Infected with Google Redirect / Windows Recovery


I am attempting to repair a computer that has been infected with 'Windows Recovery' and the search engine redirect malware. After reading some forum posts, I have tried the following attempts to clean the computer.

Initially, Avira AntiVir alerted the following:

Virus or unwanted program 'TR/Rootkit.Gen [trojan]'

C:\Windows\System32\spool\prtprocs\w32x86\625F93F.tmp.

C:\Windows\System32\spool\prtprocs\w32x86\2162F.tmp

C:\Windows\System32\drivers\579711D.sys.

C:\Windows\System32\drivers\6263E8.tmp.

C:\Windows\System32\drivers\1324E9C.sys

C:\Windows\System32\drivers\2233E8.tmp

C:\Users\liz\AppData\Local\Temp\ldr2220.tmp

C:\Users\liz\AppData\Local\Temp\ldr3e4a.tmp

C:\Users\liz\AppData\Local\Temp\-213E8.tmp

C:\Users\liz\AppData\Local\Temp\ldr3e3b.tmp

The files 'C:\Users\liz\AppData\Local\Temp\ldr3e4a.tmp' & 'C:\Users\liz\AppData\Local\Temp\ldr224f.tm' contained a virus or unwanted program 'TR/Alureon.CD.6' [trojan].

In an attempt to stop the 'Windows Recovery' malware, I performed a System Restore. The Google redirect issue seems to persist, so I attempted the following:

Started in Safe Mode. Ran 'CleanUp!' to clean up files.

Scanned with:

SUPERAntiSpyware - cleared some cookies.

Malwarebytes' Anti-Malware - cleared some cookies.

SpyBot Search & Destroy - cleared some cookies.

HijackThis - log file attached*

Restarted computer, in normal mode, redirect malware still exists. Followed instructions on this forum:

Ran DDS - log file attached*

Ran GMER - log file attached*

RKill iExplore - the following process was stopped (C:\Windows\System32\grpconv.exe)

Hitman Pro 3.5 - cleared some cookies.

Avira AntiVir scan - log file attached*

Downloaded TDSSKiller. Extracted to desktop, clicked 'run as administrator' - though nothing happens.

Any help would be greatly appreciated. :)

attach.zip

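As an added example (not code from the thread or from Malwarebytes), a small Python triage helper that applies the drop pattern visible in the Avira detections above: random hex-named .tmp/.sys files under spool\prtprocs, drivers, and the user Temp folder. The directory set and the stem pattern are assumptions drawn only from the paths in this post; a hit is a candidate for upload and review, not a verdict (the thread's own VirusTotal results show that a clean scan result does not settle the question either way).

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional

# Drop locations taken from the Avira detections in the original post
# (assumed set; compared case-insensitively).
SUSPECT_DIRS = {
    r"c:\windows\system32\spool\prtprocs\w32x86",
    r"c:\windows\system32\drivers",
}
TEMP_MARKER = r"\appdata\local\temp"

# Stems that look machine-generated: hex digits, optionally prefixed with
# "ldr" or "-" as in ldr2220.tmp and -213E8.tmp (assumed pattern).
RANDOM_STEM = re.compile(r"^(?:ldr|-)?[0-9a-f]{4,}$", re.IGNORECASE)


def classify(path: str) -> Optional[str]:
    """Return a reason string if the path matches the drop pattern, else None."""
    p = PureWindowsPath(path.strip().rstrip("."))  # Avira lines may end with "."
    parent = str(p.parent).lower()
    suffix = p.suffix.lower()
    if suffix not in (".tmp", ".sys") or not RANDOM_STEM.match(p.stem):
        return None
    if parent in SUSPECT_DIRS:
        return f"random-named {suffix} in {p.parent}"
    if TEMP_MARKER in parent:
        return f"loader-style {suffix} in user temp"
    return None


def triage(lines: Iterable[str]) -> Dict[str, str]:
    """Map each flagged path (as written in the log) to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    for line in lines:
        reason = classify(line)
        if reason:
            flagged[line.strip()] = reason
    return flagged


# Constructed sample: paths from the original post plus two benign controls.
SAMPLE = [
    r"C:\Windows\System32\spool\prtprocs\w32x86\625F93F.tmp.",
    r"C:\Windows\System32\drivers\579711D.sys.",
    r"C:\Users\liz\AppData\Local\Temp\ldr2220.tmp",
    r"C:\Users\liz\AppData\Local\Temp\-213E8.tmp",
    r"C:\Windows\System32\drivers\FwLnk.sys",  # vendor driver, VT 0/42 in the thread
    r"C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{path}: {reason}")
```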

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Then run DDS again and post DDS.txt; please post all logs directly into your reply instead of attaching them unless otherwise specified.

Apologies, I forgot to include the Malwarebytes log.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6153

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.19019

25/03/2011 4:54:57 PM

mbam-log-2011-03-25 (16-54-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 253858

Time elapsed: 1 hour(s), 4 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Staff

Hi,

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\system32\DRIVERS\17479511.sys

c:\windows\system32\DRIVERS\FwLnk.sys

c:\users\liz\Desktop\Virus Removal Tool\setup_9.0.0.722_23.03.2011_12-09[1]\startup.exe

c:\windows\system32\DRIVERS\17479512.sys

Post the results in your reply.

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


**RESULTS from VirusTotal**

File name: 17479511.sys

Submission date: 2011-03-25 09:21:18 (UTC)

Result: 0/ 41 (0.0%)

File name: FwLnk.sys

Submission date: 2011-03-25 09:12:59 (UTC)

Result: 0/ 42 (0.0%)

File name: startup.exe

Submission date: 2011-03-25 09:11:22 (UTC)

Result: 0/ 43 (0.0%)

File name: 17479512.sys

Submission date: 2011-03-25 09:17:25 (UTC)

Result: 0/ 43 (0.0%)

**RESULTS from ESET Online Scanner**

I have a slow internet connection and I am unable to get this online scanner to work.

Results of screen317's Security Check version 0.99.10

Windows Vista Service Pack 2 (UAC is disabled!)

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

WMI entry may not exist for antivirus; attempting automatic update.

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 24

Java SE Runtime Environment 6

Adobe Flash Player

Adobe Reader 7.0.8

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Spybot Teatimer.exe is disabled!

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

Thank you for your assistance. The redirect issue in Google seems to have gone.

However, I am now having an issue with Malwarebytes.

To ensure I have access rights, I run as Administrator. However, when I attempt to update Malwarebytes I receive the following error:

PROGRAM_ERROR_UPDATING (5,0, CreateFile)

Access Denied.


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


  • Staff

Glad to hear it! :D

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 5 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
