Search Redirect Virus remains after restore

Discussion in 'Malware Help (A Specialist Will Reply)' started by nildram, May 9, 2010.

  1. nildram

    nildram Private E-2

    About a month ago my google searches began redirecting to sites like results.overture.com and googleadservices.com, on the first click and then working on the second click.

    I also have occasional pop ups requesting permission to allow the "online protection tool" from Microsoft, it just doesn't look or sound right though.

    I'm using Vista on an HP laptop, and went so far as to do a system restore (using F11 on startup), which I think is an HP feature below the Windows system.
    I don't know how, but somehow the bug is still with me. Both the redirect and the pop up persist. I'm running Norton Internet Security 2010 (trial version) since the start up. Was using Avast before, but I don't think it was automatically scanning and I wasn't really conscious of it.

    I'll attach my logs below, any help will be much appreciated. If it means anything, I find it strangely inspiring that there are people out there, on their computers, who choose to spend their free time debugging other people's computers.
     


  2. nildram

    nildram Private E-2

    RR Log
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please open this folder and slide ComboFix.exe out of it and onto your desktop:
    Running from: c:\av software\ComboFix.exe

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. nildram

    nildram Private E-2

    Hi Tim,
    The regedit was successful.

    Afterwards, I was still being redirected.

    I've attached the new MGtools log.

    I moved combofix, do you want me to run it? I'd started running it then stopped when I realized you only asked me to move it.

    After doing all of the above, I realized I only had local access to the internet via my wifi connection. I restarted, still no connection. Then I ran the repair function and the connection came back.

    Also, it's no longer redirecting me! I don't know about the fraudware pop ups, since they were pretty occasional.

    Does this make sense? Did the restart fix my problem?
     


  5. nildram

    nildram Private E-2

    update:
    Just got the "online protection tool" pop up again.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It should have fixed it. Since you just got another re-direct, do go ahead and run ComboFix as well as getting me a new MGLogs.zip.

    In the meantime, let's also do this:

    Download HostsXpert and then follow the below steps.

    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
     
  7. nildram

    nildram Private E-2

    OK, ran combofix.

    Ran Hostxpert.

    Here's the MGtools log.

    No search redirects, but still the occasional pop up imploring me to install "online protection tool".
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @TimW: The DNS Hijacker lines are still present in runkeys.txt. I suggest that you use ComboFix to remove them. That is if ComboFix is working properly which it may not be since there is no new log.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Something is preventing the fixes from working. Are you sure you have disabled all AV and AS software?

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"=""
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"=""
    [HKEY_LOCAL_MACHINE\system\controlset003\services\tcpip\parameters]
    "DhcpNameServer"=""
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{cf9215c0-69be-40d9-ac1e-e23fe07dd777}]
    [-HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{cf9215c0-69be-40d9-ac1e-e23fe07dd777}]
    [-HKEY_LOCAL_MACHINE\system\controlset003\services\tcpip\parameters\interfaces\{cf9215c0-69be-40d9-ac1e-e23fe07dd777}]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  10. nildram

    nildram Private E-2

    Sorry for the delayed response.

    The redirect, which had stopped, has started again. I think this may have happened when I disabled Norton. I've since uninstalled Norton and replaced it with Avast, since Norton was difficult to work with, disabling and re-enabling.

    I ran combofix again with the cfscript.txt, from the desktop.
    I've attached the logs for combofix and mgtools.

    Is it relevant that after running combofix, and after it restarts my system, Chrome and IE have error messages saying they can't be found in the registry, but after another restart, it's fine?

    Thanks again.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes these DNS Hijackers can infect router hardware. Please read and print or save the below instructions locally so that you can refer to them while offline. You will be disconnected as soon as you run the third step of the procedure with the ipconfig command and I don't want you to try reconnecting. That should be automatic later when we reboot.

    Follow all steps in the order given.

    Step 1:

    Since the infection you have is known to infect router hardware, if you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

    Step 2:

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop but do not run it yet. We will use it later.

    Step 3:

    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
    • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt
    • Enter the below commands at the command prompt each followed by the enter key. (note the space after ipconfig)
      • ipconfig /flushdns
      • ipconfig /releas
    • Exit the command window

    Step 4:

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Step 5:

    Since Avenger should have rebooted your PC, you should be back up now and have an internet connection again.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. nildram

    nildram Private E-2

    Hi Chaslang,
    I'm still working on this one, as I need to get my neighbour to agree to resetting the router that we share and he owns. Hopefully I'll have it done soon.
     
  13. nildram

    nildram Private E-2

    Hi Chaslang,
    Thanks for the help! I reset the factory setting on the router, but in order to get it working again, I had to upload a backup of the configuration I'd saved. I hope that didn't reinfect; I'd scanned the cfg file with Avast.

    However,
    I didn't have much luck with the ipconfig. ipconfig/ releas wasn't recognized.
    ipconfig /release returned the response:

    No operation can be performed on Local Area Connection while it has it's media disconnected.

    I made sure to use right click, run as administrator.

    Should I do the rest of the suggestions anyways?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you need to do the rest of the instructions. ;)
     
  15. nildram

    nildram Private E-2

    Logs!
     


  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run MBAM. You still have the dns hijack.

    After running MBAM, copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * MBAM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  17. nildram

    nildram Private E-2

    I ran a boot time scan in Avast. It found some things that it doesn't find in its regular scans. I moved them to "the chest", and pasted a screenshot of the log (sorry, txt file wasn't available).

    I'm going to delete them now.

    I also ran MBAM again. It found a few things.

    The reg edit was successful.

    I currently can't use google, gmail or yahoo in chrome.

    In IE, I can check gmail, but not load google or yahoo.
     


  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    At this point, your logs are clean. You may need to post in the software forum for your remaining issues. I would first try uninstalling Chrome, run CCleaner, and after a reboot, try reinstalling it. Your main infection was with the dns changer, which is now gone.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  19. nildram

    nildram Private E-2

    I'm not sure, TIMW.

    I've attached two more MBAM logs. The first showing nothing, and the second showing the same DNS trojans. The trojans must be hiding somewhere on my computer, since they will be removed and then return.

    I followed the directions you gave about protecting from malware, and I noticed that a lot of those steps are blocked to me. I can't access windows update, either from the website or in the windows application. I also can't visit the Super Anti Spyware website, the mbam website, etc. It seems to be trying to preserve these deficiencies in my security. I do now have Comodo instead of windows firewall alone.
     
  20. nildram

    nildram Private E-2

    You can see from the date on the MBAM logs that they're returning.

    Thanks for everything, truly.
     


  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Although he may have reset the router, if he is also infected with this, it will just keep reoccurring on your system. No matter how many times we remove it, it will come back. You need to check his system also!! Easiest way is to open a command prompt and type:
    ipconfig /all

    Then see if his DNS is set to
    93.188.161.105
    93.188.166.105

    You can also try by right clicking your wireless connection, go to tcp/ip settings and see if that shows the DNS settings ( which should be on auto ).

    This is what yours is set to:
    Code:
    Wireless LAN adapter Wireless Network Connection:
    
       Connection-specific DNS Suffix  . : 
       Description . . . . . . . . . . . : Atheros AR5007 802.11b/g WiFi Adapter
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::61a5:5748:913c:133d%10(Preferred) 
       IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred) 
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : May-20-10 8:27:17 AM
       Lease Expires . . . . . . . . . . : May-21-10 7:16:20 AM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 93.188.161.105
                                           93.188.166.105
       NetBIOS over Tcpip. . . . . . . . : Enabled

    If your neighbor's settings are the same ( the DNS settings ) then you will not be clean until he also is clean. All of the previous fixes are valid and should work on his system as well, though it would be best to see the MGLog.zip from his system.
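As an added check (my own example, not code from the thread or from MajorGeeks' tools), this Python script parses ipconfig /all output like the block above, collects each adapter's DNS servers, and flags any adapter pointing at the two rogue addresses or carrying hard-coded DNS with DHCP disabled. The sample output is constructed from the wireless adapter quoted above plus an invented clean adapter for contrast.

```python
import re

# Rogue DNS servers named in this thread (the pair TimW asked to look for).
ROGUE_DNS = {"93.188.161.105", "93.188.166.105"}

# Constructed sample output: the wireless adapter section quoted above, plus a
# second, clean adapter invented here for contrast (not from the original post).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HP-LAPTOP

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR5007 802.11b/g WiFi Adapter
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.161.105
                                       93.188.166.105
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Example Ethernet Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Field . . . : value" lines; dots and spaces pad the field name out to the colon.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /\-]*?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {"dhcp": bool|None, "dns": [ip, ...]}} from ipconfig /all output."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        # Adapter headers are unindented and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {"dhcp": None, "dns": []}
            field = None
            continue
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1).strip(), m.group(2).strip()
            if field == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
            elif field == "DHCP Enabled":
                adapters[current]["dhcp"] = value.lower() == "yes"
        elif field == "DNS Servers":
            # Extra DNS servers appear on continuation lines with no field name.
            adapters[current]["dns"].append(line.strip())
    return adapters


def find_dns_hijack(adapters, rogue=ROGUE_DNS):
    """List (adapter, reason) for adapters pointing at the rogue servers, or with
    DHCP disabled and hard-coded DNS, which is what TimW spotted in the log."""
    findings = []
    for name, info in adapters.items():
        bad = sorted(set(info["dns"]) & rogue)
        if bad:
            findings.append((name, "rogue DNS servers: " + ", ".join(bad)))
        elif info["dhcp"] is False and info["dns"]:
            findings.append((name, "static DNS with DHCP disabled: " + ", ".join(info["dns"])))
    return findings


if __name__ == "__main__":
    # On a Windows host, feed in the live output instead of the sample:
    # subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    for name, why in find_dns_hijack(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"[!] {name}: {why}")
```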
     
  22. nildram

    nildram Private E-2

    Just so I can clarify, for myself and my neighbour, "all of the previous fixes are valid", but are a certain subset of the previous fixes sufficient? It seems that MBAM alone can do it, and I imagine I can convince him to run that. Is that correct?
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MBAM has been able to find it, but it still does not remove the registry keys. That part is also important to have done. The thing is that his system may have it slightly differently than what is on your system. Therefore, I would need to see an MGLogs.zip from his system to be sure of the exact fix. And of course, the router would again need to be reset.
     
  24. nildram

    nildram Private E-2

    Hi Again,
    It's taken me a while to get access to the neighbour's computer, but I've got it now. I've rerun MBAM and mgtools on both computers.

    He did indeed have the DNS Changer trojans.

    These are my logs. I'll post his next.
     


  25. nildram

    nildram Private E-2

    And here are my neighbour's logs.
     


  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok, assuming that the router has been reset to factory settings, on your computer do this:

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now on his machine, he needs to clean out these folders:
    C:\Windows\Temp\
    C:\USERS\SUNTERRA\LOCALS~1\TEMP\

    He needs to uninstall one of these:
    Norton Internet Security
    AVG Free 9.0

    Then he can:
    Copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Then he needs to right click his Wireless LAN adapter Wireless Network Connection, click on Internet protocol version 4 and then click properties and make sure to remove any settings and have both Obtain ip address and Obtain DNS server set to automatic.

    Then re-run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip --> for both yours and his.

    Make sure you tell me how things are working now!
     
  27. nildram

    nildram Private E-2

    OK, well he's taken his computer to Florida for a week, so that'll have to wait.
    Quick question about execution, is it a bad idea to download the current routers settings to a .cfg file and upload them after? I've opened the file in notepad and it looks fairly harmless.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me get this straight, he has his computer but you are still accessing through his router? If you have done the reset on his router, and the registry fix on your computer, then you are fine, but only until he returns with his infected machine and plugs it back into the router or uses his wifi with his still infected machine.
     
  29. nildram

    nildram Private E-2

    You've got it straight. That's why I'm not applying the fixes until he's back.

    I'll just play it safe and write down all the router settings then restore them after the reset to factory default.

    Thanks.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You just need to make sure that neither machine has the DNS settings set to this:
    93.188.161.105
    93.188.166.105
    as well as removing the registry keys associated with that.
     
  31. nildram

    nildram Private E-2

    I think I've got it! This is the neighbour's computer's log.

    Thanks for your help!
     


  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I believe you do have it!!

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
