Inactive Google redirected virus

[jamesdamen]

I am having the same Google problem that many people seem to have at the moment.
We have 1 PC and 4 Laptops connected to our router. The virus has infected the PC and 2 of the laptops. However, if I take my laptop and connect it to my mates network I no longer get the Google problem.
I have attached the logs from both my laptop and the PC.

Any help would be much appreciated!

 

[crunchie]

Hi and welcome to TechSpot forums .

====

Need the GMER log too please. Also the attach.txt from DDS.

Run from one PC only please.

 

[jamesdamen]

Here we go.
Many thanks.

 

[crunchie]

Please update MBA-M and have it scan and remove what is found.
Post the log after rebooting.

=========

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

 

[jamesdamen]

I have run ComboFix in the past, but without running all the other programs. Would you like me to run it again?

The log from the last time it was ran is attached.

 

[crunchie]

Hi. It looks like this is not a legitimate copy of Windows. I see an activation patch showing in the log. The safest Operating System is a legitimate one and you really should look at purchasing a license.

If you can run Combofix again I will look at the log.

 

[jamesdamen]

A friend of mine installed Windows for me, is there anyway I can make it genuine now its installed, or would I have to do a fresh install?
I will run Combofix again and post the log later but I'm thinking of simply re-installing Windows.

 

[crunchie]

You will either have to call Microsoft and pay for a license key, or purchase one from an outlet.

 

[jamesdamen]

OK. Here is the latest ComboFIx log. If it looks as though its going to be simple to fix, then I'l do that and simply purchase a licence key. If not I'm tempted to go with a complete reinstall.

 

[jamesdamen]

Forgot to actually attach the log!
Here it is.

 

[crunchie]

Very short log.

Download Bootkit Remover to your Desktop.

• You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
• After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[jamesdamen]

Here it is:


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows 7 Ultimate Edition (build 7600), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`0da00000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

 

[crunchie]

Looks ok.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

• You will need to use Internet Explorer to complete this scan.
• You will need to temporarily Disable your current Anti-virus program.
• Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
• When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

• Kaspersky Online Scanner ​

• Panda Active Scan​

• Trend Micro HouseCall​

• F-Secure Online Virus Scanner​

 

[jamesdamen]

Here it is.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=c2e466cfff19c84c8c836569e7bd848e
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-23 10:00:12
# local_time=2010-08-23 11:00:12 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=512 16777215 100 0 4657526 4657526 0 0
# compatibility_mode=1797 16775165 100 100 398872 57487797 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 11253075 35064824 0 0
# compatibility_mode=8192 67108863 100 0 148 148 0 0
# scanned=110147
# found=10
# cleaned=0
# scan_time=2378
C:\Poker\William Hill Poker\_SetupPoker.exe Win32/PTCasino application 00000000000000000000000000000000 I
C:\Program Files\X2Xsoft\Free Video Flip and Rotate\VideoFlipRotate.exe probably a variant of Win32/TrojanDropper.Agent.DUTRTZJ trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\James\AppData\Roaming\a8ad2486.exe.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\ernel32.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\A5k55.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\iQ3w7uO.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\sKU179a.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\UO3o793.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\spool\prtprocs\w32x86\wS555.dll.vir a variant of Win32/Kryptik.FGR trojan 00000000000000000000000000000000 I
C:\Users\James\Downloads\fliprotatesetup.exe probably a variant of Win32/TrojanDropper.Agent.DUTRTZJ trojan 00000000000000000000000000000000 I

 

[crunchie]

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\Users\James\Downloads\fliprotatesetup.exe
C:\Program Files\X2Xsoft\Free Video Flip and Rotate\VideoFlipRotate.exe
C:\Poker\William Hill Poker\_SetupPoker.exe

 

[jamesdamen]

For file _SetupPoker.exe:

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-23 Found nothing

2010-08-24 not-a-virus:OnlineCasino

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Trojan.Generic.Bredolab-2

2010-08-24 Trojan.Buzus.dign

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Trojan.MulDrop1.35614

2010-08-24 Trojan.Win32.Buzus.cuff

2010-08-24 Found nothing

2010-08-24 Trojan.Buzus.BBQN

2010-08-24 Found nothing



For file VideoFlipRotate.exe:

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-23 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Trojan-Dropper.Win32.Agent.cogk

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Troj.Dropper.W32.Agent.cogk

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing


For file fliprotatesetup.exe:

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-23 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Trojan-Dropper.Win32.Agent.cogk

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

2010-08-24 Found nothing

 

[crunchie]

1. Please open Notepad

• Click Start , then Run
• Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\Users\James\Downloads\fliprotatesetup.exe
C:\Program Files\X2Xsoft\Free Video Flip and Rotate\VideoFlipRotate.exe
C:\Poker\William Hill Poker\_SetupPoker.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

• Combofix.txt

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==============

Let me know how the pc is please.

 

[jamesdamen]

I've attached the log. The problem still persists.
If I take the laptop and connect to my friend's network, Google works fine and I dont get the problem. Is it possible that the virus is in the network somewhere?

 

[crunchie]

Have a go at resetting your router and let me know if you are still re-directed.

 

[jamesdamen]

If I reset it will my WEP keys and settings all get reset?

 

[crunchie]

Sure will. You will need to record the settings before the reset. Do you know your ISP's servers?

 

[jamesdamen]

No I dont. Are these recorded in the router settings which I can browse to? I have an option to take a backup of my routers settings. If I take a backup, reset the laptop, then reload the settings, will that work and save everything?

 

[crunchie]

You need your username and password that you use to access your ISP and also their DNS servers. If you go to their website, you should be able to get the DNS server address from there.
Will most likely be in the FAQ's.