Solved Google Redirect virus 8 steps completed

Status
Not open for further replies.

pykespeek

Hi everyone,
I'm really hoping you can help me. Somehow my computer has become infected with the Google Redirect Virus and I am stumped. I have completed the 8 steps. Here are my logs.
 

Attachments

  • mbam-log-2010-04-21 (22-05-50).txt (2 KB)
  • gmer.log (72.2 KB)
  • DDS.txt (14.5 KB)
  • attach.zip (5.1 KB)
Welcome to TechSpot, pykespeek. I'll help with the malware. I'd like you to run the following if you can tonight. It will probably be tomorrow morning before I can check the rest of the logs, but I do need that report:

Please download ComboFix from Here and save to your Desktop.

  [1]. Do NOT rename Combofix unless instructed.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
  NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
  Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
 
Hi, sorry to be a bug, is there anyone around who can help me... I posted my last log on April 22nd and I haven't heard anything.... :(
 
Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\LimeWire
c:\documents and settings\HP_Owner\Application Data\LimeWire
c:\Program Files\uTorrent\uTorrent.exe
c:\program files\Ask.com\UpdateTask.exe
c:\program files\Ask.com\GenericAskToolbar.dll
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Ask.com\GenericAskToolbar.dll

Folder::
c:\program files\Trojan Remover

Registry::

RegNull:
[HKEY_USERS\S-1-5-21-1783900271-2319448321-3842092627-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C47CFA1-B6DB-3C00-114D-32A1BF57731C}*]
Driver::

FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
====================
To remove the ask.com toolbar in full:

  • Close all browser Windows
  • Click on ‘Start’> then click on the Start Search line
  • Type in cmd. The cmd program will appear on the list of results.
  • Right-click on the icon, then choose Run as Administrator.
    o A User Account Control window may pop up to confirm your choice. Click on the Continue button.
  • Type in the following command on the command line: regsvr32 /u "CProgram Files\Ask.com\GenericAskToolbar.dll> then Enter
  • A message will pop up confirming that the operation was successful if the command was typed correctly. Click on the OK button to close this window.
  • On the “cmd” window, type “Exit” to close this window.
  • Go to the Programs and Features option on the Control Panel, then click on the Ask Toolbar entry and choose the Remove option.

You have the entire Internet set in your Trusted Zone:
Trusted Zone: internet
Take it out. By putting the internet in the Trusted Zone, you are giving permission for every site on the internet to be allowed to access your computer under lower security. This is one reason why you get malware. The other is the file sharing.

P2P or 'file sharing' Warning:
You are using uTorrent and LimeWire.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent and LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

My apology for the delay in getting to you.
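A read-only PowerShell audit, added here and not part of the thread, that lists every host and IP range the current user's Internet Explorer places in the Trusted sites zone, so an entry like the "internet" one above (or the *.mcafee.com one later in the thread) can be found without clicking through the Internet Options dialog. It assumes the standard ZoneMap registry layout under HKCU and zone number 2 for Trusted sites, and must be run as the affected user; the output shape is this example's own.

```powershell
# Added example (not from the thread): enumerate the Trusted sites zone (zone 2)
# of the current user's Internet Explorer ZoneMap. Read-only; it deletes nothing.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$TrustedZone = 2   # 0 Computer, 1 Local intranet, 2 Trusted, 3 Internet, 4 Restricted

function Get-TrustedZoneEntries {
    $entries = @()

    # Domains\<domain>[\<subdomain>]: each value name is a scheme (http, https, *)
    # and its DWORD data is the zone number. A key with no subdomain level
    # covers the domain and all of its subdomains (shown as *.domain in the dialog).
    Get-ChildItem -Path "$ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key   = $_
            $parts = ($key.Name -replace '^.*\\Domains\\', '') -split '\\'
            [array]::Reverse($parts)               # example.com\www -> www.example.com
            $hostName = $parts -join '.'
            if ($parts.Count -eq 1) { $hostName = "*.$hostName" }
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq $TrustedZone) {
                    $entries += [pscustomobject]@{ Kind = 'Domain'; Target = $hostName; Scheme = $scheme }
                }
            }
        }

    # Ranges\Range<n>: the ':Range' string holds an IP address or pattern
    # (for example 10.0.0.*) and the scheme values carry the zone number.
    Get-ChildItem -Path "$ZoneMap\Ranges" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key   = $_
            $range = $key.GetValue(':Range')
            foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
                if ($key.GetValue($scheme) -eq $TrustedZone) {
                    $entries += [pscustomobject]@{ Kind = 'Range'; Target = $range; Scheme = $scheme }
                }
            }
        }

    return $entries
}

$trusted = Get-TrustedZoneEntries
if (-not $trusted) {
    'Trusted sites zone is empty.'
} else {
    # Per the advice above, nothing belongs here unless you run an intranet,
    # so every row is something to justify or remove through Internet Options.
    "$($trusted.Count) entr(y/ies) in the Trusted sites zone:"
    $trusted | Format-Table -AutoSize
}
```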
 
Thanks, sorry about that,

I have attached the new combofix log and removed the Internet from my trusted sites. Unfortunately I can't seem to get the Ask toolbar thing to work. I have attached a picture of the box, I tried a bunch of different ways of typing what I think you want me to put in there but I must be doing it wrong.
 

Attachments

  • newcombofix.txt (19.2 KB)
  • CMD.jpg (114.6 KB)
Sorry, my bad. There were 2 mistakes in the command line- 1 extra figure and 1 missing one. Hold off on it for now- it looks like the script has removed the entries. My apology for the extra frustration!

Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\Application Updater\ApplicationUpdater.exe

Folder::
c:\program files\uTorrent
c:\program files\Ask.com
c:\program files\LimeWire
c:\documents and settings\HP_Owner\Application Data\LimeWire

Registry::
RegNull:
[HKEY_USERS\S-1-5-21-1783900271-2319448321-3842092627-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1C47CFA1-B6DB-3C00-114D-32A1BF57731C}*]

Driver::
Application Updater

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
=====================================
When finished, Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=============================
Please download HijackThis from here.
  • Save it to a permanent folder (such as C:\HJT).
  • Next, open HijackThis, and select Do a system scan and save a logfile.
  • A Notepad document will open. Please paste the log in your next reply
=======================
Has the redirect resolved? Are there any other malware related problems? We are almost through and I'll have you remove the cleaning tools at the end.
 
Hi again,
here are the logs you needed.
Unfortunately the redirects have not stopped. The ESET scan still seems to list a lot of malware and a trojan.

sigh... :(
 

Attachments

  • combofix3.txt (52 KB)
  • ESETlog.txt (2.4 KB)
  • hijackthis.log (9.8 KB)
Not to worry about the entries in the Eset log. They are not active in your system. The Qoobox is where Combofix sends its quarantined entries and System Volume is where the System Restore points are held. We have you drop the old restore points at the end of cleaning. This is why we say don't use the System Restore feature while cleaning because if you choose an infected restore point, you will reinfect the system.

You should be running better at this point as LimeWire and Ask.com have been removed and they had numerous files.

Please reopen Hijackthis to 'do system scan only.' Check each of the following entries if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
O4 - Startup: PowerReg SchedulerV2.exe


Close all Windows except for HijackThis and click on "Fix Checked."

Reboot the computer.

Open Internet Options (through either Tools in IE or the Control Panel)> Security tab> Trusted Zone> Sites> remove this Domain *.mcafee.com from this zone- nothing needs to be in the Trusted Zone unless you have an Intranet set up> Apply> OK

If you are still experiencing a 'redirect' after this, I need for you to describe exactly what is happening.
 
Hi again,
wish I had better news but the redirect is still happening. I did the HJT thing as you said then rebooted. It took a long time for the computer to come back on, it just sat at the Windows screen with no icons up for about 3 mins. When it did come up it said Windows has recovered from a serious problem and requested I send the info to Microsoft. (I didn't.) I clicked on the link for the tech info and I have posted a pic of the pop up if you want to see it.
As far as the redirects, what is happening is I do a Google search, say for Trains, then the Google page with links comes up and I click a link. At that point the redirect happens, it takes a moment or two (longer than it should) and then redirects to another page. Usually it seems to go to something called 'upliftyoursearch.com' but once in a while it goes to something called 'r.localpages.com'. On a side note, if I click back to the original search results page and then click on the same link it will then go to the proper page, it does not redirect a second time.

sadness...
 
Sorry, here is the pop up image from Microsoft. And one more thing, every time I run Combofix it says there is a 'rootkit' running and then it has to reboot to do whatever it is doing... just in case that's important. I should have mentioned it before.
 

Attachments

  • seriouserror.jpg (143.8 KB)
To investigate the cause of the "serious error": Start> Run> type in eventvwr

Do this on each of the System and the Applications logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow >
[5]. Paste here (Ctrl V)
[6]. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.
Errors are time coded. I am only wanting to see the one(s) that correspond to the message.
==========================
Since you have Combofix downloaded, run it in Safe Mode:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
================================
IF Combofix ran in Safe Mode, follow its scan with this:

Custom CFScript

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
====================
Reboot. See if Combofix will run now in Normal Mode.
 
Here are the Events, they all happened within about 5 mins.

Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: Not enough storage is available to process this command.

Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: Not enough storage is available to process this command.

Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: Not enough storage is available to process this command.

Description:
Hanging application Trjscan.exe, version 6.8.2.1307, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

I will do the Combofix and post the results next.
 
Problemo

Hi again, got a slight problem doing the Combofix. I can't boot to safe mode. When I try it just goes back to the selection screen and it will only boot if I choose normal mode.
 
Reboot the computer.

Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Now try Combofix.
 
Okay, I got Rkill to work and rebooted, but when I go to save the exeHelper to my desktop McAfee freaks out and says it is not safe. I clicked cancel and then McAfee told me it had removed a trojan??? Sorry if this is normal, I am kinda nervous what I d/l now...
 
We don't seem to be communicating very well:

It's best to run Combofix in Normal Mode. Since it's downloaded already, go offline, disable McAfee and try to run it.

Do the same for Malwarebytes.
 
Hi Bobbye,
Okay, I ran Combofix (log attached) and Malwarebytes (log attached). As mentioned before I did not run exeHelper as McAfee said it had a virus. Malwarebytes said I have no malware but the redirects continue.. not just with Google but also with Yahoo...
 

Attachments

  • mbam-log-2010-04-28 (15-54-44).txt (894 bytes)
  • combofix4.txt (18.4 KB)
Oh, also when I run Combofix it still says there is a rootkit running and reboots before it does its thing..
I really appreciate your help.. thanks
 
Please explain to me exactly what you mean when you say "when I run Combofix it still says I have a rootkit." The GMER section in Combofix ends with user & kernel MBR OK

The only thing I can get out of the partial Error Events that you left is:
Trojan Remover from Simply Super Software.
You only gave me the descriptions in the events. There are 2 other parts: the Event ID# and the Source. That matters.

Disable this Trojan Remover- I would encourage uninstalling it altogether.

About the "Google Redirect." It isn't. Any malware can affect the searches on any search engine. Most people use Google, so the name 'Google redirect' has come in to being. If you've moved to the Yahoo search engine and are getting redirected, it's the same thing.

Frankly, McAfee can be a pain! It kicks up and scares users into NOT running something they Should run because it can't read right! McAfee devours a system- look at the drivers that are running- they are almost all McAfee.
===================================
Please disable TeaTimer until we're finished:
  • Right click the TeaTimer icon in the system Tray
    MHoTT005.gif
  • Then click Exit Spybot-S&D Resident
  • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
=============================
Please rescan with GMER.
 
Sorry I'm not much help.. I'm not very good at this I guess.... With Combofix... I run it and the window pops up and says it is starting.. then it just sits there for a while and then it says something like "Combofix has detected Rootkit activity and needs to reboot" (not an exact quote). As for the event logs.. sorry about that, I have redone them in Notepad and attached. Trojan Remover is gone. When I searched my system for it the whole folder was in the Qoobox quarantine folder. As for the TeaTimer, I don't have that icon in my system tray and when I searched for TeaTimer.exe it was not found so, although I do have a Spybot Search and Destroy folder in my program files, there is no .exe file in there.

I will run GMER now, it will probably take a couple of hours....

thanks,
 
Spybot Search & Destroy TeaTimer
  • Launch Spybot Search & Destroy
    icon_Spybot_-_Search_and_Destroy.png
  • In the Menu, Select Mode and choose Advanced Mode
  • Click Yes in the confirmation dialogue box
  • click on Tools to expand the menu. Make sure that Resident is checked and then click Resident in the left pane.
  • In the right pane uncheck Resident "Tea timer" (Protection of over-all system settings) to disable it.
  • Uncheck the TeaTimer box and OK any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (Once you are clean, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

TeaTimer is called the Resident. It is loading. This way to disable it is longer but it might be easier for you.
 