Google Redirect Virus (Rootkit?) - Need Help

[killerwave7]

Hi,

About a week ago, I was using Google Chrome and I noticed that when I clicked certain links in my various searches. These searches would be about anything such as microfluidic devices for bioengineering (my major) or current events or even wanting to buy something but most of the times when I click these links for the first time they redirect me to a website that has no relation to the google searches or link I clicked on. Usually, I click the back button and click the link again and then it does work for me. However, this is a very annoying problem especially if I am trying to work on a presentation for my class and all the google scholar articles I click or webpage searches result in random advertisements and unrelated webpages.

I immediately did some online researching about the problem and read through some forums and guides especially ones that talked about asking for assistance when dealing with HijackThis, Malwarebytes Anti-Rootkit, ComboFix, TDSSkiller etc... I did a good amount of reading and I know not to touch many things unless you are trained and absolutely know what you are doing since you could cause serious damage to your operating system and windows services. Even if somehow in checking my HOSTS file and DNS settings and using TDSSkiller to just check somehow resulted in fixing the problem, I want to make sure that I am not infected and possibly check for other infections I am not aware of. I really like the Malwarebytes software and I have performed full scans with the anti-bytes program, and I also use AVG anti-virus (which I know many anti-viruses don’t detect rootkits and I can also disable it when needed). I have not had any problems like this in the past and I am pretty careful on clicking things and downloading anything. I have a good knowledge on many things from over the years but I am not a technically trained expert on software and how a lot of these things really work (on the real deep level).

I humbly come to this forum asking for help to check my computer (I am using a laptop) and learn something new

I also greatly appreciate the amount of time and effort that many of the helpers/volunteers/staff on here offer to the community (I guess you could call me a silent observer).

Thanks in advanced for reading!

~ Andrew

dds.txt

attach.txt

[jeffce]

Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  
• The fixes are specific to your problem and should only be used for the issues on this machine.
  
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  
• It's often worth reading through these instructions and printing them for ease of reference.
  
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  
• Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them

with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

---------

[jeffce]

Please download aswMBR to your desktop.

• Double click the aswMBR icon to run it.
  
• Click the Scan button to start scan.
  
• If you are asked to update the Avast Virus database please allow it to do so.
  
• When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.

Click the image to enlarge it

----------

[killerwave7]

Hi Jeff,

I downloaded aswMBR and updated the database. Afterwards I clicked scan and it proceeded up until it finished scanning all the services, then I saw 1 red line afterwards and then the scanning of the computer began. However, very shortly afterwards (about 2-3 seconds), the blue screen of death appeared and I had to restart my computer.

I performed the scan again just to see if it would work a second time (total of 2 scans performed including the previous one before I replied here) and it did the same thing again with the blue screen of death.

[jeffce]

Ok let's try a different tool.

Please download TDSSKiller

• Double click TDSSKiller.exe
  
• Press Start Scan
  
• Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct
  items.
  
• Attach the log in your next reply
  
  • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    

----------

[killerwave7]

Hi Jeff,

Here is the log from TDSSKiller

TDSSKiller.2.8.15.0_01.12.2012_20.26.54_log.txt

[jeffce]

Download Combofix from the link below, and save it to your desktop.

Link

**Note: It is important that it is saved directly to your desktop**

If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt for further review.

----------

[killerwave7]

Here is the ComboFix log

ComboFix.txt

[jeffce]

How is your system running?

[killerwave7]

Hi Jeff,

I still get redirects to random websites after clicking google links. Also, I noticed that I have been getting more BSOD's from yesterday evening and when I try to click on the solution that Windows offers me (the link to the Microsoft KB article), the BSOD happens again and again. I was able to click it once last night and it discussed trojan/malware but I couldn't really get any more information from that. I'm thinking that maybe I should also free up some disk space (I have about 24.0GB free out of a 451 GB hard drive)?

[jeffce]

AdwCleaner

Please download AdwCleaner by Xplode onto your desktop.

• Double click on AdwCleaner.exe to run the tool.
  
• Click on Search.
  
• A logfile will automatically open after the scan has finished.
  
• Please post the contents of that logfile with your next reply.
  
• You can find the logfile at C:\AdwCleaner[R1].txt as well.
  

----------

[killerwave7]

Here is the logfile from AdwCleaner

AdwCleanerR1.txt

[jeffce]

AdwCleaner

• Close all open programs and internet browsers.
  
• Double click on adwcleaner.exe to run the tool.
  
• Click on Delete.
  
• Confirm each time with Ok.
  
• You will be prompted to restart your computer. A text file will open after the restart.
  
• Please post the contents of that logfile with your next reply.
  
• You can find the logfile at C:\AdwCleaner[s1].txt as well.

----------

[killerwave7]

Here is the logfile from AdwCleaner [delete] option

AdwCleanerS1.txt

[jeffce]

Are you still getting redirects?

[killerwave7]

I did some browsing and it looked like there were no more redirects and then I got one just now. I have a feeling something is still around somewhere

[jeffce]

When you go the redirect, what browser were you using?

[killerwave7]

Google Chrome

[jeffce]

Sometimes the easiest way to fix Google Chrome is to uninstall it and then reinstall a fresh copy. You can download a fresh copy of Google Chrome from here.

[killerwave7]

I tried to uninstall Google Chrome by clicking on All Programs -> Google Chrome -> Uninstall

I clicked on uninstall after the first popup (where you check clear browsing data, change default browser, etc...) and received the Blue Screen of Death error immediately after

I tried it again and I got the exact same error at the exact same place.

[jeffce]

Try to uninstall by going to Control Panel >> Programs and Features.

[killerwave7]

I received the same Blue Screen of Death after clicking uninstall at the window (with the clear browsing data, change default browser, etc...

[jeffce]

Are you still able to see Google Chrome in your Programs and Features window?

[killerwave7]

Yes and now when I try to open it (after all these BSOD's), it seems the interface has changed into what I'm thinking is the newer version of Google Chrome. All my bookmarks and saved data seems to have been kept, only the look of Chrome is different aside from user profiles (it did prompt me to set up or log in but I just said skip for now).

Basically, Chrome works and for the past hour I have not encountered any redirects although I would probably wait some more time to see what happens.

I think my bigger problem would be the BSOD's and why they are occurring but that's just my thought.

[jeffce]

Ok good....run a new scan with DDS and when complete only post the Attach.txt