Solved Google redirect virus (8 steps completed)

Status
Not open for further replies.
That is a good thing! are there any other malware related problems? I'd like to get one new HijackThis log and a new online Scan if we can keep the characters out! I know this has been a long haul, but if a scan can't read the characters, no sense in running it!

You have both HijackThis and the Eset Nod32 programs on the system. So update, run new scans and I'll review them. Hopefully Eset will be clean and there won't be any major problems in HJT. I just want to make sure after all your hard work that the system is clean- then I can have you remove all the cleaning tools!

Remember, in the Eset scan you do not check for removal.
 
Sounds good!
I haven't noticed any other malware problems (and hopefully there isn't any!), but here are the eset and HJT logs for your expert eyes :)
 

Attachments

  • hijackthis.log (7.7 KB)
  • eset log.txt (650 bytes)
Well, I sure can't find anything wrong in these logs! It's been a long trip> how does it feel to have a CLEAN:cool: system?!!

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Please let me know if I can be of more help.
 
Well, I sure can't find anything wrong in these logs! It's been a long trip> how does it feel to have a CLEAN:cool: system?!!

One word: Awesome :D

Just one thing though, I'm not sure if it's because of the difference in OS language - but to clean up the restore points, I had to go into My Computer -> right click on C drive --> Properties --> Disk Cleanup --> More options --> Clean up under the System Restore tab.

Hopefully that's the same thing? But I also noticed that my system restore was originally turned off when I was trying to create a new restore point... so I think the current restore point is my only one anyways.

A few questions before I leave you alone for good:
1) I still have CCleaner, HijackThis, GMER, and TFC on my desktop - do I remove these through the add/remove programs from control panel? Or should I leave them?

2) This is just out of curiosity - what did fixmbr do exactly? I know it stands for fix master boot record.... so does this mean the rootkit was residing somewhere in my boot record, and fixmbr got rid of it?

3) And my final question - so to avoid confusing anyone else (or myself) in the future - Using the Acer Recovery discs to go back to original factory settings doesn't do the same thing as reformatting/reinstalling my computer? (for example, does it still leave traces of files that were on my computer before using the recovery discs?)


And that is all! Thanks so much Bobbye! I can only imagine your frustration helping nearly-computer-illiterate people like me. What would us newbies do without you guys around! Your help is much appreciated. Thanks again!
 
1) I still have CCleaner, HijackThis, GMER, and TFC on my desktop - do I remove these through the add/remove programs from control panel? Or should I leave them?

Did you do this?
Download OTCleanIt by OldTimer and save it to your Desktop.

That should remove the programs AND the logs they created. If it didn't: follow this>

HijackThis: uninstall in Add/Remove Programs. Delete program folder using Windows explorer: Right click on Start> Explore> My Computer> Double click on Local Drive (C)> Programs> look for TrendMicro folder and do a right click> Delete.

I recommend you remove CCleaner (same path as above) and keep TFC> I think it's a better, safer program to cleaning the tif and temp files.

Remove GMER> same path.

You may have to search for the logs for each program and delete if they weren't removed by OTM.

Edit: Sorry, I forgot these:
#2 is Yes.

#3: This description should answer the question for you. It should also make you aware that it should only be done if all else fails since files and folders will be lost:
Sometimes it’s necessary to restore a computer to the original default settings. This is often needed when a vital file becomes corrupted. Restoring a computer to its original factory settings also cleans up the C drive and removes all the viruses and old programs that bog down a computer and make it slow and unresponsive. However, restoring a system should be a last ditch effort in trying to repair a computer, since restoration causes all programs and many files to be lost forever. Restoring an Acer computer to its original factory settings can be done in a few easy steps.

I come across some people who would rather do a reformat/reinstall than troubleshoot for malware. I never encourage that except in a case like a Virut infection where it is known at the beginning that there is no effective repairing of the system by running programs and scans.

You are very welcome for the help. Glad I could do it for you. Let me know if you have any questions in the future.
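To give question #2 some substance, here is an added illustration (not code from the thread or from any tool mentioned in it) of what the MBR looks like and what a fixmbr-style repair touches. It parses a 512-byte Master Boot Record, fingerprints only the 446-byte boot-code region so a baseline comparison can flag a rewritten boot sector, and models the repair as "replace the boot code, keep the partition table". The MBR bytes, the partition entry and the "overwritten" pattern are all constructed here for the demonstration, not read from a real disk.

```python
"""Inspect a 512-byte Master Boot Record and fingerprint its boot code.

Added illustration for question #2 above (what fixmbr does); not code from
the thread. The MBR bytes built below are constructed, not read from a disk.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445 hold the bootstrap code
PARTITION_ENTRY_SIZE = 16    # four 16-byte entries occupy bytes 446..509
SIGNATURE = b"\x55\xaa"      # bytes 510..511, the MBR boot signature
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code plus one bootable NTFS-type partition."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_END - 7)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return boot_code + entry + empty * 3 + SIGNATURE


def parse_mbr(blob: bytes) -> Dict[str, object]:
    """Return the signature check and the non-empty partition table entries."""
    if len(blob) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(blob)}")
    partitions: List[Dict[str, int]] = []
    for i in range(4):
        off = BOOT_CODE_END + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, blob[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"signature_ok": blob[510:] == SIGNATURE, "partitions": partitions}


def boot_code_fingerprint(blob: bytes) -> str:
    """SHA-256 of the boot-code region only. The partition table is left out so
    that a legitimate repartitioning does not look like boot-code tampering."""
    return hashlib.sha256(blob[:BOOT_CODE_END]).hexdigest()


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """Baseline check: has the boot code been rewritten since the baseline was taken?"""
    return boot_code_fingerprint(baseline) != boot_code_fingerprint(current)


def simulate_overwritten_boot_code(blob: bytes) -> bytes:
    """Constructed test input: same partition table, first 16 boot-code bytes replaced
    with a filler pattern, standing in for a boot sector that was modified."""
    return b"\xcc" * 16 + blob[16:]


def restore_boot_code(current: bytes, known_good: bytes) -> bytes:
    """Model of a fixmbr-style repair: write known-good boot code over the first
    446 bytes and keep the existing partition table and signature untouched."""
    return known_good[:BOOT_CODE_END] + current[BOOT_CODE_END:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    altered = simulate_overwritten_boot_code(clean)
    print("partitions:", parse_mbr(clean)["partitions"])
    print("boot code changed:", boot_code_changed(clean, altered))
    print("restored matches baseline:", restore_boot_code(altered, clean) == clean)
```

The design point is the split between the two regions: a boot-sector check should baseline the code bytes separately from the partition table, because the repair the thread describes rewrites the former and must preserve the latter.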
 
Thanks!

Just a note on the OTC - I did install it and run it, but for some reason HJT, CCleaner and GMER were still there. But I followed your instructions and removed them manually, so all's good. :)
 
You did the right thing. Let me know if you need help later on. I'm going to close the thread now. I'm leaving some tips for you to help keep the system clean:

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
5. Use an AntiVirus Software (only one).
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free google toolbar to help stop pop up windows.
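As an added example of the HOSTS file mechanism described in the MVPS tip (this is not code from the thread or from the MVPS project), the script below parses a HOSTS file in the usual "address hostname [# comment]" layout and reports which names are sinkholed to the local machine. The file content is a constructed sample with placeholder `.invalid` names, not a copy of the real MVPS list; the sinkhole address set (127.0.0.1, 0.0.0.0, ::1) and the first-entry-wins rule are this example's assumptions about how the resolver treats duplicates.

```python
"""Parse a HOSTS file and report which hostnames it sinkholes.

Added illustration for the MVPS HOSTS file tip; not code from the thread.
SAMPLE_HOSTS is a constructed sample with placeholder names. On Windows the
real file lives at C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
from typing import Dict, List, Tuple

# Constructed sample. Both 127.0.0.1 and 0.0.0.0 are common sinkhole targets;
# comments, blank lines and multiple names on one line all have to be handled.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (placeholder names)
127.0.0.1       localhost
127.0.0.1       ads.example.invalid        # blocked ad server
0.0.0.0         tracker.example.invalid
127.0.0.1   banner.example.invalid  pixel.example.invalid  # two names, one line
192.168.1.10    fileserver.lan             # a real mapping, not a sinkhole
10.0.0.5        ads.example.invalid        # duplicate: ignored, first entry wins

"""

# Assumption for this example: any of these addresses means "go nowhere".
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the file assigns it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments and padding
        if not line:
            continue                           # blank or comment-only line
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed: address with no hostname
        address, names = fields[0], fields[1:]
        for name in names:
            # Assumption: the first entry for a name wins, as the resolver does.
            mapping.setdefault(name.lower(), address)
    return mapping


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True if the HOSTS file redirects hostname to the local machine."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRESSES


def blocked_hostnames(mapping: Dict[str, str]) -> List[str]:
    """Every sinkholed hostname except 'localhost' itself, sorted for display."""
    return sorted(name for name, addr in mapping.items()
                  if addr in SINKHOLE_ADDRESSES and name != "localhost")


def summarize(text: str) -> Tuple[int, int]:
    """(total mappings, sinkholed mappings) for a HOSTS file body."""
    mapping = parse_hosts(text)
    return len(mapping), len(blocked_hostnames(mapping))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in blocked_hostnames(hosts):
        print(f"blocked: {name} -> {hosts[name]}")
    print("fileserver.lan sinkholed?", is_sinkholed(hosts, "fileserver.lan"))
    print("total, blocked:", summarize(SAMPLE_HOSTS))
```

Point the script at the real file (read it into `parse_hosts`) to audit what an installed HOSTS list actually blocks; the same parser also shows why a stray non-sinkhole entry such as `fileserver.lan` above is worth a second look, since a HOSTS file can redirect a name anywhere, not only to 127.0.0.1.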
 