Google Redirect Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by MVillalobosJ, Aug 21, 2011.

  1. MVillalobosJ

    MVillalobosJ Private E-2

I have a google redirect virus/malware that has apparently been active on my computer for about a week. I have followed the steps in the malware removal guide, unfortunately none of the scans ever completed without getting cut off and then being unable to start them up again. Attached is the one log I was able to get (MGlogs.zip). Any help on this would be greatly appreciated.
     

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks!

    Have you tried the following?

    Fixing Google Redirection/hijacking and other redirection problems

    I also want you to try the below:

    Please download OTL by Old Timer to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.

    When the scan is complete, a log entitled OTL.txt will be created on your desktop.
    Attach this log to your next message. (How to attach items to your post)
     
  3. MVillalobosJ

    MVillalobosJ Private E-2

    Thanks for your quick reply, sorry I took a long time to respond. This problem happened around the same time I was moving and I couldn't spend the time that I wanted to fixing this computer issue. Attached is the OTL.txt file that was requested. As for the other guide, I did complete every single step in that one as well as the general malware removal guide, each step that required a scan failed with the scanning program being locked out from further execution until a restart was done.
     

    Attached Files: OTL.Txt (102.3 KB)
  4. thisisu

    thisisu Malware Consultant

    Hi again :)

    I see that you ran MBRCheck.exe. Can you please attach the log (MBRCheck_08.20.11_22.15.33.txt) to your next reply (it's on your desktop).

    IF SOMETHING HERE DOES NOT RUN, MAKE NOTE OF IT, BUT CONTINUE ON TO THE NEXT STEP!

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Note: Please note in the below fix I am also removing TDSSKiller, MGtools, and ComboFix. I will give you instructions on trying to run them again in the upcoming steps.
      Code:
      :processes
      killallprocesses
      :otl
      PRC - C:\WINDOWS\3444034622:3241392178.exe File not found
      SRV - (AOLService) --  File not found
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
      IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
      FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
      FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4ced2e61&v=6.011.025.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q="
      O3 - HKLM\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (AIM Search) - {40D41A8B-D79B-43D7-99A7-9EE0F344C385} -  File not found
      O4 - HKLM..\Run: [AOLDialer]  File not found
      O4 - HKLM..\Run: [ATIPTA]  File not found
      O4 - HKLM..\Run: [HotSync]  File not found
      O4 - HKLM..\Run: [Pure Networks Port Magic]  File not found
      O4 - HKCU..\Run: [{416C78BA-D658-EC3E-35D0-05239C90E9AC}]  File not found
      O4 - HKCU..\Run: [AOL Fast Start]  File not found
      O4 - HKCU..\Run: [BackupNotify]  File not found
      O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
      O4 - HKLM..\RunOnceEx: [Title]  File not found
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: atgctaebsfelorvipgaiTaskMgr = 0
      O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000001 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000003 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000004 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000005 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000006 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000007 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000008 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000009 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000010 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000011 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000012 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000013 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000014 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000015 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000016 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000017 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000018 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000019 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000020 -  File not found
      O10 - Protocol_Catalog9\Catalog_Entries\000000000021 -  File not found
      O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} http://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab (Reg Error: Key error.)
      O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
      [2011/08/20 23:51:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\3444034622
      [2011/08/20 23:25:15 | 004,179,400 | R--- | M] () -- C:\Documents and Settings\Family Villalobos\Desktop\ComboFix.exe
      [2011/08/21 00:00:18 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
      [2004/11/10 00:46:10 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
      [2011/08/20 22:20:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
      [2011/06/28 21:43:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
      [2010/11/24 08:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Family Villalobos\Application Data\AVG10
      [2011/08/20 22:24:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Family Villalobos\Application Data\Viewpoint
      [2011/08/20 22:24:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2003/12/17 01:47:28 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.2.3.66.exe
      [2011/08/20 22:11:25 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Family Villalobos\Desktop\156506.com
      [2011/08/20 22:08:53 | 001,405,744 | ---- | M] () -- C:\Documents and Settings\Family Villalobos\Desktop\tdsskiller.exe
      [2011/08/11 03:08:11 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
      [2011/08/11 03:07:29 | 000,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
      [2008/10/22 21:05:03 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLds.DAT
      [2008/10/22 21:09:56 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
      [2006/06/14 19:41:10 | 000,018,224 | ---- | C] () -- C:\WINDOWS\System32\VnCrm06r1.dat
      @Alternate Data Stream - 816 bytes -> C:\WINDOWS\3444034622:3241392178.exe
      @Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
      :services
      3ecc47cd
      :files
      C:\Documents and Settings\Family Villalobos\Y9Y9
      C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini
      C:\WINDOWS\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\0.2985271122680514.exe
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\2.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\3.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\7.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\CbBbjX79.exe.part
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\E.dir
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\E.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\fla4B8.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\fla4B9.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\ge1380
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\ge2124
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\ge5120
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\etilqs_9F7Kq0uO8Opa8clEe1ao-journal
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\etilqs_9F7Kq0uO8Opa8clEe1ao
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\geIconCacheLock
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\geColladaModelCacheLock
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\gN1sl+Uw.exe.part
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\IXP930.TMP
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\jar_cache489814950651748831.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\jar_cache8576565665591088841.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSI369d9.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSIa09e4.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSIb5e0a.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSIce514.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSIce515.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSIdf00c.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\MSIf2da2.LOG
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\nsmA.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-50
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-51
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-44
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-45
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-46
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-47
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-48
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\plugtmp-49
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp3340
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp3124
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qtplugin.log
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp1356
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp2768
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp3112
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Ip3112
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Jp3112
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Kp3112
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.qHp748
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.rHp748
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp2892
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp3460
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Ip3340
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp3520
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\qt_temp.Hp3936
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\RQXnDkiZ.exe.part
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\{E9C1E0AC-C9B2-4c85-94DE-9C1518918D02}.tlb
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\_TRBD.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\_TRCC5.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\ver2
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\ver3
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\ver4
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\~379.tmp
      C:\Documents and Settings\Family Villalobos\Local Settings\Temp\~742.tmp
      C:\mgtools
      c:\mglogs.zip
      c:\mgtools.exe
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
      ""=""%1" %*"
      [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
      [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\VWPT]
      [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}]
      [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D2489DCF-30B6-4BA6-883F-AA0378131714}]
      :commands
      [purity]
      [createrestorepoint]
      
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Please download aswMBR by Avast to your desktop.

    • Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    • Select No when asked Would you like to download latest Avast! virus definitions?
    • Click the [Scan] button.
      Note: This scan should only take a few seconds to complete.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach items to your post)

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

    Now download a NEW copy of ComboFix.exe to your desktop.
    Turn off any Anti-Virus software and try to run it by double-clicking it.
    If it works this time around, attach the c:\ComboFix.txt (How to attach items to your post)

    After you have attempted to run ComboFix, I would like you to uninstall both SUPERAntiSpyware and MalwareBytes Anti-Malware (from Add/Remove programs via Control Panel).
    • MBAM will ask you to reboot your computer to remove the remaining traces of itself.
    • Please reboot now.

    Once you have rebooted

    Download SAS and MBAM.
    Refer back to SUPERAntiSpyware - running & getting a log and Using Malwarebytes Anti-Malware for instructions on how to run these programs.
    Attach the logs from both if they are able to run.

    Now I need a new OTL log
    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.

    When the scan is complete, a log entitled OTL.txt will be created on your desktop.
    Attach this log to your next message. (How to attach items to your post)

    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log (How to attach items to your post)
    C:\win32kdiag.exe -f -r

    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.

    Now download a new copy of MGtools.exe to the root of your C: drive. -- This one has better detection of the infection you have.
    • Now run C:\MGtools.exe by double-clicking it
    • Attach C:\MGlogs.zip to your next message.


    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
    Also let me know if you are having any problems with hidden/missing desktop icons, start menu, quick launch, program files, etc
     
    Last edited: Sep 5, 2011
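As an added example (not from this thread, from OTL's author or from the poster's own logs): a small Python triage pass over constructed lines in OTL's log format, modelled on the fix script above, that flags the indicator types the script targets: executables stored in alternate data streams, a process image that is itself a stream, a non-standard value name under policies\System, and Winsock catalog (O10) entries pointing at missing files. The line formats, the sample lines and the set of known policy value names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in OTL's log line format, modelled on the fix script above
# (the poster's actual OTL.txt attachment is not reproduced on the page).
SAMPLE_OTL_LINES = r"""
PRC - C:\WINDOWS\3444034622:3241392178.exe File not found
O4 - HKLM..\Run: [AOLDialer]  File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: atgctaebsfelorvipgaiTaskMgr = 0
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 -  File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 -  File not found
@Alternate Data Stream - 816 bytes -> C:\WINDOWS\3444034622:3241392178.exe
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
""".strip().splitlines()

# Assumed allow-list of value names Windows itself uses under policies\System;
# a name outside it (such as a garbled prefix on TaskMgr) deserves a look.
KNOWN_POLICY_VALUES = {"DisableTaskMgr", "DisableRegistryTools", "DisableCAD", "EnableLUA"}

ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
POLICY_RE = re.compile(r"^O7 - (HK\w+\\.*?policies\\System): (\S+) = (\S+)$")
LSP_RE = re.compile(r"^O10 - Protocol_Catalog9\\Catalog_Entries\\(\d+) -\s+File not found$")
PRC_RE = re.compile(r"^PRC - (.+?) File not found$")


@dataclass
class Finding:
    category: str   # one of: "ads", "ads_process", "policy", "lsp"
    detail: str


def split_ads(path):
    """Split 'host:stream' on the last colon; None when only the drive colon is present."""
    idx = path.rfind(":")
    if idx <= 1:          # 'C:' style drive colon only, so not an ADS path
        return None
    return path[:idx], path[idx + 1:]


def triage_otl(lines):
    """Return a list of Findings for the indicator types discussed in this thread."""
    findings = []
    for line in lines:
        line = line.strip()
        if (m := ADS_RE.match(line)) and (parts := split_ads(m.group(2))):
            host, stream = parts
            note = "executable stored in a stream" if stream.lower().endswith(".exe") else "data stream"
            findings.append(Finding("ads", f"{host} -> :{stream} ({m.group(1)} bytes, {note})"))
        elif (m := PRC_RE.match(line)) and split_ads(m.group(1)):
            findings.append(Finding("ads_process", f"process image is an ADS: {m.group(1)}"))
        elif (m := POLICY_RE.match(line)) and m.group(2) not in KNOWN_POLICY_VALUES:
            findings.append(Finding("policy", f"non-standard value {m.group(2)}={m.group(3)} under {m.group(1)}"))
        elif (m := LSP_RE.match(line)):
            findings.append(Finding("lsp", f"Winsock catalog entry {m.group(1)} points at a missing file"))
    return findings


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL_LINES):
        print(f"[{f.category}] {f.detail}")
```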
  5. MVillalobosJ

    MVillalobosJ Private E-2

    Thisisu,

    Thank you again for your reply and your help with this issue. It seems that whatever problem/virus is in this computer has progressed to the point that I can't really run the computer well anymore, let alone do anything in your post. I decided after a few frustrating hours of trying to get it to even boot up and stay booted up without freezing/crashing (even in safe mode) to just dump/reformat everything and reinstall the OS.
     
  6. thisisu

    thisisu Malware Consultant

    MVillalobosJ,

    Thanks for the heads-up. The type of infection you had does take quite a long time to completely remove. It is one of the most advanced rootkits I have seen so far.

    All the best,
    thisisu
     
