Google-redirect virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by daflyingkiwi, Dec 29, 2012.

  1. daflyingkiwi

    daflyingkiwi Private E-2

    I am dealing with a seemingly undetectable Google redirect virus. I have completed all of the virus removal steps and have attached all relevant logs, although I don't know how much help they will be as nothing was detected. I have run scans on my own (before finding this forum) with about 10 anti-virus programs, all of which came up with nothing. I will get my computer re-imaged if this problem is not resolved. One of the redirects infected my computer with a virus that said the government had caught me watching child pornography and I needed to pay a fine (lol). I got rid of that using system restore, but the redirect virus has persisted.

    In case it helps, I am often redirected to a site claiming to be Norton (especially when searching on virus removal), which has Norton anti-virus for sale. No doubt the purpose of the virus is to scam me into buying it. I was wondering if this might indicate the infection is a known malware.

    Because I can only make 5 attachments, I will post the other three scan results here:

    fixTDSS results: No infections found

    GooredFix results:
    --------------------------------------------------------------------------
    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 20:05 on 28/12/2012 (John)
    Firefox version 17.0.1 (en-US)

    ========== GooredScan ==========

    (none)

    ========== GooredLog ==========

    C:\Program Files (x86)\Mozilla Firefox\extensions\
    {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [03:39 06/12/2012]
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [03:39 06/12/2012]

    C:\Users\John\Application Data\Mozilla\Firefox\Profiles\c6umoxkh.default\extensions\
    (none)

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    (none)

    -=E.O.F=-
    --------------------------------------------------------------------------

    Hitman pro results:
    --------------------------------------------------------------------------
    HitmanPro 3.7.0.185
    www.hitmanpro.com

       Computer name . . . . : R8Z4YWK
       Windows . . . . . . . : 6.1.1.7601.X64/4
       User name . . . . . . : R8Z4YWK\John
       UAC . . . . . . . . . : Disabled
       License . . . . . . . : Trial (19 days left)

       Scan date . . . . . . : 2012-12-28 22:30:37
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 2m 30s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No

       Threats . . . . . . . : 0
       Traces  . . . . . . . : 0

       Objects scanned . . . : 1,713,713
       Files scanned . . . . : 13,151
       Remnants scanned  . . : 362,114 files / 1,338,448 keys
    --------------------------------------------------------------------------

    Thanks!
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  3. daflyingkiwi

    daflyingkiwi Private E-2

    Wow, I think that worked! It found and deleted quite a bit, but sometimes the redirects can stop for a day and then be back the next. If they come back I will let you know. Thanks!
     

    Attached Files:

    • JRT.txt
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{e4270089-d75d-eecb-2caf-1bce2e4269ae}\U --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Users\John\AppData\Local\{e4270089-d75d-eecb-2caf-1bce2e4269ae}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{e4270089-d75d-eecb-2caf-1bce2e4269ae}\L --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Users\John\AppData\Local\{e4270089-d75d-eecb-2caf-1bce2e4269ae}\L --> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message.
    Reboot the machine.



    Download and run OTM.


    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code into the Paste List of Files/Folders to Move window. Do not include the word Code.

    Code:
    :Files
    C:\Windows\Installer\{e4270089-d75d-eecb-2caf-1bce2e4269ae}
    C:\Users\John\AppData\Local\{e4270089-d75d-eecb-2caf-1bce2e4269ae}
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Now rerun RogueKiller, just a scan, and attach log.

    How are things running now?
     
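As an added example (not from the thread, and not RogueKiller's or OTM's own code), a read-only Python triage check for the folder layout RogueKiller flagged above: GUID-named folders under Windows\Installer and the user's Local AppData that contain a U or L subfolder. It assumes that this U/L layout, not the GUID name alone, is the signal, because Windows\Installer legitimately holds GUID-named folders for installed MSI products; it only reports paths and deletes nothing.

```python
import os
import re
import tempfile
from typing import Iterable, List, Tuple

# GUID-style folder name, e.g. {e4270089-d75d-eecb-2caf-1bce2e4269ae} (the one in this thread)
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
# Subfolder names RogueKiller flagged in the thread; the U/L layout is the hint we key on
MARKER_SUBDIRS = ("U", "L")

def find_zeroaccess_dirs(roots: Iterable[str]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Read-only triage: (path, present marker subfolders) for GUID-named folders under
    each root that hold a U or L subfolder. Windows\\Installer legitimately holds GUID
    folders for installed MSI products, so a bare GUID folder is never reported."""
    findings = []
    for root in roots:
        if not os.path.isdir(root):  # e.g. LOCALAPPDATA unset or path missing
            continue
        for name in sorted(os.listdir(root)):
            path = os.path.join(root, name)
            if not os.path.isdir(path) or not GUID_DIR.match(name):
                continue
            present = tuple(s for s in MARKER_SUBDIRS if os.path.isdir(os.path.join(path, s)))
            if present:
                findings.append((path, present))
    return findings

def default_roots() -> List[str]:
    # The two parent folders named in the thread's detections, resolved from the environment
    roots = [os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Installer")]
    if os.environ.get("LOCALAPPDATA"):
        roots.append(os.environ["LOCALAPPDATA"])
    return roots

def demo_on_constructed_tree() -> List[Tuple[str, Tuple[str, ...]]]:
    """Build a constructed sample tree in a temp dir (empty folders, no malware) and scan it."""
    with tempfile.TemporaryDirectory() as base:
        bad = os.path.join(base, "{e4270089-d75d-eecb-2caf-1bce2e4269ae}")
        os.makedirs(os.path.join(bad, "U"))
        os.makedirs(os.path.join(bad, "L"))
        os.makedirs(os.path.join(base, "{11111111-2222-3333-4444-555555555555}"))  # MSI-style, benign
        os.makedirs(os.path.join(base, "plainfolder", "U"))  # has U but is not GUID-named
        hits = find_zeroaccess_dirs([base, os.path.join(base, "missing")])
        return [(os.path.basename(p), subdirs) for p, subdirs in hits]

if __name__ == "__main__":
    print("constructed tree:", demo_on_constructed_tree())
    for path, subdirs in find_zeroaccess_dirs(default_roots()):
        print(f"suspect: {path} (subfolders: {', '.join(subdirs)})")
```

A hit is a lead for the kind of RogueKiller/OTM cleanup described in the post above, not a verdict on its own.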
