79D2000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF5D22000 \SystemRoot\system32\DRIVERS\mcdbus.sys
    0xF7B5C000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5CC4000 \SystemRoot\system32\DRIVERS\update.sys
    0xF711E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF63A2000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF5C77000 \SystemRoot\system32\drivers\hap16v2k.sys
    0xF5B9A000 \SystemRoot\system32\drivers\ha10kx2k.sys
    0xF5B78000 \SystemRoot\system32\drivers\emupia2k.sys
    0xF5B58000 \SystemRoot\system32\drivers\ctsfm2k.sys
    0xF5ABA000 \SystemRoot\system32\drivers\ctac32k.sys
    0xF7752000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7B68000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF79E2000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF7AFE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D34000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B6E000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF79F2000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF79FA000 \SystemRoot\System32\drivers\vga.sys
    0xF7B70000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A02000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A0A000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7B06000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAE7A3000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAE74A000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAE713000 \??\C:\WINDOWS\system32\drivers\pctgntdi.sys
    0xAE6ED000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7782000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAE69D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF7163000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF7792000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xAE67B000 \SystemRoot\System32\drivers\afd.sys
    0xF77A2000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF7A12000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xAE650000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xAE5E0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF77B2000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAE5BD000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF7B76000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF7A1A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF5CBC000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF77D2000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF5CB0000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF5CAC000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7822000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF5CA4000 \SystemRoot\System32\Drivers\dump_diskdump.sys
    0xAE4B5000 \SystemRoot\System32\Drivers\dump_a320raid.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAE7F2000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF78C2000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C8C000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF065000 \SystemRoot\System32\ati2cqag.dll
    0xBF0FE000 \SystemRoot\System32\atikvmag.dll
    0xBF182000 \SystemRoot\System32\atiok3x2.dll
    0xBF1CD000 \SystemRoot\System32\ati3duag.dll
    0xBF572000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xAC160000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xAC14C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF7872000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xABE03000 \SystemRoot\system32\drivers\wdmaud.sys
    0xAC060000 \SystemRoot\system32\drivers\sysaudio.sys
    0xABB31000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF7BD4000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xABBD5000 \??\C:\windows\system32\drivers\cpuz133_x32.sys
    0xAB881000 \SystemRoot\system32\DRIVERS\srv.sys
    0xAB7A2000 \??\C:\windows\system32\drivers\PfModNT.sys
    0xAB559000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 51):
    0 System Idle Process
    4 System
    724 C:\WINDOWS\system32\smss.exe
    772 csrss.exe
    812 C:\WINDOWS\system32\winlogon.exe
    856 C:\WINDOWS\system32\services.exe
    868 C:\WINDOWS\system32\lsass.exe
    1076 C:\WINDOWS\system32\ati2evxx.exe
    1096 C:\WINDOWS\system32\svchost.exe
    1164 svchost.exe
    1268 C:\WINDOWS\system32\svchost.exe
    1308 C:\WINDOWS\system32\svchost.exe
    1484 svchost.exe
    1556 svchost.exe
    1644 C:\WINDOWS\system32\ati2evxx.exe
    1792 C:\WINDOWS\system32\spoolsv.exe
    1836 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    632 C:\WINDOWS\explorer.exe
    720 C:\WINDOWS\system32\TaskSwitch.exe
    740 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    760 C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.exe
    752 C:\WINDOWS\system32\CTHELPER.EXE
    140 C:\Program Files\Lexmark 5400 Series\lxctmon.exe
    1128 C:\Program Files\Lexmark 5400 Series\ezprint.exe
    1244 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    1356 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1408 C:\Program Files\RocketDock\RocketDock.exe
    1504 C:\Program Files\Bret Taylor\Stickies\Stickies.exe
    1736 C:\Program Files\Creative\SBAudigy4\Entertainment Center\RcMan.exe
    1940 C:\Program Files\Pando Networks\Media Booster\PMB.exe
    1664 C:\WINDOWS\system32\ctfmon.exe
    340 C:\Program Files\MagicDisc\MagicDisc.exe
    444 svchost.exe
    1524 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1708 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1916 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    1996 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    2100 C:\WINDOWS\system32\CTSVCCDA.EXE
    2140 C:\Program Files\Java\jre6\bin\jqs.exe
    2172 C:\WINDOWS\system32\lxctcoms.exe
    2360 C:\WINDOWS\system32\PnkBstrA.exe
    2384 C:\Program Files\Spyware Doctor\pctsAuxs.exe
    2500 C:\WINDOWS\system32\svchost.exe
    3052 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    3068 alg.exe
    3096 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    3996 C:\WINDOWS\system32\wuauclt.exe
    2432 C:\Program Files\Internet Explorer\IEXPLORE.EXE
    208 C:\Program Files\Internet Explorer\IEXPLORE.EXE
    860 C:\Program Files\Internet Explorer\IEXPLORE.EXE
    2988 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: MAXTORATLAS10K5_300SCA, Rev: JNZH

    Size Device Name MBR Status
    --------------------------------------------
    279 GB \\.\PhysicalDrive0 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
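As an added example (not from the thread, and not code from MBRCheck's author), a small Python triage helper for a report in the format posted above: it extracts the kernel driver load paths and the per-disk MBR status line, flags drivers loaded via an absolute `\??\` path (third-party drivers such as the Avira one here, which a helper would want to eyeball rather than skip), and flags any disk whose status is not a recognised "MBR code detected" line. The sample report is a constructed excerpt of the one posted above.

```python
import re

# Constructed excerpt in MBRCheck's report format (not the full report above).
SAMPLE_REPORT = r"""MBRCheck, version 1.2.3
(c) 2010, AD

Kernel Drivers (total 4):
0x804D7000 \windows\system32\ntkrnlpa.exe
0xF741E000 spdp.sys
0xAE713000 \??\C:\WINDOWS\system32\drivers\pctgntdi.sys
0xF7B76000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys

Processes (total 2):
4 System
2432 C:\Program Files\Internet Explorer\IEXPLORE.EXE

Size Device Name MBR Status
--------------------------------------------
279 GB \\.\PhysicalDrive0 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!
"""

DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(.+)$")          # "<base address> <path>"
MBR_RE = re.compile(r"^(\d+)\s*GB\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+)$")

def parse_report(text):
    """Return {'drivers': [path, ...], 'mbr': [{'device', 'size_gb', 'status'}, ...]}."""
    drivers, mbr, section = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Kernel Drivers"):
            section = "drivers"
        elif line.startswith("Processes"):
            section = "processes"
        elif section == "drivers" and DRIVER_RE.match(line):
            drivers.append(DRIVER_RE.match(line).group(1))
        elif MBR_RE.match(line):
            size, dev, status = MBR_RE.match(line).groups()
            mbr.append({"device": dev, "size_gb": int(size), "status": status})
    return {"drivers": drivers, "mbr": mbr}

def triage(report):
    """List (reason, item) pairs worth a human look; an empty list is the 'all normal' case."""
    findings = []
    for path in report["drivers"]:
        if path.startswith("\\??\\"):   # loaded by absolute path, not from the system driver dirs
            findings.append(("non-standard load path", path))
    for disk in report["mbr"]:
        # Assumption: a healthy disk's status ends with "... MBR code detected".
        if not disk["status"].endswith("MBR code detected"):
            findings.append(("unrecognised MBR status", disk["device"]))
    return findings
```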
  6. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    >Drivers
    >Stealth
    Nothing detected :(
     
  7. Broni

    Broni Malware Annihilator Posts: 47,066   +257

  8. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    It seems to be working =) No redirects atm. I'm not really familiar with these terms for a PC, but what does a DNS do? And how can changing it affect it so it stops redirecting? And am I 100% protected from the virus hijacking again? I'm still afraid to log into bank accounts and stuff. Sorry, but I'm just very cautious.
     
  9. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    And also, would my dad's computer be safe as well? I haven't turned it on and won't until tomorrow.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Good news :)

    This will explain DNS better than I can: http://www.howstuffworks.com/dns.htm

    Your computer is definitely clean, but we still need to perform the very last steps.
    Your dad's computer should be OK too.

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done

    2. Now, we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  11. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    My computer is working great, thanks. Which antivirus program should I keep? SpyDoctor? Avira or MBAM? I'm thinking of uninstalling SpyDoctor, but what do you recommend?
     
  12. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Good news :)
    Only Avira is an antivirus program.
    You can safely uninstall SpyDoctor.
    Keep MBAM and run occasional scans.

    Good luck and stay safe :)
     
  13. jpak88

    jpak88 TS Rookie Topic Starter Posts: 54

    Thanks for everything. Have a happy thanksgiving!
     
  14. Broni

    Broni Malware Annihilator Posts: 47,066   +257

    Same to you :)
     
Topic Status:
Not open for further replies.

