Can't get rid of stubborn redirect virus

[okolao]

Hi there,

Let me start by saying I run windows 7 64bit on a laptop and I do not have a boot disk, neither did I create a factory image

I have the findgala google redirect virus. I have gone through the redirect virus removal guide and the clean up one to no avail.

I have run MBAM multiple times, in safe mode, after updating it and did find something eventually, removed it and i'm still getting the redirects.
MSE has failed to find anything all together.

I run chrome as my sole browser but did also clear the cache in IE.

I'm really at a loss and need help

[okolao]

Hi there,

Let me start by saying that I am running windows 7 64bit on a laptop, I don't have the boot disk neither did I create a factory image I'm an idiot, I know.

I have some kind of redirect virus, it redirects me to findgala, so after lots of searching and trying things I'm at a loss. I have followed both the redirect virus removal guide and the more general one to no avail.

However whilst MBAM did find something finally after an update (spyware.banker??) whilst in safe mode after deleting it and restarting I am still getting the redirects. MSE also found nothing.

I have attached all the logs that were mentioned, I really just don't know what to do next

[chaslang]

Welcome to Major Geeks!

Is your redirection problem only happening with Chrome? Shutdown Chrome and test with IE.

[okolao]

Hi,

Thanks for the reply. I am getting the redirects on both chrome and IE and some sites such as my gmail aren't secure.
I am not currently getting them on IE as of this afternoon but last night I was and these redirects happen on and off with worsening severity.

[chaslang]

It may just be that you have allowed an addon to Google Chrome. I did see signs of Yontoo and there may be other junk too. Please attach the requested log from Hitman Pro.

Also what did you use that put in the large hosts file. Sometimes things can hide in large hosts files because it is hard to locate them when the file is so large.

[okolao]

Hi,

I've attached that hitmanpro log. I hope that helps.

I'm not sure what you mean? I'm not even sure what a host file is, so if I did do something it wasn't on purpose.

I thought I may of gotten rid of it until I just had another redirect after searching for antivirus software as this is what triggers the redirects most often.

Also my boyfriend whilst I was at work removed yontoo from chrome extensions.

[chaslang]

Quote:

Originally Posted by okolao

Also my boyfriend whilst I was at work removed yontoo from chrome extensions.

Not completely and since you still have a problem, we will have to remove Chrome to fix this.

So uninstall Chrome now. Do not reinstall until requested. Just use Internet Explorer for now.

Uninstall the below very old versions of software:
Java(TM) 6 Update 30



Please download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe and select Run as administrator to run it.
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
 
:Files
C:\Program Files (x86)\Yontoo
C:\Users\Lia\AppData\Local\Google\Chrome
echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
ipconfig /flushdns /c
 
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99066096-8989-4612-841F-621A01D54AD7}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{8D8654CD-7FBC-4C7E-84E9-371BFA8DB04E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
:Commands
[purity]
[EmptyTemp]
[start explorer]

[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


Now download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Now download and install Chrome from the below link:

Google Chrome 23.0.1271.97 Stable


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[okolao]

Hi,

It hasn't happened yet so far so that's good, not even when searching for some anti virus software.
I've attached the logs too

[chaslang]

I still see Java(TM) 6 Update 30 in your logs. Did you forget to uninstall it?

Also now Yontoo shows in your Uninstall Programs list. It was not showing there in your first logs. The below show remove it.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.