Google Redirect Virus.. Did scans.. Posting logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LvingLgend, Mar 30, 2011.

  1. LvingLgend

    LvingLgend Private E-2

    OK, I am working on a machine for a friend who got the Google redirect virus. It is a Dell XPS 210 running XP Home Edition.

    It not only has the Google redirect but also had another part, or a different virus, that looked like AVG but wasn't. They were running Kaspersky at the time this virus got in. I ran the basic malware removal recommended from the site here, but the redirect still remained, so I did the extra part as well and now have all the logs. The phony AVG virus is gone, but when I open a Firefox browser the main page looks like Russian words. I did remove IE from Add and Remove Windows Components, thinking that might help, but it didn't. Issues I did have during this were that it kept saying I had Verizon Security Suite installed and running when it wasn't showing up anywhere, and it also listed the name of the phony AVG virus as a running process, but I couldn't find either one in Add and Remove or on the C: drive anywhere. Here are my logs. I am still having the Google redirect issues but not the phony AVG one.
     

    Attached Files:

  2. LvingLgend

    LvingLgend Private E-2

    And the last log
     

    Attached Files:

  3. LvingLgend

    LvingLgend Private E-2

    Just a sample of how the home page looks.

    "Firefox 4 is er! Download het vandaag en zet internet in een hogere versnelling." (Dutch; in English: "Firefox 4 is here! Download it today and shift the internet into a higher gear.")
     
  4. LvingLgend

    LvingLgend Private E-2

    And my MGTools logs
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is not the MGtools log. As stated in the instructions, the log from MGtools is C:\MGlogs.zip

    Please attach this log

    Also please rerun TDSSkiller properly and attach a complete log as yours is incomplete.
     
  6. LvingLgend

    LvingLgend Private E-2

    Sorry about the MGTools log. Hope this is the right one. As for running TDSSKiller properly, I followed the steps as laid out in the removal section. I will rerun it again. I have done these steps a few different times on other computers and not had any issues. Not sure what's up with this one, but I've never had one as bad as this.
     
  7. LvingLgend

    LvingLgend Private E-2

    Correct MGTools log
     

    Attached Files:

  8. LvingLgend

    LvingLgend Private E-2

    OK, I reran TDSSKiller and I'm not sure what other way there is to run it; it's as simple as double-clicking it to run. It runs and doesn't find any issues. What was wrong with the way I ran it the first time? Can you please explain what was wrong with the first run I did? I just don't understand what to do next as far as TDSSKiller is concerned. I still have the Google redirect problem; none of the scanners are finding a problem. Have none of the logs shown any issues? Thanks for all the help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The log you originally attached only had the below info:
    Look at the ones that are inside the MGlogs.zip file you just attached. Those are the correct/full logs. If you had originally attached the most recent one of them, or had attached the correct MGtools log at first, I would not have needed to ask for a proper log from TDSSkiller. ;)


    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Why are you running in Safe Boot Mode? We need logs from Normal Boot Mode unless you cannot run in normal boot mode and you did not say that you could not. Please attach a new log from MGtools that is run in normal boot mode. Also tell me if you are still having problems.
     
  10. LvingLgend

    LvingLgend Private E-2

    Thank you for explaining that. But I honestly followed the directions step by step, as I have the half dozen times I've done this for other PCs I've cleaned up. This one for some reason is acting odd (more than the usual malware), and to that point:

    "Why are you running in Safe Boot Mode? We need logs from Normal Boot Mode unless you cannot run in normal boot mode and you did not say that you could not. Please attach a new log from MGtools that is run in normal boot mode. Also tell me if you are still having problems."

    I don't know why it shows I ran in Safe Mode when I haven't. This is a clean copy of XP and not a cracked one, so I'm at a loss. I did try to run Malwarebytes in Safe Mode before I began the complete clean-out process, but it wouldn't let me, nor would any of the other programs (CCleaner, SUPERAntiSpyware). Once that happened I uninstalled Kaspersky, rebooted and started from scratch, downloading and running everything from step one. After running through everything from step one correctly it did remove the phony anti-virus pop-ups, but the redirect is still there. I thought I did something wrong, so I repeated the steps again. I've run MGTools three times now with the same results, as well as TDSSKiller, and the same. I will re-run MGTools one more time and post those logs. The only error messages I got while doing the process were when I ran ComboFix: it picked up the phony anti-virus and also said the machine was running Verizon antivirus suite, but I couldn't find a trace of it (unless in registry keys somewhere). As I said, I will re-run MGTools and the other step you posted. I appreciate all your help, as well as the others who take time to help everyone on this board. I've learned quite a lot from the people on here, and PayPal donations aren't enough to express my gratitude!
     
  11. LvingLgend

    LvingLgend Private E-2

    OK, I ran HostsXpert and here's what it said:

    Your hosts file is marked as "system file" and cannot be manipulated. Press OK to remove the system file attribute, Cancel to quit.

    HostsXpert will not reset these attributes.

    Is there any other way I can fix this? Download my own hosts file and replace it?
     
  12. LvingLgend

    LvingLgend Private E-2

    The redirect is still there. I also tried editing the hosts file as HijackThis suggests, but it must have a script on there that keeps rewriting it; it keeps going back to the same thing even after I save it.
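The hosts-file reset in post #9 and the "it keeps rewriting itself" symptom in post #12 are about the same artifact: the Windows hosts file, which a stock XP install ships with a single active line, `127.0.0.1 localhost`. The script below is an added example for this thread, not a MajorGeeks or HostsXpert tool, and none of the data in it comes from the attached logs. It parses hosts-file text the way Windows does (comments and blank lines ignored, one address followed by one or more names) and flags the two patterns a Google-redirect clean-up looks for: a watched domain pointed at a non-loopback address (the redirect itself) and a security-vendor domain blackholed to loopback so updates and downloads fail. The watch list, the sample hijacked file and the 203.0.113.x (TEST-NET-3) address are constructed for the example.

```python
"""Check Windows hosts-file text for redirect and blackhole entries.

Added example for this thread, not a MajorGeeks/HostsXpert tool. The watch
list and SAMPLE_HOSTS are constructed; 203.0.113.0/24 is a documentation
range, not an address seen in any log.
"""
import ipaddress
from dataclasses import dataclass

# Domains worth watching: search engines that get redirected and security
# vendors that malware blackholes. Assumed list; extend it for the case at hand.
WATCH_DOMAINS = ("google.com", "bing.com", "malwarebytes.org", "avg.com",
                 "kaspersky.com", "majorgeeks.com")

# The only active mapping Microsoft ships in the XP hosts file.
STOCK_ENTRY = ("127.0.0.1", "localhost")

# Constructed sample of a hijacked hosts file (not from the thread's attachments).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     www.google.com google.com   # constructed redirect
203.0.113.7     www.bing.com
127.0.0.1       www.malwarebytes.org        # constructed blackhole
127.0.0.1       free.avg.com
"""


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    ip: str
    name: str


def parse_hosts(text):
    """Return one HostsEntry per (address, hostname) pair; comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; Windows ignores such lines too
        for name in fields[1:]:
            entries.append(HostsEntry(lineno, str(ip), name.lower()))
    return entries


def _watched(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def find_hijacks(entries):
    """Classify every non-stock entry. Returns a list of (entry, reason) tuples."""
    findings = []
    for e in entries:
        if (e.ip, e.name) == STOCK_ENTRY:
            continue
        loopback = ipaddress.ip_address(e.ip).is_loopback
        if _watched(e.name) and not loopback:
            findings.append((e, "redirected to " + e.ip))
        elif _watched(e.name):
            findings.append((e, "blackholed to loopback"))
        elif not loopback:
            # A stock XP hosts file has no other active lines, so any other
            # real address deserves a look even if the name is not watched.
            # Unwatched names sent to loopback are left alone: that is how
            # ad-blocking hosts lists work and is not by itself a hijack.
            findings.append((e, "unexpected non-loopback mapping"))
    return findings


def summarize(text):
    """Count findings by class so a quick triage number is available."""
    findings = find_hijacks(parse_hosts(text))
    redirected = sum(1 for _, r in findings if r.startswith("redirected"))
    blackholed = sum(1 for _, r in findings if r.startswith("blackholed"))
    return {"total": len(findings), "redirected": redirected, "blackholed": blackholed}


if __name__ == "__main__":
    for entry, reason in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {entry.lineno}: {entry.name} -> {entry.ip}: {reason}")
    print(summarize(SAMPLE_HOSTS))
```

On XP the file is `%SystemRoot%\system32\drivers\etc\hosts`; feed its contents to `parse_hosts` to check the real machine. The HostsXpert message in post #11 means the file carries the system attribute, which `attrib -s -h -r` on that path clears before editing. A file that reverts after you save it, as in post #12, is being restored by something still running, so a hosts reset only sticks once that component is removed.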
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    Java(TM) 6 Update 23
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. LvingLgend

    LvingLgend Private E-2

    Will do, and thanks again!
     
  15. LvingLgend

    LvingLgend Private E-2

    Here they are...
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not tell me how things are working.
     
  17. LvingLgend

    LvingLgend Private E-2

    Oops, sorry, I was happy it cleaned everything out and was reinstalling stuff. AWESOME!!! It got everything nasty off the hard drive! Working like new again! As I said, PayPal donations aren't enough to thank each and every one of you for all the hard work. Thanks again!
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
