Solved Google redirect virus (or similar) in my Win7 64-bit

Status
Not open for further replies.
eset is still not finished, 1st partition C was scanned and this trojan was found
Java/TrojanDownloader.Agent.NCJ trojan

eset is currently scanning my other partitions. This might take a while... (hours?) maybe you have enough now to make another suggestions?
 
eset still not finished after 3 h 28 min. Another issue was found, so far my eset log looks like this...

C:\Users\Aministrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\6c4043a7-5b765c36 Java/TrojanDownloader.Agent.NCJ trojan
D:\Flight Simulator Files\Modules and Utilities\gamebooster22.exe.bug a variant of Win32/Toolbar.Widgi application

I'm afraid I may have to abort the scan soon without a proper eset log to show you...

Do you recommend me to redo this scan with the "remove found threat" later tonight?

Edit: scan aborted... will resume tonight and post the complete log tomorrow... I understand this will be Easter Friday so I won't worry if I don't hear from you soon... Enjoy your long weekend!
 
I redid the eset scan last night, but couldn't resist using the option "remove threat", and didn't choose the "archive" option, I was hoping to save some time. Maybe not such a good idea, it took 2 hours 55 min anyway. I'll redo a complete scan and post later.

With this "limited" 2nd eset scan I had only this in the log:

D:\Flight Simulator Files\Modules and Utilities\gamebooster22.exe.bug a variant of Win32/Toolbar.Widgi application deleted - quarantined

I did some more tests with google and I could reproduce the redirection mentioned earlier, but since I have the "Firefox Adblock Plus" addon, I go first to this page saying "Notice: This website and its content requires unlocking", (which is good I think)
hxxp://ad.leadbolt[dot]net/adblock?section_id=971777715

If I click on "allow" I go to this obviously fake page :
hxxp://internet-inspection[dot]com/d/p/p1r9e88954?ref2=lb&ref3=lb_global&ref4=10147&ref5=13148&link_type=offer&sa=wtlpnltlovs&od=11plh9i

I was trying to google a page of my simulator forum: sim-outhouse[dot]com (this domain is rated Excellent in WOT). Maybe something in this web site is triggering the fake page? Maybe I actually have the redirect virus? Can't tell... Could not reproduce (yet) the redirection with another web site.

So I think I still need some more help to get rid of these issues...

Thanks
 
If you read the directions carefully, you would not have to make these 'big' decisions:

but couldn't resist using the option "remove threat", and didn't choose the "archive" option, I was hoping to save some time. Maybe not such a good idea, it took 2 hours 55 min anyway. I'll redo a complete scan and post later.

Clearly shown in the Eset directions. You may not understand this but there is a reason for this.
8. Uncheck 'Remove found threats'
9. Check 'Scan archives'

Please follow my directions. If there is a problem, you should let me know and not try a 'workaround'. I'll be out this morning and will review the other logs after lunch.

Please don't do anything else.
 
Ok got it. Thanks. New scan under way since this morning, 2 hours done, 3 hours or so left... 500GB to scan is slow... Sorry for being impatient. Enjoy your lunch! Easy on the chocolate!
 
Ok, eset scan finished. No log produced, no threat found. That's a bit surprising considering my previous posts... Screen capture below...

Edit: Unneeded Screen Capture deleted by Bobbye.

Yesterday the same scan I aborted after 3 hours found this:
C:\Users\Aministrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\6c4043a7-5b765c36 Java/TrojanDownloader.Agent.NCJ trojan
D:\Flight Simulator Files\Modules and Utilities\gamebooster22.exe.bug a variant of Win32/Toolbar.Widgi application

So what could we do next?
 
Oh my! Is my love of chocolate coming through my fingertips?! Wasn't so much in the lunch but in the bags of chocolate I brought home! Sigh. :)

I'm going to take the 2 Eset entries and show you what I do with them. It is possible that they will no longer show up, but some other files will be cleaned, so this gives you an idea why we don't remove them in the scan:


Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    D:\Flight Simulator Files\Modules and Utilities\gamebooster22.exe
    :Files 
    C:\Users\Aministrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\6c4043a7-5b765c36
    :Commands
    [purity]
    [emptytemp]
    [clearjavacache]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================
1. The entry on the C Drive is from the Java cache. Malware usually gets in when there is an outdated version of Java still on the system.
2. The entry on the D Drive is for what we call a PUP: Potentially Unwanted Program. The Widgi Toolbar comes from Spigot:
Type: Spyware/Adware
Analysis: Installs & gathers info from a PC without user permission.
Infection: By downloading freeware & shareware.
Symptoms: Changes PC settings, excessive popups & slow PC performance.
3. The 'internetinspection' URL refers to a domain for Tucows. The domain itself is legitimate.
===============================
Other than those 2 entries on OTM, I don't see any problem with this system other than adding Avast, which needs to be removed. The logs look good, the Services came out okay, Java is now up to date.

I don't know what is happening with the 'redirect', but I don't think they are redirects at all.
 
Thank you for all this, the OTM log looks ok to me, and as you predicted the 2 eset entries were not found... my bad... Should have known better... Hope eset destroyed them for good:

All processes killed
========== PROCESSES ==========
No active process named D:\Flight Simulator Files\Modules and Utilities\gamebooster22.exe was found!
========== FILES ==========
File/Folder C:\Users\Aministrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\6c4 043a7-5b765c36 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin
->Temp folder emptied: 100866 bytes
->Temporary Internet Files folder emptied: 147657 bytes
->Java cache emptied: 153768 bytes
->FireFox cache emptied: 110857436 bytes
->Flash cache emptied: 8157023 bytes

User: All Users

User: Aministrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 14626508 bytes
->FireFox cache emptied: 55831274 bytes
->Flash cache emptied: 126656 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 28034 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 485 bytes

Total Files Cleaned = 181.00 mb

OTM by OldTimer - Version 3.1.19.0 log created on 04062012_205101

Files moved on Reboot...
C:\Users\admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

--------------

Avast is uninstalled now. I'll monitor my laptop closely and be more careful when surfing the net and installing new things, clean cache more often, run scans weekly, etc...
I've learned a lot today thanks to you and techspot, the USB flash drive vaccine, the MBR check, the rootkit thing, the WOT utility, etc..
I guess I can relax now and eat some more chocolate! Looks like we both need to be more careful with our liver...
Thanks again. You may safely close this thread.
 
I had you run OTM so you could see what it does. That's in addition to just the entry if you remove in Eset.
--------------------------------
The best compliment you could give me is to say "I learned a lot today!" TechSpot and I are both glad we could help you. :)
=======================================
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o] The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.

    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab

    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.

This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
Images courtesy lytebyte.

Empty the Recycle Bin
========================================
Your system is clean!

I am closing the thread now> there is a stash of mini Milky Ways just waiting to be devoured!
 