Solved STILL have Google redirect virus!

September 23, 2011 at 04:53:06
Specs: Windows XP
Hi all,

I recently posted with this problem; the help I received seemed to make a difference for a little while, but the redirect "monster" has come right back... I ran "rkill.exe," "TDSSKiller," then Malwarebytes, none of which really worked... Hitman Pro was able to detect a couple of things, but still, I have had no luck in eradicating this problem from my computer.

I have been doing some research and found that "ComboFix" comes highly recommended, only if someone experienced (like yourselves) is helping. I have also checked my hosts file (nothing there). The solution just seems to elude me.

In any event, I want to get this damn thing off my computer, and would greatly appreciate this forum's continued help in doing so. Thanks so much in advance!



#1
September 23, 2011 at 07:37:07
✔ Best Answer
BillShakespeare,

Google redirections have several flavors, so they can be difficult to get rid of.

Need to obtain some information from you in order to determine which course of action to take.

First, which browser, or browsers, do you use?

Next, please run the following tool; it will give information on what is going on with your system, and help identify the redirections:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...

Save to your Desktop

Double-click the dds file to run it.

When done, DDS opens two logs:
-DDS.txt
-Attach.txt

Save both reports to your Desktop.

Since these reports are large, please go to the Uploading website:
http://uploading.com/files/upload/

In: 'Select files to upload', click 'Browse', and 'Look in' the Desktop.

Select the DDS.txt, and click on 'Open'
You will see the following:
"Your file has been uploaded successfully: (Name and size of the file)"

Please copy the 'Download link'.

Do the same uploading for the Attach.txt.

Please copy the 'Download link', for each report, and provide them in your reply.


Also, please download GMER:
http://gmer.net/download.php
[Downloads a randomly named file. (Recommended)]

Close all running programs, and temporarily disable any real-time protection so your security programs do not conflict with gmer's driver. Info:
http://www.bleepingcomputer.com/for...

Double-click on the randomly named GMER file (i.e. n7gmo46c.exe)
Allow the gmer.sys driver to load...

GMER opens to the Rootkit/Malware tab and performs an automatic quick scan when first run. (Please do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO

Now, click the >Scan< button.
If you see a rootkit warning window, click OK.

When the scan finishes, click the 'Save...' button to save the scan results to your Desktop.
Save the file as >gmer.log<

>>Click the Copy button and >post< the results of the GMER log in your reply.<<

Note: Please, do not take action on any of the information on the GMER report!!

If you encounter any problems, try running GMER in Safe Mode:
http://www.computerhope.com/issues/...

If GMER crashes or keeps resulting in BSODs, uncheck 'Devices' (on the right side) before scanning.


Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#2
September 23, 2011 at 15:26:32
Hey, thanks for your response.

I use Mozilla Firefox (ver 3.6.22; I know I should update more frequently), however other browsers on my computer are affected as well. Firefox is what I use daily.

It will take me a little bit of time to go through all these steps, but I will get back to you with those download links as soon as I can.

Here is the forum link for the dds.txt:
dds.txt - 12.0 KB: http://uploading.com/files/86bc14aa/dds.txt/

And the forum link for the attach.txt file:
attach.txt - 21.1 KB: http://uploading.com/files/a1c67e64/attach.txt/

I will have to complete the other steps as we go along, as I have to run soon, but immediately after I post this reply I will download and run the GMER program.

Thanks so much for your help!



#3
September 23, 2011 at 19:46:45
BillShakespeare,

TDSS does not appear to be in play here.

Since FireFox is your main browser, please do the following:

Download GooredFix:
http://jpshortstuff.247fixes.com/Go...

Save to the Desktop.

Make sure all FireFox windows are closed.

To run the tool, double-click the file.

When prompted to run the scan, click: Yes

GooredFix checks for infections, and, when done, the scan report appears.

Please post the Goored.txt (found on the Desktop) in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#4
September 24, 2011 at 03:38:21
My continued thanks.

Here is the goored.txt report:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 03:23 on 24/09/2011 (Declan)
Firefox version 3.6.22 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Declan\Application Data\Mozilla\Firefox\Profiles\08a55joc.default\extensions\{a0524669-fbc2-4142-aa04-856d4a3b474c}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:50 07/02/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [03:02 08/05/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [01:02 01/09/2009]

C:\Documents and Settings\Declan\Application Data\Mozilla\Firefox\Profiles\08a55joc.default\extensions\
moveplayer@movenetworks.com [23:36 22/02/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [07:29 07/02/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:02 08/05/2009]

-=E.O.F=-

That's all I have for now; I screwed up the GMER scan by accidentally closing it. I'll try that again. More to follow...I look forward to your next reply. Again, I am very grateful. Take care.



#5
September 24, 2011 at 09:40:45
BillShakespeare,

Do not worry about GMER for now.

Please follow up with ComboFix...

If you have ComboFix (CF) already on your Desktop, please remove it!
Download an updated version:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!

Important >> Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through these links: http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/sec...

XP - Double-click on ComboFix.exe to run the program.

Follow the prompts.

XP users (only) - Please install the Recovery Console when presented with the option.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Since this report can be quite large, please go to the ‘Uploading’ website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the ComboFix report, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Also, please update as to whether you are still having malware problems.

Thanks!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#6
September 24, 2011 at 13:50:06
Just finished the combofix scan. Here is the log:

log.txt - 14.5 KB: http://uploading.com/files/e3475187/log.txt/

I will try a few google searches to see if there's been any effect. Thanks!



#7
September 24, 2011 at 13:51:48
So far, so good!


#8
September 24, 2011 at 17:01:44
That is good news!

However, an infection will return if its source is the Master Boot Record (MBR), because it loads the infection as soon as you boot into Windows!

And, since you do not want to return with this problem again, let's check for this possibility.

Please download aswMBR:
http://public.avast.com/~gmerek/asw...

Save to your Desktop.

Double click the 'aswMBR.exe' icon to run it

Click the 'Scan' button to start the scan

Upon completion of the scan, click the 'Save Log' button

Save the 'aswMBR log' to your Desktop, and post it in your reply.
Note - Do NOT attempt to fix anything!!

Also, you will notice that another file is created on the Desktop.
It is named MBR.dat.

Please keep this file on the Desktop, and do not do anything with it.
This is important, just in case we need access to the MBR information

Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#9
September 24, 2011 at 17:53:40
Here is the log:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-24 17:24:03
-----------------------------
17:24:03.765 OS Version: Windows 5.1.2600 Service Pack 3
17:24:03.765 Number of processors: 2 586 0x407
17:24:03.765 ComputerName: DECLANPC UserName: Declan
17:24:04.875 Initialize success
17:27:30.218 AVAST engine defs: 11092401
17:30:12.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
17:30:12.750 Disk 0 Vendor: WDC_WD2500JS-60NCB1 10.02E02 Size: 238475MB BusType: 3
17:30:14.796 Disk 0 MBR read successfully
17:30:14.812 Disk 0 MBR scan
17:30:14.906 Disk 0 Windows XP default MBR code
17:30:14.921 Disk 0 scanning sectors +488376000
17:30:15.015 Disk 0 scanning C:\WINDOWS\system32\drivers
17:30:24.859 Service scanning
17:30:25.875 Modules scanning
17:30:30.515 Disk 0 trace - called modules:
17:30:30.515 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:30:30.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8651cab8]
17:30:30.531 3 CLASSPNP.SYS[f7630fd7] -> nt!IofCallDriver -> \Device\0000005f[0x8658c9e8]
17:30:30.531 5 ACPI.sys[f74a7620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x86589940]
17:30:31.906 AVAST engine scan C:\WINDOWS
17:30:48.078 AVAST engine scan C:\WINDOWS\system32
17:32:45.531 AVAST engine scan C:\WINDOWS\system32\drivers
17:33:00.468 AVAST engine scan C:\Documents and Settings\Declan
17:36:05.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Declan\Desktop\MBR.dat"
17:36:05.375 The log file has been saved successfully to "C:\Documents and Settings\Declan\Desktop\aswMBR.txt"
17:47:28.109 AVAST engine scan C:\Documents and Settings\All Users
17:48:09.703 Scan finished successfully
17:52:51.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Declan\Desktop\MBR.dat"
17:52:51.750 The log file has been saved successfully to "C:\Documents and Settings\Declan\Desktop\aswMBR.txt"

The MBR.dat file is indeed on my desktop now; let me know if there's anything I need to do with it. Thanks!


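The aswMBR log above was appended across two runs, the first one cut short before "Scan finished". As an added example (not from the thread or from AVAST), here is a small Python parser that splits such a log into runs and reports what a helper checks before calling the MBR clean: whether the scan finished, the MBR verdict line, and whether any module outside an assumed baseline appears in the disk call trace. The baseline is an assumption taken from this thread's own trace, and the sample log is constructed.

```python
import re

# Constructed sample in the layout of the aswMBR log posted above: the tool appends to
# aswMBR.txt, so one file can hold two runs, the first cut short before "Scan finished".
SAMPLE_LOG = """aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
17:30:14.906 Disk 0 Windows XP default MBR code
17:30:30.515 Disk 0 trace - called modules:
17:30:30.515 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
17:30:14.906 Disk 0 Windows XP default MBR code
17:30:30.515 Disk 0 trace - called modules:
17:30:30.515 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:48:09.703 Scan finished successfully
"""
# Assumed baseline: the modules in the thread's own call trace (catchme.sys is the
# scanner's driver, the rest the stock XP disk stack). Anything else is worth a look.
KNOWN_STACK = {"ntkrnlpa.exe", "catchme.sys", "classpnp.sys", "disk.sys", "acpi.sys",
               "hal.dll", "atapi.sys", "pciide.sys", "pciidex.sys"}
TIMESTAMPED = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (.*)$")   # strip the HH:MM:SS.mmm prefix

def parse_runs(text):
    """Split an appended aswMBR.txt into runs; each run is a dict of the fields a helper checks."""
    runs, want_modules = [], False
    for line in text.splitlines():
        if line.startswith("aswMBR version"):             # header line starts a new run
            runs.append({"mbr_verdict": "", "modules": [], "finished": False})
            want_modules = False
            continue
        m = TIMESTAMPED.match(line)
        if not runs or not m:
            continue
        cur, body = runs[-1], m.group(1)
        if want_modules:                                  # line after "trace - called modules:"
            cur["modules"], want_modules = body.split(), False
        elif body.endswith("called modules:"):
            want_modules = True
        elif re.match(r"Disk \d+ .+ MBR code$", body):    # e.g. "Disk 0 Windows XP default MBR code"
            cur["mbr_verdict"] = body.split(" ", 2)[2]
        elif body == "Scan finished successfully":
            cur["finished"] = True
    return runs

def triage(run):
    """Findings to raise before telling the poster the MBR is clean."""
    findings = []
    if not run["finished"]:
        findings.append("scan did not finish")
    if "default MBR code" not in run["mbr_verdict"]:
        findings.append("MBR verdict: " + (run["mbr_verdict"] or "missing"))
    odd = [x for x in run["modules"] if x.lower() not in KNOWN_STACK]
    if odd:
        findings.append("unexpected modules in disk call trace: " + ", ".join(odd))
    return findings
```

Run `triage` on each element of `parse_runs(SAMPLE_LOG)`: the first run reports only that the scan did not finish, the second comes back with no findings.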

#10
September 24, 2011 at 19:11:52
We're on the downhill roll, now.

Just some maintenance, and a security check....

Please download TFC (Temporary File Cleaner) to your Desktop:
http://oldtimer.geekstogo.com/TFC.exe

Save any work in progress!! TFC closes all open applications and will remove any unsaved work.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


Next, download Security Check:
http://screen317.changelog.fr/Secur...

Save to the Desktop.
Double click SecurityCheck.exe and follow the on-screen instructions (in the black box.)

When done, a Notepad document opens automatically: ‘checkup.txt’
Please post the contents of checkup.txt in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#11
September 25, 2011 at 06:29:12
checkup.txt:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
[b]``````````````````````````````
[u]Antivirus/Firewall Check:[/u][/b]
Windows Firewall Disabled!
Microsoft Security Essentials
Antivirus up to date! (On Access scanning [b]disabled[/b]!)
[b]```````````````````````````````
[u]Anti-malware/Other Utilities Check:[/u][/b]
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 14
[color=red][b]Out of date Java installed![/b][/color]
Adobe Flash Player 10.0.32.18
Adobe Reader 9.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.22)
[b]````````````````````````````````
Process Check:
[u]objlist.exe by Laurent[/u][/b]
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
[b]``````````End of Log````````````[/b]




#12
September 25, 2011 at 10:33:49
This next step is important, as it will implement important cleanup procedures, reset your System Restore by flushing out previous restore points (which contain the infections), and create a new restore point.


Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /uninstall

ComboFix will uninstall itself from your computer and remove its backups and quarantined files.
When it has finished you will see a dialog box stating that ComboFix has been uninstalled.

You can now delete the ComboFix program icon from your Desktop, if still there.

-->> Do you have a Firewall enabled? It can be something other than the Windows firewall.
All that shows is Microsoft Security Essentials.

If you have no Firewall, follow these steps to enable the Windows Firewall:
1. Click Start > click Run, type: Firewall.cpl
2. Click: 'OK'
3. On the General tab, click 'ON' (recommended).
4. Click: 'OK'

-->>If the Firewall does not turn on, post back any error message, etc.!!


The following tasks you can do as your time permits, but, please do not wait more than a couple of days.

Please verify the version of Java you have installed:
http://www.java.com/en/download/ins...

If your version of Java is outdated, it needs to be updated to eliminate security vulnerabilities.
When done, uninstall older versions:
http://www.java.com/en/download/uni...


Also update the following:
Adobe Reader
Out of date Adobe Reader installed!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals



#13
September 25, 2011 at 13:08:22
Done and done! The java download seems to have overwritten any previous versions of java I had (I could only find one java program in my add/remove program folder, so I think I'm ok there).

I again extend my sincere thanks to you for all your help. Your assistance removed not only a virus from my computer, but stress from my life! Much appreciated. Take care.



#14
September 25, 2011 at 13:50:51
Thank you for the kind words. It has been a pleasure working with you.


To close, consider doing the following to prevent future infections...

Malware is normally installed through vulnerabilities found in outdated and insecure programs on a computer. You can use the Secunia Personal Software Inspector to scan for vulnerable programs on your computer:
http://secunia.com/vulnerability_sc...

A tutorial on how to use the program to scan for vulnerable programs is found here:
http://www.bleepingcomputer.com/tut...


Surf safely, BillShakespeare!!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/ Member of UNITE and the
Alliance of Security Analysis Professionals
