Hi guys,
I believe I have some sort of Google redirect virus. I do a Google search and no matter what I click on I get redirected to a bunch of adware junk. I've tried everything and have subsequently removed lots of malware but it still hasn't fixed the problem. This virus also appears to have blocked me from certain sites to include microsoft.com; I've looked at the /etc/hosts file and it only has the one localhost line... please feel free to help if you have a minute. I've been fighting this for 3 days now.
I followed the 8 steps and here are the log files from all the latest scanning I've done:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6000
8/20/2009 7:49:28 PM
mbam-log-2009-08-20 (19-49-28).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 218532
Time elapsed: 1 hour(s), 43 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\$Recycle.Bin\S-1-5-21-19325671-1066254232-3760890249-1000\$R3G8EIB.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\Users\preciosa\Desktop\fkyou\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\preciosa\Downloads\MyWebFaceSetup2.3.50.49.GRfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
C:\Windows\freddy58.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\pp11.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
SUPERAntiSpyware Scan Log
superantispyware
Generated 08/20/2009 at 08:51 PM
Application Version : 4.27.1002
Core Rules Database Version : 4065
Trace Rules Database Version: 2005
Scan type : Complete Scan
Total Scan Time : 00:49:10
Memory items scanned : 622
Memory threats detected : 0
Registry items scanned : 7420
Registry threats detected : 0
File items scanned : 27371
File threats detected : 8
Adware.Tracking Cookie
C:\Users\preciosa\AppData\Local\Temp\Low\Cookies\preciosa@atdmt[1].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@tacoda[1].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@imrworldwide[2].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@advertising[2].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@doubleclick[1].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@admarketplace[1].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@theclickcheck[2].txt
C:\Users\preciosa\AppData\Roaming\Microsoft\Windows\Cookies\Low\preciosa@bridge1.admarketplace[1].txt
Thanks in advance for any help that you may be able to provide. tks - Derek