> Google Redirect Virus
commonsense8
post 29.05.2013 11:44
Post #1


Newbie
*

Group: Members
Posts: 8
Joined: 29.05.2013




Hi, I'm not that tech savvy, but through some research I've found out that I have somehow acquired this virus. Could someone please educate me on how to get rid of it?
richbuff
post 30.05.2013 03:54
Post #2


Oldtimer
****************

Group: Moderators
Posts: 47445
Joined: 14.06.2007




Welcome. Please see the first Important topic. There, you will find instructions for logs. And screenshot, too.

Please see the small print that is located at the bottom of this message.


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
commonsense8
post 31.05.2013 04:56
Post #3






QUOTE(richbuff @ 29.05.2013 18:54) *
Welcome. Please see the first Important topic. There, you will find instructions for logs. And screenshot, too.

Please see the small print that is located at the bottom of this message.


Here is the getsysteminfo link: http://www.getsysteminfo.com/read.php?file...c3df4ebe6e0fca6

and I have uploaded the avg file
Attached File(s)
Attached File  sysinfo.zip ( 23.14K ) Number of downloads: 2
 
richbuff
post 31.05.2013 05:14
Post #4






You used the old, outdated AVZ that is built into the old Kaspersky 2012, instead of downloading the fresh, new and shiny AVZ that is downloaded by following the link in the AVZ instructions that is posted in the first Important topic.



commonsense8
post 31.05.2013 06:18
Post #5






QUOTE(richbuff @ 30.05.2013 20:14) *
You used the old, outdated AVZ that is built into the old Kaspersky 2012, instead of downloading the fresh, new and shiny AVZ that is downloaded by following the link in the AVZ instructions that is posted in the first Important topic.


My apologies, for I also saw a link that explained how to use Kaspersky. Here is the new file.
Attached File(s)
Attached File  virusinfo_syscure.zip ( 58.08K ) Number of downloads: 3
 
richbuff
post 31.05.2013 09:00
Post #6






You are very low on RAM.

Please add another two GB of RAM. You have 64-bit Windows 7 with only 2 GB of RAM. That is like the Navy buying the biggest aircraft carrier that they can afford, and then putting a Piper Cub on it.

Run this script, instructions: http://forum.kaspersky.com/index.php?showt...mp;#entry678368 PC will reboot:
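CODE
begin
// Copy the driver file into the AVZ quarantine before anything is removed
QuarantineFile('C:\Windows\system32\drivers\ottolsnj.sys','');
// Stop the ottolsnj service and delete its registration
StopService('ottolsnj');
DeleteService('ottolsnj');
// Delete the driver file from disk
DeleteFile('C:\Windows\system32\drivers\ottolsnj.sys');
// Pass the deletion list to Boot Cleaner, clean up leftover references,
// then activate Boot Cleaner so the removal is completed during the reboot
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.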

After running the script, attach a Combofix log. Please review these instructions carefully before downloading Combofix, and follow these instructions carefully after downloading Combofix.

Before downloading and saving Combofix to the Desktop, please rename Combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started, please DO NOT click on the Combofix window or attempt to use your computer, as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

--------------------
The instructions posted here are for the original poster Only. If you have same or other issue, please see the first Important read me topic, and then open a New Topic for yourself.


commonsense8
post 31.05.2013 09:29
Post #7






Thank you, but before I begin all of this, is it required that I add more RAM? Or was that just your advice for future reference if I want to continue to have a functional computer?

edit: del quote.

This post has been edited by richbuff: 31.05.2013 10:07
richbuff
post 31.05.2013 10:08
Post #8






You can add the RAM after we disinfect.


commonsense8
post 31.05.2013 11:16
Post #9






Here is the file. Unfortunately, the redirect virus is still active.
Attached File(s)
Attached File  ComboFix.txt ( 26.03K ) Number of downloads: 4
 
richbuff
post 31.05.2013 11:39
Post #10






Run this script, instructions same as the last one:
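CODE
begin
// CreateQurantineArchive is the function's actual spelling in AVZ; it packs the AVZ quarantine into the given zip file
CreateQurantineArchive('c:\quarantine.zip');
end.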

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://www.mediafire.com/
Then, Private Message me the Download link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /uninstall > ok. The space between the x and the / is needed. Or Start > run > type 123 /uninstall > ok. Restart Kaspersky.

Please attach a HiJackThis log: http://www.bleepingcomputer.com/download/hijackthis/


commonsense8
post 31.05.2013 12:08
Post #11






Here is the log.

Attached File(s)
Attached File  hijackthis.log ( 14.15K ) Number of downloads: 2
 
richbuff
post 31.05.2013 12:33
Post #12






Please right click HiJackThis and select Run as administrator, and Fix Checked the below items, if you do not recognize them as belonging to your internet service provider. Instructions, please scroll down to figure 6, here: http://www.bleepingcomputer.com/tutorials/...use-hijackthis/

CODE
O17 - HKLM\System\CCS\Services\Tcpip\..\{256AF131-1843-4C8E-89A5-7C0DA90BEBFC}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{658E85EB-BF65-418D-AF7B-05047B857A0B}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{846ee342-7039-11de-9d20-806e6f6e6963}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{9687B1F6-7150-477A-87BE-AFC48DBE098F}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CS1\Services\Tcpip\..\{256AF131-1843-4C8E-89A5-7C0DA90BEBFC}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 66.228.116.178,66.228.116.179


Reboot when done. Any better?

If not, please Private Message me links to websites that you get redirected to.


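The review asked for in post #12 (check each O17 NameServer entry against resolvers you recognise as your provider's) can be scripted over a saved hijackthis.log. This is an added example, not part of the original thread and not HiJackThis code; the `KNOWN` set, the all-zero GUID line and the 192.0.2.53 address are constructed for illustration.

```python
import re
from collections import defaultdict

# One O17 NameServer line as HiJackThis prints it: a control set (CCS, CS1, ...)
# followed by "..\{interface GUID}" or the global "Parameters" key.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?P<scope>.+?): NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Return (control_set, scope, [resolver, ...]) per O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
            entries.append((m["cs"], m["scope"], servers))
    return entries

def unrecognised_resolvers(log_text, known):
    """Map each resolver not in `known` to the sorted keys that reference it."""
    hits = defaultdict(set)
    for cs, scope, servers in parse_o17(log_text):
        for server in servers:
            if server not in known:
                hits[server].add(f"{cs}\\{scope}")
    return {server: sorted(keys) for server, keys in hits.items()}

# Constructed sample: the six lines quoted in post #12 plus one invented
# interface (all-zero GUID) that points at a documentation-range address.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{256AF131-1843-4C8E-89A5-7C0DA90BEBFC}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{658E85EB-BF65-418D-AF7B-05047B857A0B}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{846ee342-7039-11de-9d20-806e6f6e6963}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{9687B1F6-7150-477A-87BE-AFC48DBE098F}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CS1\Services\Tcpip\..\{256AF131-1843-4C8E-89A5-7C0DA90BEBFC}: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 66.228.116.178,66.228.116.179
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

KNOWN = {"192.0.2.53"}  # assumption: resolvers the user recognises as the ISP's

if __name__ == "__main__":
    for server, keys in unrecognised_resolvers(SAMPLE_LOG, KNOWN).items():
        print(f"{server}: referenced by {len(keys)} key(s)")
        for key in keys:
            print("   ", key)
```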
commonsense8
post 3.06.2013 06:30
Post #13






I reset IE and it works for now. I am unable to do anything with the router because I live in an apartment, and they own it. I usually use Google Chrome as my browser, however. I uninstalled and reinstalled it. Right now it seems as if the virus is gone. How do I prevent myself from getting it again?
richbuff
post 3.06.2013 06:53
Post #14






It looks like the malware changed your IE proxy settings.

Prevent by following all of the universally recognized rules for safe computing.

Safe computing is just like safe other things. Be careful where you stick your pointer.

Don't open malicious email attachments. Don't click on links in malicious emails. Don't stick other people's removable media in your PC.

Other people use their own PCs; only you use your PC.

Keep everything on the PC up to date, including Windows and all applications.



commonsense8
post 4.06.2013 00:59
Post #15






OK, thank you for all your help!