Like everyone else at the moment, it seems, I've been attacked by the Google redirect virus: Avast is reporting malicious URL redirects, and Google searches redirect to "findjittery" frequently…
I've run MBAM, Avast, SUPERAntiSpyware, and HitmanPro trying to get rid of this thing…
Don't worry about the suspicious files; we feel the .sys.mui ones are due to overly sensitive heuristics triggering on the double file extension, an old trick used to try to hide the true file extension/purpose.
The C:\Windows\System32\drivers\wimmount.sys we suspect is a false positive.
However, since you have a 64-bit OS, wait for instructions from essexboy on how to proceed.
Did you run TDSSKiller? If so, could you attach the log please?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3345881406-1244150194-1485173227-1003\] > -> HKEY_USERS\S-1-5-21-3345881406-1244150194-1485173227-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY -> ADF8.AC3 -> C:\Users\Andy\AppData\Roaming\ADF8.AC3
NY -> 37084920 -> C:\ProgramData\37084920
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
I ran TDSSKiller the other day too, but as it didn't find anything, I didn't keep the log.
I have set OTS running for a second time, but it is taking a very long time to do the "clear temp files" piece.
The first time I ran it, Windows crashed and rebooted. The log file it produced is as below; Windows rebooted while it was clearing the temp files:
Files\Folders moved on Reboot…
File move failed. C:\Users\Andy\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File\Folder C:\Users\Andy\AppData\Local\Temp\~DF0383A1D575C42245.TMP not found!
File\Folder C:\Users\Andy\AppData\Local\Temp\~DF13D2083D5E5E2C29.TMP not found!
File\Folder C:\Users\Andy\AppData\Local\Temp\~DF1FDCD46E8D31BD8D.TMP not found!
C:\Users\Andy\AppData\Local\Temp\~DF261517529FCF9353.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DF64CA0FC5CED16088.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DF9786513CC759E5C7.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DF97A4998E1966272B.TMP moved successfully.
C:\Users\Andy\AppData\Local\Temp\~DFAFACEFEFA6F7D76E.TMP moved successfully.
File\Folder C:\Users\Andy\AppData\Local\Temp\~DFAFE19932A6F6802D.TMP not found!
C:\Users\Andy\AppData\Local\Temp\~DFFEC414FE0CF764DD.TMP moved successfully.
Registry entries deleted on Reboot…
The redirect problem is still there, unfortunately!
Ran aswMBR again; logs from this second run are attached.
Alas, the Google redirect is still there; it sent me to "webbuildersonline". I have noticed, however, that Avast seems to have stopped popping up the malicious URL warning since I ran aswMBR. If it changes over the day, I'll let you know…
We may have crippled it, but do you have a Windows CD?
If not …
Download the recovery console ISO from here.
Also download ImgBurn from here and install it.
Once ImgBurn is installed, double-click the ISO to burn it to disc.
[1] Insert the disc and select start from the CD.
[2] Select Repair your computer.
[3] Select the operating system you want to repair, and then click Next.
[4] Select Command Prompt.
[5] Type in the following command:
Bootrec.exe /FixMbr
[6] Once finished, type Exit.
Allow it to do its thing, then reboot to normal Windows and rerun aswMBR.
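The command above rewrites the boot code in sector 0 of the disk without touching the partition table. Before and after doing that, a practitioner would want to dump that 512-byte sector and compare it against a known-good copy, because MBR bootkits generally replace the boot code and leave the partition table intact so the machine still boots. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses the classic MBR layout (440 bytes of boot code, 4-byte disk signature, four 16-byte partition entries, 0x55AA signature), hashes the boot code, and reports how a candidate sector differs from a reference. The two sectors are constructed inline so it runs offline; the function names and the sample values are this example's own. On a live Windows box the same bytes would be read from `\\.\PhysicalDrive0` in an elevated prompt.

```python
"""Parse a 512-byte MBR sector and audit it against a known-good reference.

Added example, not part of the forum thread. The sample sectors below are
constructed here, not dumped from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439 hold the boot code in a classic MBR
DISK_SIG_OFF = 440      # 4-byte NT disk signature, then 2 reserved bytes
PTABLE_OFF = 446        # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def _partition_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte entry; CHS fields are set to the 'use LBA' marker."""
    return struct.pack(PART_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


def build_mbr(boot_code, disk_signature, entries):
    """Assemble a full sector from its parts (used here to construct samples)."""
    if len(boot_code) > BOOTCODE_LEN or len(entries) > 4:
        raise ValueError("boot code or partition table too large")
    table = b"".join(_partition_entry(*e) for e in entries)
    table = table.ljust(4 * 16, b"\x00")
    sector = (boot_code.ljust(BOOTCODE_LEN, b"\x00")
              + struct.pack("<I", disk_signature) + b"\x00\x00"
              + table + b"\x55\xaa")
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector):
    """Return the fields a responder cares about when comparing MBR dumps."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_FMT, sector, PTABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def audit_mbr(reference, candidate):
    """List differences from the reference plus basic partition-table sanity checks."""
    ref, cand = parse_mbr(reference), parse_mbr(candidate)
    findings = []
    if not cand["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if ref["boot_code_sha256"] != cand["boot_code_sha256"]:
        findings.append("boot code differs from reference")
    if ref["partitions"] != cand["partitions"]:
        findings.append("partition table differs from reference")
    active = [p for p in cand["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in cand["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte {p['status']:#x}")
    ordered = sorted(cand["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition ranges overlap")
    return findings


# Constructed samples. The first seven bytes are the familiar "xor ax,ax / mov ss,ax /
# mov sp,7C00h" prologue; everything after it is filler, not real boot code.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
REFERENCE_MBR = build_mbr(GOOD_BOOT_CODE, 0x1234ABCD, PARTITIONS)
# Same disk signature and partition table, but the boot code has been replaced.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 40, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    print("reference vs itself:", audit_mbr(REFERENCE_MBR, REFERENCE_MBR))
    print("reference vs tampered:", audit_mbr(REFERENCE_MBR, TAMPERED_MBR))
```

A clean result from `audit_mbr` only means the sector matches your reference; it says nothing about code the boot loader may chain to later in the boot path, so it complements rather than replaces a tool such as aswMBR.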
No, the aim is to run the recovery console and fix the MBR from the CD; when the hard drive's MBR has not been called, it will be unprotected.
I don't get an option to start from the disk. I rebooted and asked it to boot off the disk, however.
If I reboot the machine and try to boot from the disk, it loads Windows files, then asks if I want to install Windows Vista. That doesn't seem quite right; is it the correct ISO? As I've got Win7 already installed, I don't really want a second Windows variant floating around…
I have now refined my approach to this, so could you try it the following way please? It has pictures now, which makes it easier to understand. Could you confirm you get the following when you start the CD? It will load files as it prepares the recovery console.
When you reboot you will see this, although yours will say Windows 7. Click Repair my computer.
I don't get a Windows 7 install screen when I boot off the disk; I get a Windows Vista "install" screen, much like the first screenshot, except it asks me to select a language for the install. I don't get a "Repair my computer" option at this point…
Ran the script as instructed. Unfortunately, now Windows is refusing to boot.
I just get a flash of a blue screen on attempting to reboot, and the options to boot off the recovery console or try to boot normally. Trying to boot normally just leaves it caught in a loop. Unfortunately, the blue screen goes by too quickly to tell what is failing… guess it didn't like something in the MBR.