Redirect Virus (Maybe Google or an evolved one)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Hikarusan, Jul 24, 2012.

  1. Hikarusan

    Hikarusan Private E-2

    Hi,

    I have a machine that behaves like it has the Google redirect virus. Just like the Google redirect virus, it redirects clicks on the Google search page to other pages, but unlike the Google virus, it takes you to a real site, just not the one you want, like monster.com etc....

    I have run all the scans and my system doesn't have anything that Malwarebytes or TDSSKiller.exe can detect, as they say my system is clean. I am running Windows 7 64-bit and the account infected is a non-admin account. I have logged into other accounts and it does not seem to be prevalent there (doesn't mean it isn't there, but I can't reproduce the problem). I have looked at all the manual removal steps and my machine does not show any of the signs listed. No DNS redirect, hosts file is not modified. LAN settings are normal. Browser is set to no proxy. The redirect occurs both in IE as well as Mozilla.

    My current workaround is to make another non-admin account, and it does not have the symptom yet, but I want to find out what is going on. Any idea what it could be? Could it be adware that is not considered a virus, or an add-on installed into the browsers themselves? I once remembered a way to list all the stuff your browser is running, and someone told me about a Babylon (not sure if it was called that) type of program that did the same thing and was removed by deleting it at the browser level; I just can't seem to locate the web page that talks about it.

    The behavior seems consistent with what I am experiencing, as it is localized to only one account. Any help or information would be helpful.
     
  2. Hikarusan

    Hikarusan Private E-2

    So I decided to do the scan on my admin account to see if it finds stuff, and well, it did. My Game account is now even more messed up as I applied the Malwarebytes fixes to it. It now has a fake anti-virus program pretending to scan and finding hundreds of viruses, asking me to buy, etc... It is also blocking my access to Task Explorer.

    The steps I was asked to run first did not include any step to remove the stuff IDed as malware in the Hitman phase, so my system is still hosed. I will be making two posts as I had to run Malwarebytes multiple times before it said everything was safe.

    Here are the logs.
     
  3. Hikarusan

    Hikarusan Private E-2

    Here are the Malwarebytes logs.
     
  4. Hikarusan

    Hikarusan Private E-2

    More info. My affected account now can't really browse, as search results will always be redirected. This is looking more and more isolated to the account only, as other accounts are still behaving normally. Anyone have any idea?
     
  5. thisisu

    thisisu Malware Consultant

    Hello Hikarusan,

    Is Hikaru the affected account? Just make sure that you are running these scans (and future ones) on the affected account.

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31

    __

    Delete this folder:
    • C:\ProgramData\225932FD000855EA02F1F6A1F875F002

    __

    Please download OTL by OldTimer.

     
  6. Hikarusan

    Hikarusan Private E-2

    Hi,

    First I would like to thank you for spending time to help me. To answer your question, Hikaru is not affected by the problem. I am not 100% sure, but I have not been able to reproduce the problem logged in as Hikaru. Hikaru is my account that has admin rights. The account that has the problem is Game. I was unable to do the logging and whatnot because I can't set UAC for that account to off. I tried to, but it said you need to be an admin to have it at that level. My Game account does not have admin rights. So my question is: should I go ahead and perform the scan without setting UAC to off?

    I also know that when you run as Admin and then enter a password, all logs are created in the Hikaru domain; I don't know if it scans the Game domain or not. Please let me know how to proceed. Should I run the steps you provided under my admin account Hikaru, or do it under Game but give the process access when it prompts for it?
     
  7. thisisu

    thisisu Malware Consultant

    If Game is the account that has the issues and is already a limited account, make it admin while you are logged into Hikaru (Control Panel => User Accounts => Manage another account).

    Since all of your logs thus far have been clean because they were run from the Hikaru account, run the scans on Game (once it has been made into an admin account) instead and attach those logs for review as they should reveal something.

    Also run the OTL scan while on Game after you are finished.
     
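    The thread turns on one point: the redirect lives in the Game profile (HKCU hive, %APPDATA%), so scans run from Hikaru never see it. As an added example (not from this thread or from MajorGeeks), here is a read-only PowerShell triage that walks the per-user vectors the original post already ruled out by hand (hosts file, proxy/PAC, browser add-ons) plus per-user autostarts; run it while logged in as the affected account. Registry paths are the standard Windows ones; the hex-named ProgramData folder check is an assumption generalized from the single folder thisisu named.

```powershell
# Added example, not from the thread: read-only per-user redirect triage.
# Run it while logged in as the affected account; HKCU and %APPDATA% are
# per-account, so the same checks from another account show nothing.
$findings = @()

# 1. Hosts file (machine-wide): list non-comment entries other than localhost.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostEntries = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost' }
if ($hostEntries) { $findings += 'hosts: ' + ($hostEntries -join ' | ') }

# 2. Per-user proxy / PAC settings: a redirect that lives here is account-local.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1) { $findings += "proxy: ProxyEnable=1 ProxyServer=$($p.ProxyServer)" }
if ($p.AutoConfigURL)     { $findings += "proxy: AutoConfigURL=$($p.AutoConfigURL)" }

# 3. Per-user autostarts (HKCU Run/RunOnce) launched from profile or temp folders.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)\\(AppData|ProgramData|Temp)\\' } |
        ForEach-Object { $findings += "run: $($_.Name) = $($_.Value)" }
}

# 4. Browser add-ons stored in the profile: per-user IE BHOs and Firefox extensions.
$bho = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bho -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "ie-bho: $($_.PSChildName)" }
$ffExt = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\extensions'
Get-ChildItem $ffExt -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "firefox-ext: $($_.FullName)" }

# 5. ProgramData folders named with a long hex string, generalized (assumption)
#    from the single folder thisisu asked to delete. PSIsContainer keeps this PS 2.0-compatible.
Get-ChildItem $env:ProgramData -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^[0-9A-Fa-f]{24,}$' } |
    ForEach-Object { $findings += "programdata: $($_.FullName)" }

if ($findings) { $findings } else { "No per-user redirect indicators found for $env:USERNAME." }
```

    The script only reports; anything it lists should go into the logs posted for review rather than be deleted on sight, since legitimate per-user extensions and autostarts match the same patterns.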
  8. Hikarusan

    Hikarusan Private E-2

    Hi thanks again,

    Is there any safety precaution I can take before making Game an admin account? Once it has admin rights, can it then infect my other accounts when I log into it? Would it be safer to just nuke the account if Hikaru is showing as clean?
     
  9. Hikarusan

    Hikarusan Private E-2

    Hi,

    Another question about the instructions. When you say uninstall Java 6 Update 31, is this for the test phase, or is that a virus version?
     
  10. thisisu

    thisisu Malware Consultant

    If you do not have anything important (documents, pictures, music, videos, etc) on that account then yes it's the safest and fastest solution.

    And yes so far Hikaru is showing as clean.

    Java 6 update 31 is outdated which is why I recommended you uninstall it.
    The latest (and safest) version is Java 7 Update 5.
     
  11. Hikarusan

    Hikarusan Private E-2

    Alright, I think I will opt to delete the account as it was a gaming account I used for my kids. Thanks for looking at my logs to help determine my main admin account was clean. I will also delete and update to the new Java.
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome.
    If everything is OK now, you can proceed with the below cleanup instructions.

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     