Stubborn Browser Redirect Virus

Welcome to Major Geeks!

Please attach the requested log from MGtools which is the MGlogs.zip file located on your Desktop and/or at C:\MGlogs.zip. I can see it exists per your logs which shows

Code:

29/11/2013  23:16           433,146 MGlogs.zip

Also since you have run Junkware Removal Tool and AdwCleaner, attach the logs from them too so that we do not neeed to ask for them to be run again.

Per the logs you attached, I see that you have more than one antivirus program installed. You need to uninstall all but one antivirus program now.


Question: Is the below proxy setting something you knowingly configured?

ProxyServer (hxxp=92.52.125.17:80 [Country: (Private Address) (XX), City: (Private Address)]) -> FOUND

 

Yes uninstall Spyware Terminator too.

I'm going thru the files in MGlogs.zip now.

 

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/Users/Tom/AppData/Local/G...babniblemipncjj/SwitchyAuto.pac?1330374432915
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=92.52.125.17:80
O4 - HKLM\..\Run: [Search Protection] C:\ProgramData\Search Protection\SearchProtection.exe

After clicking Fix, exit HJT.

Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe

:Files
C:\ProgramData\Search Protection
C:\Windows\tasks\ErrorEND.job
C:\ProgramData\AVAST Software
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast
C:\Windows\TEMP\*.*
C:\Users\Tom\AppData\Local\Temp\*.*
:Reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Search Protection"=-
[HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
"Search Protection"="-
[HKEY_USERS\S-1-5-21-3670608905-1586916035-2694367411-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
"ProxyServer"=""
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

A few important things to try:

• Make sure that UAC is still disabled as requested in the READ & RUN ME FIRST
• Make sure that you shutdown protection software
• Make sure that you are using Right Click and Run As Administrator

If the above does not help, try running it from safe boot mode but boot back to normal mode for what follows OTM.

 

You did not have a virus. You had a simple browser redirect. And what we have already done has removed it.

Your new MGlogs.zip file is not properly updated. Most of the scans are from the old file. Thus it did not run properly or you did not wait for it to complete. Or protection got in the way, or UAC was not disabled, or you forgot to use Run As Administrator.

But if everything is running okay, we don't need to run it again.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
3. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
9. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
   • Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore​
   • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
   • Then we want you to Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

Does it only happen in Chrome? Shutdown Chrome and run Internet Explorer to see if it happens there too.

I still see Spyware Terminiator running. You were suppose to uninstall that. Did you have a problem uninstalling it?

 

Okay it may become necessary to uninstall Chrome and delete folders before reinstalling to fix this but let's run another scan first. Also in anticipation of possibly having to uninstall Chrome, I suggest that you backup any bookmarks you want to keep to reinstall later. Do not save in any Google folders though.

Please download OTL by OldTimer.

• Save it to your desktop.
• Double-click on the OTL icon on your desktopto run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

 

I'm not seeing anything that would be a sign of possible redirects. I do see issues with lots of leftovers from other protection software that is no longer installed. Like Avast, Ad-Aware Antivirus, Spyware Terminator. Let's clean this stuff up along with a few other junkware items and go from there.


Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.

• Double-click OTL.exe to run. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

:OTL
PRC - [2013/10/22 06:43:36 | 003,684,488 | ---- | M] (Crawler.com) -- C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe
DRV:[b]64bit:[/b] - [2013/10/18 09:03:49 | 000,014,456 | ---- | M] (GFI Software) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\gfibto.sys -- (gfibto)
DRV:[b]64bit:[/b] - [2013/04/11 10:06:54 | 000,039,504 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\gfiark.sys -- (gfiark)
IE - HKU\S-1-5-21-3670608905-1586916035-2694367411-1000\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = [URL]http://search.conduit.com/Results.aspx?ctid=CT3317209&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SPB536ABA7-A515-49F6-AD52-855F69A897B7&q={searchTerms}&SSPV[/URL]=
O4:[b]64bit:[/b] - HKLM..\Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe" File not found
O4:[b]64bit:[/b] - HKLM..\Run: [SpywareTerminatorShield] C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorShield.exe File not found
O4:[b]64bit:[/b] - HKLM..\Run: [SpywareTerminatorUpdater] C:\Program Files (x86)\Spyware Terminator\SpywareTerminatorUpdate.exe (Crawler.com)
O4 - HKLM..\Run: [Search Protection]  File not found
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - 
[2013/11/30 18:39:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Spyware Terminator
[2013/11/30 09:20:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup
[2013/11/25 17:10:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spyware Terminator
[2013/11/24 11:36:43 | 000,000,000 | ---D | C] -- C:\Users\Tom\AppData\Roaming\AVAST Software
[2013/11/24 11:34:08 | 000,334,648 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
@Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:9B750A13
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:4D066AD2
@Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:2430E4FC
@Alternate Data Stream - 131 bytes -> C:\ProgramData\Temp:8173A019
@Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:C46995DA
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:798A3728
@Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:DFC5A2B2
:Files
C:\Program Files (x86)\Ad-Aware Antivirus
C:\ProgramData\Spyware Terminator
C:\Program Files (x86)\MyPC Backup
C:\Program Files (x86)\Spyware Terminator
C:\Users\Tom\AppData\Roaming\AVAST Software
C:\Windows\SysNative\aswBoot.exe
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]
[REBOOT]

• Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!