Solved Google Redirect virus 8 steps completed

Hi, I ran the GMER again, log is attached.
I am unable to turn off the Spybot TeaTimer resident as I cannot find any way to launch it. I have no icon and no .exe file in the Spybot folder. I cannot find any way to open this program. I have searched my system repeatedly for teatime.exe and Spybot. The Spybot Search and Destroy folder is in the Program Files folder, but within the Spybot folder there is no .exe file to launch. I opened all of the subfolders and there are no .exe files in any of them. Is there another way to kill this program? If I don't need it I have no problem deleting it completely, I just don't know how. I even went into Add/Remove Programs and Spybot is not listed at all.
sorry for all the trouble...
 

Attachments: gmer2.txt (73.2 KB)
I read another thread in regards to Spybot not showing up in the Add/Remove Programs list, suggesting to download and reinstall it to allow the uninstall to work... should I try that?
 
Hi Bobbye,
I don't know if you are still helping me or not, but if you are, here is what I have done... I reran the rkill and then the exehelper as you indicated it was safe. exehelper log attached. Then, as I was unable to access Spybot S&D, I re-downloaded and installed Spybot S&D and then attempted to remove it from my system, but it won't let me... something is wrong with the uninstall .dat file; however, using your instructions I believe I have managed to disable it. I ran ComboFix again (had to re-download it as the copy I had expired) and this time the 'resident active' part is gone. I definitely have a rootkit, however (even though the scan indicates I don't, I believe), as when I try to run ComboFix it tells me that it has detected rootkit activity and reboots my system before it does its scans. I have included the new ComboFix log and I will post another GMER log tomorrow. I am still unable to get into safe mode, and the redirects continue. If you are too busy to help me, I understand and appreciate what you have done so far, but if there is someone else who can help I would really appreciate it.
Thanks,
 
Attached is the GMER log. Also, after GMER ran I turned my McAfee back on and clicked on Internet Explorer to come here and my computer rebooted. Once it came back on it said it had again recovered from a serious problem, so I went to eventvwr and I have attached the system event log.
 

Attachments: syseventlog.txt (847 bytes), gmer3.txt (73.5 KB)
My apology. I had some personal business to attend to and it took time from my board help. Now I'm trying to catch up.

Let's go back to the Event Errors. Although you didn't give me the Event ID# and the Source, it was most likely this:
Event ID: 11, Source: crypt32

Desc: Failed extract of third-party root list >> trustedr

With 3 descriptions:
  • This network connection does not exist.
  • Not enough storage is available to process this command.
  • The server name or address could not be resolved.

According to Microsoft you should check permissions on the temporary directory where the cabinet file is downloaded:
  • Use Windows Explorer to navigate to the temporary directory on the local computer. By default, the temporary directory is located at %userprofile%\AppData\Local\Temp.
  • Right-click the temporary directory, and then click Properties.
  • Click the Security tab.
  • Ensure that the user account logged on to the computer has Full Control permissions.
Then verify:
  • Use a Web browser to open a Web site that requires the Automatic Root Certificates Update component.
  • When you open this Web site, a new root certificate is downloaded from the Microsoft Windows Update Web site.
  • If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.

Other than permissions, the other factor is that if the system time/date were wrong at the time of attempted access, the certificates will display as no longer valid.
============================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind /md5
    c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    c:\windows\Installer\{ECB9C58E-C565-4683-9599-B72290BD3B25}\NewShortcut5_22EC35BDF8F245EB8DCB1C7FB65D0A71.exe
    c:\windows\Installer\{ECB9C58E-C565-4683-9599-B72290BD3B25}\NewShortcut1_22EC35BDF8F245EB8DCB1C7FB65D0A71.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

I don't think you have a Rootkit.
 
We were posting at the same time:

STOP: c000021a {Fatal System Error}
Event Type: Error
Event Source: System Error
Event ID: 1003
Date: 5/1/2010
Time: 9:19:13 AM
Description: Error code c000021a, parameter1 e10f9a90, parameter2 c0000005, parameter3 0015000a, parameter4 00c8f80c
Possible causes:
1. GoBack causes a Stop error C000021a
C000021a (fatal system error).
To resolve: http://support.microsoft.com/kb/316503
2. KB925902 update causes STOP:c000021A fatal error at boot
The KB925902 update is incompatible with my XP Home SP2
Remove it through Recovery Console

These were the most common causes.
 
Whew, glad to have you back!
Well, I thought I knew a bit about computers but I guess I don't... I cannot find the file you mentioned. I don't know where "%userprofile%\AppData\Local\Temp" is... I right-clicked on the Start button and chose 'Explore', then I pasted that address into the address bar and it does not come up. Then I did a system search for authrootstl.cab including hidden files and folders and it does not appear to exist on my system. I must be doing something wrong. In regards to the system error, I have not installed Norton GoBack and I don't know how to get into Recovery Console... :-/
I did the SystemLook as instructed and I have attached the log.
 

Attachments: SystemLook.txt (2 KB)
It wasn't you in SystemLook- I must have had the code in wrong. If you don't mind, I'd like to revisit the specific problems you are having.

1. How is Combofix 'warning' you about a Rootkit before you run it?
2. Leave Spybot and TeaTimer alone for the moment.
3. Are you turning McAfee off before you run the scans?
4. Specifically, what problems are you having with the system?
 
Hi,

1. How is Combofix 'warning' you about a Rootkit before you run it?

When I run ComboFix, it opens up a box and says it is preparing to run, then it stops for a while and then it says 'ComboFix has detected rootkit activity and needs to reboot' or something similar... and then it reboots and runs.

2. Leave Spybot and TeaTimer alone for the moment.

Done.

3. Are you turning McAfee off before you run the scans?

I am turning off the Real-Time Scanning and the firewall.

4. Specifically, what problems are you having with the system?

When I run a search with Google or Yahoo, the results page comes up properly. Then I click on a link to a webpage and after a moment or two (longer than normal) I am redirected to a random website, such as 'upliftyoursearch.com' or 'r.localpages.com' or something called 'scour.com'. If I click back to the Google results page and click the same link again, it goes to the correct webpage. Oh, also I cannot start my system in safe mode; it just reboots over and over and forces me to start up in normal mode.
 
I'd like you to run this:

Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble a black console window (screenshot in the original post omitted).
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a results screen (screenshot in the original post omitted).
  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.

If that makes a difference, please run a new Combofix scan. Leave logs in next reply.
 
YAY! Redirects have stopped. It found a rootkit and rebooted. I have run the ComboFix and posted the log. I think we've done it!
 

Attachments: combofix7.txt (16.7 KB), report.txt (53.5 KB)
Great! I moved a file a while back but it must have gotten reinfected. There is one hidden file I'd like you to remove:

You are going to delete c:\windows\TEMP\ver17.tmp (377 bytes), which is a hidden file:
Show Hidden Folders/Files
  • Open Windows Explorer (Windows key+E)
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Click on My Computer> double click Local Drive(C)> Windows> Click on TEMP
  • Scroll to ver17.tmp and do a right click> Delete
Go back and Reset Hidden/System Files & Folders replacing the checks in the two areas.
Close Windows Explorer.
=========================
Scan with HijackThis to make sure there are no entries to be removed:

Download HijackThis HERE and save it.
  • Double-click on the saved file.
  • When it runs it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
  • When the installation has finished. HijackThis will automatically launch.
  • When the license agreement appears, select I accept and then click on the Do a system scan only button.
  • When the scan is complete, click on the Save Log button to create a log of your information.
  • Paste the log into your next reply.

I'll check that and instruct you to remove any entries if needed. When through, I'll have you remove the cleaning tools and old restore points!

Heads up- you're almost there!
 
Hi, sorry I was away yesterday. I checked for the file just as you said, but it is not there?? I definitely had the hidden files showing as you instructed; I took a pic of my desktop to show you... dunno....
I ran the HijackThis and the log is attached.
 

Attachments: anotherhijackthis.log (9.4 KB), screen.jpg (110 KB)
No problem- it was probably part of an entry removed by one of the scans. The system is clean- now you can remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if you need more help.
 
Thanks Bobbye, everything seems to be good. I removed all the files and set the restore point.
I really appreciate your help with this, you are a lifesaver!!
Cheers!
 
You're very welcome. You did a nice job! I'll leave these tips for you and close the thread:

Please follow these simple steps to keep your computer clean and secure:

1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points, and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through configuring security settings, managing ActiveX controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
5. Use an AntiVirus software (only one).
See Virus, Spyware, and Malware Protection and Removal Resources.

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls- both are free and good:
Comodo or Zone Alarm
7. Consider these programs for extra security:
  • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know.
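The MVPS tip above works because Windows consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 never leaves the machine; the same file can also carry entries that send a name somewhere else, which is why it is worth reading during a redirect cleanup. Added example, not a tool used in this thread: a small Python audit over a constructed HOSTS sample (the TEST-NET address 203.0.113.5 and the names are made up) that separates sinkhole entries from entries pointing a name at a remote address.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (not from the thread): the stock
# localhost lines, two MVPS-style block entries, and one entry of the kind a
# redirect infection plants. 203.0.113.5 is a TEST-NET address, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# MVPS-style block entries: the names resolve to the local machine
0.0.0.0 ads.example
0.0.0.0 tracker.example   # inline comment
# Constructed hijack entry: two search engines sent to a remote address
203.0.113.5 www.google.com www.yahoo.com
"""


def parse_hosts(text):
    """Yield (ip, [hostnames]) for every active line of a HOSTS file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skip it
        yield str(addr), fields[1:]


def audit_hosts(text):
    """Split HOSTS entries into harmless sinkholes and name->IP redirections.

    Sinkhole: the address is loopback (127.x, ::1) or unspecified (0.0.0.0),
    so the name is blocked on this machine. Anything else sends the name to
    a real address and deserves a look, especially for well-known sites.
    """
    report = {"sinkholed": [], "redirected": {}}
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            report["sinkholed"].extend(names)
        else:
            for name in names:
                report["redirected"][name] = ip
    return report


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS)["redirected"].items():
        print(f"REDIRECTED: {name} -> {ip}")
```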
 