Google redirect symptom of something else...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by yeepnut, Apr 5, 2012.

  1. yeepnut

    yeepnut Private E-2

    This seems to be a very popular problem lately.

    Ok so I've been at this since yesterday. I did what I could to run the massive READ & RUN ME FIRST, for which I have the logs that will be attached. This includes deleting offline material and even removing Firefox and then reinstalling.

    Also ran Kaspersky's TDSSKiller, but here's where it gets interesting.
    A couple of times after I restarted and began using Firefox, I got the random page pop-up, so I figured I'd rerun TDSSKiller (my apologies if this throws a monkey wrench in things), but it would find the same Backdoor.Multi.ZAccess.gen. I think it happened a few times, but it would be a different dll each time. Guess I should have figured that there was something spawning these sooner.

    So this morning I gave it another shot and nothing is picking up on any files, but I noticed that something tried to lock down C:\Documents and Settings with a special permissions type security entry, which was essentially trying to lock me out completely, but I erased that entry. So I disabled my network device thinking that there's more to this and came here.

    I'm kinda at the end of my wits and knowledge so if you see something I'd love to learn more about this. Also I'm putting effort into this more to learn than anything else, but there's also the fact that my win7 is an upgrade...and that makes the reinstall kinda annoying...

    Thanks
     


  2. yeepnut

    yeepnut Private E-2

    and the rest of the logs and attachments at least I hope so...

    Oh also no root repeal since I'm in win7 64-bit
     


    Last edited: Apr 5, 2012
  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, yeepnut!

    Download: yorkyt.exe by Panda Security

    • Download it to your desktop and run it.

    • Yes, restart.
    • Let it restart again.
    • Be patient as the tool is working after the 2nd reboot.
    • When the tool shows its completion screen, test to see if browser redirects are still occurring.
    • Attach the Yorkyt.exe.log to your next message (it will be in the same directory the tool was run from). (How to attach)

    __

    You forgot to attach c:\MGlogs.zip (from running C:\MGtools.exe). (How to attach)
    Please do this now and also follow these instructions:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  4. yeepnut

    yeepnut Private E-2

    :-o oops...
    thought I had that one on there... Working through the yorkyt now but here's the MGlogs I meant to post above.
     


  5. thisisu

    thisisu Malware Consultant

    No problem.
    After you complete the Yorkyt instructions, I will need an updated MGlogs.zip so do this:

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  6. yeepnut

    yeepnut Private E-2

    Alrighty here we go

    During the MGtools run there was a popup about something missing but I didn't have the presence of mind to remember what it said...hopefully it'll show up in the ol logs.

    I popped open those MGlogs, man there's so much comprehensive info in there, it's a little overwhelming.
     


  7. thisisu

    thisisu Malware Consultant

    We need to use a different tool to remove this type of infection. Do you have a USB flash drive you can use? If so, please follow these directions:

    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  8. yeepnut

    yeepnut Private E-2

    Oh wow going to the pre windows load to get rid of something, that sounds kinda serious.

    If you don't mind me asking, what was it that you saw that led you to this conclusion? More just curiosity since all of those logs just looked like a ton of different reg keys and hex codes.

    I'm working on backing up some document files from C: in case things take a turn for the "WHOLLY #%*!" Hopefully everything else on the other drives should remain unaffected...

    And I'll do the start up restore steps for Farbar and post the logs. Bit in a few.

    Onward to virus termination~!:major
     
  9. thisisu

    thisisu Malware Consultant

    The consrv ServerDll entry (shown in red in the original post) is a major component of a ZeroAccess infection on x64 OS.

    Code:
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems
       Windows	REG_EXPAND_SZ  	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
        ------------------------------------------------------------------------

    HKEY_LOCAL_MACHINE\system\controlset001\control\session manager\subsystems
       Windows	REG_EXPAND_SZ  	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
        ------------------------------------------------------------------------

    HKEY_LOCAL_MACHINE\system\controlset002\control\session manager\subsystems
       Windows	REG_EXPAND_SZ  	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    We don't have to use FRST but I prefer to address all the traces of malware in one fell swoop using one tool/fix :)
    That and it is much easier to address this registry problem using the above tool ;)
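    An added example, not part of this thread and not code from FRST, OTL or MGtools: a small Python checker that parses the Windows value of the SubSystems key quoted above and flags any ServerDll module outside the set a clean Windows 7 x64 install registers. The expected-module set, the helper names and the two sample values are assumptions constructed from the value in the post; when run on Windows it also reads the live value through winreg.

```python
"""Flag unexpected ServerDll entries in the Win32 subsystem registry value.

Added example (not from the MajorGeeks thread or any tool it mentions). A clean
Windows 7 x64 'Windows' value lists three ServerDll modules: basesrv, winsrv and
sxssrv. The infected value in the thread carries a fourth, consrv, so any
module outside the expected set deserves a closer look. The sample values
below are constructed from the value quoted in the post.
"""
import platform
import re

# ServerDll modules present on a clean Windows 7 / Vista install. This set is
# an assumption for the example; compare against a known-good machine of the
# same OS build before relying on it.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Each entry looks like ServerDll=<module>[:<init function>],<index>
_SERVERDLL_RE = re.compile(r"ServerDll=([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)")


def parse_server_dlls(windows_value):
    """Return [(module, init_function_or_None, index)] in the order they appear."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in _SERVERDLL_RE.finditer(windows_value)]


def unexpected_server_dlls(windows_value, expected=EXPECTED_SERVER_DLLS):
    """Return the modules that are not in the expected set, in value order."""
    return [mod for mod, _, _ in parse_server_dlls(windows_value)
            if mod not in expected]


def read_live_value():
    """Read the real 'Windows' value on Windows; return None on other platforms."""
    if platform.system() != "Windows":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Windows")
    return value


# Constructed samples: the infected value as quoted in the thread, and the same
# value with the injected consrv entry removed.
INFECTED_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
CLEAN_VALUE = INFECTED_VALUE.replace(
    "ServerDll=consrv:ConServerDllInitialization,2 ", "")


if __name__ == "__main__":
    live = read_live_value()
    for label, value in (("constructed infected", INFECTED_VALUE),
                         ("constructed clean", CLEAN_VALUE),
                         ("this machine", live)):
        if value is None:
            continue  # not on Windows, nothing live to check
        extra = unexpected_server_dlls(value)
        print(f"{label}: {'SUSPECT ' + ', '.join(extra) if extra else 'ok'}")
```

    The check is deliberately an allow-list rather than a search for the string consrv: a different module name in the same position would be caught just as well. The same parse should be run over ControlSet001 and ControlSet002 as the post does, since the value is mirrored into every control set.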
     
  10. yeepnut

    yeepnut Private E-2

    o_O so much to learn about the windows structure, but I'd prefer this to having the enigmatic mac black box.

    So this just happens to be one of those I've seen this process so I know what it's up to kinda things huh? Okay well glad someone knows.

    Oh enough ramble here is the FRST log you requested.
     


  11. thisisu

    thisisu Malware Consultant

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now restart your computer and boot back into Windows.
     


  12. thisisu

    thisisu Malware Consultant

    After you have completed the above, do the below:

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 29 (outdated)

    Be careful, this folder is intended to be inaccessible on Vista/7.

    __

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE - HKU\S-1-5-21-121025758-1695003570-2526426557-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FB 02 C6 B6 DC 6A CA 01  [binary data]
    IE - HKU\S-1-5-21-121025758-1695003570-2526426557-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2559647
    IE - HKU\S-1-5-21-121025758-1695003570-2526426557-1000\..\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}: "URL" = http://toolbar.ask.com/toolbarv/askRedirect?gct=&gc=1&q={searchTerms}&crm=1&toolbar=FXT
    O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    @Alternate Data Stream - 128 bytes -> C:\Windows\SysWow64\zlib.dll:SummaryInformation
    @Alternate Data Stream - 128 bytes -> C:\Windows\SysWow64\zlib.dll:DocumentSummaryInformation
    :reg
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "Adobe ARM"=-
    "DivXUpdate"=-
    "ATICustomerCare"=-
    "Adobe Reader Speed Launcher"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "AdobeAAMUpdater-1.0"=-
    :commands
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know how the system is running after you have completed these steps.
     
  13. yeepnut

    yeepnut Private E-2

    I did not know that. I thought that it was accessible, I had gone into it before to take a look at my user and browse through the app data stuff... unless I'm thinking of something else..

    Either way I'll run these tomorrow and post back here when I've got the logs.

    Thanks for your 133t ninj4 aid thus far.:cool
     
  14. yeepnut

    yeepnut Private E-2

    Log log log everyone needs a log, you're gonna love it log.

    *ahem...*
    Here they are. The fix seems to have done its thing. Malwarebytes doesn't seem to be blocking any foreign IP stuff, so that's good. Guess I'll follow the protecting your system steps next.

    How did you end up here helping us less knowledgeable?:confused
     


  15. thisisu

    thisisu Malware Consultant

    Good job. Latest logs are clean :cool

    It's just something I enjoy. This site has helped me out in the past so figured I should return the favor. ;)

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
    Last edited: Apr 6, 2012
  16. yeepnut

    yeepnut Private E-2

    Sweet deal. I hope to understand this stuff in time, it would be nice to be able to look at my own logs and understand what they mean.

    In the mean time, cheers and thanks for your help.:wave
     
  17. thisisu

    thisisu Malware Consultant

    You're welcome.
    Be safe :)
     
