Google Redirect Virus: 64.111.211.158

I saw another post where you were able to help a user with cleaning the Google Redirect Virus and was hoping you could do the same for me. Attached is my OTS scan results.

Thanks in advance for all the help!

This may take ten minutes or so as your temp files are very full.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4E7BD74F-2B8D-469E-95BA-ED6DB186BE32}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}:Exec [HKLM] -> [Button: Bodog Poker]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{F47C1DB5-ED21-4dc1-853E-D1495792D4C5}" [HKLM] -> [Bodog Poker]
[Files/Folders - Modified Within 30 Days]
NY ->  ~15654692 -> C:\Documents and Settings\All Users\Application Data\~15654692
NY ->  15654692 -> C:\Documents and Settings\All Users\Application Data\15654692
NY ->  ~15654692r -> C:\Documents and Settings\All Users\Application Data\~15654692r
[Files - No Company Name]
NY ->  ~15654692r -> C:\Documents and Settings\All Users\Application Data\~15654692r
NY ->  ~15654692 -> C:\Documents and Settings\All Users\Application Data\~15654692
NY ->  15654692 -> C:\Documents and Settings\All Users\Application Data\15654692
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Attached are the results. Thanks for the quick turn-around!

Do you still have the alerts ?

Unfortunately, yes.

OK, phase two.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

No Joy. It just locked up my machine and would not run through. Looking at some of the other posts on here I am going to try TDSSKiller right now…but keep me posted.

Try MalwareBytes Anti-Malware in safe mode then use CCleaner and then try ComboFix, it worked for me. G/L

TDSSKiller isn’t really responding either…I await your suggestion.

Have you been able to clean any of these? The forum seems pretty well slammed with these issues.

You can try the advice from
http://forum.avast.com/index.php?topic=81439.msg665856#msg665856
rerun aswMBR, use FixMBR button and reboot.
After reboot rerun aswMBR, select AV engine: (none), make Scan - it will be fast, save the log and post it.

@Bumsmonkey-
Malwarebytes in Safe comes back clean and ComboFix just freezes up or fails (safe or normal). I have not tried CCleaner yet but will…thanks.

@PSW-
I am hesitant to use aswMBR without a bit more advice on it first.

@ psw
Before making suggestions on the action to take, the OP (Silentlenn) should first run aswMBR Scan, Save Log and post the aswMBR log.

This will give us information on his system, as FixMBR, if used in certain circumstances, could harm the system.

@ Silentlenn
Wise choice to wait, though just running it to generate the Scan Log should not harm and may give useful information for essexboy.

Yes, the new version of TDL is becoming rampant. I feel we are getting more detections here than anywhere else as Avast is blocking the outbound connection, so you know you have a problem.

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Scan results attached.

Ok you have an older variant

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

  • If an infected file is detected, the default action will be Cure, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerMal-1.png

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerSuspicious.png

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKillerCompleted.png

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Unfortunately, something is preventing this from running both in safe and normal mode. I have tried running it by pasting the UNC into the Run box as well as choosing Run as. The latter seemed to chime an Avast alert so I went ahead and tried to uninstall all anti-virus software and verified that the windows firewall was turned off. No joy.

OK that is a fair indication of the new variant… aswMBR has just been updated for this nasty so download and run a fresh copy please

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

same file name as a previous posting, but scan is updated.

0:01:36.312 Disk 0 scanning C:\WINDOWS\system32\drivers
20:02:00.187 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
20:02:01.390 Service scanning
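As an added example, not code from this thread or from the aswMBR tool, a small Python parser for result lines of the shape quoted above, so a helper triaging many such logs can pull out the flagged files and spot an infected boot driver at a glance. The sample log is constructed from the quoted line; its second "File:" line is invented to show a verdict without a detection name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the aswMBR line quoted in the thread; it is
# not the original poster's log. The SUSPICIOUS line is made up to show that
# a verdict can appear without a detection name after it.
SAMPLE_LOG = r"""
20:01:36.312 Disk 0 scanning C:\WINDOWS\system32\drivers
20:02:00.187 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
20:02:00.421 File: C:\WINDOWS\system32\drivers\atapi.sys **SUSPICIOUS**
20:02:01.390 Service scanning
"""

# One "File:" result line: timestamp, path, **VERDICT**, optional detection name.
FILE_LINE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d{3})\s+File:\s+(?P<path>.+?)"
    r"\s+\*\*(?P<verdict>[A-Z]+)\*\*\s*(?P<name>\S+)?\s*$"
)


@dataclass
class Finding:
    ts: str
    path: str
    verdict: str          # e.g. INFECTED, SUSPICIOUS
    name: Optional[str]   # detection name, if the scanner printed one


def parse_findings(log_text: str) -> List[Finding]:
    """Return every flagged file in an aswMBR-style log, in scan order.
    Progress lines ("Disk 0 scanning", "Service scanning") are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            findings.append(Finding(m["ts"], m["path"], m["verdict"], m["name"]))
    return findings


def infected_drivers(findings: List[Finding]) -> List[str]:
    """Paths flagged INFECTED inside the system32 drivers directory. In this
    thread that was volsnap.sys, the patched boot-start driver that led the
    helper to move on to the FixMBR step."""
    return [f.path for f in findings
            if f.verdict == "INFECTED" and "\\system32\\drivers\\" in f.path.lower()]


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.verdict:<10} {f.path} {f.name or ''}")
    print("infected drivers:", infected_drivers(found))
```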

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FIXMBR Button

http://public.avast.com/~gmerek/aswMBR4.png

Save the log as before and post in your next reply

THEN

Re-run TDSSKiller please

Scan and post-fix logs attached. TDSSKiller still fails to load up. Am I beating a dead horse here? Should I cut my losses and reformat?