Google Redirect Virus: Already Tried MS Essentials, MalwareBytes & SuperAntiSpyware


  • This topic is locked
6 replies to this topic

#1 GWBlack

GWBlack

  • Members
  • 33 posts
  • Local time:07:05 PM

Posted 23 May 2011 - 11:28 PM

Hi Folks, I have a redirect virus that re-directs my Google searches to fake commercial sites such as Scour.com, Added Success, etc. I'm running IE8 using Windows 7 64-bit. I have MS Security Essentials (MSE) as my resident AV program. After I noticed the virus slipped through, I scanned twice using MSE in Full Scan Mode. It didn't find anything. I then ran MalwareBytes and it found several threats (please see log below), but still the redirect problem persisted. So then I ran SuperAntiSpyware and it found some more threats. However, still the redirect virus persists, especially when I click on a Google search link.

Can anybody suggest another good malware removal package to try before I give up and take it to a repair shop? I'm a novice, and quite frankly some of the diagnostic activities in the "Logs" forum (using Defogger, etc.) are probably beyond my capability and patience level. I'm just looking for some additional AV programs to try that might stand a chance at removing this pesky virus. I've attached some scan log info below.

Any advice about other programs to try would be much appreciated!
Best,
Gary


Here's the Malware Bytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6658

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/23/2011 7:03:06 PM
mbam-log-2011-05-23 (19-03-06).txt

Scan type: Full scan (C:\|)
Objects scanned: 283805
Time elapsed: 29 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Gary\AppData\Local\qjs.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\Gary\AppData\Roaming\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Gary\AppData\Local\Temp\605.tmp (Trojan.Banker) -> Quarantined and deleted successfully.
c:\Users\Gary\AppData\Local\Temp\875.tmp (Trojan.Banker) -> Quarantined and deleted successfully.
c:\Users\Gary\AppData\Local\Temp\0.5783371089721729.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Gary\AppData\Local\Temp\0.9305442682379756.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
c:\program files (x86)\mozilla firefox\extensions\{9ce11043-9a15-4207-a565-0c94c42d590d}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.



Although I didn't keep the original log itself, here's roughly what SuperAntiSpyware found and removed (after I ran MalwareBytes):

Adware.Tracking Cookie (roughly 15 of these)
Trojan.Agent/Gen-Koobface[Bonkers] in C:\USERS\GARY\APPDATA\LOCAL\TEMP\4.646891511851077E8.EX (maybe .EXE extension since the last part was cut off in the screenshot of the log I saved)
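The Malwarebytes log above is easier to reason about once it is turned into structured records, in particular the "Registry Data Items" entry, where the scanner shows both the hijacked value (a wrapper executable in the user's AppData folder that launches the real iexplore.exe as an argument) and the value it restored. The following Python parser is an added illustration, not code from this thread or from Malwarebytes: it reads the 1.5x log layout quoted above, groups detections by section, and pulls the wrapper executable out of any "Bad: (...) Good: (...)" browser-launch hijack so a responder knows which file to look for in quarantine records. The sample log is assembled from entries the poster quoted; the regular expressions, the `Detection` record and the helper names are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Malwarebytes' Anti-Malware 1.5x log layout; the entries are
# copied from the thread, the excerpt itself is assembled for this example.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Gary\AppData\Local\qjs.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\Gary\AppData\Roaming\systemproc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Gary\AppData\Local\Temp\605.tmp (Trojan.Banker) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" opens a section; the summary lines near the top of a real log
# ("Registry Keys Infected: 13") carry a trailing count and therefore do not match.
SECTION_RE = re.compile(r"^(?P<name>.+) Infected:$")
# item (threat) -> rest ; the item is matched lazily so "(x86)" or "(default)" inside a
# path does not get mistaken for the threat name.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Data-item lines carry the hijacked value and the value the scanner put back.
HIJACK_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")
# First (optionally quoted) executable token of a command line.
WRAPPER_RE = re.compile(r'^"?(?P<exe>[^"\s]+\.exe)"?', re.IGNORECASE)


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str
    bad: Optional[str] = None   # hijacked value, only present on "Bad: (...) Good: (...)" lines
    good: Optional[str] = None  # value the scanner restored


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the per-section lists of a Malwarebytes log and return one Detection per line."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header lines such as "Objects scanned: ..." are ignored
        rest = entry.group("rest")
        bad = good = None
        action = rest
        hijack = HIJACK_RE.match(rest)
        if hijack:
            bad, good, action = hijack.group("bad"), hijack.group("good"), hijack.group("action")
        detections.append(Detection(section, entry.group("item"), entry.group("threat"), action, bad, good))
    return detections


def counts_by_section(detections: List[Detection]) -> Dict[str, int]:
    """Number of detections per log section (sections with nothing detected are absent)."""
    return dict(Counter(d.section for d in detections))


def hijacked_launchers(detections: List[Detection]) -> List[Tuple[str, str, Optional[str]]]:
    """(registry item, wrapper executable, restored value) for each browser-launch hijack."""
    found = []
    for d in detections:
        if d.bad is None or "\\shell\\open\\command" not in d.item.lower():
            continue
        m = WRAPPER_RE.match(d.bad)
        wrapper = m.group("exe") if m else d.bad
        found.append((d.item, wrapper, d.good))
    return found


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(counts_by_section(dets))
    for item, wrapper, good in hijacked_launchers(dets):
        print(f"launch hijack: {item}\n  wrapper: {wrapper}\n  restored value: {good}")
```

Running the block prints the per-section tally and the single launch hijack, with `C:\Users\Gary\AppData\Local\qjs.exe` as the wrapper and `iexplore.exe` as the restored command. The same parser works on a complete log file because the summary block at the top never matches the section or entry patterns.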



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 24 May 2011 - 12:09 AM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 GWBlack

GWBlack
  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:05 PM

Posted 24 May 2011 - 12:54 AM

Thank you for your reply. I just ran TDSS Killer. It scanned 236 objects but didn't find any infections. Whatever it is must be buried deeply or well disguised since MalwareBytes, MS Security Essentials, SuperAntiSpyware and now TDSS Killer didn't get rid of it. Any other suggestions for removal programs to try?

Thank you again very much for your help and patience,
Gary

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 24 May 2011 - 12:56 AM

Run a quick scan with Malwarebytes and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 GWBlack

GWBlack
  • Topic Starter

  • Members
  • 33 posts
  • Local time:07:05 PM

Posted 04 June 2011 - 12:20 PM

Run a quick scan with Malwarebytes and post the log.


Hi, I'm sorry for the delayed reply. I enlisted the help of a local computer guy. He ran many programs (SpyBot S&D, ATF-Cleaner, HijackThis, TDSS Killer, ComboFix, HitmanPro and SafeReturner). I ran MalwareBytes, MS Security Essentials, Ad-Aware, SuperAntiSpyware and Avira. I now seem to be able to navigate w/o redirection as long as I use Google Chrome. But the redirection still happens in IE 8.0. In addition, I think my Windows Firewall is turned off, although that may have been done purposely by an AV program (or by the virus itself). As I mentioned in another thread, I cannot seem to turn my firewall on (in Control Panel/Windows Firewall or Control Panel/Action Center).

I'm also struggling to determine which AV programs have automatically enabled themselves after loading them for one-time scanning purposes only. I realize I'm only supposed to have one AV program active. Some programs appear, each under multiple filenames in the "Processes" or "Services" tab in Task Manager in either "Running" or "Stopped" status. As a novice, I'm not skilled at interpreting all of the information.

Anyway, I just ran MalWareBytes on all drives in full scan mode. Below is the log. It didn't find anything wrong, although I know there's still a problem somewhere. Any suggestions would be appreciated. Thank you!


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6771

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/4/2011 12:05:19 PM
mbam-log-2011-06-04 (12-05-19).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 283804
Time elapsed: 39 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by GWBlack, 04 June 2011 - 12:22 PM.


#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 04 June 2011 - 03:47 PM

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:11:05 AM

Posted 06 June 2011 - 05:23 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
