Solved Google redirect virus (8 steps completed)


arcanice

Hi,

I'm having a problem with the google redirect virus..... apparently an unknown pdf file opened automatically as I clicked on a site (don't remember which one), and I've been having this problem ever since then. I've uploaded the files required from the 8-steps. If you need more details just let me know. Thanks for the help!
 

Attachments
  • mbam-log-2010-04-04 (03-50-16).txt (895 bytes)
  • SUPERAntiSpyware Scan Log - 04-04-2010 - 03-29-20.log (690 bytes)
  • hijackthis.log (12.3 KB)
Welcome to TechSpot, arcanice. I'll help with the malware.

First, I'd like you to uninstall this program: HitmanPro35. You have it set to scan on boot so you will have to remove that to uninstall:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Use the msconfig utility to uncheck on Startup.
Use Add/Remove Programs to uninstall.
Use Windows Explorer to delete the program folder.

Hitman is a bundle of programs that can be installed free on the internet. The programs have been added without the permission of the authors. Having it startup and run in the background will cause a problem with any attempts to clean.

It appears that either an unsigned driver update or an update from a file sharing site for your Atheros Wireless Lan driver has caused the problem. There are multiple entries in the HijackThis log showing the corruption. But removing all of them using HJT might leave you with no internet connection, so instead, please do this:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:
  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Follow that with this scan:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please rescan with HJT when finished with the above. Leave the following in your next reply:
Attach Combofix report
Attach Eset scan log
Paste in the new HJT log.

This malware has affected several of the programs on the system.
Please don't run any other cleaning programs while I am helping you- only those I instruct you to run. Don't make any registry changes or use a Registry Cleaner. Don't do a System Restore. There is malware in the restore points. I'll have you drop those when the system is clean and set a new clean restore point.
 
Hi Bobbye,
Thanks for helping me!
I just want to clarify a couple of things before I go ahead with the steps. First of all, should I do all of the steps (including scans) in safe mode? Or is that only for removing HitmanPro35? Also, by using "windows explorer to delete the program folder", do you mean that I should just go into my documents and settings, find the folder and delete it?
 
Just a quick update:

I went ahead and tried to remove Hitman Pro 35 under safe mode, following the 3 steps outlined. I went into Applications and Data under All Users and deleted the file for the program. I also found one in the WINDOWS folder and deleted that one as well. Then I did a search for any files with the name hitman pro, and two results came up (this is after I restarted my computer after doing the 3 steps) - HITMANPRO35.EXE-04121C8C.pf under C:\WINDOWS\Prefetch, and hitmanpro35 under C:\WINDOWS\system32\drivers

Should I delete these as well?
 
You can delete anything for Hitman. If I see any other entries in the Combofix report, I'll set them up to be removed. I just don't want that running in the background while you're doing the scans.
 
For some reason, I'm unable to delete the hitman pro file in the Prefetch file....but the driver was deleted without any problem.
Also, I've ran ComboFix and the ESET scan - the logs are attached.
For the HJT log.... the forum says that it has too many characters to paste on, so I attached it in the text file.

[edit]: After running combofix, it seemed like google did not have a redirecting problem for me anymore (the pages just load a bit slower). However, just now it appears to have returned - I was doing some research for my paper on google, and clicked on a link to BMJ (which is a pretty well established site for biomedical info).... and voila, I got redirected again! But I guess the good thing is, this time the redirection link doesn't open up properly, and firefox gives me a msg saying that the site can't be connected....... Does this mean using google had made the virus return? Or was just lying dormant on my system...?
 

Attachments
  • ComboFix.txt (25 KB)
  • eset log.txt (4.3 KB)
  • hijackthis.log (11.8 KB)
firefox gives me a msg saying that the site can't be connected....

Firefox has a great built in security feature that will show an alert and tell you that the site is either known to be fraudulent or has script or some other type of malware. However, after checking the Eset log and seeing Virut, I think that might be the source of the problem.

arcanice, I don't like giving you this bad news, but you have a malware infection caused by Virut: It is all there in the Eset log. If you want to verify this, you can follow the VirSCAN:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

* Backup all your documents and important items only.
* DON'T backup any executable files (.exe .scr .html or .htm)
* DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

Cleaning this does nothing but prolong the problem. As soon as one Virut entry is removed, it morphs into another. I strongly advise you to go ahead with the reformat/reinstall.
 
eh... I probably will do a reformat/reinstall.... once I finish with my school stuff here.

But here are the scans... interestingly, the scanner did not pick up anything. (By the way, I apologize for all those chinese characters.... my OS is in Chinese)

About backing up files - you mentioned not to back up html files. Does this mean I can't back up the "my favourite" file in firefox? Or do I just have to export that in some other format? Also, would Word files (eg .doc), picture files and audio/movie files be affected by this malware? And my last question (sorry for bombarding you with stuff here), in the event that I want to back up some .exe files (which I probably don't, but am just wondering), should I put it through the online virus scanner first before backing it up?

[edit] Oh, and I just remembered something else. When my computer crashed before, I saw the technician that I brought my computer to using something called Norton Ghost to return everything back to the condition when he had just freshly reformatted my computer. Apparently it wipes out all the files (eg. system restore and the like), and return it to something like the factory setting? Would this work as well?

[edit 2] Just realized I did the scan with firefox. I'll remove the files attached and put up new ones in a bit

Thanks for all the help, Bobbye, I really appreciate it!
 
Alright. Finally got IE to work.... just had to redo a couple of settings. Anyways, here are the logs.
 

Attachments
  • userinit.txt (3 KB)
  • svchost.txt (3 KB)
  • explorer.txt (3 KB)
The scan can't read the Chinese characters. The language can be changed, but there are 28 Virut entries of this in Eset: Win32/Virut.NBP virus, showing both languages.

Don't waste anymore time. The Norton Ghost is a backup program. If any of the infected files were in the backup, then putting them back on the system won't accomplish anything!
 
Yeah.... I'll probably be doing that this Friday.

So how can I check whether or not the files I backed up contain the virus? I had the brilliant foresight of burning all the files I wanted on to dvd's (I don't have an external hard drive) back in February. Am I able to insert the dvd and get the eset online scanner to scan those?

Also, I guess back to my original questions - you didn't mention the virus affecting documents such as .doc, .pdf and .mp3 (any audio/video files).... so I'm assuming that these won't be affected by the virus?

And just one other thing, out of curiosity..... is it possible to tell how I got infected by this virus? Because I do have Norton Internet Security 2010, which should contain a firewall and antivirus..... but it didn't pick anything up. Does this mean I should resort to other programs?

Again, thanks for all your help!
 
is it possible to tell how I got infected by this virus?
apparently an unknown pdf file opened automatically as I clicked on a site (don't remember which one)
You can guess- but that's about all.
.doc, .pdf and .mp3 (any audio/video files).... so I'm assuming that these won't be affected by the virus?
Never assume! Consider the fact that if Virut got on the system, it is likely other malware did also. And files downloaded from torrent sites usually come with malware.

Open the Eset log. Do you see all the infected programs and processes at the bottom? It is likely that any files you created or modified using these programs could be infected. The only recommendation I can give is to do a right click> scan with the antivirus program before inputting it back to the clean system.

Consider also that Virut not only got past Norton, but Hitman didn't make a dent in it! Read the reference I left for Virut. It will help you better understand how it works.
 
I don't know if I can ask this here (and you can let me know if I should post this elsewhere) - but before I go ahead and reformat, the tech guy I went to before (when my computer's harddrive broke down last summer), made a .gho file right after a clean reinstall of my system. I want to use that restore that .gho file, but I can't find the ghost executable file that opens it.... and the tech guy refuses to tell me how to open that over the phone. So I was wondering if you might know something about how to go about restoring it, Bobbye?

Any help is appreciated. Thanks in advance!
 
Sorry, I can't help you with that ghost file. Obviously if the person who created it won't help, it's either not there or he wants more money!
 
lol that's what I thought as well, those darn merchants.

So I went ahead and reformatted. I did a scan with the eset online scanner and didn't find anything - hopefully that's a good enough sign.

Just for future reference though, would it be a good idea to use the eset online scanner to do a full system scan every once in a while? Since I noticed that it seems to pick up a lot of stuff that my antivirus (even though updated) doesn't...

And this is just out of curiosity - it seems like a lot of people are affected by the google redirect virus lately (looking at the forum, that is).... is there any particular reason why that is?

Thanks again Bobbye, you're a great help.
 
You're welcome. Glad to help. I'll answer your questions, then I'll leave some information to help with security for the system.

About an occasional online AV scan: this is a personal choice. It won't hurt anything if you do one, but if it does find malware, you need to understand what it is, what you do with it or about it besides remove the entry. I'm not a big Norton fan. They talk big but miss a lot, partly because people have been led to believe they can do anything and still be protected!

I don't care for 'suites'. Personally, I prefer stand alone programs for antivirus, firewall and at least 2 antimalware programs. I also have a router with a hardware firewall. This is called 'layered protection' and it is what is needed. But all users need a reminder that they, themselves are the first line of security- no matter what they have or how much they have, if they don't practice 'safe surfing', they will get malware. This also includes safe handling of email and attachments.

About the 'Google redirect virus'. Actually there is no such thing- as far as I know, but it's become a catch all phrase for anytime someone doesn't get the requested site. Why? Because Google is the most used search engine and because almost all malware infections will hijack a home page and/or redirect a search. Believe it or not, malware tries to protect itself- it's part of the code written into it not to allow the user to go somewhere that might assist in its removal.
=================================
Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
5. Use an AntiVirus Software (only one). See Virus, Spyware, and Malware Protection and Removal Resources.
6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls - both are free and good: Comodo or Zone Alarm.
7. Consider these programs for Extra Security:
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.
 
Alright, this is insane - I got the google redirecting malware again! It's directing me to the same site.... adwordsredirect.com, so I'm assuming it's the same one? Haven't browsed any suspicious sites or opened any fishy attachments, so I have no idea how I've got this one. (Unless wikipedia can be counted as suspicious??)

Anyhow, I've attached the logs. Sorry Bobbye for troubling you again with this!
 

Attachments
  • mbam-log-2010-04-17 (00-30-45).txt (894 bytes)
  • SUPERAntiSpyware Scan Log - 04-17-2010 - 01-19-37.log (1.3 KB)
  • hijackthis.log (8.2 KB)
You have a program loading PPStream. This is a Chinese peer-to-peer streaming video network software.

From Wiki:
PPStream adopts P2P-streaming technology and supports high-volume traffic with tens of thousands of users online at once.

You mentioned that your OS is Chinese, so perhaps you installed this intentionally. If we had continued with the cleaning, somewhere along the way I would have given you a P2P- file sharing-Warning suggesting you remove it. I would also have had you run Combofix to look for other bad entries.

But you wanted to do the reformat/reinstall instead even after the scan for Virut came in clean. Possibly you loaded the same program with the same dangers and/or possibly with the same spyware and/or adware infection.

How about let's do it right this time!

If Combofix is still on the system:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Then:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:
  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

There are also other questionable processes in the HJT log and it could also be that the use of Hitman skewed the information- Hopefully you removed that program!

Please leave the new Combofix report and new Eset scan in next reply.

Please don't run any other cleaning programs or scans while I am helping you unless I instruct you to. Don't use a Registry cleaner or make any Registry changes
 
I have to admit, I was ignorant enough to not realize PPS was a p2p program until after the google malware thing hit me again (cuz I had thought p2p = uploading/downloading files = torrenting =/= streaming with pps...which is obviously wrong). Anyways, I took the liberty of going ahead and uninstalling that program from my computer - hopefully that's okay.

So here are the logs. Unfortunately the google redirecting issue is still there. But yeah, I'm all ears for the next step. Thanks again!

[edit] I removed the Hitman program before I reformatted my C drive.... so unless it somehow affected my D drive, it shouldn't be there anymore (at least I don't think)
 

Attachments
  • combofix log.txt (29.2 KB)
  • eset log.txt (650 bytes)
You have a Rootkit infection. It showed in the first Combofix log but you decided then you were going to reformat. I take it you didn't do that. You need to remove the old Norton entries. For some reason, newer defs didn't remove older ones. Please manually update NIS, then reboot the computer.

Run TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
==============================
Please download GMER: Go to this site http://www.gmer.net/files.php and click on Download EXE. Save the file to your desktop
Two other links for the download should you need one:
Link 2
Link 3
  • Double click on downloaded .exe file on the desktop
  • Select Rootkit tab> click Scan
  • When scan is completed, click Save button, and save the results as gmer.log
This screenshot HERE will show you how the display will come up.

Warning! Please, do not select the "Show all" checkbox during the scan.
Post the log.
============================
Please follow this with a new Combofix scan. Leave reports for GMER and Combofix in next reply.
 
Hm. I used the acer recovery disc that I had to make when I first got the computer, but now I'm guessing using those discs don't equate complete reinstall/reformat? Sorry about my newbness....

So, update on what I did. You mentioned I had old Norton entries - I wasn't sure if that meant the definition, or components of my old NIS before I used the acer recovery discs. So I uninstalled it using the norton removal tool, and then reinstalled it. I also went to the symantec site and manually downloaded the latest virus definition. The security update I had to download by using Norton Live Update that's part of NIS.

Ran TFC, GMER and Combofix. Logs are attached. I noticed GMER didn't scan my D drive, but if you need me to scan that as well, just let me know.
 

Attachments
  • gmer.log (26.2 KB)
  • ComboFix.txt (28.6 KB)
There are two processes in GMER with this:

Code:
SYMEFA.SYS .....................................................¨t²Î§ä¤¨ì«ü©wªºÀɮסC !
SYMDS.SYS................................................................ .   ¨t²Î§ä¤£¨ì«ü©wªºÀɮסC!

These are both from Norton. Is this something you can translate? I either need to know what the symbols on the right are or I need to repair the driver.

EDIT: There are also entries in the Combofix log with symbols:
Code:
2010-04-11 09:31 . 2010-04-11 09:31	--------	d-----w-	c:\documents and settings\All Users\¡u¶}©l¡v

And there are locked Registry keys that I need to open but they also have the symbols:
Code:
[HKEY_USERS\S-1-5-21-4250166257-4081118584-925585345-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\b„v*gaR]

Some of the headings are also in these symbols and some of these I can work around, but when I can't see the full entry or if the entry can't be read, I don't know whether it should be moved or not.
 
For the first two, SYMEFA.SYS and SYMDS.SYS, it means something like "system cannot find file".

For the second one c:\documents and settings\All Users\¡u¶}©l¡v --> it means "Start" - as in the start taskbar on the bottom of the desktop

The last one appears as weird symbols on my combofix log too - but I went into regedit to check, and it seems to be the one that says "Links".

Hope that helps!

[EDIT]
I tried to translate what I can from the combofix log and resaved it in rich text format (It's the only format that allows me to highlight the words that I translated). Don't know if it'll help, but if you need anything else just let me know. Thanks!
 

Attachments
  • combofix translated.txt (34.1 KB)
This isn't going to work. This version of Combofix has an entire page of entries in the Locked Registry Keys section. Any change, whether it's a / or a ] changes the entire meaning. I'm going to have to try to reconcile the original to the translated Combofix.

Please go ahead and do this:

Fixmbr : Repairs the master boot record of the specified disk.

If you have already installed the Recovery Console :

  1. During Startup, select Recovery Console from the startup options menu.
  2. If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the Recovery Console.
  3. When prompted, type the Administrator password.
  4. At the system prompt, type the Recovery Console command: fixmbr
  5. When finished, to exit the Recovery Console and restart the computer, type exit.
 
Okay, done.
Wow... I don't really know what fixmbr does exactly to my system.... but my computer seems to be working much faster now - and google doesn't redirect me anymore! Yay! (at least for now)

Sorry for all the trouble, Bobbye. Let me know if I can help in any way!
 