Solved Google redirect virus on my PC

[jebell41]

Hi

I've been experiencing the Google redirect issue for the past week. I am using firefox v3.6.8 and have a Windows XP. I ran my McAfee full virus scan and tried to restore my system to an earlier date before I found this forum.

I have followed the Updated 8 step Viruses/Spyware/Malware Preliminary Removal Instructions and will attach the Malwarebytes Anti-Malware.log, gmer.log, and the DDS.logs.

Just some more info-- I had a hard time with the gmer scan, I had to run it in Safe mode with Devices unchecked. In Safe Mode the log file is really small. But when I tried to run in in regular mode, the gmer scan either froze and became unresponsive or would automatically reboot my pc after like 2 hours of scanning.
Also, after I was finally successful with the gmer scan and left Safe Mode, reboot automatically ran CDKSDK and recovered a bunch of lost files. I didn't catch the file names


Thanks in advance for any help or advice you can provide.

 

[Broni]

Welcome aboard

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[jebell41]

When I click on the ComboFix in the link above, my Virus Software won't let it download- it says it's a Trojan! There's lots of posts on Google that say it's a trojan.

The instructions above by Broni say to download ComboFix then in step 2 to disable all anti-virus software. If I turn off my anti-virus software while I still have my browser open, won't I be leaving myself open to more viruses?

 

[Broni]

There's lots of posts on Google that say it's a trojan.

Pure nonsense. Do you think, I'd want you to download a trojan?

Disable McAfee antivirus, leave McAfee firewall alone and you'll be perfectly fine.
Download Combofix.

 

[jebell41]

google redirect virus-ran combofix

Thanks Broni,

I ran the Combofix on my pc this morning and have attached the report log.

NOTE: While Combofix was generating the report, my AntiVirus software started up and started a scan because I inadvertantly selected "restart in 15 minutes" as opposed to "never" when I turned off the scanning. Just wanted to pass on that info in case it affected the outcome of the Combofix report.

 

[Broni]

How is redirection?

 

[jebell41]

It looks like I'm no longer experiencing the google redirection issue with Firefox. I've tried several google search/results that I encountered the problems with earlier in the week and each time and taken to the correct webpage.

The one thing I did notice is that Firefox is no longer set as my default browser. Is it okay to make it my default browser again?

 

[Broni]

Yes. That swap was made by Combofix as a precuation.

We need to some more checking though...

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[jebell41]

Google redirect issue

Should I disable my Anti Virus software while OTL is running?

 

[jebell41]

I'm running OTL and a warning bubble popped up: OTL:OTL.exe-Corrupt file "The file or directory \documents and Settings\All Users\Application Date\TEMP is corrupt and unreadable. Please run the Chkdsk utility."

should I continue with OTL?
Should I run the Chkdsk utility?

 

[jebell41]

Ok I've run the OTL -I've attached the OTL.txt file because when I tried to paste it - got message that exceeded the message size

 

[jebell41]

Google REdirected Virus- Extras report

I've attached the Extras.txt file because again, when I tried to copy/past eit, received a text too long message.


Also, should I run the Chksdk utility? See message #10 above when I got warning bubble.

 

[Broni]

should I run the Chksdk utility?

You may as well. It won't hurt anything.

========================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

=======================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
  O3 - HKLM\..\Toolbar: (no name) - {57ECFB59-CD00-4b9d-961A-704E762AC529} - No CLSID value found.
  O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
  O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
  [2006/06/07 23:17:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
  [2007/04/22 10:33:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joyce\Application Data\Viewpoint
  
  
  :Services
  
  :Reg
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
  "DisableMonitoring" =-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
  "DisableMonitoring" =-
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[jebell41]

Google redirect issue java log and OTL logs

When I ran the JavaRa.exe, I received an error message "JavaRa encountered a problem and needs to close." I when back to the URL you provided above and the Verify Java confirmed that I had the latest version (Java 6.0.21)

After that it provided a log (JavaRa.log) so I'm attaching that for your review.

I'm also attaching the log that generated after running OTL's Run Fix and after running OTL's Quick Scan

 

[Broni]

Very good

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[jebell41]

I'm 1.5 hours in to the Kaspersky scan and a Dell Support Center support software installer keeps popping up and trying to install. I've tried to cancel it 3 times and the installer keeps popping up.

 

[Broni]

Do nothing. Leave it as an active pop-up. As long, as you don't click "OK", or "Cancel", it shouldn't bother you for now.

 

[jebell41]

Google redirect virus on my pc -last 3 scans and reports

ok it took a while for the Kaspersky scan to run

Attached are the checkup.txt and the kaspersky.txt

 

[Broni]

Please, uninstall HSN.
Make sure, HSN folder is gone from C:\Program Files directory.
Empty recycle bin.

========================================================================

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

====================================================================

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

 

[jebell41]

Google redirect virus on my pc- problem uninstalling HSN

When I try to uninstall HSN via the control panel, I get error Rundll message: "Error loading C:\Programs\HSN\bar\1.bin\hsnbar.dll
The specified module could not be found."

When I go to this folder, this .dll is not in there.

If I try to just delete the HSN folder , I get the following error message:
"Cannot delete HSNDATA.DLL: It is being used by another person or programs. Close any programs that might be using the file and try again."

I have all my browsers closed, so I'm not sure what other program would be using that file.

Please advise

 

[Broni]

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  
  :Services
  
  :Reg
  
  :Files
  C:\Program Files\HSN
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
  

 

[jebell41]

Google redirect virus on my pc- HSN folder and shopping bar

Ok I ran OTL with the script you provided and have attached the log.

I checked C:\programs and the HSN folder is no longer there. However, the HSN shopping bar is still listed in the Control Panel\Add-Remove Programs and if I click on uninstall I still get the Rundll message:

"Error loading C:\Programs\HSN\bar\1.bin\hsnbar.dll
The specified module could not be found."


Should I continue with Adobe Reader update and OTL Clean Up from previous email or wait until you review the attached OTL log before making any further moves?

 

[Broni]

Don't worry about Add\Remove listing. Most likely, it's just dead entry.

Go ahead with other steps.

 

[jebell41]

Thanx

Broni,

Thanks for all your help and patience. I haven't had problem with Google redirection in the past 2 days. The only problem I have is a Dell Support .msi that tries to install every once in a while. but the said .msi is not in the directory folder it is looking in - so it never completes

 

[Broni]

Is Dell Support Center listed in Add\Remove?
If so, I suggest, you uninstall it. You really don't need it and it's known for causing problems.
Let me know, how it went, so we can proceed with last step of cleaning procedure.