Googleleads (Google Redirect) Virus

Are the redirects in Firefox, Internet Explorer, or both?

I don't use Internet Explorer so I have no idea. But it definitely occurs in Firefox. In the log above, the status of some is "detected" but they're not "deleted", will something have to be done?

I don't use Internet Explorer so I have no idea. But it definitely occurs in Firefox. In the log above, the status of some is "detected" but they're not "deleted", will something have to be done?

The scan unfortunately didn't really show us anything actually :(. What it found were vulnerabilities in out-of-date applications, which (while they do pose a security risk) aren't the reason you're getting redirects.

Let's try this:

Please go to Start > Run and type:

maxlook -sig

and hit Enter.

Note:

Be sure that you have an internet connection. Please post back with the logfile, which will open in Notepad.

Oh. I sure have a lot of vulnerabilities. I'll have to update some stuff after solving this problem :)

Run from C:\DOCUME~1\JIMMYH~1\Desktop\SPYWAR~1\maxlook.exe on Tue 06/28/2011 at 14:29:43.85

--------- maxlook unsigned files ---------

c:\windows\maxdrive\bvrp_pci.sys:
Verified: Unsigned
File date: 11:12 AM 3/24/2004
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
c:\windows\maxdrive\cdr4_xp.sys:
Verified: Unsigned
File date: 9:48 PM 8/28/2006
Publisher: Sonic Solutions
Description: CDR4 CD and DVD Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\maxdrive\cdralw2k.sys:
Verified: Unsigned
File date: 9:48 PM 8/28/2006
Publisher: Sonic Solutions
Description: CDRAL Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\maxdrive\libusb0.sys:
Verified: Unsigned
File date: 12:33 PM 3/20/2007
Publisher: http://libusb-win32.sourceforge.net
Description: LibUSB-Win32 - Kernel Driver
Product: LibUSB-Win32 - Kernel Driver
Version: 0.1.12.1
File version: 0.1.12.1
c:\windows\maxdrive\omci.sys:
Verified: Unsigned
File date: 11:42 AM 8/22/2001
Publisher: Dell Computer Corporation
Description: OMCI Device Driver
Product: OMCI Driver
Version: 6, 1, 0, 242
File version: 6, 1, 0, 242
c:\windows\maxdrive\Scutum50.sys:
Verified: Unsigned
File date: 4:31 PM 4/21/2009
Publisher: Printing Communications Assoc., Inc. (PCAUSA)
Description: PCAUSA NDIS 5.0 SPR Protocol Driver
Product: PCAUSA Rawether for Windows
Version: 5.5.18.05
File version: 5.5.18.05
c:\windows\maxdrive\tap0901.sys:
Verified: Unsigned
File date: 7:48 PM 12/11/2009
Publisher: The OpenVPN Project
Description: TAP-Win32 Virtual Network Driver
Product: TAP-Win32 Virtual Network Driver
Version: 2.1.1 9/6
File version: 2.1.1 9/6 built by: WinDDK

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\bvrp_pci.sys:
Verified: Unsigned
File date: 11:12 AM 3/24/2004
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
c:\windows\system32\drivers\cdr4_xp.sys:
Verified: Unsigned
File date: 9:48 PM 8/28/2006
Publisher: Sonic Solutions
Description: CDR4 CD and DVD Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\system32\drivers\cdralw2k.sys:
Verified: Unsigned
File date: 9:48 PM 8/28/2006
Publisher: Sonic Solutions
Description: CDRAL Place Holder Driver (see PxHelp)
Product: Drag-to-Disc
Version: 8.0.0.212
File version: 8.0.0.212
c:\windows\system32\drivers\libusb0.sys:
Verified: Unsigned
File date: 12:33 PM 3/20/2007
Publisher: http://libusb-win32.sourceforge.net
Description: LibUSB-Win32 - Kernel Driver
Product: LibUSB-Win32 - Kernel Driver
Version: 0.1.12.1
File version: 0.1.12.1
c:\windows\system32\drivers\omci.sys:
Verified: Unsigned
File date: 11:42 AM 8/22/2001
Publisher: Dell Computer Corporation
Description: OMCI Device Driver
Product: OMCI Driver
Version: 6, 1, 0, 242
File version: 6, 1, 0, 242
c:\windows\system32\drivers\Scutum50.sys:
Verified: Unsigned
File date: 4:31 PM 4/21/2009
Publisher: Printing Communications Assoc., Inc. (PCAUSA)
Description: PCAUSA NDIS 5.0 SPR Protocol Driver
Product: PCAUSA Rawether for Windows
Version: 5.5.18.05
File version: 5.5.18.05
c:\windows\system32\drivers\tap0901.sys:
Verified: Unsigned
File date: 7:48 PM 12/11/2009
Publisher: The OpenVPN Project
Description: TAP-Win32 Virtual Network Driver
Product: TAP-Win32 Virtual Network Driver
Version: 2.1.1 9/6
File version: 2.1.1 9/6 built by: WinDDK

3550807.sys has gone missing!

35508071.sys has gone missing!

35508072.sys has gone missing!

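
The maxlook log above marks each driver "Verified: Unsigned". As an added example (not part of the thread, and not maxlook's or Sysinternals' code), the Python below does the purely structural half of such a check: it walks the PE headers to the IMAGE_DIRECTORY_ENTRY_SECURITY slot, where an embedded Authenticode blob lives, and reports whether one is present and whether it fits inside the file. Two caveats matter when reading the result against a list like the one above: a present blob says nothing about whether the signature verifies or who signed it (no chain or hash check is done here), and an absent blob does not make a driver unsigned, because Windows also accepts signatures carried in catalog (.cat) files, which this snippet does not consult. build_synthetic_pe32 constructs a minimal PE32 purely to exercise the code; it is not a loadable image, and the script name in the final comment is an assumption.

```python
import struct
import sys

# Data-directory slot holding an embedded Authenticode signature
# (IMAGE_DIRECTORY_ENTRY_SECURITY). Unlike every other slot, its
# "VirtualAddress" field is a raw file offset, not an RVA.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def embedded_signature(data):
    """Return a dict describing the WIN_CERTIFICATE blob of a PE image, or None.

    None means the image carries no security directory. ValueError means the
    headers are malformed or the directory points outside the file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24                      # 4-byte "PE\0\0" + 20-byte COFF header
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (size_of_optional,) = struct.unpack_from("<H", data, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%04x" % magic)
    end_of_slot = dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if end_of_slot > len(data):
        raise ValueError("headers truncated")
    if end_of_slot > opt + size_of_optional:
        return None                          # optional header too short to hold the slot
    (num_dirs,) = struct.unpack_from("<I", data, num_dirs_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if offset == 0 or size == 0:
        return None
    if size < 8 or offset + size > len(data):
        raise ValueError("security directory [0x%x, +0x%x) lies outside the %d-byte file"
                         % (offset, size, len(data)))
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return {"offset": offset, "size": size, "length": length, "revision": revision,
            "cert_type": cert_type, "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def signature_status(data):
    """One-line triage verdict. Presence is not validity; absence is not 'unsigned'."""
    try:
        sig = embedded_signature(data)
    except ValueError as exc:
        return "malformed: %s" % exc
    if sig is None:
        return "no embedded signature (may still be catalog-signed)"
    if not sig["pkcs7"]:
        return "security directory present but not PKCS#7 (type 0x%04x)" % sig["cert_type"]
    return "embedded PKCS#7 signature, %d bytes at file offset 0x%x" % (sig["size"], sig["offset"])


def build_synthetic_pe32(cert_blob=None):
    """Constructed minimal PE32 header for testing only; not a loadable image.

    With cert_blob, a WIN_CERTIFICATE wrapping it is appended after the headers
    and the security directory is pointed at it, as a signing tool would do.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 224                   # PE32 optional header with all 16 directories
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, size_of_optional, 0x0102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + size_of_optional
    tail = b""
    if cert_blob is not None:
        tail = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(tail))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail


if __name__ == "__main__":
    # e.g. python check_sigdir.py C:\WINDOWS\system32\drivers\bvrp_pci.sys  (script name assumed)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print("%s: %s" % (path, signature_status(fh.read())))
```

A driver pulled from disk that comes back "malformed" because the security directory points past the end of the file deserves a closer look rather than a shrug; a dangling or oversized directory entry is not what a normal signing tool produces.
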
Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    bvrp_pci.sys
    3550807.sys
    35508071.sys
    35508072.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt

SystemLook 04.09.10 by jpshortstuff

Log created at 14:51 on 28/06/2011 by Jimmy Huang

Administrator - Elevation successful

========== filefind ==========

Searching for "bvrp_pci.sys"

C:\WINDOWS\maxdrive\bvrp_pci.sys --a---- 4272 bytes [17:32 14/06/2008] [15:12 24/03/2004] C945DC4EEE3F624DFD07788EA7F0DB0A

C:\WINDOWS\system32\drivers\bvrp_pci.sys -ra--c- 4272 bytes [17:32 14/06/2008] [15:12 24/03/2004] C945DC4EEE3F624DFD07788EA7F0DB0A

Searching for "3550807.sys"

C:\Documents and Settings\Jimmy Huang\Desktop\Virus Removal Tool\setup_9.0.0.722_28.06.2011_03-10\drivers\3550807.sys --a---- 315408 bytes [01:02 28/06/2011] [03:31 10/10/2009] 66EF49622BAA18E4D4F1FE4BAE1D51B8

C:\WINDOWS\system32\drivers\3550807.sys --a---- 315408 bytes [01:02 28/06/2011] [03:31 10/10/2009] 66EF49622BAA18E4D4F1FE4BAE1D51B8

Searching for "35508071.sys"

C:\Documents and Settings\Jimmy Huang\Desktop\Virus Removal Tool\setup_9.0.0.722_28.06.2011_03-10\drivers\1\35508071.sys --a---- 128016 bytes [01:02 28/06/2011] [21:59 25/09/2009] 7DD41B7AC1FBB1DBF20BB1F4E4FBE58C

C:\WINDOWS\system32\drivers\35508071.sys --a---- 128016 bytes [01:02 28/06/2011] [21:59 25/09/2009] 7DD41B7AC1FBB1DBF20BB1F4E4FBE58C

Searching for "35508072.sys"

C:\Documents and Settings\Jimmy Huang\Desktop\Virus Removal Tool\setup_9.0.0.722_28.06.2011_03-10\drivers\2\35508072.sys --a---- 37392 bytes [01:02 28/06/2011] [17:54 22/10/2009] A305FAD3719C5DB0C13D1C2BFD08A04D

C:\WINDOWS\system32\drivers\35508072.sys --a---- 37392 bytes [01:02 28/06/2011] [17:54 22/10/2009] A305FAD3719C5DB0C13D1C2BFD08A04D

-= EOF =-

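
Each hit in the SystemLook log above carries the path, a seven-character attribute string, the size, the modified and created timestamps, and an MD5. Read side by side, the two copies of bvrp_pci.sys (WINDOWS\maxdrive and system32\drivers) are identical by hash, and each of the three numbered .sys files exists both in system32\drivers and under the Desktop "Virus Removal Tool" folder, again with matching hashes. The Python below is an added example, not from the thread or from SystemLook's author: it parses filefind output and flags any name whose copies disagree by MD5, which is the case that would point at a replaced or patched file. The embedded sample reuses the bvrp_pci.sys lines from the log and adds constructed lines (example.sys, nothere.sys) to exercise the mismatch and not-found branches; the script name in the final comment is an assumption.

```python
import re
import sys

# One hit line of a SystemLook ":filefind" log, e.g.
#   C:\WINDOWS\maxdrive\bvrp_pci.sys --a---- 4272 bytes [17:32 14/06/2008] [15:12 24/03/2004] C945DC4EEE3F624DFD07788EA7F0DB0A
# fields: path, 7-char attribute flags, size, [modified] [created], MD5.
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Constructed sample: the bvrp_pci.sys lines are copied from the log above;
# example.sys (hash mismatch) and nothere.sys (no hits) are made up for the test.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "bvrp_pci.sys"

C:\WINDOWS\maxdrive\bvrp_pci.sys --a---- 4272 bytes [17:32 14/06/2008] [15:12 24/03/2004] C945DC4EEE3F624DFD07788EA7F0DB0A

C:\WINDOWS\system32\drivers\bvrp_pci.sys -ra--c- 4272 bytes [17:32 14/06/2008] [15:12 24/03/2004] C945DC4EEE3F624DFD07788EA7F0DB0A

Searching for "example.sys"

C:\WINDOWS\maxdrive\example.sys --a---- 4272 bytes [17:32 14/06/2008] [15:12 24/03/2004] C945DC4EEE3F624DFD07788EA7F0DB0A

C:\WINDOWS\system32\drivers\example.sys --a---- 5120 bytes [01:02 28/06/2011] [15:12 24/03/2004] 0123456789ABCDEF0123456789ABCDEF

Searching for "nothere.sys"

-= EOF =-
"""


def parse_filefind(log_text):
    """Map each searched name to its list of hits; names with no hits map to []."""
    hits = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            hits.setdefault(current, [])
            continue
        m = HIT_RE.match(line)
        if m and current is not None:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits[current].append(hit)
    return hits


def assess(hits):
    """Verdict per name: copies sharing one MD5 are consistent; differing copies are flagged."""
    verdicts = {}
    for name, copies in hits.items():
        if not copies:
            verdicts[name] = "not found"
        elif len(copies) == 1:
            verdicts[name] = "single copy, nothing to compare against: %s" % copies[0]["path"]
        elif len({c["md5"] for c in copies}) == 1:
            verdicts[name] = "consistent: %d copies, MD5 %s" % (len(copies), copies[0]["md5"])
        else:
            verdicts[name] = "MISMATCH: " + "; ".join(
                "%s (%d bytes) %s" % (c["path"], c["size"], c["md5"]) for c in copies
            )
    return verdicts


if __name__ == "__main__":
    # e.g. python filefind_check.py SystemLook.txt  (script name assumed); no argument runs the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOG
    for name, verdict in assess(parse_filefind(source)).items():
        print("%-14s %s" % (name, verdict))
```

Read the MISMATCH lines first. Identical hashes across copies rule out a replaced file but say nothing about whether the original is benign, which is what the VirusTotal step later in the thread addresses.
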
I don't use Internet Explorer so I have no idea. But it definitely occurs in Firefox.

Since you have Internet Explorer installed, could you please try running it and doing some Google searches? I need to know if this problem is exclusive to Firefox. ;)

I just googled a lot in Internet Explorer and I didn't experience any redirects. However, I can't be sure because in Firefox, it only occurs sometimes. Are there any specific keywords to google to see if I can bring it up? I tried stuff like hsbc and paypal but nothing showed up.

I think we're on to something ;)

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.

There wasn't an option one or two and it just asked if it could run.

GooredFix by jpshortstuff (03.07.10.1)

Log created at 15:29 on 28/06/2011 (Jimmy Huang)

Firefox version 4.0.1 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

afurladvisor@anchorfree.com [16:35 16/01/2011]

{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:04 02/05/2011]

{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [23:27 19/10/2009]

{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [04:49 04/11/2009]

C:\Documents and Settings\Jimmy Huang\Application Data\Mozilla\Firefox\Profiles\tyj38oe4.default\extensions\

netvideohunter@netvideohunter.com [18:16 15/06/2011]

{20a82645-c095-46ed-80e3-08825760534b} [17:05 28/06/2010]

{5c8bfb7c-9a54-11dc-8314-0800200c9a66} [23:34 16/11/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:27 19/10/2009]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:20 03/01/2010]

"smartwebprinting@hp.com"="C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2" [00:22 08/01/2010]

-=E.O.F=-

Hmm. That didn't work.

Please navigate to

C: > WINDOWS > system32 > drivers

Locate the following file: bvrp_pci.sys. Right-click and copy it to your Desktop.

After you have done that, please go to http://www.virustotal.com , click on Browse, and upload the following file for analysis (you will only be able to have one file scanned at a time):

c:\documents and settings\Jimmy Huang\Desktop\bvrp_pci.sys

Then click Submit. Allow the file to be scanned, and then please copy/paste the results here for me to see.

It's clean.

bvrp_pci.sys

Submission date: 2011-06-28 19:54:17 (UTC)
Current status: finished
Result: 0/42 (0.0%)
VT Community: not reviewed
Safety score: -

Antivirus Version Last Update Result

AhnLab-V3 2011.06.29.00 2011.06.28 -

AntiVir 7.11.10.141 2011.06.28 -

Antiy-AVL 2.0.3.7 2011.06.27 -

Avast 4.8.1351.0 2011.06.28 -

Avast5 5.0.677.0 2011.06.28 -

AVG 10.0.0.1190 2011.06.28 -

BitDefender 7.2 2011.06.28 -

CAT-QuickHeal 11.00 2011.06.28 -

ClamAV 0.97.0.0 2011.06.28 -

Commtouch 5.3.2.6 2011.06.28 -

Comodo 9214 2011.06.28 -

DrWeb 5.0.2.03300 2011.06.28 -

eSafe 7.0.17.0 2011.06.28 -

eTrust-Vet 36.1.8413 2011.06.28 -

F-Prot 4.6.2.117 2011.06.28 -

F-Secure 9.0.16440.0 2011.06.28 -

Fortinet 4.2.257.0 2011.06.28 -

GData 22 2011.06.28 -

Ikarus T3.1.1.104.0 2011.06.28 -

Jiangmin 13.0.900 2011.06.28 -

K7AntiVirus 9.106.4851 2011.06.28 -

Kaspersky 9.0.0.837 2011.06.28 -

McAfee 5.400.0.1158 2011.06.28 -

McAfee-GW-Edition 2010.1D 2011.06.28 -

Microsoft 1.7000 2011.06.28 -

NOD32 6248 2011.06.28 -

Norman 6.07.10 2011.06.28 -

nProtect 2011-06-28.01 2011.06.28 -

Panda 10.0.3.5 2011.06.28 -

PCTools 8.0.0.5 2011.06.28 -

Prevx 3.0 2011.06.28 -

Rising 23.64.01.03 2011.06.28 -

Sophos 4.66.0 2011.06.28 -

SUPERAntiSpyware 4.40.0.1006 2011.06.28 -

Symantec 20111.1.0.186 2011.06.28 -

TheHacker 6.7.0.1.244 2011.06.28 -

TrendMicro 9.200.0.1012 2011.06.28 -

TrendMicro-HouseCall 9.200.0.1012 2011.06.28 -

VBA32 3.12.16.3 2011.06.28 -

VIPRE 9720 2011.06.28 -

ViRobot 2011.6.28.4538 2011.06.28 -

VirusBuster 14.0.100.0 2011.06.28 -

I'm going to confer with some experts about something. I appreciate your patience. :)

-DFB

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the option Remove found threats is UNCHECKED and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

------

Please include the ESET scan results in your next reply. ;)

I will be posting the log tomorrow :) I would like to thank you for your patience as well!

I will be posting the log tomorrow :)

Sounds good. Thank you for letting me know.

I would like to thank you for your patience as well!

Cheers! :)

While the scan is going on, I would like to say that someone messaged me to use "http://www.surfright.nl/en" and that it would most likely solve my problems. Can you confirm that this is not rogue software?

It is another scanner, but I would suggest that you avoid using tools other than what I advise you to here. ;)

Can you forward me the message?

I'm not sure how to forward it (was a personal conversation) but it said:

"Dude I dont know why these censoreding knuckle heads in the forums refuse to post this, but this will fix your rootkit right up.

Do me a favor, if it works post in your thread that it did.

http://www.surfright.nl/en"

When viewing the message in your Personal Messenger, select the Add button under Invite Participant (left-hand side)... then choose D-FRED-BROWN ;).

I used the ctrl+f to find invite participant but I can't find it. Is there any other way? The scan is taking a while but so far it's found two infected files :)

Check your messages :).

Scan finally finished.

C:\Documents and Settings\Jimmy Huang\Application Data\Sun\Java\Deployment\cache\6.0\4\4b83f3c4-66513c92 multiple threats

C:\Documents and Settings\Jimmy Huang\Application Data\Sun\Java\Deployment\cache\6.0\7\1ee67f87-6fd71d45 multiple threats

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Once you're in Safe Mode with Networking, please try running Firefox. Let me know if you get any redirects upon doing Google searches. ;)

Didn't seem to have any. The thing with this virus is that it only occurs sometimes. I haven't seen it happen for a while so I'm not sure if it was inadvertently deleted or is just hiding dormant.

This topic is now closed to further replies.
