Google Redirect all browsers all computers

Discussion in 'Malware Help (A Specialist Will Reply)' started by minorgeeks.com, Mar 13, 2013.

  1. minorgeeks.com

    minorgeeks.com Private E-2

    Note: Hi, I sent a thread to start a couple hours ago with the same title, but I didn't post any logs to it, and it hasn't been read/approved yet. So here it is again, albeit without the same lengthy description, but with the logs.

    Basically I have a Google redirect virus on both my desktop and laptop that I think was picked up probably from googling for free online TV streaming sites. Let's try to remove it from my desktop and then maybe I can repeat the process myself for my lappy. Minor note: it could have come through my router from old files on my backup desktop, but I doubt it. Just in case, I just reset the router.

    Also, the problem started about Feb 11th/12th I think ('13). Before I found your site I of course ran some AV stuff and Malwarebytes and they found some spam and a couple trojans which I of course removed. I have original logs of everything to show you if you want/need to see them.

    I've seen no evidence of "tdss", and it affects both IE and Chrome on both computers. I run XP SP2 on purpose, and I stick with IE8 and Java v6.39 because my employer requires it. But I prefer to use Chrome when I can.

    I ran your IE optimization/cleaning and your Read and Run Me First, and did all the IE/XP OS/disk-emulation/temp-folders and Java and DNS cache flushing procedures, did the TDSSKiller and FixTDSS procedures and the MBRCheck, downloaded all the programs in order, and have the logs for you.

    Hope you can help find this thing(s). Thanks. P.S. I also downloaded a program called Digsby (don't know if it works yet) to try to get real-time pop-up alerts from when you reply to my email inbox so we can work together real-time (I'm usually on the comp most of the afternoon/evening). It's the best freeware I could find to get instant email notification for Hotmail; if you know of anything better please let me know. (I don't want all the junk included with the Microsoft Essentials, and I could never get Messenger linked to my email either). Thanks again, here's the logs:...
     

    Attached Files:

    Last edited: Mar 13, 2013
  2. minorgeeks.com

    minorgeeks.com Private E-2

    Here is the 6th file, the mbrcheck.exe file.

    Also, I'd assume I picked up the redirect virus either during my hunt for free The Walking Dead streaming sites (mostly overseas from the .eu), or when finally finding a decent one that worked without any lag for Americans, i.e., www.watchtvfree.me/2012/10/29/the-walking-dead-season-3-episode-3-walk-with-me/

    DO NOT GO TO IT unless you specifically want to risk picking up the virus so you can experiment with it yourself, or unless you really like the show :(
     

    Attached Files:

  3. minorgeeks.com

    minorgeeks.com Private E-2

    Here are some quick attachments of some earlier logs of removal processes I've tried in the last month:

    1) An Avira log showing the Tracur trojan and nybhfvwoi.dll and 6 successful HKEY repairs. They were from individually scanning an 'Opera' web browser file; funny thing is I don't ever remember putting Opera on my computer in the 2 years since I've had it. Apparently somehow I've got the whole application in my programs. Maybe I copied it there 2 years ago from my old desktop. I think this was likely separate from the Google redirect problem.

    2) My initial RK_quarantine report basically looks like it was showing a bunch of 'chrome_frame_helper' stuff. Maybe that was/is part of the problem since it is in the Google family.

    3) My initial RK regular report showing 3 potentially bad registry entries, again 2 chrome frame helpers and 1 "newstartpanel". Not sure what the MBR check stuff there means. Looks like maybe OK, but why 2 entries then? (bsp??)

    4) An adware cleaner log showing what looks OK except for some of those same 'windows' HKEY entries.

    5) My first Malwarebytes log done a month ago showing successful quarantine and deletion of 2 trojans. Again, since I still have the redirect malware I doubt this is related to the problem. But what do I know??


    HEY, I just noticed all the RogueKiller logs I've done in the last month are showing 17 entries with something called SSDT?!! Could that be the TDSS infection I've read about, only in reverse?? That would be cool if that was it!! Could someone tell me please? And how does one remove these, if in fact they are IT? (They also say "hooked". That seems like it could be suspicious.)


    ¤¤¤ Driver : [LOADED] ¤¤¤
    SSDT[25] : NtClose @ 0x805BAEB4 -> HOOKED (Unknown @ 0xBA7B0BDC)
    SSDT[41] : NtCreateKey @ 0x80622048 -> HOOKED (Unknown @ 0xBA7B0B96)
    SSDT[50] : NtCreateSection @ 0x805A9DEE -> HOOKED (Unknown @ 0xBA7B0BE6)
    SSDT[53] : NtCreateThread @ 0x805CF804 -> HOOKED (Unknown @ 0xBA7B0B8C)
    SSDT[63] : NtDeleteKey @ 0x806224D8 -> HOOKED (Unknown @ 0xBA7B0B9B)
    SSDT[65] : NtDeleteValueKey @ 0x806226A8 -> HOOKED (Unknown @ 0xBA7B0BA5)
    SSDT[68] : NtDuplicateObject @ 0x805BC890 -> HOOKED (Unknown @ 0xBA7B0BD7)
    SSDT[98] : NtLoadKey @ 0x80623D78 -> HOOKED (Unknown @ 0xBA7B0BAA)
    SSDT[122] : NtOpenProcess @ 0x805C9C46 -> HOOKED (Unknown @ 0xBA7B0B78)
    SSDT[128] : NtOpenThread @ 0x805C9ED2 -> HOOKED (Unknown @ 0xBA7B0B7D)
    SSDT[193] : NtReplaceKey @ 0x80623C28 -> HOOKED (Unknown @ 0xBA7B0BB4)
    SSDT[204] : NtRestoreKey @ 0x80620450 -> HOOKED (Unknown @ 0xBA7B0BAF)
    SSDT[213] : NtSetContextThread @ 0x805CFF26 -> HOOKED (Unknown @ 0xBA7B0BEB)
    SSDT[247] : NtSetValueKey @ 0x80620708 -> HOOKED (Unknown @ 0xBA7B0BA0)
    SSDT[257] : NtTerminateProcess @ 0x805D1170 -> HOOKED (Unknown @ 0xBA7B0B87)
    S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xBA7B0BF0)
    S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xBA7B0BF5)
     

    Attached Files:
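    The 17 hooks quoted above all land in one small address range, which is the quickest way to see why the expert's reply in this thread treats them as nothing of concern: a single driver (the thread later names Avira's avipbb.sys) owns every hook. The following Python is an added example, not from the thread or from RogueKiller: it parses those lines, clusters the handler addresses (reporting several clusters if several modules were hooking the table), and attributes each hook to a module range; the avipbb.sys base and size are constructed placeholders, since the thread gives no load address.

```python
import re

# Constructed sample: the 17 HOOKED lines quoted from the RogueKiller report above.
ROGUEKILLER_SSDT = """\
SSDT[25] : NtClose @ 0x805BAEB4 -> HOOKED (Unknown @ 0xBA7B0BDC)
SSDT[41] : NtCreateKey @ 0x80622048 -> HOOKED (Unknown @ 0xBA7B0B96)
SSDT[50] : NtCreateSection @ 0x805A9DEE -> HOOKED (Unknown @ 0xBA7B0BE6)
SSDT[53] : NtCreateThread @ 0x805CF804 -> HOOKED (Unknown @ 0xBA7B0B8C)
SSDT[63] : NtDeleteKey @ 0x806224D8 -> HOOKED (Unknown @ 0xBA7B0B9B)
SSDT[65] : NtDeleteValueKey @ 0x806226A8 -> HOOKED (Unknown @ 0xBA7B0BA5)
SSDT[68] : NtDuplicateObject @ 0x805BC890 -> HOOKED (Unknown @ 0xBA7B0BD7)
SSDT[98] : NtLoadKey @ 0x80623D78 -> HOOKED (Unknown @ 0xBA7B0BAA)
SSDT[122] : NtOpenProcess @ 0x805C9C46 -> HOOKED (Unknown @ 0xBA7B0B78)
SSDT[128] : NtOpenThread @ 0x805C9ED2 -> HOOKED (Unknown @ 0xBA7B0B7D)
SSDT[193] : NtReplaceKey @ 0x80623C28 -> HOOKED (Unknown @ 0xBA7B0BB4)
SSDT[204] : NtRestoreKey @ 0x80620450 -> HOOKED (Unknown @ 0xBA7B0BAF)
SSDT[213] : NtSetContextThread @ 0x805CFF26 -> HOOKED (Unknown @ 0xBA7B0BEB)
SSDT[247] : NtSetValueKey @ 0x80620708 -> HOOKED (Unknown @ 0xBA7B0BA0)
SSDT[257] : NtTerminateProcess @ 0x805D1170 -> HOOKED (Unknown @ 0xBA7B0B87)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xBA7B0BF0)
S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xBA7B0BF5)
"""

HOOK_RE = re.compile(
    r"^(?P<shadow>S_)?SSDT\[(?P<idx>\d+)\]\s*:\s*(?P<fn>\w+)(?:\s*@\s*0x[0-9A-Fa-f]+)?"
    r"\s*->\s*HOOKED\s*\((?P<owner>\w+)\s*@\s*0x(?P<addr>[0-9A-Fa-f]+)\)")

def parse_hooks(text):
    """One dict per HOOKED line: table (ssdt/shadow), index, hooked function, handler address."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"table": "shadow" if m["shadow"] else "ssdt", "index": int(m["idx"]),
                          "fn": m["fn"], "owner": m["owner"], "addr": int(m["addr"], 16)})
    return hooks

def cluster_handlers(hooks, gap=0x1000):
    """Group handler addresses lying within `gap` bytes of each other. One tight cluster
    means a single driver owns every hook; several clusters mean several hooking modules."""
    clusters = []
    for a in sorted(h["addr"] for h in hooks):
        if clusters and a - clusters[-1][-1] <= gap:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return [(c[0], c[-1]) for c in clusters]

def attribute(hooks, modules):
    """Map each hook to the module (name, base, size) whose range holds its handler."""
    owners = {}
    for h in hooks:
        name = next((n for n, b, s in modules if b <= h["addr"] < b + s), "UNKNOWN")
        owners.setdefault(name, []).append(h["fn"])
    return owners

# Hypothetical module range (constructed): the thread names avipbb.sys as the module
# path but gives no load address, so this base and size are placeholders.
MODULES = [("avipbb.sys", 0xBA7A0000, 0x20000)]

if __name__ == "__main__":
    hooks = parse_hooks(ROGUEKILLER_SSDT)
    print(cluster_handlers(hooks), attribute(hooks, MODULES))
```

    With the real module list from the same report in place of MODULES, any hook that comes back as UNKNOWN is the one worth a closer look.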

  4. minorgeeks.com

    minorgeeks.com Private E-2

    Can anyone help with this?? I really need some advice. I suppose on the surface it seems somewhat innocuous, if maybe annoying, to have the constant Google redirects. But from everything I've read it's supposed to be symptomatic of a deeper, hidden infection, and a likely precursor to more invasive infection. Perhaps I cleaned it, and it left the redirects which are just there as a shadow system, but perhaps not. Better to assume not. And they ARE very annoying, and time consuming. Most importantly, I'm having to work around a lot of my usual online activity.

    Some of the things I've been reading lately about rootkits and zero-days and/or specifically THE 'zeroday', if there is/was such a thing, have me becoming increasingly paranoid. Please, someone help me psych myself back out. If this malware episode is similar to what I last experienced oh maybe about 3 or 4 years ago, then I know it can be defeated. It's just that I remember it taking months and hundreds of hours of search/blog time to try to find the solution, and I don't remember how I got rid of it, although I think finding a random blog that advised someone in a similar situation to remove and specifically alter a set of "Hkeys" was part of the solution. But for all I can remember, maybe I just eventually reinstalled the OS, a direction I feel I'm sadly heading for now slowly anyway, a failure of sorts, and not knowing what the vector is so as to deal with it, if again, in the future.

    Should I try to remove those 17 drivers found in the RogueKiller report? If so, how? Should I try to run the almighty 'ComboFix' without any advice? Is that advisable? Have people done that? Is it secret, is it safe? (Go Frodo, you must leave, now) :wave Maybe I should just do a Windows search for everything named Google or Chrome and delete it? That 'chrome-frame-helper' seems to pop up in several of the various scans I've done, although I know it's a normal object 'pre-virus', but perhaps it's been hijacked as a vector? I don't really want to lose all my Google bookmarks and history etc.; I suppose I could sign up for their online record-keeping-type stuff that's supposed to keep track of all that for you in their 'cloud' or whatever, but I really prefer not to. I suppose I could try it on a short-term basis too, and later undo, if I can redownload my preferences/bookmarks/favorites/or whatever. Or are there specific Google-related folders I can spare from deletion? Anyone know if this is the right way, or how, to go about it?

    From what I can tell, it seems like my main hosts file is OK, and also my MBR, but I'm not an expert. The experts talking about zero-day access over on Sysinternals have me worried that it could be truly hidden, if I have it, in part since the only virus activity I've ever noticed before was analogous to their timeframes, i.e. about 3-4 years ago before respawning.

    I still think the vector now is from a push-exploit from searching for Walking Dead sites, but the parallels to the supposed 'zeroday' from reopening from a few years ago are similar, although in my case I simply transferred a few music torrents through my Windows transfer. I also wonder if maybe Avira itself has something to do with this. I've always been skeptical of them since they are a 'GmbH' (i.e. German) company. I remember that I found out 3 weeks ago, 4 weeks after this attack hit, that my Avira was shut down; yes I know, typical virus/exploit/malware tendencies, but still, now I see that these 17 potentially suspicious SSDT driver hooks have 17 parallel RogueKiller catches in a module path of \systemroot\system32\drivers\avipbb.sys. Does this potentially mean anything?

    The whole thing is very time-consuming, and unnerving, especially for a perfectionist. I really wish I had someone to guide me through this. I'm not really super worried about personal information or vulnerability, since I've long since assumed that everything I do online or by phone is known, and so I've long since used multiple redundancy with multiple computers and multiple phones, and try to mix up my locales (i.e. on/off campus, etc.) etc. I'm probably one of the few people on the planet who understand the true nature of, say for example, the financial-market 'flash crash', etc., and my cross-border excursions, what with the border-patrol invasions of privacy and down/uploading of high-tech government software-related content, have long since kept me aware and responsible with regard to digital activity, not to mention my legal and financial businesses. I just hate to think that some north or central or east-European jack-boot gypsy-thugs, or heaven forbid some African or Chinese wannabes, instead of someone closer to home, may have got a part of me; kinda bugs me, from a fidelity standpoint. :-o

    I'd hate to lose this opportunity to appropriately source this problem, and then I'd have to re-OS/wipe more than 1 comp as well. But left to my own, I'm seeing the trade-off in time as being fairly equal for the time being. Anyone, help? Tim? I see you've done some earlier work with Google redirects a few years ago. Those threads are informative, but I need personal assistance if I'm to entertain the ComboFix/OTL/etc.-type paste-fixing.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Have you read this >> Forum Rules and Guidelines and noticed the information about bumping??

    You are posting too many unnecessary and long messages containing lots of stuff we don't need. I'm sorry, but this does not help to get your posts read or answered, especially when we are so busy. There is basically nothing of any use to us in this last post.

    Those SSDT items in RogueKiller are nothing of concern and your MBR is normal. The first log from RogueKiller showed two bad processes ( chrome_frame_helper.exe ) but they were removed by other scans.

    Uninstall Chrome and then reboot. Then delete any folders related to Chrome (like this one >> C:\Documents and Settings\strawberries&cream\Local Settings\Application Data\Google\ ). Then download and install the current version of Chrome from the below link:

    Google Chrome 21.0.1180.89 Final

    Did that help with Chrome issues?

    You need to run MSConfig, select Normal Startup, apply that, and reboot. After the reboot continue with the below.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below very old versions of software:
    Java(TM) 6 Update 39

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\WINDOWS\Temp\*.*
    C:\Documents and Settings\strawberries&cream\Local Settings\TEMP\*.*
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"=-
    "MSMSGS"=-
    "Opera"=-
    "ChromeFrameHelper"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "MSConfig"=-
     
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Opera"=-
     
    [HKEY_USERS\S-1-5-21-861567501-1788223648-725345543-1003\Software\Microsoft\Windows\CurrentVersion\run]
    "Google Update"=-
    "MSMSGS"=-
    "Opera"=-
    "ChromeFrameHelper"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Mar 16, 2013
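    As an added example (not part of the thread, and not OTM's own code), this Python script parses an OTM fix in the format posted above into a dry-run plan, so every process, file glob and Run-key autostart entry the fix will touch can be reviewed before it is pasted. It assumes the :Reg section follows .reg-file conventions, where "name"=- deletes a value; the sample script is constructed in the same shape as the one in the post.

```python
import re

# Constructed sample in the same shape as the OTM script posted above: section
# headers, one file glob, .reg-style value deletions and the command tokens.
OTM_SCRIPT = r"""
:Processes
explorer.exe
:Files
C:\WINDOWS\Temp\*.*
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=-
"Opera"=-
"ChromeFrameHelper"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Opera"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(\w+)$")
KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

def parse_otm(text):
    """Split the script into its sections. :Reg entries become (key, value name, action);
    "name"=- is the .reg-file convention for deleting a value (assumed here for OTM too)."""
    plan = {"Processes": [], "Files": [], "Reg": [], "Commands": []}
    section = key = None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif section == "Reg":
            km, vm = KEY_RE.match(line), VALUE_RE.match(line)
            if km:
                key = km.group(1)
            elif vm and key:  # a value line before any [key] line is ignored
                name, data = vm.groups()
                plan["Reg"].append((key, name, "delete" if data == "-" else f"set {data}"))
        elif section in plan and line:
            plan[section].append(line)
    return plan

def autostart_removals(plan):
    """Value names deleted from any ...\\CurrentVersion\\Run key, with the keys they came
    from, so the analyst sees every autostart entry the fix will take away."""
    out = {}
    for key, name, action in plan["Reg"]:
        if action == "delete" and key.lower().endswith("\\run"):
            out.setdefault(name, []).append(key)
    return out

def describe(plan):
    """Human-readable dry run of what the script would do, one line per action."""
    lines = [f"stop process: {p}" for p in plan["Processes"]]
    lines += [f"move to _OTM\\MovedFiles: {f}" for f in plan["Files"]]
    lines += [f"{act} value '{n}' under {k}" for k, n, act in plan["Reg"]]
    lines += [f"command: {c.strip('[]')}" for c in plan["Commands"]]
    return lines

if __name__ == "__main__":
    print("\n".join(describe(parse_otm(OTM_SCRIPT))))
```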
  6. minorgeeks.com

    minorgeeks.com Private E-2

    Thanks Chaslang. I tried a few Google searches (and on the lappy too) and it seems to be working so far. Thanks a lot.

    Yes, sorry about the long post. I was feeling lonely and antsy. :-o

    The OTM script paste hung the app and the whole computer after hitting MoveIt!. I'm also mimicking your proscriptions for my infected laptop and same thing, good up until the OTM fix and then it hangs. (I altered the username of course, and removed the "Opera" entries from the script since I never had Opera on the laptop).

    In both cases the hang was persistent up to at least 20 minutes so I figure that was long enough to see if it would unhang. I'm testing again on the laptop and the hang is up to an hour now. I had to unplug my desktop here that is the subject of this post. I checked and there were no logs. I've got the MGlogs.zip though.

    I updated to Java 7:17, and it works for my work link-up, but we were warned it may cause things to slow up and to revert back to 6:41, so I may revert back to 6:43 (Oracle's last stable release of v6). I think it's possible to have dual versions somehow too, no? If I could find v7:07 or v7:15 on the Oracle site I would try that but I can't find those there. (I think I had v7:07 on the lappy and it was OK <no lag>).

    Thanks for your help. If I knew where the thank button was so I could add to your sizable cadre of thanks I would. I would make a small donation to MG too if I knew how.

    Anyway, you've helped with the redirect problem so far, so that's good enough I suppose. If you have an idea why OTM hangs please let me know so then I could post that for you. I'm definitely pasting it right with the entire content, no header, etc. Keeping the format just perfect, etc. No extra spaces/lines before or after, keeping all spaces/lines within, etc., etc.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please boot into safe mode and make sure no protection software is running, then retry the OTM fix. Let me know what happens.
     
  8. minorgeeks.com

    minorgeeks.com Private E-2

    OK, working on it. I did it once and it worked. But when I reboot into normal mode and look inside the C drive OTM folder it created, there are 48 files in there, all basically printer files, 3 layers deep after the date folder, dating back to the beginning of my computer a few years ago. (C:\_OTM\MovedFiles\03172013_004716\C_WINDOWS\Temp) for example.

    You want the last HP printer file from this temp folder?

    I'm gonna run it one more time and see what happens. I can't imagine you want all these printer files from the last few years. I clicked on the scroll bar within OTM after it ran, and then it hung a bit. Maybe that was a no-no.
     
  9. minorgeeks.com

    minorgeeks.com Private E-2

    OK great, I think I got it right this time. Here's the .log

    Also a new MGlogs just in case.
     

    Attached Files:

  10. minorgeeks.com

    minorgeeks.com Private E-2

    Still good. So far I haven't noticed any redirects on Chrome or IE.
    I looked over some of those MG logs. You really know your stuff if you can make sense of all that. I was a bit curious about those "active connections" nearer the bottom of the runkeys.txt and in the nwktst.txt, e.g.:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 127.0.0.1:1028 127.0.0.1:5354 ESTABLISHED
    TCP 127.0.0.1:1045 127.0.0.1:27015 ESTABLISHED
    TCP 127.0.0.1:5354 127.0.0.1:1028 ESTABLISHED
    TCP 127.0.0.1:27015 127.0.0.1:1045 ESTABLISHED
    TCP 192.168.0.100:2552 74.125.225.100:443 ESTABLISHED
    TCP 192.168.0.100:2553 74.125.134.95:443 ESTABLISHED
    TCP 192.168.0.100:2581 74.125.139.147:443 ESTABLISHED
    TCP 192.168.0.100:2636 74.125.225.111:443 ESTABLISHED
    TCP 192.168.0.100:2641 184.26.15.139:80 ESTABLISHED
    TCP 192.168.0.100:2647 74.125.225.121:80 ESTABLISHED
    TCP 192.168.0.100:2648 74.125.225.121:80 ESTABLISHED
    TCP 192.168.0.100:2651 209.8.118.74:80 ESTABLISHED
    TCP 192.168.0.100:2654 74.125.139.101:80 ESTABLISHED
    TCP 192.168.0.100:2657 23.67.210.110:443 ESTABLISHED
    TCP 192.168.0.100:2676 74.125.225.121:80 ESTABLISHED
    TCP 192.168.0.100:2677 74.125.139.155:80 ESTABLISHED
    TCP 192.168.0.100:2744 209.8.118.64:80 ESTABLISHED
    TCP 192.168.0.100:2746 209.8.118.64:80 ESTABLISHED
    TCP 192.168.0.100:2756 74.125.139.120:80 ESTABLISHED
    TCP 192.168.0.100:2869 192.168.0.1:1050 CLOSE_WAIT
    TCP 192.168.0.100:3186 74.125.225.101:443 ESTABLISHED
    TCP 192.168.0.100:4150 74.125.139.91:443 ESTABLISHED
    TCP 192.168.0.100:4151 74.125.225.134:443 ESTABLISHED


    I feel like a marked man :( Is that anything to be concerned with? Or is that normal?
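    An added Python triage for a netstat table of the kind quoted above (example code, not from the thread or from MGtools): it classifies each peer as loopback, same-LAN or public, pairs up the loopback rows (two local programs talking to each other produce two rows), and flags only public peers on non-web ports, which is why a table like this one comes back clean. The 203.0.113.5:6667 row is constructed to exercise the flag; the other rows are taken from the post.

```python
import ipaddress
import re

# Constructed sample: the loopback and LAN rows plus a few web-port rows quoted from
# nwktst.txt above, and one made-up row (203.0.113.5:6667, documentation range) so
# that the flagging branch has something to report.
NETSTAT = """\
Proto Local Address Foreign Address State
TCP 127.0.0.1:1028 127.0.0.1:5354 ESTABLISHED
TCP 127.0.0.1:1045 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:5354 127.0.0.1:1028 ESTABLISHED
TCP 127.0.0.1:27015 127.0.0.1:1045 ESTABLISHED
TCP 192.168.0.100:2552 74.125.225.100:443 ESTABLISHED
TCP 192.168.0.100:2641 184.26.15.139:80 ESTABLISHED
TCP 192.168.0.100:2869 192.168.0.1:1050 CLOSE_WAIT
TCP 192.168.0.100:3186 74.125.225.101:443 ESTABLISHED
TCP 192.168.0.100:3200 203.0.113.5:6667 ESTABLISHED
"""

ROW_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}

def parse_netstat(text):
    """One dict per TCP/UDP row; the header and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            proto, la, lp, fa, fp, state = m.groups()
            rows.append({"proto": proto, "laddr": la, "lport": int(lp), "faddr": fa,
                         "fport": None if fp == "*" else int(fp), "state": state})
    return rows

def classify(addr):
    """loopback (same machine), rfc1918 (same LAN, e.g. the router) or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "rfc1918" if any(ip in net for net in RFC1918) else "public"

def loopback_pairs(rows):
    """A local program talking to another shows up twice (once per end); pair the
    ends so four loopback rows are reported as the two connections they are."""
    ends = {(r["laddr"], r["lport"], r["faddr"], r["fport"]) for r in rows
            if classify(r["faddr"]) == "loopback"}
    return {frozenset([(l, lp), (f, fp)]) for l, lp, f, fp in ends if (f, fp, l, lp) in ends}

def triage(rows):
    """Count rows per peer class and flag public peers on non-web ports, which are
    the rows worth tying back to their owning process (netstat -o gives the PID)."""
    summary = {"loopback": 0, "rfc1918": 0, "public": 0}
    flagged = []
    for r in rows:
        kind = classify(r["faddr"])
        summary[kind] += 1
        if kind == "public" and r["fport"] not in WEB_PORTS:
            flagged.append(f'{r["faddr"]}:{r["fport"]} ({r["state"]})')
    return summary, flagged

if __name__ == "__main__":
    rows = parse_netstat(NETSTAT)
    print(triage(rows), "loopback connections:", len(loopback_pairs(rows)))
```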
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not problems! ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
