Google redirect virus, again

Hi. Over the summer, my desktop had a google redirect virus that (I thought) was successfully eradicated with kaspersky’s tdss killer, after which I purchased Avast Internet Security. I have not had any problems for about 5 months.

The other day, I couldn’t connect to the internet, and after a lot of screwing around on the phone with my cable provider, and rebooting and changing cables on my modem and my router, I decided the problem was in the router settings. So I went back to an earlier configuration. What an idiot. :-[ The previous configuration was from around the time I had the virus, so now all my searches are getting redirected again, sometimes to revoo.com, sometimes to livesearch now.

I ran tdss killer again, and it found nothing. I did a full system scan with avast, and it found nothing. I ran antimalwarebytes, and it found a Happili trojan, and I quarantined it. But when I tried google searches again, I was still being redirected. Can you help? I’m not that technically proficient (obviously), but I can follow step by step directions most of the time. I said “most of the time” because when I did the OTL scan the first time, I did not check “all users”. But then I reran the scan with all users, and both logs (OTL and Extras) seemed to update correctly. I hope they will show the information you want.

I think I have attached all the logs that I am supposed to. I will really appreciate any help anyone can give me. Thank you.

Hi and welcome!

http://i1224.photobucket.com/albums/ee380/jeffce74/adwcleaner.jpg
AdwCleaner

[*]Close all open programs and internet browsers.
[*]Double click on adwcleaner.exe to run the tool.
[*]Click on Delete.
[*]Confirm each time with Ok.
[*]You will be prompted to restart your computer. A text file will open after the restart.
[*]Please attach the contents of that logfile with your next reply.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any script blocking protection
[*]Right-click and Run as Administrator dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Hi, and thank you for your reply.

Sorry, I forgot I had already run adwcleaner. I forgot to attach the log. Here it is.

I’ll run DDS now.

FYI, this is the second time I have typed this reply. The first time, when I clicked the Post button, all of a sudden my router failed and there was no internet connection. This is the problem I was having the other day, which caused me to reconfigure my router settings in the first place. Now I am connected directly to the modem without the use of the router. Not sure if this is related at all, just thought I should mention it.

Thanks for letting me know about the internet…when you get DDS.txt and Attach.txt be sure to attach those. :slight_smile:

Hi, again. Am I supposed to zip the attach file? I’m attaching it as txt, but let me know if you want it zipped. Thanks.

No need to zip anything…attaching is just fine.

ComboFix

Download Combofix from the link below, and save it to your desktop.
Link

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.


I’m wondering about your connection setup.
As I understand it, it is: ISP > Modem > Router > Your system
I have several questions.

  1. Is it just a modem or also a router (and perhaps also a firewall) ?
  2. Is it just a router or also a hardware firewall?
  3. Is your system the only one connected to it?

Malware (virus, trojans and such) have nothing to do with your router settings.
It is unwanted software on your system.

I’m attaching the combofix file. I did get the message “Illegal operation etc” so I restarted the computer. When I opened IE9 I got the following security alert (which I can’t remember ever seeing before): "You are about to leave a secure Internet connection. It will be possible for others to view information you sent." I ignored it. Is that ok?

Hi. Here are the short answers:

  1. I have a modem (Webstar), router (wireless Belkin N300), desktop.
  2. The router has a firewall, but I’ve had it turned off, since I have the Avast firewall and I was told it could cause problems to run multiple firewalls. Likewise, the Windows firewall is off also.
  3. A number of other computers, ipads, etc connect wirelessly to the network (it’s a home network).

The longer answer is: I have a modem (that comes from my ISP). The cable from outside runs to the modem. Normally, there’s an ethernet (I think?) cable running from the modem to my router, then another running from the router to my desktop (Windows Vista Home Premium). The other computers etc, have been connected wirelessly to the network. That setup has been working fine. Suddenly the other day, the modem showed that I had an internet connection (ie, blinking lights), but the router hardware lights and user interface indicated there was no connection. I rebooted endlessly, contacted the cable company and ran through various ipconfiguration changes with them, but the router was still showing no connection. I replaced ethernet cables, rebooted the router, and tried anything I could think of. Finally, I was looking at the router settings, and I saw the option to restore to previous settings. It seemed like a good idea. However, it didn’t occur to me that the only previous setting I had ever saved was from last summer, when I had the Google redirect virus. When I restored the previous settings, like magic, I could use the router again. (To my knowledge, I had never made any changes to the settings, but I’m not that adept, obviously, so maybe I did somehow). Everything worked fine for about 12 hours. Then suddenly the google redirect started up again. Maybe it’s a coincidence, but it seems weird to me.

Even with the redirect, the router configuration was working fine today. However, as I mentioned in my previous post, it suddenly started with the same problem an hour or so ago. Telling me there’s no internet connection, when clearly there is. So at this moment, I’ve bypassed the router and am connected directly to the modem.

Don’t know if any of that is relevant, but I’m hoping it will provide some clues. Thanks for your interest.

I have a general question, while my desktop still has google redirect virus problems: Is it safe for me to connect an uninfected laptop directly to my cable modem (no router) so that I can work? Or could that cause the laptop to be infected also? Thank you to anyone who can answer.

could that cause the laptop to be infected also?
I don't see anything that I have seen that should be jumping systems.

ComboFix

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the box below:

ClearJavaCache::

DDS::
BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - c:\program files\expat shield\hssie\ExpatIE.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -
TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} -
uRun: [Adobe] rundll32 “c:\users\barb\appdata\local\aol\adobe\cbgfw.dll”,DllRegisterServerW
Trusted Zone: ed.gov\fafsa
Trusted Zone: facebook.com\www
Trusted Zone: google.com\mail
Trusted Zone: microsoft.com\www
Trusted Zone: mylifetime.com\www
Trusted Zone: suntimes.com\www
Trusted Zone: tcm.com\www
Trusted Zone: televisionwithoutpity.com\forums
Trusted Zone: televisionwithoutpity.com\www
Trusted Zone: tnt.tv\www
Trusted Zone: tvguide.com\www
Trusted Zone: usanetwork.com\www
Trusted Zone: wildernessresort.com\www
Trusted Zone: wowway.net\portal
Trusted Zone: youtube.com\www

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix may request an update; please allow it.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Post the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Attach the new ComboFix log and let me know how your system is running now. :slight_smile:
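The DDS:: block in the script above tells ComboFix which log lines to act on: two BHO/toolbar CLSIDs with no file path behind them, a per-user Run entry that loads a DLL out of the user profile with rundll32, and a set of Trusted Zone sites. Reading such a log by eye is error-prone, so here is a small triage script that parses those line types and flags the same patterns the helper removed. This is an added example, not code from the thread or from the DDS/ComboFix tools; the line layout it assumes (BHO/TB: optional name, CLSID, dash, path; uRun/mRun: bracketed name then command; Trusted Zone: domain\host) is inferred from the lines posted above, and the sample log is constructed from those lines with straight quotes.

```python
import re
from dataclasses import dataclass

# Constructed sample: the DDS:: lines from the CFScript in this thread,
# with the curly quotes of the forum post replaced by straight ones.
SAMPLE_DDS = r"""
BHO: Expat Shield Class: {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - c:\program files\expat shield\hssie\ExpatIE.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -
TB: AOL Toolbar: {DE9C389F-3316-41A7-809B-AA305ED9D922} -
uRun: [Adobe] rundll32 "c:\users\barb\appdata\local\aol\adobe\cbgfw.dll",DllRegisterServerW
Trusted Zone: ed.gov\fafsa
Trusted Zone: facebook.com\www
"""

# A CLSID is 32 hex digits plus 4 hyphens inside braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Assumed DDS line prefixes: BHO, TB (toolbar), uRun/mRun (user/machine Run key), Trusted Zone.
LINE_RE = re.compile(r"^(?P<kind>BHO|TB|[um]Run|Trusted Zone):\s*(?P<rest>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str    # BHO, TB, uRun, mRun or Trusted Zone
    name: str    # display name (BHO/TB) or Run value name
    clsid: str   # CLSID for BHO/TB, empty otherwise
    target: str  # file path (BHO/TB), command line (Run) or domain\host (Trusted Zone)
    raw: str     # the original log line


def parse_dds(text):
    """Parse the recognised DDS line types into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind in ("BHO", "TB"):
            c = CLSID_RE.search(rest)
            clsid = c.group(0) if c else ""
            name = rest[:c.start()].rstrip(": ").strip() if c else ""
            tail = rest[c.end():] if c else rest
            entries.append(Entry(kind, name, clsid, tail.lstrip(" -").strip(), raw.strip()))
        elif kind.endswith("Run"):
            rm = RUN_RE.match(rest)
            name = rm.group("name") if rm else ""
            cmd = rm.group("cmd") if rm else rest
            entries.append(Entry(kind, name, "", cmd.strip(), raw.strip()))
        else:
            entries.append(Entry(kind, "", "", rest.strip(), raw.strip()))
    return entries


def triage(entries):
    """Return (severity, raw_line, reason) for entries that match the patterns removed in this thread."""
    findings = []
    for e in entries:
        if e.kind in ("BHO", "TB") and not e.target:
            # A CLSID registered as a browser add-on but with no file behind it: orphaned
            # registration, or a loader whose file the log could not resolve.
            findings.append(("high", e.raw, "CLSID registered but no file path (orphaned or hidden loader)"))
        elif e.kind.endswith("Run") and "rundll32" in e.target.lower() \
                and re.search(r"\\appdata\\(local|roaming)\\", e.target.lower()):
            # Legitimate software rarely autostarts a DLL from the user profile via rundll32.
            findings.append(("high", e.raw, "rundll32 loads a DLL from the user profile at logon"))
        elif e.kind == "Trusted Zone":
            # Trusted Zone sites run with relaxed IE security; each one should be deliberate.
            findings.append(("review", e.raw, "site runs with relaxed IE security; confirm it was added on purpose"))
    return findings


if __name__ == "__main__":
    for severity, raw, reason in triage(parse_dds(SAMPLE_DDS)):
        print(f"[{severity:6}] {raw}\n         {reason}")
```

Run it as-is to see the sample triaged; to use it on a real DDS.txt, read the file and pass its text to `parse_dds`. The "review" severity for Trusted Zone entries is intentional: the helper cleared all of them, but on another machine some may be legitimate, so the script reports rather than decides.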

Thank you very much. And thank you for all your other help so far. I really, really appreciate it. I will start on this right away.

One more question: I have an external hard drive plugged into a usb port, backing up my computer at all times. I probably should have asked this at the beginning, but I always forget it’s there. Should I unplug it, or do I need to change any scan parameters?

Ok, here is the new scan. After the log was created, when I tried to open IE, I got the statement “Illegal operation attempted…,” like I did before. But then I restarted the computer and it was fine.

I’ve tried a few random searches on google, bing, and yahoo, and they all seem to be working great! No redirecting. :slight_smile:

I’m still working without my router hooked up. I didn’t want to connect that again until you say it’s ok to try.

Should I unplug it, or do I need to change any scan parameters?
Just go ahead and leave it. ---------
I got the statement "Illegal operation attempted...," like I did before. But then I restarted the computer and it was fine.
That is just fine....nothing to worry about. ---------
I'm still working without my router hooked up. I didn't want to connect that again until you say it's ok to try.
Go ahead and hook it up and use it for the next steps. :)

http://i1224.photobucket.com/albums/ee380/jeffce74/java.jpg
I see that your Java software is out of date. Please go to Start >> Control Panel >> Programs and Features >> uninstall all versions of Java.

Now download and install the newest version from here >> http://java.com/en/download/index.jsp

Clear Java Cache

See this page for instructions on how to clear java’s cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
[*]Under Temporary Internet Files, click the Delete Files button.
[*]There are three options in the window to clear the cache - Leave ALL 3 Checked
Downloaded Applets
Downloaded Applications
Other Files
[*]Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
[*]Click OK to leave the Java Control Panel.



http://i1224.photobucket.com/albums/ee380/jeffce74/mbam-3.jpg
Malwarebytes

Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
[*]Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*]Turn off the real time scanner of any existing antivirus program while performing the online scan
[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Click Start
[*]Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*]Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*]Click Scan
[*]Wait for the scan to finish
[*]When the scan is done, if it shows a screen that says “Threats found!”, then click “List of found threats”, and then click “Export to text file…”
[*]Save that text file on your desktop. Attach the contents of that log as a reply to this topic.
[*]Close the ESET online scan, and let me know how things are now.

I completed the latest scans. I’m attaching the MAMB and ESET scan logs. ESET did find 4 threats.

I tried some more random searches on google, yahoo, and bing, and didn’t get redirected anywhere. My router is hooked up now, but I guess I’ll have to do some reconfiguring or something, because it’s not letting the other computers connect wirelessly. But I don’t think that’s to do with what we’ve done here. I probably just need to reset the password or uninstall or reinstall the router.

You probably saw that someone asked me about the router’s firewall. Should I have that turned on? I’m currently just using the Avast firewall.

Let’s remove this…

First open an elevated command prompt > Click Start and type cmd in Start Search.
When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

Copy the contents of the code box > right click in the command window and select paste >> Press Enter (do one line at a time if there are more than one)


rd "J:\WD SmartWare.swstor\BARB-PC\Volume.82cc7291.2c07.11dd.8056.806e6f6e6963\TDSSKiller_Quarantine" /s /q

Close the Command Prompt box.

I probably just need to reset the password or uninstall or reinstall the router.
I would say that is probably what you need to do. ----------
You probably saw that someone asked me about the router's firewall. Should I have that turned on? I'm currently just using the Avast firewall.
If you have encrypted your router with a good passphrase/word then you should be just fine with using the Avast firewall....that is just what I do myself. --------

What other malware problems are you having now?

Ok, I think I did that correctly. The contents of the code box started with the letters “rd” right?

I do keep getting that message, “You are about to leave a secure internet connection. It will be possible for others to see information you send.” Can I just click “don’t show me this message again”?

Do you have any opinion about the google toolbar? I uninstalled it when the redirect problems started up again. Should be ok to reinstall, right?

As far as I know, I am not having any other malware problems! Everything seems to be running smoothly.

Thank you so much! I can’t tell you how much I appreciate what you have done to help me. I’m very, very grateful!

The contents of the code box started with the letters "rd" right?
Yes that is correct. ----------
"You are about to leave a secure internet connection. It will be possible for others to see information you send." Can I just click "don't show me this message again"?
Yes...just click to not show you any longer. That's what I did. ----------
Do you have any opinion about the google toolbar?
I stay away from any toolbar that is offered. I have never found much use for them and mostly they have always just caused problems. ----------

Providing there are no other malware related problems…

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!!

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

The following will implement some cleanup procedures as well as reset System Restore points:

Press the Windows key + R and this will open the Run box. Copy/paste the following text into the Run box as shown and click OK.
Combofix /Uninstall
(Note: There is a space between the …X and the /U that needs to be there.)

http://i1224.photobucket.com/albums/ee380/jeffce74/CF.jpg


Clean up with OTL:

[*]Right-click and Run as Administrator OTL.exe to start the program.
[*]Close all other programs apart from OTL as this step will require a reboot
[*]On the OTL main screen, press the CLEANUP button
[*]Say Yes to the prompt and then allow the program to reboot your computer.


Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren’t cluttering up your desktop.
If you didn’t already have it I would keep Malwarebytes AntiMalware though.

Here are some tips to reduce the potential for spyware infection in the future:

1. Internet Explorer. Even if you don’t use it as your main browser it should be kept up-to-date because that is the browser Windows uses for updates.
Make your Internet Explorer more secure
- This can be done by following these simple instructions:

[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.

2. FireFox. If you use Firefox, I recommend installing the following add-ons to help make your Firefox browser more secure:
NoScript
AdBlock Plus

3. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
[*]Open Internet Explorer
[*]Click on Tools > Internet Options
[*]Press Security tab
[*]Select Internet zone then place check next to Enable Protected Mode if not already done
[*]Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
[*]Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.

4. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

5. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free

6. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

7. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

8. Finally, I strongly recommend that you read How to Prevent Malware found here and also PC Safety and Security - What Do I Need?.

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Thanks.

Do you have any opinion about the google toolbar?
I stay away from any toolbar that is offered. I have never found much use for them and mostly they have always just caused problems.

That makes sense–I suppose they just add more junk to your computer.

[quote]Providing there are no other malware related problems…

IT APPEARS THAT YOUR LOGS ARE NOW CLEAN[/quote]

That’s nice to hear! :slight_smile:

[b]This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.[/b]

I understand that there are no guarantees. But I am way better off than I was a couple of days ago! So THANKS! ;D

[b]Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop. If you didn't already have it I would keep Malwarebytes AntiMalware though.[/b]

Ok. I did have Malwarbytes, but I guess I don’t run it often enough. I’ll be more careful. I’ll also look through and follow the other tips you have posted.

[b][i]Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.[/i][/b]

I am satisfied and VERY grateful! Thank you again for your help, your patience, and your advice. Is there some appreciation thread on the boards where I can sing your praises to others? :slight_smile:

I am glad that everything is running well and I am glad that I could help. :slight_smile:

I guess if you wanted to tell us thanks somewhere else you can in the General Topics forum if you like, but your thanks here is great! :slight_smile: