Desperate... Search Engine Redirection Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by MandyH, Jun 4, 2010.

  1. MandyH

    MandyH Private E-2

    Hi everyone, I've come here in hopes of figuring out what's happening to my computer. I've been bombarded with viruses apparently and my computer is still not at 100%. For the past 3 or 4 days I've been struggling to try to straighten it out to no avail. I was on the verge of tears yesterday as the frustration is really taking its toll on me.

    As background info, I run Norton Antivirus as my primary source of protection. It always came back clean or it "resolved" any threats so I thought my computer was secure. Then one day about a month ago I got hit with Antivirus Soft scam. I did not fall for it and did not purchase the software. After doing some searches I thought I had successfully gotten rid of it. I had no issues up until this week when it popped up again. I honestly can't remember what I did this last time to get rid of it, but it is gone - or so it appears.

    Now that that's gone my search engines are acting up. I can get on to Google and do a search, but when I click on one of the results it forwards me to a completely different page. Oddly enough, to me anyway, I can do a search in the News area and it works fine. It's just normal searches that won't work. I don't recall getting any pop ups, just the redirects. I have the same issue when I try Yahoo.

    I did some more searches at work on a completely different computer and found out about Malwarebytes which I downloaded. The first time around it came back with 16 issues which were removed. I ran it again last night and it came back with 12 more (may have been 13) which were again removed. I'm planning on running it a 3rd time this afternoon. I can post the logs on all (3) scans if it'll help.

    I can't even use my System Restore function either. I tried that using 3 different checkpoints, all came back incomplete.

    Through all my reading I've seen Combofix listed numerous times, but I'm VERY hesitant in downloading anymore programs, especially considering the warnings and disclaimers I've been reading about this one. It just makes me feel very uneasy. I just don't know what else to do. Any ideas?

    I was also wondering, how serious this "search engine redirect virus" is. I know I need to get rid of it and I want to get rid of it, but can I still do other work on my computer without risking anything?

    Also, with all of these issues I'm not beyond paranoid about my computer. How will I know with 100% certainty that my computer is secure once again.

    Lastly, when it comes to AntiVirus scanning, should it be done daily? I had my Norton software do a full system scan weekly, but I'm really considering changing it to daily. Would this help at all?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this another user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. MandyH

    MandyH Private E-2

    Here are the logs requested. I only had one program that I was unable to run for some reason. It was the ROOTREPEAL. It would start the initializing process, but then freeze. I have no log available for this program.

    Also, after I ran ComboFix it looks like my Google Searches are back on and working correctly again. I'm not sure if there's still something dangerous in my system though.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only thing I question is this file:
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\tnvhypset --> if you don't know what it is, delete it. Otherwise, your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  5. MandyH

    MandyH Private E-2

    I can't even begin to thank you enough for your help! Everything I tried went smoothly with the exception of the RootRepeal that wouldn't run.

    I've gone through the steps you listed and made the adjustments to my PC accordingly. My computer rebooted much faster than it has been recently and I can now access my search engines!

    I do have a couple of other questions though if you don't mind...

    #1 - svchost.exe - What is this process? When I go into my task manager I see it listed multiple times. Is this normal?

    #2 - My computer for the most part is pretty quiet, but every now and then it gets really loud like it's really thinking about doing something. It almost sounds like a CD is spinning inside (I don't have CDs in there). Is this normal of PCs or is it a sign of something going wrong?

    #3 - Since my computer was infected, is it possible that it spread to my father's computer if we're on the same network? We have a wireless connection. Should I run the same steps to his computer?

    Thanks again!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it is normal.
    It may be that your hard drive needs to be defragged. You may need to ask this question in the hardware section.
    Unless you have reason to believe that his machine is also infected, I doubt you would have infected his machine thru the wireless connection, but it is possible. I would suggest you at the least run SAS and MBAM on his machine.
    You are most welcome. Safe surfing. :)
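The reply above confirms that several svchost.exe entries in Task Manager are normal, because each one hosts a group of Windows services. The following PowerShell snippet is an added example (not part of the original thread, and not a MajorGeeks tool) that shows how a reader can check this for themselves on a modern Windows system: it lists every svchost.exe instance, the services it hosts, whether its image is the genuine copy in System32, and whether that image carries a valid Microsoft signature. The expected path is derived from %SystemRoot%; everything else comes from standard cmdlets.

```powershell
# Added example: audit svchost.exe instances on this machine.
# A legitimate svchost.exe runs from %SystemRoot%\System32, is signed by
# Microsoft, and hosts at least one registered service. Instances that fail
# any of those checks are worth a closer look (or a fresh SAS/MBAM scan).
# Run from an elevated prompt so process paths are readable for SYSTEM processes.

$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Map PID -> services running inside that process (PID 0 = not running).
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = try { $proc.Path } catch { $null }   # $null when access is denied
    $key  = [string]$proc.Id

    $hosted = if ($servicesByPid -and $servicesByPid.ContainsKey($key)) {
        ($servicesByPid[$key] | ForEach-Object { $_.Name }) -join ', '
    } else {
        '(no services)'   # an svchost hosting nothing is unusual
    }

    $signature = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

    [pscustomobject]@{
        PID        = $proc.Id
        Path       = $path
        PathOK     = [bool]($path -and ($path -ieq $expectedPath))
        Signature  = $signature
        Services   = $hosted
    }
}

$report | Format-Table -AutoSize

# Summarise the rows that deserve attention.
$suspect = $report | Where-Object { -not $_.PathOK -or $_.Signature -ne 'Valid' -or $_.Services -eq '(no services)' }
if ($suspect) {
    Write-Host "`nInstances to review:" -ForegroundColor Yellow
    $suspect | Format-Table PID, Path, Signature, Services -AutoSize
} else {
    Write-Host "`nAll svchost.exe instances look normal." -ForegroundColor Green
}
```

A row whose Path is empty usually just means the prompt was not elevated, so re-run as administrator before drawing conclusions; a row with a path outside System32, an invalid signature, or no hosted services is the kind of finding to report back in a thread like this one rather than act on alone.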
     
