Google - Yahoo Redirect Virus

Hi there and welcome I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thanks for your patience during this time.

Kes13!

 

1. I would advise you to uninstall this out of date and rather useless piece of software from add/remove programs:

• Ad-Aware 2007

2. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
c:\program files\Common Files\profsyb.html 
C:\WINDOWS\system32\null
C:\Documents and Settings\David\Local Settings\TEMP\pcf8.tmp
C:\WINDOWS\TEMP\D653F3EC.TMP

Folder::
c:\program files\Common Files\ParetoLogic
c:\documents and settings\All Users\Application Data\ParetoLogic
c:\documents and settings\All Users\Application Data\Viewpoint

DirLook::
c:\program files\Common Files\lavum198
C:\Documents and Settings\All Users\Application Data\3e2dc5a

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


3. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

6. Are you still getting redirected? Does this occur in Firefox too? (Download it and see) Do the redirects occur in safe mode too?

 

The logs are still not yielding anything much suspicious, let's try this:

1. Use Windows Explorer to locate the following bold file in the code box:

Code:

c:\program files\mozilla firefox\components\[B]WD-pp6osPS0.dll [/B]

Rename it to WD-pp6osPS0.dll.old and let me know how Firefox behaves now and if the redirects continue or not.

2. Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\dllcache\atapi.sys
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

3. Now I would like for you to run the ESET Online Scanner:

Please disable your antivirus program while running this scan to avoid running into issues with your existing program conflicting with the online scan.

Notes:

• You must use Internet Explorer to run this scan.
• If you are using Vista, right click IE and "Run as Administrator" or the online scanner will not work properly.

Click on this ESET Online Scannner to begin the process.

• Check the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to be installed.
• Click Start
• Check below options:
  • Remove found threats
  • Scan unwanted applications.
• Click Scan
• Wait for the scan to finish
• When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
• Attach this logfile to your next message.
  • (See: HOW TO: Attach Items To Your Post )

4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Also please attach the EsetOnlineScanner\log.txt and the log from running combofix


5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
C:\Documents and Settings\David\Local Settings\Application Data\prvlcl.dat
C:\WINDOWS\TEMP\SPL1D8E.tmp

Folder::
C:\WINDOWS\TEMP\f75bf408-a202-4b61-b79d-260e3bb43ef1

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

 

where is it disappearing to?

We have something to try now.

Yes it's currently offline at the moment due to a bug, so the update wont complete successfully. We'll just use the version we are already using.

1. We need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

File::
c:\program files\Common Files\lavum198

Folder::
c:\documents and settings\All Users\Application Data\3e2dc5a

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

2.

• Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

Code:

[B]"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v[/B]

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents in your next reply.

3. Please disable all add-on's on your browsers and tell me if you still get rediredted then.

4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix. and the TDSSKiller.txt log.

 

Then right click and "cut" it to your desktop.

Then you need to use the machine for a little while and test out how it behaves and then get back to me and let me know. I will be here waiting.

Yes, getting there...

 

Give it time... but what we will have to do if this keeps on occurring is the below:

If there is still a problem, try uninstalling FireFox and then delete the folders in Program Files

Navigate to the below using windows explorer and see if any firefox directories still exist and delete if present.
( C:\Program Files\Mozilla Firefox)


and App Data.
(C:\Documents and Settings\your username\Application Data\Mozilla) see if a folder such as this exists and delete if found.

Then reboot. After reboot, reinstall with no addons and see what happens.

 

Hi, what's the staus? How are things running now?

 

Good to hear! I'll link final steps below which you can follow after you've given it a bit more time to see how things run!

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!