Google Redirect Virus: bts.scour

Discussion in 'Malware Help (A Specialist Will Reply)' started by cris.pinoy, Oct 13, 2012.

  1. cris.pinoy

    cris.pinoy Private E-2

    So here's another report on the notorious bts.scour redirect virus.
    I tried running the clean-up processes and tools suggested in other threads but none seemed to have worked for me.

    Attached are the logs.

    P.S. I ran Avira (updated to the latest) scan before all the tools and found a TR/Rogue.kdv.746477. Virus signature in Avira said that it was a rootkit type and is responsible for the redirects. Anyhoots, I deleted it with Avira after quarantine.

    Still receiving redirects though. I was thinking, Avira might have just deleted the virus but not the whole rootkit responsible for producing the virus.

    Well, awaiting help. It's all yours.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, cris.pinoy :)

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • Coupon Printer for Windows
    • Java(TM) 6 Update 35
    • Web Assistant 2.0.0.445
    • YTD YouTube Downloader & Converter 3.7

    __

    http://img805.imageshack.us/img805/9659/rktigzy.gif Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below items:
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0)
    • [HJ] HKLM\[...]\System : EnableLUA (0)
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool to your desktop.
    • Please save the work in your browsers before proceeding.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Double-click JRT.exe to run (Vista/7 right-click and select Run as Administrator)
    • The tool will open and start scanning your system.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Please attach JRT.txt to your next message. (How to attach)

    __

    http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. cris.pinoy

    cris.pinoy Private E-2

    I got two new logs by RK: RKreport[1].txt and RKreport[2].txt. No RKreport[3].txt. I'm attaching both. Successfully deleted HKEYs though, leaving only two as per instruction.

    And hey, thanks for the welcome.
     

    Attached Files:

  4. cris.pinoy

    cris.pinoy Private E-2

    UPDATE:

    Surfing without glitches now.
    Any last cautions and suggestions?

    Thanks a bunch! :-D
     
  5. thisisu

    thisisu Malware Consultant

    Can you upload this file to VirusTotal?
    • C:\Windows\System32\sppsvcc.dll
    Let me know the results

    __

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA}:6.0.32
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}:6.0.33
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}:6.0.35
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox
    [2012/06/30 20:08:18 | 000,002,310 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [1 C:\Users\discovery\AppData\Local\*.tmp files -> C:\Users\discovery\AppData\Local\*.tmp -> ]
    [2012/10/14 09:06:27 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\Dtqwi.job
    @Alternate Data Stream - 189 bytes -> C:\ProgramData\TEMP:8E5EA40F
    :files
    C:\Program Files\Web Assistant\Firefox /d
    C:\Program Files\Web Assistant /d
    dir /s C:\Users\discovery\AppData\Local\visi_coupon /c
    C:\Program Files\mozilla firefox\searchplugins\babylon.xml
    :commands
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     
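The following PowerShell script is an added example and is not part of the thread or of OTL; it re-checks the indicators named in the OTL fix script above (the DLL the consultant asked to have hashed for VirusTotal, the scheduled-task job file, the Web Assistant folders and Firefox extension registration, the Babylon search plugin, the alternate data stream on C:\ProgramData\TEMP, the BHO CLSID, and the two UAC values RogueKiller flagged) so that the result of a cleanup can be confirmed independently of the tool's own log. Every path, GUID and value name comes from the thread; the registry locations for Browser Helper Objects and the UAC policy values are the standard Windows ones.

```powershell
# Added example (not from the thread): verify whether the items listed in the
# OTL fix script are still present. Run in an elevated PowerShell (4.0 or later
# for Get-FileHash). Reports only; it removes nothing.

$ErrorActionPreference = 'SilentlyContinue'

# Files and folders the :otl / :files sections remove (paths from the thread)
$paths = @(
    'C:\Windows\System32\sppsvcc.dll',
    'C:\Windows\tasks\Dtqwi.job',
    'C:\Program Files\Web Assistant',
    'C:\Program Files\mozilla firefox\searchplugins\babylon.xml',
    'C:\Users\discovery\AppData\Local\visi_coupon'
)

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        if (-not $item.PSIsContainer) {
            # The SHA-256 is what you submit to VirusTotal's search if you would
            # rather not upload the file itself.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            "PRESENT  $p  sha256=$hash  modified=$($item.LastWriteTime)"
        } else {
            $count = (Get-ChildItem -LiteralPath $p -Recurse -File).Count
            "PRESENT  $p  (folder, $count files)"
        }
    } else {
        "absent   $p"
    }
}

# Alternate data streams on C:\ProgramData\TEMP (the script lists TEMP:8E5EA40F);
# ':$DATA' is the normal unnamed stream and is filtered out.
$streams = Get-Item -LiteralPath 'C:\ProgramData\TEMP' -Stream * |
           Where-Object { $_.Stream -ne ':$DATA' }
if ($streams) {
    $streams | ForEach-Object { "ADS      $($_.FileName):$($_.Stream)  $($_.Length) bytes" }
} else {
    "no alternate data streams on C:\ProgramData\TEMP"
}

# Per-machine Firefox extension registration for Web Assistant (from the FF line)
$extKey  = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions'
$extGuid = '{336D0C35-8A85-403a-B9D2-65C292C39087}'
$reg = Get-ItemProperty -Path $extKey
if ($reg -and $reg.PSObject.Properties[$extGuid]) {
    "PRESENT  $extKey\$extGuid -> $($reg.$extGuid)"
} else {
    "absent   $extKey\$extGuid"
}

# The BHO entry from the O2 line; BHOs register under this key by CLSID
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}'
if (Test-Path -Path $bho) { "PRESENT  $bho" } else { "absent   $bho" }

# The two UAC values RogueKiller flagged and the consultant said to leave alone.
# 0 means UAC is switched off; 1 (EnableLUA) and 5 (ConsentPromptBehaviorAdmin)
# are the Windows 7 defaults.
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA=$($sys.EnableLUA)  ConsentPromptBehaviorAdmin=$($sys.ConsentPromptBehaviorAdmin)"
```

On a 64-bit system a 32-bit Firefox registers its extensions under HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions, so check that key as well if the first one is empty. Run the script once before and once after a fix and diff the two outputs; an item that reappears after a reboot points at a persistence mechanism the fix did not cover.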
  6. cris.pinoy

    cris.pinoy Private E-2

    Can't find
    What I found was a sppsvc.exe. Anyhoots, attached is the required log.

    P.S. I read through the log and OTL didn't find certain Firefox files. I'm using Chrome. Maybe we missed something here? Well, just a thought.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    http://img707.imageshack.us/img707/6703/generalxpicon.gif Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :dir
    C:\Users\discovery\AppData\Local\visi_coupon /s
    :file
    C:\Windows\System32\sppsvcc.dll
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  8. cris.pinoy

    cris.pinoy Private E-2

    Here goes:
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    That looks OK.

    This is OK. I was mostly doing redundant fixes to make sure the items were indeed gone ;)

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  10. cris.pinoy

    cris.pinoy Private E-2

    Oh. Okay.
    I'll observe this thing for a couple of days. I'll let you know if any glitches happen.

    Thanks again! :)
     
