Author Topic: Another Google redirect virus  (Read 5545 times)


ruperty

  • Guest
Another Google redirect virus
« on: September 14, 2011, 05:17:54 PM »
This time it's to 64.11.199.226, but pretty sure it changes on each one, mostly starting with 64.

I've tried everything. Avast scan, Malwarebytes, TDSSKiller, checked hosts file, all clean.

Problem is that the redirect is very infrequent, but is annoying all the same.

I've attached OTL file. Assistance would be much appreciated!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another Google redirect virus
« Reply #1 on: September 14, 2011, 08:02:37 PM »
Are these alerts with Firefox, IE or both?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    FF - prefs.js..extensions.enabledItems: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.36
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6E158481-1672-4A36-9716-FA892ABC954E}: C:\Documents and Settings\david\Local Settings\Application Data\{6E158481-1672-4A36-9716-FA892ABC954E} [2011/06/07 03:10:14 | 000,000,000 | ---D | M]
    [2011/09/13 21:18:49 | 000,000,000 | ---D | M] (SearchStatus) -- C:\Documents and Settings\david\Application Data\Mozilla\Firefox\Profiles\yiu5jc8a.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
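As an added example (not from this thread and not part of OTL), here is a small Python triage script for the two things the fix above touches: the `extensions.enabledItems` list in Firefox's prefs.js and the Windows hosts file. The prefs.js and hosts content below is constructed for the example, and the allowlisted extension id is assumed to be Firefox's default theme.

```python
import re

# Constructed sample prefs.js content (not from the thread). The first id is the
# SearchStatus extension named in the OTL fix; the second is assumed to be the
# default theme and stands in for a known-good entry.
SAMPLE_PREFS = r'''
user_pref("extensions.enabledItems", "{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}:1.36,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.22");
user_pref("browser.startup.homepage", "about:home");
'''

# Constructed sample hosts file pinning a search host to an outside address.
SAMPLE_HOSTS = r'''
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.111.199.226  www.google.com   # constructed entry for the example
'''

ENABLED_ITEMS_RE = re.compile(r'user_pref\("extensions\.enabledItems",\s*"([^"]*)"\)')

def enabled_extensions(prefs_text):
    """Return [(extension_id, version), ...] parsed from extensions.enabledItems."""
    m = ENABLED_ITEMS_RE.search(prefs_text)
    if not m or not m.group(1):
        return []
    items = []
    for entry in m.group(1).split(","):
        ext_id, _, version = entry.rpartition(":")   # id may contain no ':'
        items.append((ext_id, version))
    return items

def unknown_extensions(prefs_text, allowlist):
    """Enabled extensions whose id is not on the operator's allowlist."""
    return [ext for ext in enabled_extensions(prefs_text) if ext[0] not in allowlist]

def suspicious_hosts_entries(hosts_text, watched_suffixes=("google.com",)):
    """Hosts lines that map a watched domain to anything other than loopback."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr in ("127.0.0.1", "::1"):
            continue
        for name in names:
            if any(name == s or name.endswith("." + s) for s in watched_suffixes):
                hits.append((addr, name))
    return hits

if __name__ == "__main__":
    allow = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}   # assumed: default theme id
    print(unknown_extensions(SAMPLE_PREFS, allow))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```

On a real profile, read prefs.js from the Firefox profile directory and the hosts file from `%SystemRoot%\System32\drivers\etc\hosts`, and review each unknown extension id rather than removing it blindly.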

ruperty
Re: Another Google redirect virus
« Reply #2 on: September 15, 2011, 05:27:02 AM »
Hi essexboy. Thanks for your help.

I have no idea whether it's both IE or Firefox as it's extremely hard to test. It happens on average once or twice a day, so unless I switch to IE for a week I really wouldn't know. I can start using IE instead from today and see... but I have already tried reinstalling Firefox and this has made no difference. Would you like me to use IE instead from today? It might be a while before I can find out, or I can continue with Firefox and I can say within a few days if the problem is still there. Such an annoying bug!

Attached logs from after the fix. Thanks again!


ruperty

  • Guest
Re: Another Google redirect virus
« Reply #3 on: September 15, 2011, 04:24:24 PM »
Update. The problem appears to be still here but the symptoms may have changed. Instead of a redirect to 64.XXX.whatever, avast blocks it as going to http:// (empty).

Clicking on the details, I get:
Infection Details
Process:   file://C:\Program Files\Mozilla Firefox\firefox.exe
Infection:   url:Mal

essexboy
Re: Another Google redirect virus
« Reply #4 on: September 15, 2011, 07:33:25 PM »
Let's try to remove that folder again.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6E158481-1672-4A36-9716-FA892ABC954E}: C:\Documents and Settings\david\Local Settings\Application Data\{6E158481-1672-4A36-9716-FA892ABC954E} [2011/06/07 03:10:14 | 000,000,000 | ---D | M]

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

ruperty
Re: Another Google redirect virus
« Reply #5 on: September 16, 2011, 04:39:44 AM »
Hi Essexboy.

Done and done. Attached OTL.

essexboy
Re: Another Google redirect virus
« Reply #6 on: September 16, 2011, 06:04:15 PM »
Is it still occurring?

ruperty
Re: Another Google redirect virus
« Reply #7 on: September 17, 2011, 07:53:43 AM »
I didn't use the computer yesterday, but I'm on it over the weekend and I will see. It hasn't happened yet. I will let you know if it occurs again.

Thanks for your help!

ruperty
Re: Another Google redirect virus
« Reply #8 on: September 18, 2011, 06:06:13 PM »
Hi Essexboy,
Damn, the virus is still here. I thought it had gone for a bit as I didn't get one the whole weekend, but I just got a redirect to 64.111.199.226.

Any ideas?

essexboy
Re: Another Google redirect virus
« Reply #9 on: September 18, 2011, 11:06:01 PM »
OK, bigger hammer time.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

ruperty
Re: Another Google redirect virus
« Reply #10 on: September 19, 2011, 07:19:30 AM »
Excellent, I like the sound of big hammer time.

Ran the combofix. Got a few messages asking me to run certain things, etc. I clicked yes, agree, etc. to all. Screenshots attached, along with the log at the end.

Before the reboot, ComboFix closed a whole lot of my windows and this caused some Windows errors, asking to send error reports, etc., to which I just selected cancel or close or whatever was appropriate.

Haven't noticed any changes yet other than my Windows Security Centre settings appear to have been changed a bit.

Thanks.

ruperty
Re: Another Google redirect virus
« Reply #11 on: September 19, 2011, 09:11:05 AM »
Hmmmm, the problem is still here. Getting the same redirect as before...

essexboy
Re: Another Google redirect virus
« Reply #12 on: September 19, 2011, 09:02:28 PM »
Hmm, this is becoming intriguing, as at the moment nothing jumps out at me...

Is it only Firefox?

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

ruperty
Re: Another Google redirect virus
« Reply #13 on: September 20, 2011, 01:36:34 AM »
Hi essexboy,
Unfortunately I'll have to try this another time. I got pulled to work for 4 months and won't be able to use this computer for a while. Hope in that time this redirect doesn't manifest itself into a monster.

Anyway, I'll repost here when I'm back in Feb. Thanks for your help.

essexboy
Re: Another Google redirect virus
« Reply #14 on: September 20, 2011, 08:32:16 PM »
No problem - have a nice trip  ;D