
Google Redirect Virus


Re: Google Redirect Virus

by jmartin075 » February 11th, 2010, 8:14 pm

Here's the Malwarebytes log. I don't understand how there could be so many infected files. I've been scanning my computer so much lately. Are they old infections that the MBAM update found? Are they new infections? I haven't really even been on the internet lately or downloaded anything, so I don't know how they could be. I made some purchases with a credit card about a month ago. Do I have to worry about my information being stolen?

I just got the "Generic Host Process for Win32 Services has encountered a problem" message again.

Malwarebytes' Anti-Malware 1.44
Database version: 3727
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/11/2010 7:03:38 PM
mbam-log-2010-02-11 (19-03-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184945
Time elapsed: 1 hour(s), 40 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

by melboy » February 12th, 2010, 4:25 am

Hi

As you can probably see, the infection you picked up yesterday is not good.

2010-02-11 20:54:57 0 d-sh--w- c:\windows\system32\lowsec

The infection is delivered by Win32/ZBOT

It looks to have been removed by MBAM soon after its arrival, so the effects of the infection may be minimal, but as you can see from the MS description - unfortunately it's not good.

Win32/Zbot is a trojan password stealer that may bypass installed firewall applications to send captured passwords to an attacker. It also contains limited backdoor functionality that allows unauthorized access and control of an affected machine.


Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

  • As you have used this computer for shopping, banking, or other transactions, it would be wise to:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a known clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.


I can attempt to carry on cleaning this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.


If you want to carry on and attempt to clean the PC then follow the instructions below.

If at any time Combofix asks you to update it, please allow it to do so.



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    DDS::
    Trusted Zone: buy-internetsecurity10.com


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


SystemLook


Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


In your next reply:
  1. combofix.txt
  2. SystemLook.txt
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
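The key finding in the log above is the Winlogon Userinit entry: Zbot appended its loader (sdra64.exe) after userinit.exe so it starts at every logon. The following is an added example, not part of this thread or of Malwarebytes, that parses the "Bad: (...) Good: (...)" data-item lines of an MBAM log and reports any Userinit entry that is not userinit.exe; it also flags the Security Center DisableNotify entries seen in the later log in this thread. The sample log lines are copied from this thread for illustration, and the clean Userinit value assumed is the Windows XP default.

```python
import re

# Sample in the shape of the "Registry Data Items Infected" section of the MBAM log
# posted in this thread (values copied from that log for illustration).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# One MBAM "<key> (<detection>) -> Bad: (...) Good: (...)" data-item line.
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[\w.]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
)

def userinit_extra_entries(value):
    # Assumed clean XP value: C:\WINDOWS\system32\userinit.exe, (with trailing comma).
    # Zbot appends its loader so Winlogon starts it at every logon; report anything else.
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras

def triage(log_text):
    """Parse MBAM data-item lines; flag logon persistence and defence tampering."""
    findings = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        item = m.groupdict()
        item["extra"] = []
        item["note"] = ""
        if item["key"].lower().endswith(r"\winlogon\userinit"):
            item["extra"] = userinit_extra_entries(item["bad"])
            item["note"] = "logon persistence: extra Userinit loader(s)"
        elif "disablenotify" in item["key"].lower() and item["bad"] == "1":
            item["note"] = "Security Center warnings suppressed"
        findings.append(item)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["detection"], f["note"], f["extra"])
```

Any path returned in "extra" is the binary that was being launched at logon and is the first thing to look for on disk and in the quarantine.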

Re: Google Redirect Virus

by jmartin075 » February 12th, 2010, 4:49 pm

What would you suggest I do? This is my home computer and I only use it for writing papers, listening to music, and the internet and there really isn't anything too important on it. That being said, I don't think a reformat would be too much of a problem because I have very little on here that needs to be saved. Also, my computer was disconnected from the internet during the scan and before it, if that matters.
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

by melboy » February 12th, 2010, 4:54 pm

Hi

It has to be your choice. Have you read the links I gave?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

by jmartin075 » February 12th, 2010, 10:09 pm

I'm thinking of reinstalling my OS. My computer did not come with a disc, though. There is a piece of paper that says stuff about "Dell PC Restore".
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

by melboy » February 14th, 2010, 10:31 am

Hi

My apologies, I didn't receive a notification for this reply.

There is a Dell step by step guide for restoring your computer to its factory state here

After restoring to factory settings and when you connect to the internet for the first time, check for updates for your AntiVirus straight away and then make getting Windows updates a priority.


=============================================
General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer 7
    Internet Explorer 6


Recommended Programs

I would recommend the download and installation of some or all of the following programs, and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE, and for more information regarding Hosts files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.


Any further questions?
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

by jmartin075 » February 17th, 2010, 12:19 am

It's taking me a while to restore my computer. No problems, just not enough time. Other than what you already suggested, are there any other precautions I can take to keep my computer safe? Thanks for all your help.
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

by melboy » February 17th, 2010, 2:20 pm

Hi

You're welcome.

Have a read of How to prevent Malware by miekiemoes, and also read this article by Tony Klein; So How Did I Get Infected In First Place.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

by jmartin075 » February 19th, 2010, 3:21 pm

Hey, everything is running fine now. I installed WinPatrol and reinstalled Malwarebytes. I ran a scan with Malwarebytes and two infected files came up. Here's the log:


Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/19/2010 2:04:37 PM
mbam-log-2010-02-19 (14-04-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142408
Time elapsed: 43 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

by melboy » February 19th, 2010, 3:28 pm

Hi

Did you restore to factory defaults? (Dell PC Restore)

Doing so will have reformatted your hard drive, removed all data (including any malware) and restored the computer to the state it was in when you first purchased it.

Please reply so we can close this topic if you've no further questions.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Google Redirect Virus

by jmartin075 » February 20th, 2010, 12:04 pm

Yeah, I used Dell PC Restore.
jmartin075
Regular Member
 
Posts: 23
Joined: February 2nd, 2010, 9:39 pm

Re: Google Redirect Virus

by NonSuch » February 21st, 2010, 5:08 am

As this issue appears to be resolved, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
NonSuch
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California