Google Redirect Virus

Hello. I seem to have acquired the Google Redirect virus on my system. I have run avast! Antivirus and it cleaned up a host of problems, but it did not remove the Google Redirect virus. I then downloaded and installed Malwarebytes’ Anti-Malware and the results of the scan are below.

Additionally, I followed the instructions at http://forum.avast.com/index.php?topic=53253.0 and downloaded and ran OTS. Attached you will find the results of that scan.

If someone can assist me in removing the Google Redirect virus from my system or advise me as to how I can determine how I can remove the virus, I would be most appreciative. Thank you for your time and assistance in this matter.

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7416

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/9/2011 11:57:46 AM
mbam-log-2011-08-09 (11-57-46).txt

Scan type: Full scan (C:|D:|Q:|)
Objects scanned: 443170
Time elapsed: 1 hour(s), 55 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is part two of the OTS log file.

essexboy will arrive here soon…

Thank you for your reply, Pondus. The results of this scan are as follows:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-10 12:40:02

12:40:02.290 OS Version: Windows x64 6.1.7601 Service Pack 1
12:40:02.290 Number of processors: 2 586 0x603
12:40:02.290 ComputerName: POPPY UserName: David
12:40:04.053 Initialize success
12:40:04.147 AVAST engine defs: 11081000
12:40:17.251 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
12:40:17.251 Disk 0 Vendor: WDC_WD5000BEVT-60A0RT0 02.01A02 Size: 476940MB BusType: 11
12:40:19.294 Disk 0 MBR read successfully
12:40:19.294 Disk 0 MBR scan
12:40:19.310 Disk 0 unknown MBR code
12:40:19.326 Service scanning
12:40:20.714 Modules scanning
12:40:20.714 Disk 0 trace - called modules:
12:40:20.745 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
12:40:20.761 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800430f060]
12:40:20.761 3 CLASSPNP.SYS[fffff8800160143f] → nt!IofCallDriver → [0xfffffa80042fc040]
12:40:20.776 5 hpdskflt.sys[fffff880019a2185] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80042e6060]
12:40:22.134 AVAST engine scan C:\Windows
12:40:28.998 AVAST engine scan C:\Windows\system32
12:42:04.969 AVAST engine scan C:\Windows\system32\drivers
12:42:18.089 AVAST engine scan C:\Users\David
12:57:50.378 Disk 0 MBR has been saved successfully to “C:\Users\David\Desktop\MBR.dat”
12:57:50.378 The log file has been saved successfully to “C:\Users\David\Desktop\aswMBR.txt”

12:58:10.088 Disk 0 MBR has been saved successfully to “C:\Users\David\Desktop\MBR.dat”
12:58:10.088 The log file has been saved successfully to “C:\Users\David\Desktop\aswMBR.txt”

On completion of this run, can you check for redirects please?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> 
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> 43 76 41 01 46 1D 0B 42 BC 88 32 E1 34 F3 A6 E7  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> 
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 43 76 41 01 46 1D 0B 42 BC 88 32 E1 34 F3 A6 E7  [binary data]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  382224080 -> C:\Windows\SysWow64\382224080
[Files - No Company Name]
NY ->  85A48F -> C:\Users\David\AppData\Roaming\85A48F
[Custom Items]
:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-
:files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
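The fix above removes one Browser Helper Object, one Firefox extension folder and two files with no version information, then flushes the DNS resolver cache. As an added example that is not part of the thread and not OTS's own code, the PowerShell below does a read-only audit of the same locations, so the indicators can be reviewed before anything is deleted. It assumes Windows 7 or later with an elevated PowerShell 2.0 or newer; the registry and profile paths are standard Windows/Firefox locations, while the "CLSID with no class key", "hex-only name with no CompanyName" and hosts/DNS checks are my own heuristics modelled on the OTS section headings, not OTS's logic.

```powershell
# Added example, not from the thread or from OTS. Read-only audit of the
# persistence locations the fix touched, for review before any removal.
# Assumptions: Windows 7 or later, elevated PowerShell 2.0+; the hex-name and
# "no company name" heuristics are mine, modelled on the OTS section headings.

function Get-RedirectAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Browser Helper Objects. IE loads every CLSID listed under these keys; on
    #    x64 the 32-bit IE reads the Wow6432Node copy, whose classes live under
    #    Wow6432Node\CLSID, so each BHO root is paired with its class root.
    #    A listed CLSID with no class key (what the fix log reported for
    #    {02478D38-...}) is orphaned; a class whose DLL is missing is equally odd.
    $bhoRoots = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'Registry::HKEY_CLASSES_ROOT\CLSID'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    }
    foreach ($root in $bhoRoots.Keys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid  = $key.PSChildName
            $server = "$($bhoRoots[$root])\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $server)) {
                $findings.Add("BHO $clsid -> no CLSID class registered [ORPHAN]")
                continue
            }
            # The (default) value of InprocServer32 is the DLL IE will load.
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables("$dll").Trim('"')
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $findings.Add("BHO $clsid -> $dll")
            } else {
                $findings.Add("BHO $clsid -> '$dll' [DLL MISSING]")
            }
        }
    }

    # 2. Firefox extensions per profile, with write time, so an unrecognised
    #    GUID-named folder like the one the fix moved stands out.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profiles) {
        foreach ($p in Get-ChildItem -LiteralPath $profiles | Where-Object { $_.PSIsContainer }) {
            $ext = Join-Path $p.FullName 'extensions'
            if (-not (Test-Path -LiteralPath $ext)) { continue }
            foreach ($e in Get-ChildItem -LiteralPath $ext) {
                $findings.Add("Firefox ext $($e.Name) in $($p.Name), written $($e.LastWriteTime)")
            }
        }
    }

    # 3. Files modified in the last 30 days in the two folders the fix cleaned,
    #    whose names are only hex digits and which carry no CompanyName resource
    #    (legitimate binaries in SysWOW64 almost always do).
    $since = (Get-Date).AddDays(-30)
    foreach ($d in @((Join-Path $env:windir 'SysWOW64'), $env:APPDATA)) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -Force |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $since -and
                           $_.Name -match '^[0-9A-Fa-f]+$' -and -not $_.VersionInfo.CompanyName } |
            ForEach-Object { $findings.Add("File $($_.FullName) [NO COMPANY NAME]") }
    }

    # 4. hosts entries and per-adapter DNS servers: a redirect that is not a
    #    browser add-on is often a hosts line or a changed resolver. WMI is used
    #    because Get-DnsClientServerAddress does not exist on Windows 7.
    $hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { $findings.Add("hosts: $_") }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $findings.Add("DNS on $($_.Description): $($_.DNSServerSearchOrder -join ', ')") }

    $findings
}

Get-RedirectAudit
```

The script changes nothing; it only lists what it finds, tagged [ORPHAN], [DLL MISSING] or [NO COMPANY NAME] where a line matches one of the heuristics. Those tags are prompts for a closer look, not verdicts: a legitimate add-on left behind by an uninstaller can also appear as an orphaned BHO, and a hosts entry may be one the user added deliberately.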

essexboy,

Thank you for your response and your help. It appears that your fix has removed the Google Redirect virus from my system. Below are the logs after running the fix.

All Processes Killed
[Registry - Safe List]
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Main not found.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}\defaults\preferences folder moved successfully.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}\defaults folder moved successfully.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97}\chrome folder moved successfully.
C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\147903tf.default\extensions\{4389c4bf-9718-46e3-862d-0c48ae138c97} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\SysWow64\382224080 moved successfully.
[Files - No Company Name]
C:\Users\David\AppData\Roaming\85A48F moved successfully.
[Custom Items]
========== REGISTRY ==========
Registry value HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default deleted successfully.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\David\Downloads\cmd.bat deleted successfully.
C:\Users\David\Downloads\cmd.txt deleted successfully.
[Empty Temp Folders]

User: All Users

User: David
->Temp folder emptied: 1085185 bytes
->Temporary Internet Files folder emptied: 3810412 bytes
->Java cache emptied: 858149 bytes
->FireFox cache emptied: 912555694 bytes
->Google Chrome cache emptied: 1905008 bytes
->Flash cache emptied: 68358 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2374966 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50534 bytes
RecycleBin emptied: 9235502 bytes

Total Files Cleaned = 889.00 mb

[EMPTYFLASH]

User: All Users

User: David
->Flash cache emptied: 0 bytes

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 08102011_145856

Files\Folders moved on Reboot…
C:\Users\David\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

If you are still happy tomorrow, let me know and I will remove my rubbish ;D

Everything is still great. Thank you for all your help, essexboy!! Are there any resources you can recommend where I can learn to analyze the output of the logs and remove the virus myself in the future?

There is a tutorial for OTL at the GeeksToGo website, but as to determining which files to delete, that will need some research and training.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point:

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones:

[*]Go to Start > All Programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:


Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date, visit:

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?

Keep safe :wave: