Google redirection/ABNOW virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by kw8472, Mar 13, 2012.

  1. kw8472

    kw8472 Private E-2

Hi, I have read many of the other redirect threads as well as the master thread for getting rid of this virus. I have followed all of the steps in the redirect virus thread as well as the general malware removal post. I have the logs attached below for MBRCheck, TDSSKiller, Malwarebytes, SUPERAntiSpyware, and MGlogs. I attempted to carefully follow the instructions for running ComboFix including downloading it directly to my desktop (had to use IE for this since Firefox automatically downloads it to its own folder). I also closed all programs running using Task Manager and closing other programs in the system tray. I also have UAC disabled. However, I am not sure if ComboFix ran properly since it displays a window quickly and then posts no result or anything else, it simply closes. As the log will probably show, the only program that found anything was Malwarebytes. It found several trojans and rootkits. I quarantined, deleted, and restarted the computer and the virus appeared to be eradicated. However, several hours later Google stopped working properly and instead directed me to abnow.com or some other website. I have also factory reset both my modem and my wireless router. Unfortunately the virus is still present on my computer and the interesting thing is if I run Malwarebytes it finds something every time, yet does not seem to be able to eradicate the source. Thank you for your time! I am afraid I will have to do a complete system erase if I cannot get this fixed since I am mostly afraid of keyloggers and my personal data being stolen. The redirect is annoying but is not my primary concern. Thanks for your help! :)
     

    Attached Files:

  2. kw8472

    kw8472 Private E-2

    The rest of the logs for my problem!
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, kw8472!

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 18
    • Java(TM) 6 Update 29

    Do you have a flash drive you can use? If not, let me know. Otherwise, proceed with the below instructions:

    http://img827.imageshack.us/img827/1263/frst.gif For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
    Last edited: Mar 13, 2012
  4. kw8472

    kw8472 Private E-2

    I'm sorry, I do not own a flash drive. Is it possible for me to use my smartphone as a storage device? I have access to either my Android HTC Evo or my girlfriend's iPhone 4. Let me know if this is an option or if I have to buy one.
     
  5. thisisu

    thisisu Malware Consultant

    This probably would work as long as Windows is able to recognize the phone while in Windows Recovery Environment (WinRE).

    However you can also run this from the hard drive (while you're in WinRE). I will prepare some instructions for this soon.
     
  6. kw8472

    kw8472 Private E-2

    Thank you, I did uninstall the two java updates like you told me to. Was this because they were outdated and not 64 bit?
     
  7. thisisu

    thisisu Malware Consultant

    http://img827.imageshack.us/img827/1263/frst.gif Run FRST off the hard drive.
    • Copy FRST64.exe to the root of your C: Drive ( C:\FRST64.exe )
    • Reboot your PC and enter System Recovery Options

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    Important: Make note of which drive letter WinRE has assigned your operating system.
    For example: Above the "Startup Repair" selection/button, you should see something along the lines of: "Operating system: Windows 7 on ( D: ) Local Disk."
    • Select Command Prompt
    • In the Command Prompt window, type in the following and press ENTER: D:\frst64
    • Note: Replace letter D with the drive letter of your hard drive in WinRE.
    • The tool will start to run. However, it may change your drive letter temporarily from D: to C: and ask you to rerun the tool. Adjust accordingly to target FRST again. It may be C:\ this time.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) on the root of the C: drive (the same place as FRST64.exe). Please attach this log to your next reply. (How to attach)

    If you have any trouble, let me know.
     
    Last edited: Mar 14, 2012
  8. thisisu

    thisisu Malware Consultant

    Correct. We will install the latest version later once we get towards the end of malware removal.
     
  9. kw8472

    kw8472 Private E-2

    OK, I did follow your instructions; however, running D:\frst did not work so I tried D:\frst64 and that seemed to do the trick. Maybe it is different for 64-bit operating systems? Here is the log file it generated.

    Update!: I was perusing the log file and it shows zeroaccess under subsystems?! Is this the bastard?!
     

    Attached Files:

  10. kw8472

    kw8472 Private E-2

    Update: Malwarebytes detected a rootkit initialization when I opened Firefox a minute ago and it showed me the file path. I checked the file path C:\Users\Locke\AppData\Local and found a hidden folder C:\Users\Locke\AppData\Local\8cc8f693 that appeared on the day and approximate time that I first began experiencing the effect of the virus (3/11 at approx 5:20pm). Should I delete this folder and its contents?
     
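An added example, not part of the thread or of any tool it mentions, that does the check the poster did by hand: list hidden folders directly under %LOCALAPPDATA% with 8-hex-character names (like the 8cc8f693 folder found above), together with their creation time and any executables inside, so a folder can be matched against the time the redirects started. The cut-off date is the one the poster gave and is an assumption to adjust; the script only reports and deletes nothing.

```powershell
# Added example (not from the thread): read-only triage of hidden, hex-named
# folders under the user's local AppData. Nothing is modified or deleted.

# Assumed starting point, taken from the poster's observation (3/11 approx 5:20pm).
$Since   = Get-Date '2012-03-11 17:00'
$Base    = $env:LOCALAPPDATA
$Pattern = '^[0-9a-f]{8}$'      # eight lowercase hex characters, e.g. 8cc8f693

Get-ChildItem -Path $Base -Directory -Force |
    Where-Object {
        # Hidden attribute set AND name matches the hex pattern AND created after cut-off
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.Name -match $Pattern) -and
        ($_.CreationTime -ge $Since)
    } |
    ForEach-Object {
        $files = Get-ChildItem -Path $_.FullName -Recurse -Force -File -ErrorAction SilentlyContinue
        $bins  = $files | Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
                 Select-Object -ExpandProperty Name
        [PSCustomObject]@{
            Folder      = $_.FullName
            Created     = $_.CreationTime
            LastWritten = $_.LastWriteTime
            FileCount   = ($files | Measure-Object).Count
            Executables = ($bins -join ', ')
        }
    } | Format-List
```

A matching folder is only a lead to hand to the helper along with the scanner logs, not proof of infection on its own.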
  11. thisisu

    thisisu Malware Consultant

    We're going for a fairly big fix here. If successful, the majority of your malware problems should be alleviated.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to the root of the C: drive (C:\fixlist.txt)
    • You should now have both fixlist.txt and FRST64.exe on the root of C:\.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make another log file at the root of C:\ (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    The above fix will do it.

    Yes that's part of it. ;)

    Logging off for the night. Let me know how the system is running after you have completed the above step.
     
  13. kw8472

    kw8472 Private E-2

    Hi thisisu, I ran the fixlist and have attached the log. My initial test of Google is that it is working properly, although it has worked for periods of time before, so I must test it for a while before I am sure. Please let me know if there is anything else I can do to test to see if I still have any malware! Thank you so much for your help so far.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Looks good ;)

    http://img850.imageshack.us/img850/4124/mbam.gif Update MBAM and run another Quick Scan.

    Afterwards:

    http://img194.imageshack.us/img194/4930/combofix.gif Attempt to run ComboFix using these directions:
    • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /nombr
    • Now press ENTER
    • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
    • Attach C:\ComboFix.txt if it was successful. (How to attach)

    http://img684.imageshack.us/img684/6489/aswmbr.gif Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  15. kw8472

    kw8472 Private E-2

    Hi!
    I ran the four programs and have attached the logs.
     

    Attached Files:

  16. thisisu

    thisisu Malware Consultant

    Your latest logs are clean. As long as you deleted those items detected by MBAM (the log says you skipped them), you should be good to go.

    Last steps:

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 25 (64-bit)

    http://img827.imageshack.us/img827/1263/frst.gif Delete the c:\FRST folder as we no longer need it.
    You can delete FRST64.exe, FRST.txt, fixlist.txt, and fixlog.txt too.

    http://img195.imageshack.us/img195/9049/javaz.gif Now install the current version of Sun Java from: jre-7u3-windows-x64.exe

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  17. kw8472

    kw8472 Private E-2

    Thank you for your time and knowledge, everything seems to be working well and I have followed your final steps. Does any of the money from SUPERAntiSpyware or Malwarebytes go to you guys? If not, let me know how I can repay you for your help! :-D
     
  18. thisisu

    thisisu Malware Consultant

    Glad to hear that :)
    No.
    I appreciate that, but we do not accept donations. We would appreciate it if you liked us on Facebook and/or told your friends about us! :)
     
