Topic: Google Redirect Virus (Read 7716 times)

redrhino

  • Guest
Google Redirect Virus
« on: August 10, 2011, 05:22:08 PM »
Hello.  I seem to have acquired the Google Redirect virus on my system.  I have run avast! Antivirus and it cleaned up a host of problems, but it did not remove the Google Redirect virus.  I then downloaded and installed Malwarebytes' Anti-Malware and the results of the scan are below.

Additionally, I followed the instructions at http://forum.avast.com/index.php?topic=53253.0 and downloaded and ran OTS.  Attached you will find the results of that scan.  

If someone can assist me in removing the Google Redirect virus from my system or advise me as to how I can determine how I can remove the virus, I would be most appreciative.  Thank you for your time and assistance in this matter.






Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7416

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/9/2011 11:57:46 AM
mbam-log-2011-08-09 (11-57-46).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Objects scanned: 443170
Time elapsed: 1 hour(s), 55 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

redrhino

  • Guest
Re: Google Redirect Virus
« Reply #1 on: August 10, 2011, 05:22:53 PM »
Here is part two of the OTS log file.

Pondus

  • Probably Bot
  • Posts: 37527
  • Not an avast user
Re: Google Redirect Virus
« Reply #2 on: August 10, 2011, 05:46:12 PM »
* download aswMBR.exe and save to desktop  http://public.avast.com/~gmerek/aswMBR.exe
* double click aswMBR icon to run
* click scan, then "Save Log" and post it here in your next reply



essexboy will arrive here soon...

redrhino

  • Guest
Re: Google Redirect Virus
« Reply #3 on: August 10, 2011, 07:00:02 PM »
Thank you for your reply, Pondus.  The results of this scan are as follows:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-10 12:40:02
-----------------------------
12:40:02.290    OS Version: Windows x64 6.1.7601 Service Pack 1
12:40:02.290    Number of processors: 2 586 0x603
12:40:02.290    ComputerName: POPPY  UserName: David
12:40:04.053    Initialize success
12:40:04.147    AVAST engine defs: 11081000
12:40:17.251    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:40:17.251    Disk 0 Vendor: WDC_WD5000BEVT-60A0RT0 02.01A02 Size: 476940MB BusType: 11
12:40:19.294    Disk 0 MBR read successfully
12:40:19.294    Disk 0 MBR scan
12:40:19.310    Disk 0 unknown MBR code
12:40:19.326    Service scanning
12:40:20.714    Modules scanning
12:40:20.714    Disk 0 trace - called modules:
12:40:20.745    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
12:40:20.761    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800430f060]
12:40:20.761    3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa80042fc040]
12:40:20.776    5 hpdskflt.sys[fffff880019a2185] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80042e6060]
12:40:22.134    AVAST engine scan C:\Windows
12:40:28.998    AVAST engine scan C:\Windows\system32
12:42:04.969    AVAST engine scan C:\Windows\system32\drivers
12:42:18.089    AVAST engine scan C:\Users\David
12:57:50.378    Disk 0 MBR has been saved successfully to "C:\Users\David\Desktop\MBR.dat"
12:57:50.378    The log file has been saved successfully to "C:\Users\David\Desktop\aswMBR.txt"
12:58:10.088    Disk 0 MBR has been saved successfully to "C:\Users\David\Desktop\MBR.dat"
12:58:10.088    The log file has been saved successfully to "C:\Users\David\Desktop\aswMBR.txt"



essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Google Redirect Virus
« Reply #4 on: August 10, 2011, 08:37:44 PM »
On completion of this run can you check for redirects please

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > ->
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> 43 76 41 01 46 1D 0B 42 BC 88 32 E1 34 F3 A6 E7  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > ->
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 43 76 41 01 46 1D 0B 42 BC 88 32 E1 34 F3 A6 E7  [binary data]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache   -> C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  382224080 -> C:\Windows\SysWow64\382224080
[Files - No Company Name]
NY ->  85A48F -> C:\Users\David\AppData\Roaming\85A48F
[Custom Items]
:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
:files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

redrhino

  • Guest
Re: Google Redirect Virus
« Reply #5 on: August 10, 2011, 09:14:56 PM »
essexboy,

Thank you for your response and your help.  It appears that your fix has removed the Google Redirect virus from my system.  Below are the logs after running the fix.

All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}\defaults\preferences folder moved successfully.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}\defaults folder moved successfully.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}\chrome folder moved successfully.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\SysWow64\382224080 moved successfully.
[Files - No Company Name]
C:\Users\David\AppData\Roaming\85A48F moved successfully.
[Custom Items]
========== REGISTRY ==========
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default deleted successfully.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\\XMLHTTP_UUID_Default deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\David\Downloads\cmd.bat deleted successfully.
C:\Users\David\Downloads\cmd.txt deleted successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: David
->Temp folder emptied: 1085185 bytes
->Temporary Internet Files folder emptied: 3810412 bytes
->Java cache emptied: 858149 bytes
->FireFox cache emptied: 912555694 bytes
->Google Chrome cache emptied: 1905008 bytes
->Flash cache emptied: 68358 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2374966 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50534 bytes
RecycleBin emptied: 9235502 bytes
 
Total Files Cleaned = 889.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: David
->Flash cache emptied: 0 bytes
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 08102011_145856

Files\Folders moved on Reboot...
C:\Users\David\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
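
The fix above and its log show the four kinds of item the helper picked out by hand: a BHO whose CLSID key could not be resolved, a digits-only file directly in SysWow64, a hex-named folder directly under AppData\Roaming, and a DNS cache flush. The script below is an added example written for this page; it is not OTS code, and its heuristics are an editor's assumptions rather than OTS rules. It parses OTS-style item lines and a hosts file (both constructed samples modelled on the entries in this thread; the two-letter OTS flag column is parsed but not interpreted) and returns the items a first-pass redirect triage would flag.

```python
"""Heuristic triage of redirect-hijack indicators from OTS-style log lines and a
hosts file. Added example for this thread; it is not OTS code and the heuristics
are this editor's assumptions, not OTS rules."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class
    item: str    # path, CLSID or hosts mapping that was flagged
    reason: str  # one-line justification


# OTS lists items as "<flags> -> <name> -> <target>"; the two-letter flag column is
# captured but deliberately not interpreted here.
OTS_LINE = re.compile(r"^\s*([YN])([YN])\s*->\s*(.*?)\s*->\s*(.*?)\s*$")
# File directly inside System32 or SysWow64 (group 2 is the base name).
SYSTEM_FILE = re.compile(r"\\Windows\\(System32|SysWow64)\\([^\\]+)$", re.IGNORECASE)
# Folder directly under AppData\Roaming whose name is upper-case hex with at least
# one digit, e.g. 85A48F (assumption: legitimate vendors use readable names).
ROAMING_BLOB = re.compile(r"\\AppData\\Roaming\\(?=[0-9A-F]*\d)([0-9A-F]{5,})$")

# Constructed sample, modelled on the items the fix in this thread targeted, plus two
# benign entries so the heuristics have something to leave alone.
SAMPLE_OTS_LINES = r"""
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YY -> Google Toolbar Helper [HKLM] -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_64.dll
NY ->  382224080 -> C:\Windows\SysWow64\382224080
NY ->  85A48F -> C:\Users\David\AppData\Roaming\85A48F
YY ->  notepad.exe -> C:\Windows\SysWow64\notepad.exe
"""

# Constructed hosts file: two normal loopback lines and two entries that would send
# Google lookups to a non-local address (203.0.113.7 is a documentation-range IP).
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com   # redirect-style entry
203.0.113.7     google.com
"""


def triage_ots_lines(text: str) -> list[Finding]:
    """Apply three indicator checks to OTS-style item lines."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = OTS_LINE.match(line)
        if not m:
            continue
        _, _, name, target = m.groups()
        # 1. A BHO whose CLSID is registered but cannot be resolved; the fix log in
        #    this thread reported the matching Classes\CLSID key as not found.
        if name.startswith("{") and "Reg Error" in target:
            findings.append(Finding("orphan-bho", name, "BHO CLSID registered but unresolvable"))
            continue
        # 2. A digits-only file name sitting directly in a system directory.
        sm = SYSTEM_FILE.search(target)
        if sm and sm.group(2).isdigit():
            findings.append(Finding("numeric-system-file", target, "digits-only name in a system directory"))
            continue
        # 3. A random-looking hex folder directly under Roaming.
        if ROAMING_BLOB.search(target):
            findings.append(Finding("hex-roaming-folder", target, "hex-blob folder directly under Roaming"))
    return findings


def triage_hosts(text: str) -> list[Finding]:
    """Flag hosts entries that map a name to anything other than a local address."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr_text, *hosts = line.split()
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            continue   # malformed line; not this script's concern
        if addr.is_loopback or addr.is_unspecified:
            continue   # 127.0.0.1, ::1 and 0.0.0.0 are the normal blocklist idioms
        for host in hosts:
            findings.append(Finding("hosts-redirect", f"{host} -> {addr}", "hosts entry points off the local machine"))
    return findings


if __name__ == "__main__":
    for f in triage_ots_lines(SAMPLE_OTS_LINES) + triage_hosts(SAMPLE_HOSTS):
        print(f"[{f.kind}] {f.item}: {f.reason}")
```

Run as-is it flags exactly the three entries the thread's fix moved or deleted and the two off-box hosts mappings, while leaving the toolbar DLL, notepad.exe and the loopback lines alone. Against a real machine you would paste the OTS scan sections and the contents of C:\Windows\System32\drivers\etc\hosts into the two inputs; a hit from these heuristics is a lead to research, not proof of infection, which is the point essexboy makes below about the training needed to decide what to delete.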

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Google Redirect Virus
« Reply #6 on: August 10, 2011, 09:17:56 PM »
If you are still happy tomorrow let me know and I will remove my rubbish  ;D

redrhino

  • Guest
Re: Google Redirect Virus
« Reply #7 on: August 12, 2011, 06:38:42 PM »
Everything is still great.  Thank you for all your help, essexboy!!  Are there any resources you can recommend where I can learn to analyze the output of the logs and remove the virus myself in the future?

essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Google Redirect Virus
« Reply #8 on: August 12, 2011, 08:00:54 PM »
There is a tutorial for OTL at the GeeksToGo website, but as to determining which files to delete, that will need some research and training.


Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTS and hit the Cleanup button. It will remove all the programmes we have used, plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

 Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version
SPRING CLEAN

To manually create a new Restore Point
 
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?

Keep safe  :wave: