Posted 19 January 2010 - 08:50 PM
I am finally cured!!!!! For all of you redirect-virus-affected folks, here is how I did it.
I had done multiple rounds of running all sorts of anti-virus scans; you name it, I would have done it. I had run McAfee Enterprise, Dr. Webb, Ad-aware, MBAM, Microsoft Anti-malware... None of them even reported issues. McAfee would tell me that a cookie virus was there on every page click and would delete the cookie, but not solve the root cause.
RootRepeal and RootkitRevealer showed that some files had been created which were invisible to the API and were not on disk (or something like that). This however did not tell me what needed to be done next. I was able to delete/wipe a lot of the files with RootRepeal, but that was still not solving the problem. The next time I browsed in IE, all the issues came back. Strangely, I noticed that sometimes it did not happen and sometimes it did.
On detailed inspection, what I found was that this was not really associated with Google or any search engine. A click to any page that is hosted outside of the domain seemed to be causing the issue, and given that this is a pattern that occurs when we click search results, this was occurring constantly. This was really the clue. Something was definitely not OK with how the DNS was operating. The roundabout way to get over the problem was to add filters in the hosts file, but that does not take the virus off the machine, and if you are like me, that always gives a vulnerable feeling.
Finally, I used the one and only rootkit detector, ComboFix, and rightfully so, it detected the problem to be the DNS DLL (I don't recollect the name; it was something like atapi.dll or something). After fixing it with ComboFix, I booted WinXP in safe mode and ran SAS (another good antivirus that came close to solving it), and that wiped out the remaining files (after two attempts). Since then, I have not found any issues at all.
The guy who created this virus should absolutely be lynched and jailed, and I don't know what sadistic pleasure he gets from doing this.
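The post mentions two very different uses of the hosts file: the poster added "filter" entries to sinkhole the redirect destinations, while redirect malware itself commonly plants entries that point well-known domains at a remote address. Below is an added example (not the poster's code, and not from any of the tools named above) that audits a Windows hosts file and separates the two. The hosts content is constructed for the example; the domain names and the 203.0.113.x / 198.51.100.x addresses are illustrative placeholders, not indicators from the original infection.

```python
"""Audit a Windows hosts file for DNS-hijack style entries.

Added example, not from the original post. A redirect infection that
tampers with name resolution often shows up as hosts entries that map
well-known domains to a routable (non-loopback) address. Legitimate
blocking "filters", like the ones the poster added as a workaround,
point domains at 127.0.0.1 or 0.0.0.0 instead. The sample hosts text
below is constructed for the example; its names and addresses are
illustrative (TEST-NET documentation ranges), not real indicators.
"""
import ipaddress

# Constructed sample: Windows defaults, blocking filters, and planted entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# blocking filters of the kind the poster describes
127.0.0.1       ads.example-tracker.test
0.0.0.0         redirector.example-bad.test
# entries a hijacker might plant (addresses are placeholders)
203.0.113.7     www.google.com   google.com
203.0.113.7     update.microsoft.com
198.51.100.9    securityresponse.symantec.com # trailing comment
"""

# Addresses that sinkhole a name rather than redirect it somewhere reachable.
SINKHOLE_ADDRESSES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples, skipping comments and blanks.

    Mirrors the resolver's own parsing: text after '#' is a comment,
    the first field is the address, every following field is a hostname.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; the resolver ignores such lines too
        for host in fields[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def classify(entries):
    """Split entries into blocking filters and candidate hijacks.

    blocking: name -> loopback/unspecified address (traffic goes nowhere)
    hijack:   name -> any other address, or localhost pointed off-loopback
    Each item is (hostname, address_text, line_no) for reporting.
    """
    blocking, hijack = [], []
    for ip, host, line_no in entries:
        if host == "localhost":
            if not ip.is_loopback:
                hijack.append((host, str(ip), line_no))
            continue
        if ip in SINKHOLE_ADDRESSES:
            blocking.append((host, str(ip), line_no))
        else:
            hijack.append((host, str(ip), line_no))
    return blocking, hijack


def report(text):
    """Print a human-readable audit and return the hijack list for callers."""
    blocking, hijack = classify(parse_hosts(text))
    print(f"{len(blocking)} blocking filter(s):")
    for host, ip, line_no in blocking:
        print(f"  line {line_no}: {host} -> {ip}")
    print(f"{len(hijack)} entr(y/ies) pointing names at a routable address; review these:")
    for host, ip, line_no in hijack:
        print(f"  line {line_no}: {host} -> {ip}")
    return hijack


if __name__ == "__main__":
    # On a live Windows box you would read %SystemRoot%\System32\drivers\etc\hosts instead.
    report(SAMPLE_HOSTS)
```

The split is deliberate: a name sinkholed to 127.0.0.1 or 0.0.0.0 can only ever be a filter, whereas any name sent to a routable address deserves a look, even if it turns out to be a legitimate local override. Note that a clean hosts file does not rule out the redirect the poster describes; as the post points out, the tampering in that case was lower in the stack, so this audit is a quick first check, not a verdict.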