Google Redirect/Virus problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by MNMP2, Sep 19, 2010.

  1. MNMP2

    MNMP2 Private E-2

    Getting Google redirects in both IE and Firefox. Started this morning. Not sure what started it, but when I got up, Avira was giving messages about various trojans found. I ran an Avira scan and it found a few things, but this message disturbed me:

    Master boot sector HD0
    [DETECTION] Contains code of the BOO/Alureon.A boot sector virus
    [NOTE] The boot sector was not written!

    So I have followed all READ & RUN ME instructions. I will attach all of the logs. Didn't have any problems running anything, but when all was finished and I rebooted, I started getting it again. I even tried to run the Kaspersky TDSSKiller (it found something) but that didn't help.

    UGH!
     
  2. MNMP2

    MNMP2 Private E-2

    Here are a few logs.
     

    Attached Files:

  3. MNMP2

    MNMP2 Private E-2

    A few more.
     

    Attached Files:

  4. MNMP2

    MNMP2 Private E-2

    Sorry - one other observation. During the combofix run, I got a windows error message that DUMPHIVE.CFXXE encountered a problem and had to be shut down.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall these outdated versions of java:

    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 11
    • J2SE Runtime Environment 5.0 Update 7
    • J2SE Runtime Environment 5.0 Update 9
    • Java(TM) 6 Update 15
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7
    • Java(TM) SE Runtime Environment 6 Update 1

    Use windows explorer to find and delete this file:

    • C:\Documents and Settings\Owner.YOUR-55FC4BBBE6\Application Data\4405B6

    You ran an outdated version of TDSSKiller I think, run this new one now:

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.

    Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread

    Now go to VirusTotal and upload the following files for analysis, report back to me the results.

    • c:\windows\WSYS049.SYS
    • C:\Documents and Settings\Owner.YOUR-55FC4BBBE6\win_rhtdo53x4

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Also include the virustotal results and the log from MBRCheck.

    Let me know if you are still being redirected or not, and how things are running now?
     
  6. MNMP2

    MNMP2 Private E-2

    Thank You for the help. Here are the logs/files you requested. The results for the VirusTotal analysis were 0/42 (0.0%) and 0/43 (0.0%) respectively. I will now see if the redirect is gone.. Stand by.
     

    Attached Files:

  7. MNMP2

    MNMP2 Private E-2

    REDIRECT STILL OCCURRING!

    Tried a few clicks and it is still doing the same....
     
  8. MNMP2

    MNMP2 Private E-2

    Sorry- attached an old TDSSKiller log.. This is the one from the most recent run...
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And after running the current version of TDSSKiller, are you STILL having redirects? The log from TDSSKiller reports it dealt with a bad MBR and then MBRCheck says all is good. So answer this:

    If you ARE still being redirected tell me whether they still occur in safe mode?

    Run the tools again:

    First TDSSKiller and then MBRCheck and attach the logs.
     
  10. MNMP2

    MNMP2 Private E-2

    Ran the two processes again as directed, and still getting the redirect in both normal and safe mode. Every time I run the TDSSKILLER it detects "rootkit.win32.tdss.tdl4", and it has me reboot after suggesting the cure option. This thing won't go away.

    For some reason it keeps telling me that I have already posted the mbrcheck doc in this thread so I am attaching the larger log that it creates on my desktop when I run it.

    Sure hope we can find a solution. :(
     

    Attached Files:

  11. MNMP2

    MNMP2 Private E-2

    Just in case, here is that info it won't let me attach:



    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000007bc

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`0da54c00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Gateway MBR code detected
    SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


    Done!
    Press ENTER to exit...
     
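    As an added illustration (not part of the thread and not MBRCheck's own code) of what the MBRCheck output above is reporting, the following Python parses a 512-byte MBR: it verifies the 0x55AA boot signature, hashes the boot-code region, and turns each partition entry's starting LBA into the byte offsets printed in the log. The sample MBR, its boot-code bytes and the allow-list are constructed; that MBRCheck hashes exactly the first 446 bytes is an assumption.

```python
import hashlib
import struct

SECTOR = 512        # a byte offset in the log is start_lba * 512
PT_OFFSET = 446     # the four 16-byte partition entries follow the boot code
BOOT_SIG = b"\x55\xaa"

def build_mbr(entries, boot_code=b""):
    """Assemble a synthetic MBR from (bootable, type, start_lba, sectors)
    tuples. Used only to construct sample input; a real MBR is read from disk."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        off = PT_OFFSET + 16 * i
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

def parse_mbr(mbr):
    """Check the boot signature, hash the boot-code region and decode the
    partition table into the byte offsets MBRCheck-style tools print."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        flag, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0x00:       # empty slot
            continue
        partitions.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                           "start_lba": lba, "sectors": count,
                           "byte_offset": lba * SECTOR})
    return {"boot_code_sha1": hashlib.sha1(mbr[:PT_OFFSET]).hexdigest().upper(),
            "partitions": partitions}

def classify_boot_code(sha1_hex, known_good):
    """Compare the boot-code hash with an allow-list captured from a clean
    machine of the same make (the "Gateway MBR code" verdict in the log);
    an unlisted hash means the boot code changed and needs a closer look."""
    return known_good.get(sha1_hex.upper(), "unknown boot code")

# Constructed sample: FAT32 recovery partition at LBA 63 and a bootable NTFS
# partition at LBA 8835750, chosen so the byte offsets come out as the two
# values in the MBRCheck output above (0x7e00 and 0x1`0da54c00).
SAMPLE_MBR = build_mbr(
    [(False, 0x0B, 63, 8_835_687), (True, 0x07, 8_835_750, 600_000_000)],
    boot_code=b"CONSTRUCTED-PLACEHOLDER-BOOT-CODE",
)

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"  #{p['index']} type=0x{p['type']:02X} offset=0x{p['byte_offset']:X}")
```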
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay I think it's nearly time to try and fix your MBR

    I need to ask some questions:
    1. Do you have any drives that have a non-Windows installation on them?
    2. Are all drives NTFS formatted?
    3. Do you have any non-standard or special MBRs which can occur from companies like Dell or HP who frequently install additional partitions used for recovery partitions in lieu of giving CD/DVDs?
    4. Is any program like Grub (see: http://www.gnu.org/software/grub/) being used?
    5. Is drive-encryption being used?
    6. Are any drives external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
     
  13. MNMP2

    MNMP2 Private E-2

    The D: Recovery drive is FAT32, but the main C drive is NTFS and that is the only drive I use. No to all other questions. I will need to back up some pictures and a few other docs before we do it I guess.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK then let me know when you have backed up what you need.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Have you got your XP disk?
     
  16. MNMP2

    MNMP2 Private E-2

    I will have to back everything up tonight and check to see if I have the XP disk - all when I get home.

    Is there a good chance I will lose everything?
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, I think it will be okay but you never know. Anyway, there could be a change of plan here, I am discussing your issues. Although some logs are coming up normal, the TDSSKiller log is telling me there is a problem with your MBR, now we don't know for sure if TDSSKiller is correct or not but considering the fact that you state you are getting redirects in both normal and safe mode, and the fact that I am not seeing anything else unusual in your logs; then fixing the MBR might just be the best way to proceed.

    You will need to boot to the Recovery Console to remove this infection.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    Then boot back into normal mode.

    Then re-run MBRCheck and attach the new log.
     
    Last edited by a moderator: Sep 22, 2010
  18. MNMP2

    MNMP2 Private E-2

    OK - I was out of town for a few days and back now. I tried to do a backup but things keep popping up in Avira and such. The back up failed so I am just going to go ahead. Will post progress/results. BTW, Avira on start up was finding multiple infections again - one was something like Dropper.gen. I always have kept my computer in good shape - this is a little discouraging.
     
  19. MNMP2

    MNMP2 Private E-2

    Been waiting 10 minutes for the recovery console to start. It says Starting Windows Recovery Console.... and the bar below has progressed to the far right end but now it is just sitting there. Do I shut down and try from the XP CD? Don't want to do any damage.
     
  20. MNMP2

    MNMP2 Private E-2

    OK, shut down and tried again - it worked this time. However, after typing fixmbr on the command line, I am getting warnings that "This computer appears to have a non-standard or invalid boot record".

    It says it may damage the partition tables and make the hard disk inaccessible. Also that if I am not having problems accessing the drive, not to continue. Is this a standard warning?

    I think I will wait to do anything else until I get confirmation from you to go ahead with this...
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Seeking advice from a colleague regarding this. Just to be clear, let me know exactly what was being detected and where.
     
  22. MNMP2

    MNMP2 Private E-2

    I can't tell you where now, it happened and I chose "remove" and went on. Please tell me if the recovery console messages are legit or whether I should go on.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run both SAS and MBAM as well as ComboFix and attach the logs. Are you still being re-directed in web searches? Once you have those logs, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * New MBAM log
    * New SAS log
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  24. MNMP2

    MNMP2 Private E-2

    I'm sorry I am getting very confused here and the instructions are getting disjointed.

    Please tell me if I am supposed to run the "fixmbr" from the recovery console or not. Or do you want me to forget about those instructions and go ahead with running these other scans and attaching the logs?
     
  25. MNMP2

    MNMP2 Private E-2

    I went ahead and ran the scans and logs are attached. Once again, I got an error message regarding "dumphive.cfxxe" encountering an error and having to shut down while running combofix.

    Avira was popping up constantly while running SAS, but the messages seemed to match the files that SAS was detecting which is in the log.

    So far, no redirects occurring at this time.

    Still not sure if I was supposed to run the fixmbr from the recovery console or not - so far I have not done that step.
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, I don't want you to run the fixmbr. It is looking like that was a false positive.

    Let's do this>

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    RenV::
    c:\program files\Ahead\ODD Toolkit\DVDTray .exe
    c:\program files\Avira\AntiVir Desktop\avgnt .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\HP\HP Software Update\HPWuSchd2 .exe
    c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    c:\program files\Intel Audio Studio\IntelAudioStudio .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Portrait Displays\Pivot Software\wpctrl .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\SMINST\RECGUARD .exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
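    Added example (not from the thread and not ComboFix's own code): a defender-side check for the naming pattern behind that RenV:: list, where a legitimate program has been renamed to "name .exe" (a space before the extension) and another file may now occupy its original name. The directory layout is a constructed fixture in a temp folder with placeholder contents; on a real machine the scan would be pointed at C:\Program Files and similar.

```python
import os
import re
import tempfile
from pathlib import Path

# "avgnt .exe", "iTunesHelper .exe": a stem ending in a space before ".exe"
SPACED_EXE = re.compile(r"^(?P<stem>.+?) \.exe$", re.IGNORECASE)

def find_spaced_exe(root):
    """Walk `root` and report every "name .exe" file together with the
    "name.exe" twin sitting beside it (None if there is no twin). A twin is
    the stronger signal: the original was moved aside and something else
    now answers to its name, which is what the RenV:: entries undo."""
    hits = []
    for dirpath, _, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            m = SPACED_EXE.match(f)
            if not m:
                continue
            twin = by_lower.get(m.group("stem").lower() + ".exe")
            hits.append({"dir": dirpath, "renamed": f, "impostor": twin})
    hits.sort(key=lambda h: (h["dir"], h["renamed"]))
    return hits

def build_sample_tree():
    """Constructed fixture mirroring two paths from the CFScript above plus
    one clean program; file contents are placeholders, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    avira = root / "Avira" / "AntiVir Desktop"
    avira.mkdir(parents=True)
    (avira / "avgnt .exe").write_bytes(b"placeholder: renamed original")
    (avira / "avgnt.exe").write_bytes(b"placeholder: file now using the name")
    (root / "iTunes").mkdir()
    (root / "iTunes" / "iTunesHelper .exe").write_bytes(b"placeholder: renamed original")
    (root / "clean").mkdir()
    (root / "clean" / "notepad.exe").write_bytes(b"placeholder: untouched")
    return root

if __name__ == "__main__":
    for h in find_spaced_exe(build_sample_tree()):
        print(h["dir"], "|", h["renamed"], "->", h["impostor"] or "(no twin)")
```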
  27. MNMP2

    MNMP2 Private E-2

    Did as instructed and here are the logs. This time combofix ended up rebooting windows before creating the log file.
     

    Attached Files:

  28. MNMP2

    MNMP2 Private E-2

    Just a few minutes later Avira popped up with this while i was on a website I frequent daily (rotoworld) and have never had problems with:

    Virus or unwanted program 'HTML/Crypted.Gen [virus]'
    detected in file 'C:\Documents and Settings\Owner.YOUR-55FC4BBBE6\Local Settings\Temporary Internet Files\Content.IE5\KH9QV5KG\ddc[1].htm.
    Action performed: Deny access
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. I do however suggest that you clean out your temp internet files >
    C:\Documents and Settings\Owner.YOUR-55FC4BBBE6\Local Settings\Temporary Internet Files\Content.IE5

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:




     
  30. MNMP2

    MNMP2 Private E-2

    Just want to say thank you for the help! Everything seems to be going ok now.
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Safe surfing. :)
     
