Another Google Redirect Attack

Hi

Like everyone else at the moment, it seems, I've been attacked by the Google redirect virus: Avast is reporting malicious URL redirects, and Google searches redirect to "findjittery" frequently…

I’ve run MBAM, Avast, superspyware, and hitman pro trying to get rid of this thing…

Please help - this thing is driving me mad!

OTS log attached

Forgot I ran aswMBR last night too before I ran OTS:

Don't worry about the suspicious files: the .sys.mui ones we feel are due to overly sensitive heuristics triggered by the double file extension, an old trick used to try to hide a file's true extension/purpose.

The C:\Windows\System32\drivers\wimmount.sys we suspect is a false positive.

However, since you have a 64-bit OS, wait for instructions from essexboy on how to proceed.

In the meantime, check your Windows Task Scheduler for any tasks/jobs that you didn't create, as in some cases these have been used:
Vista, http://windows.microsoft.com/en-US/windows-vista/Schedule-a-task.
Win7, http://windows.microsoft.com/en-US/windows7/schedule-a-task.

I see that you still have Norton running on your system. I would recommend that you uninstall it using this tool: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US

Did you run TDSSKiller? If so, could you attach the log please.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3345881406-1244150194-1485173227-1003\] > -> HKEY_USERS\S-1-5-21-3345881406-1244150194-1485173227-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  ADF8.AC3 -> C:\Users\Andy\AppData\Roaming\ADF8.AC3
NY ->  37084920 -> C:\ProgramData\37084920
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
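The Task Scheduler check suggested above is easier to do from a script than by clicking through the Vista/Win7 GUI task by task. The following is an added example and not part of this thread or of any of the tools mentioned in it. It drives schtasks.exe (present on Vista and Win7, so it does not need the newer ScheduledTasks module) and flags tasks whose command runs out of user-writable locations such as AppData, ProgramData or Temp, which is where the OTS fix above targeted unknown files. The list of suspect directories and the author pattern are this example's own assumptions; run it from an elevated prompt so tasks owned by other accounts are listed too.

```powershell
# Added example (not from the thread): audit scheduled tasks for persistence.
# Assumptions: elevated prompt; suspect-directory list below is illustrative.

# Directories a legitimate vendor task rarely runs from (assumption).
$suspectDirs = @('\AppData\', '\ProgramData\', '\Temp\', '\Users\Public\')

# /v adds verbose columns, including "Author" and "Task To Run". With /v the
# header row is repeated for every task folder; ConvertFrom-Csv turns those
# repeats into objects whose HostName is literally "HostName", so drop them.
$tasks = schtasks.exe /query /fo CSV /v |
    ConvertFrom-Csv |
    Where-Object { $_.HostName -ne 'HostName' }

$report = foreach ($t in $tasks) {
    $cmd  = $t.'Task To Run'
    $flag = ''
    foreach ($d in $suspectDirs) {
        # -like is case-insensitive, which matters for mixed-case paths.
        if ($cmd -like "*$d*") { $flag = 'CHECK' }
    }
    # Microsoft's own tasks are authored as "Microsoft Corporation" or as a
    # resource string such as "$(@%SystemRoot%\system32\...dll,-NNN)".
    # A task from a suspect directory with any other author is the priority.
    if ($flag -and ($t.Author -notmatch '^(\$\(@%SystemRoot%|Microsoft)')) {
        $flag = 'CHECK!'
    }
    New-Object PSObject -Property @{
        Flag      = $flag
        TaskName  = $t.TaskName
        State     = $t.'Scheduled Task State'
        Author    = $t.Author
        LastRun   = $t.'Last Run Time'
        TaskToRun = $cmd
    }
}

# Flagged tasks first; everything else follows so the full picture is kept.
$report |
    Sort-Object @{ Expression = 'Flag'; Descending = $true }, TaskName |
    Format-Table Flag, TaskName, State, Author, LastRun, TaskToRun -AutoSize -Wrap
```

Anything marked CHECK! should be opened with `schtasks /query /tn <name> /xml` to read the full definition (triggers, run-as account, arguments) before deleting it with `schtasks /delete /tn <name>`; a task can be legitimate even when it runs from ProgramData, so confirm the binary first rather than removing on sight.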

I ran TDSSKiller the other day too, but as it didn't find anything, I didn't keep the log.

I have set OTS running for a second time, but it is taking a very long time to do the "clear temp files" piece.
The first time I ran it, Windows crashed and rebooted while it was clearing the temp files. The log file it produced is as below:

Files\Folders moved on Reboot…
File move failed. C:\Users\Andy\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File\Folder C:\Users\Andy\AppData\Local\Temp\~DF0383A1D575C42245.TMP not found!
File\Folder C:\Users\Andy\AppData\Local\Temp\~DF13D2083D5E5E2C29.TMP not found!
File\Folder C:\Users\Andy\AppData\Local\Temp\~DF1FDCD46E8D31BD8D.TMP not found!
C:\Users\Andy\AppData\Local\Temp\~DF261517529FCF9353.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DF64CA0FC5CED16088.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DF9786513CC759E5C7.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DF97A4998E1966272B.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DFAFACEFEFA6F7D76E.TMP moved successfully.
File\Folder C:\Users\Andy\AppData\Local\Temp\~DFAFE19932A6F6802D.TMP not found!
C:\Users\Andy\AppData\Local\Temp\~DFFEC414FE0CF764DD.TMP moved successfully.

Registry entries deleted on Reboot…

The redirect problem is still there, unfortunately!

Let's hope this is not the new one, as it is being a bit of a pig to clear.

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FIXMBR Button

http://public.avast.com/~gmerek/aswMBR4.png

Reboot and run a fresh aswMBR scan as previously
Save the log as before and post in your next reply
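The aswMBR log is the only record of what FIXMBR changed, and the thread later shows how hard it is to tell afterwards whether the boot code was altered. The following is an added example, not from this thread or from aswMBR, that snapshots the first sector of the boot disk so it can be compared before and after FIXMBR. It hashes the 440 bytes of boot code separately from the partition table, because a bootkit replaces the code while a legitimate repair may touch only the table. It assumes the system disk is \\.\PhysicalDrive0 and that the prompt is elevated, since raw device reads require administrator rights.

```powershell
# Added example (not from the thread): snapshot and summarise the MBR.
# Assumptions: elevated prompt; system disk is \\.\PhysicalDrive0.

function Get-MbrSnapshot {
    param([string]$Device = '\\.\PhysicalDrive0')

    # Raw device read: open read-only and shared (the disk is in use), then
    # read exactly one 512-byte sector from offset 0.
    $fs = New-Object System.IO.FileStream($Device,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $read = $fs.Read($sector, 0, 512)
        if ($read -ne 512) { throw "short read ($read bytes) from $Device" }
    } finally {
        $fs.Close()
    }

    # Bytes 510-511 must be 55 AA; otherwise this is not a valid MBR.
    $sigOk = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)

    # Layout: 0..439 boot code, 440..443 disk signature, 446..509 four
    # 16-byte partition entries. Hash only the code so that a rewritten
    # partition table is not confused with rewritten boot code.
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $codeHash = [BitConverter]::ToString($sha.ComputeHash($sector, 0, 440)) -replace '-', ''

    $parts = for ($i = 0; $i -lt 4; $i++) {
        $e = 446 + 16 * $i
        $type = $sector[$e + 4]
        if ($type -ne 0) {
            New-Object PSObject -Property @{
                Index    = $i
                Bootable = ($sector[$e] -eq 0x80)
                Type     = ('0x{0:X2}' -f $type)   # 0x07 NTFS, 0xEE GPT protective
                StartLBA = [BitConverter]::ToUInt32($sector, $e + 8)
                Sectors  = [BitConverter]::ToUInt32($sector, $e + 12)
            }
        }
    }

    New-Object PSObject -Property @{
        Device         = $Device
        SignatureOK    = $sigOk
        BootCodeSHA256 = $codeHash
        Partitions     = $parts
    }
}

# Usage: take one snapshot before FIXMBR, save it, and compare after the reboot.
# $before = Get-MbrSnapshot; $before | Export-Clixml 'mbr-before.xml'
# ... run aswMBR, click FIXMBR, reboot ...
# $after = Get-MbrSnapshot
# if ($after.BootCodeSHA256 -ne $before.BootCodeSHA256) { 'boot code was rewritten' }
# $after.Partitions | Format-Table Index, Bootable, Type, StartLBA, Sectors -AutoSize
```

A changed BootCodeSHA256 with an unchanged partition table is what a successful FIXMBR looks like; a changed partition table, or a snapshot that fails the 55 AA check, is worth posting alongside the aswMBR log rather than acting on alone. Note that a bootkit which hooks disk I/O in the kernel can feed this read a clean copy of sector 0, which is exactly why the thread moves on to running FixMbr from boot media where that hook is not loaded.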

Ran aswMBR, followed by FIXMBR.

Rebooted the machine.

Ran aswMBR again; logs from this second run attached.

Alas, the Google redirect is still there; it sent me to "webbuildersonline". I have noticed, however, that Avast seems to have stopped popping up the malicious URL warning since I ran aswMBR. If it changes over the day, I'll let you know…

We may have crippled it, but do you have a Windows CD?

If not …

Download the recovery console ISO from Here
Also download Imgburn from here and install

Once Imgburn is installed double click the ISO to burn to disc

[1] Insert the disc and select start from the CD.
[2] Select Repair your computer.
[3] Select the operating system you want to repair, and then click Next.
[4] Select Command prompt.
[5] Type in the following command:

Bootrec.exe /FixMbr

[6] Once finished, type Exit.

Allow it to do its thing, then reboot to normal Windows and rerun aswMBR.

Have to run out and buy a DVD to burn to; I've been using the backup drive as a backup.

Will the Windows repair delete any files in the "My Documents" area? I.e. should I back everything up before I do this next step?

No. The aim is to run the recovery console and fix the MBR from the CD, when the hard drive's MBR has not been called and is therefore unprotected.

Hmm.

Followed the instructions and burnt the disk:

I don't get an option to start from the disk. I rebooted and asked it to boot off the disk, however.

If I reboot the machine and try to boot from the disk, it loads Windows files, then asks if I want to install Windows Vista. That doesn't seem quite right; is it the correct ISO? As I've got Win7 already installed, I don't really want a second Windows variant floating around…

Or am I just doing something really stupid!

I have now refined my approach to this, so could you try it the following way please; it has pictures now, which makes it easier to understand. Could you confirm you get the following when you start the CD. It will load files as it prepares the recovery console.

When you reboot you will see this, although yours will say Windows 7. Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following

Bootrec.exe /FixMbr

Once finished, type Exit.

Reboot to normal Windows and run MBRCheck again please.

That was the strange thing:

I don't get a Windows 7 install screen when I boot off the disk; I get a Windows Vista "install" screen, much like the first screenshot, except it asks me to select a language for the install. I don't get a "repair my computer" option at this point…

OK, select the language, and it may also ask for the keyboard as well. Once done you should get the repair option.

Ran the script as instructed. Unfortunately, now Windows is refusing to boot.

I just get a flash of a blue screen on attempting to reboot, and the options to boot off the recovery console or try to boot normally. Trying to boot normally just leaves it caught in a loop. Unfortunately, the blue screen goes by too quickly to tell what is failing. Guess it didn't like something in the MBR.

Can you access safe mode?

Have you tried a startup repair from the recovery console?

I have just completed one here which worked perfectly:
http://www.geekstogo.com/forum/topic/304674-google-redirect-virus/page__pid__2040355#entry2040355

Hi,

Trying the recovery console fails:

Startup repair comes up, but then complains of an OS version mismatch and refuses to complete.

Have I installed the wrong MBR or something strange like that?

http://www.proposedsolution.com/download/7rd64.iso. Could you download and burn this one please; I may have made an error, sorry.

Hi,
I was away on holiday and have just come back.

Downloaded the new ISO and burned it. Got the recovery console up and ran FixMbr, but I am still having the failure to boot…

Any suggestions?