Another Google Redirect Virus

By reubencahn
Nov 18, 2009
Topic Status:
Not open for further replies.
  1. Links that appear in Google search lead to random advertising pages. Have run the 8 step process. Any help is much appreciated. Here are the logs:
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Your HJT log is double the size of most other users'.
    This is because you have Norton (many entries) and a stack of Dell entries. Actually, all up you have:
    38 Windows startups (compared to my 1)
    39 Service startups (note these are on top of your Windows startups)
    Making a grand total of 77 Startups!
    Does Windows actually run?

    I have to go (so I'm told), but I wanted to post: please remove as many not-required startups as humanly possible

    Edit:
    I'm already back :)

    OK please follow the below so we can at least view your HJT log:

    Download these Tools, and save them to a New Folder on the Desktop: (ie don't run yet)
    IE Reset: http://go.microsoft.com/?linkid=9646978
    TFC: http://oldtimer.geekstogo.com/TFC.exe
    Combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Startup Control Panel: http://www.mlin.net/files/StartupCPL.zip
    Norton Removal Tool (If you want to remove Norton): ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
    Free Avira (If you decided to Remove Norton) http://dlce.antivir.com/package/wks_avira/win32/en/pecl/avira_antivir_personal_en.exe
    Hosts: http://www.mvps.org/winhelp2002/hosts.zip
    JavaRa http://downloads.sourceforge.net/javara/JavaRa.zip

    Uninstall these:
    EmbassySecurityCheck
    Spybot - Search & Destroy
    SUPERAntiSpyware
    All the Google stuff (user preference)
    Roxio LiveShare P2P (user preference)
    Roxio Hard Drive Watcher (user preference)
    Norton (user preference)


    At last we can start (note you may have needed to restart if you uninstalled any of the above)

    1. Close all open programs (you can also disconnect from the Internet)
    2. Run MicrosoftFixit50195.msi (This is IE Reset)
    3. Unzip StartupCPL.zip, and install it. Then run it and disable all the known things you don't want starting with Windows
    4. Unzip JavaRa and run it (select English) then select "Remove older versions"
    5. Run TFC, once in the program press "Start" (you may need to Restart)
    6. Disable Norton, and run Combofix (any warnings from Norton - just allow) (you may need to Restart) Note save the log file
    7. Restart
    8. Unzip and open hosts.zip, double click on mvps.bat
    9. Start > Run > Services.msc > ok
    • locate these Services, then double click on them and set them to Manual > Apply
      • DNS Client
      • Help Service (also change the Recovery, to "take no action")
      • Java Quick Starter
      • Many others are Norton and Cisco stuff, we'll discuss later ;))
    10. Restart
    11. Attach a new HJT log and also that Combofix log
    12. Here's hoping you removed Norton (since it didn't help you this time)
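Step 8 above installs the MVPS blocking hosts file. A related defender-side check, added here as an example (it is not part of kimsland's instructions and not the MVPS project's code): parse a hosts file and separate harmless blocking entries (names mapped to 0.0.0.0 or 127.0.0.1) from entries that send a name to a real address, which is the kind of change that produces a search-redirect symptom. SAMPLE_HOSTS, the WATCHED domain list and the TEST-NET addresses in it are constructed for the demo.

```python
"""Inspect a hosts file for entries that redirect names rather than block them.

Added example, not code from the TechSpot thread or the MVPS hosts project.
A blocking hosts file maps unwanted domains to 0.0.0.0 or 127.0.0.1, which
only makes them unreachable. An entry that points a search engine or a
security vendor at some other address is worth a close look.
"""
import ipaddress
from dataclasses import dataclass, field

# Addresses that make a name unreachable instead of redirecting it.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed watch list: names whose hijack would match a redirect symptom.
WATCHED = ("google.com", "bing.com", "yahoo.com",
           "microsoft.com", "symantec.com", "malwarebytes.org")


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: list = field(default_factory=list)


def parse_hosts(text):
    """Return one HostsEntry per mapping line; comments and junk are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])        # first field must be an IP
        except ValueError:
            continue
        entries.append(HostsEntry(n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def find_redirects(entries):
    """Entries that map a name to a routable address (anything not blackholed).

    Returns (line_no, address, hostname, watched) tuples, watched names first.
    """
    hits = []
    for e in entries:
        if e.address in BLACKHOLE:
            continue
        for h in e.hostnames:
            hits.append((e.line_no, e.address, h, is_watched(h)))
    return sorted(hits, key=lambda t: (not t[3], t[0]))


# Constructed sample, not a captured file. 203.0.113.x, 198.51.100.x and
# 192.0.2.x are documentation (TEST-NET) ranges.
SAMPLE_HOSTS = """\
# constructed sample, not a captured file
127.0.0.1       localhost
0.0.0.0         ad.doubleclick.net      # MVPS-style blocking entry
0.0.0.0         www.primosearch.com
203.0.113.7     www.google.com          # search engine sent elsewhere
203.0.113.7     google.com
198.51.100.9    www.symantec.com        # security vendor sent elsewhere
192.0.2.4       intranet.example        # plausible legitimate local mapping
"""


def summarize(text=SAMPLE_HOSTS):
    entries = parse_hosts(text)
    redirects = find_redirects(entries)
    return {
        "entries": len(entries),
        "blackholed": sum(e.address in BLACKHOLE for e in entries),
        "redirects": redirects,
        "watched_hijacks": [t for t in redirects if t[3]],
    }


if __name__ == "__main__":
    s = summarize()
    print(f"{s['entries']} entries, {s['blackholed']} blackholed")
    for line_no, addr, host, watched in s["redirects"]:
        print(f"line {line_no}: {'WATCHED ' if watched else ''}{host} -> {addr}")
```

To run it against a real machine, read the file at C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and pass the text to summarize(); every entry it lists under redirects should be one you can explain, such as an intranet name, and a watched hit is the thing to investigate first.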
  3. reubencahn

    reubencahn Newcomer, in training Topic Starter

    Can't uninstall Norton since the office requires it. Otherwise followed directions to the best of my limited abilities. Attached are the logs.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    The following files (if they still exist):
    I am not aware if they are Malware or not (likely yes).
    Please upload them (one at a time) HERE
    and report back.

    Otherwise no other Malware found :)

    But I would like you to do an online scan.

    Please run this online scan. It will give you a log and I need to see it:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please let me know the results :)


    EDIT
    The following entries (Office of Defender Services)
    are obviously required by you and your department?
    Why do all large corporations always have Norton?
    Norton must have made some big deals with them

    EDIT2
    Not to sound rude or anything, but don't you guys have onsite techs?
  5. reubencahn

    reubencahn Newcomer, in training Topic Starter

    I uploaded the first file. It was not found to be malware.
    As to the second file, a folder by that name existed, but it was empty.
    As to the third, the Network Services folder no longer exists within Documents and Settings
    I am attaching the log
    These are entries necessary for our web-based VPN
    Government
    Don't ask
  6. reubencahn

    reubencahn Newcomer, in training Topic Starter

    Problem seems to be gone when using IE. Redirect still starts to occur in Firefox, but the page to which the browser is being redirected will not load. I get the following messages:

    Firefox can't establish a connection to the server at www.primosearch.com
    or
    Firefox can't establish a connection to the server at atl.mv.bidsystem.com.
    or
    Firefox can't find the server at dubaiskipark.com.

    I also seem to be redirected on fewer links, say 1 out of 4 instead of 2 out of 3
  7. reubencahn

    reubencahn Newcomer, in training Topic Starter

    double post
  8. kritius

    kritius TechSpot Guru Posts: 2,087

    You haven't answered if you have on site tech support.

    For now, delete the copy of ComboFix that is on your desktop and redownload a fresh copy, run it and for the benefit of this forum, attach the log.
  9. reubencahn

    reubencahn Newcomer, in training Topic Starter

    I'm currently out of town, but when I return to the office tomorrow, I will have on site tech support. They haven't been able to help with this problem. Only suggestions were to run Super Anti-Spyware. I will download ComboFix again and run.
  10. kritius

    kritius TechSpot Guru Posts: 2,087

    Okay.

    It's always best to have the tech support do any work; if something were to happen to the computer during the cleaning process it will be nothing to do with us and will be completely on your shoulders.
  11. reubencahn

    reubencahn Newcomer, in training Topic Starter

    I understand. Here's the latest log.
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    That's strange.
    Combofix has now found Malware and removed it, but on the first run nothing was found.
    Also did you end up checking those files for Malware?
    And did you end up doing an online scan?

    For some reason you have not done this?
  13. reubencahn

    reubencahn Newcomer, in training Topic Starter

    I posted but for some reason was told my post would be hidden until reviewed by a moderator. In any case, I followed the instructions. The first file, I uploaded. It was not found to be malware. The second two did not exist any longer. I then ran the online scan. It found no threats. I am attaching the log. The other files asked about are, I believe, those installed by our web-based vpn client.
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    So are you still being redirected in Firefox?
    If so, uninstall Firefox (backup any bookmarks) and then run CCleaner
    Then go HERE and re-install Firefox. (By the way, I'm using the latest "Beta" version of Firefox, and have been since its first release. It's now up to Firefox V3.6 b3.)

    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK
    (Note: 1 space after ComboFix in that uninstall command)


    Update Java
    By clicking HERE and confirming you have the latest Java installed
    Run JavaRa again
    This will remove all your old Java stuff (that is not required)

    Remove Restore Points
    1. Go to Start > All Programs > Accessories > System Tools > System Restore
    2. Select Create a restore point, and OK it.
    3. Next, go to Start > Run and type in cleanmgr
    4. After selecting your drive, Select the "More options" tab
    5. Choose the option to "clean up system restore" and OK it.
    This will remove all restore points except the new one you just created.

    You could also download and run Smart Defrag and defrag your system fully

    Restart
    Report how everything is running :)
    You can then fully delete the New Folder created earlier, and then empty your Recycle Bin
  15. kritius

    kritius TechSpot Guru Posts: 2,087

    Kimsland, there is a file in there that is infected; there are also other files that need to be looked at before ComboFix is removed. Please do not remove it yet.
  16. kritius

    kritius TechSpot Guru Posts: 2,087

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *atapi.sys
      *iaStor.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
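SystemLook's :filefind lines list every copy of a file whose name matches the pattern. The useful follow-up is comparing those copies with each other, since a driver that has been tampered with will differ from the cached copies of the same name. The script below is an added example (not SystemLook's code and not part of kritius's instructions) that does the same walk and adds size and SHA-256 per copy; the directory layout and file contents it scans are constructed stand-ins for a Windows tree.

```python
"""Find every copy of a file matching a pattern under a tree and compare them.

Added example, not code from the TechSpot thread and not SystemLook's own.
The sample tree built by build_sample_tree() is constructed for the demo;
nothing here reads a real Windows directory unless you point it at one.
"""
import fnmatch
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_files(root, patterns):
    """Walk root and return a record for every file matching any pattern."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns):
                full = os.path.join(dirpath, name)
                records.append({
                    "path": full,
                    "name": name,
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                })
    return sorted(records, key=lambda r: r["path"])


def odd_copies(records):
    """Group copies sharing a file name by hash; keep names whose copies disagree.

    Returns {name: {sha256: [paths]}} only for names with more than one hash.
    A set of copies that all hash the same is consistent; a single odd one out
    is the mismatch an analyst would look at first.
    """
    by_name = defaultdict(lambda: defaultdict(list))
    for r in records:
        by_name[r["name"].lower()][r["sha256"]].append(r["path"])
    return {n: dict(h) for n, h in by_name.items() if len(h) > 1}


def build_sample_tree(root):
    """Constructed stand-in for a Windows tree (demo data, not real drivers):
    three atapi.sys copies where the in-use one differs from the two cached
    copies, one iaStor.sys, and an unrelated file that must not match."""
    layout = {
        os.path.join("system32", "drivers", "atapi.sys"): b"ATAPI-DRIVER-BYTES-MODIFIED",
        os.path.join("system32", "dllcache", "atapi.sys"): b"ATAPI-DRIVER-BYTES-v1",
        os.path.join("ServicePackFiles", "i386", "atapi.sys"): b"ATAPI-DRIVER-BYTES-v1",
        os.path.join("system32", "drivers", "iaStor.sys"): b"IASTOR-DRIVER-BYTES",
        os.path.join("system32", "drivers", "other.sys"): b"UNRELATED",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it and return a summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        recs = find_files(root, ["*atapi.sys", "*iaStor.sys"])
        odd = odd_copies(recs)
        return {
            "matched": len(recs),
            "names_with_disagreeing_copies": sorted(odd),
            "atapi_hash_count": len(odd.get("atapi.sys", {})),
        }


if __name__ == "__main__":
    print(demo())
```

On a real system you would call find_files(r"C:\Windows", ["*atapi.sys", "*iaStor.sys"]) and read odd_copies() of the result; a name that appears with two hashes tells you which copy to look at, while copies that all agree make a scanner report on that file more likely to be a false positive than a modified driver.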
  17. reubencahn

    reubencahn Newcomer, in training Topic Starter

    SystemLook Log

    SystemLook log:
  18. kritius

    kritius TechSpot Guru Posts: 2,087

    Re download ComboFix, run it and post the log
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Note: atapi.sys was recently (a couple of days ago) reported as a false positive by Malwarebytes.
    New updates to the Malwarebytes database (currently version 3217) have removed the atapi.sys false positive.
  20. reubencahn

    reubencahn Newcomer, in training Topic Starter

    When I returned to the office, our tech support people replaced the drive. So I'm virus free. However, I asked for it back in order to run ComboFix in case anything useful can be learned by reviewing the log. Here it is:
  21. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please click here to download AVP Tool by Kaspersky.
    • Save it to your desktop.
    • Reboot your computer into SafeMode.
      • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
        Use your up arrow key to highlight SafeMode then hit enter.
    • Double click the setup file to run it.
    • Click Next to continue.
    • It will by default install it to your desktop folder. Click Next.
    • Hit ok at the prompt for scanning in Safe Mode.
    • It will then open a box. There will be a tab that says Automatic scan.
    • Under Automatic scan make sure these are checked.
      • System Memory
      • Startup Objects
      • Disk Boot Sectors.
      • My Computer.
      • Also any other drives (Removable that you may have)

    After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
    Then choose OK again then you are back to the main screen.
    • Then click on Scan at the top right-hand corner.
    • It will automatically Neutralize any objects found.
    • If some objects are left un-neutralized then click the button that says Neutralize all
    • If it says it cannot be Neutralized then choose the Delete option when prompted.
    • After that is done click on the reports button at the bottom and save it to file, name it Kas.
    • Save it somewhere convenient like your desktop. Post only the detected Virus\malware part of the report (it will be at the very top, under Detected) in your next reply.

    • Note: This tool will self uninstall when you close it, so please save the log before closing it.