[Closed] Google redirect virus. Just started happening 2 days ago

[btbamman989]

Well, i spent almost all of today trying to resolve this. did a lot of forum reading, and still this damn thing is beating me. any help would be greatly appreciate.
Im going to start at the beginning. I noticed about a day ago, that i was getting weird results when using Google, didn't really think anything of it, until i noticed that my Girlfriends
computer was acting the same way. Every 2/3 times i would click on one of my google results, it would open a new tab, and redirect me to some different web site. random one most of the time.
One of the more common ones i think was spyzilla or something like that. So i tried updating Malwerebytes, avg, Microsoft security essentials and running them in safe mode to see if i could find an
infection. i found multiple infections, on each scanner. well after about 5 hours of running all of them, and curring my system, and hers of all the infections, i logged back on to my computer.
The google redirect problem is still on both computers, worse on hers. so, i tried all the scanners again, and founds some threats, got rid of them, and still the same problem. i also found out my room-mate
has the same issue with google. also, before i forget to mention, After Playing a game last night, Windows media center would open. This worries me.
We all have a wireless connection to the neighbors router. and this problem just started about 2 days ago.
any help at all would be great, but please ONLY PEOPLE WHO ARE WILLING TO WALK ME THROUGH EVER STEP OF THE PROCESS. i spent way to long on this, and i would really like some intelligent feed back.
PLEASE BE VERY DESCRIPTIVE, i have been tinkering with computers ever since i was 14, and this is actually the first time i was no able to solve my problem in one day...

thanks in advance

 

[Broni]

Welcome aboard
As everyone else, you have to start with these steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[btbamman989]

hmm,

do i just post my results back to here, in this thread? or what is the best spot?

 

[btbamman989]

well, just in case you wanted me to post here

Here are some attachments.
im running windows 7 64 bit, so no go on GMER

 

[Broni]

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[btbamman989]

here you go

I could not copy and paste, so im including attachments, hope that will be ok

 

[Broni]

Which browser is getting redirected?

====================================================================

You're running two AV programs, AVG and MSE. One of them has to go.
If AVG, make sure to use AVG Remover: http://www.avg.com/us-en/download-tools

=====================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

====================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
  O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
  O4:[b]64bit:[/b] - HKLM..\Run: [RunDLLEntry] C:\Windows\system32\AmbRunE.DLL File not found
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
  O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
  O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
  O20:[b]64bit:[/b] - Winlogon\Notify\LBTWlgn: DllName - Reg Error: Key error. - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
  O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  O33 - MountPoints2\{25b2c56d-2da9-11df-a98f-806e6f6e6963}\Shell - "" = AutoRun
  O33 - MountPoints2\{25b2c56d-2da9-11df-a98f-806e6f6e6963}\Shell\AutoRun\command - "" = F:\autorun.exe -- File not found
  O33 - MountPoints2\{260723ba-702f-11df-a5bc-e0cb4ea05ccd}\Shell - "" = AutoRun
  O33 - MountPoints2\{260723ba-702f-11df-a5bc-e0cb4ea05ccd}\Shell\AutoRun\command - "" = G:\steambackup.exe -- File not found
  O33 - MountPoints2\{601c6871-2dbc-11df-b6e0-806e6f6e6963}\Shell - "" = AutoRun
  O33 - MountPoints2\{601c6871-2dbc-11df-b6e0-806e6f6e6963}\Shell\AutoRun\command - "" = F:\.\setup.exe -- File not found
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[btbamman989]

I have been using Google Chrome for months, tried I.E. when this started to happen, but would not load a page. Also, im starting to get pop ups now, and Chrome keeps crashing, thanks for all the help so far by the way. attachments below.

 

[Broni]

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

• Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
• This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, select Complete scan.
• Click the green arrow
  
  at the right, and the scan will start.
• Click Yes to all if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click File and choose Save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• [color=5]Important![/color] Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

 

[btbamman989]

ok so i ran the scan, first the express then the complete.
the first scan did find one thing, but i did not get a chance to save the
document, during the complete scan, my girlfriend tried to use my computer, and exited out of the program. so i lost the report for the first scan, but i did a complete scan again, and it didnt find anything.

 

[btbamman989]

also, the virus still plagues me.

 

[Broni]

Is the redirection the only visible presence of something wrong?

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[btbamman989]

well, it was at first, but when i first started this thread i had random things opening every so often, like media center for example. other then that, my computer is running noticeably slower.

Thursday, July 22, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, July 22, 2010 07:20:49
Records in database: 4232257
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Objects scanned 182741
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 04:12:20

No threats found. Scanned area is clean.
Selected area has been scanned.

 

[Broni]

Do you still have pop-ups, or just redirection only?

 

[btbamman989]

well, i get pop ups every once in a while, mostly a popup of google opens up. but im starting to get redirects from different sites other then google, including this site. when i click on a link on this fourm from time to time a new tab will open up, it will either be the page i clicked on, or some other random site. also, it seems to prevent some sites from opening all together, like face book for example. my computer has never acted this way before. seems like what ever it is, its buried deep.

 

[btbamman989]

also, i tryed to scan with malwerebytes again, and the scan is taking way longer then usual. seems to freeze up a lot.

 

[btbamman989]

its on 2hrs and 56 mins, and it usually takes 1hr 30 mins tops to scan everything in my computer

 

[Broni]

Are you running full scan, or quick scan?

 

[btbamman989]

a full scan

 

[Broni]

Do you see any progress (file names changing at the bottom)?

 

[btbamman989]

yeah, its progressing, just really really slow

 

[Broni]

Well, we have no choice but wait.

 

[btbamman989]

ok. do you think im infected with the normal redirect virus? or multiple embedded viruses?

 

[btbamman989]

it found nothing.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4339

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/22/2010 7:34:06 PM
mbam-log-2010-07-22 (19-34-06).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 319464
Time elapsed: 3 hour(s), 33 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[Broni]

Your router may be infected.
We need to hard reset it.
Turn the computer off.

On your router, you'll find a pinhole marked "Reset".
Keep pushing the hole, using a pencil, or a paperclip until all lights briefly come off and on.
Restart computer and check for redirections