Google redirect - need a hand with post-malware-removal fix

16k_zx81

Machine with a Google redirect. Browser displayed:

you have a virus on your system that is taking over %WINDIR%
I was in a hurry to get the job done and botched the removal.

Ran OTC
ipconfig /flushdns /c
[purity]
[emptytemp]
[emptyflash]
[resethosts]
Ran Malwarebytes.

I should have done the removal manually.

The page is gone, but now I get 'unable to display webpage [diagnose]' for Google and some other sites. Most direct links display OK.

checked DNS - ok
checked proxies - ok
reset hosts file from MVPS
reset IE
reset TCP/IP
reset catalogue
flushed DNS cache

no fix

Ran HijackThis - nothing malicious.

In a rush to get this one finished as I am going away for the weekend. Can someone lend a hand?
 
Yes, did rootkit scans - nada.

Yes, did MBAM scan - positive results but no fix. It was either OTC or MBAM that left the redirect semi-intact. My fault for rushing things though. Should have been more methodical.

Didn't know ComboFix was working on OSes other than XP. Thanks AT for putting me onto that.

Ran it on the machine and the redirect is fixed.

Much appreciated! :)
 
Somehow some infections can do the proxy without it showing in IE settings or in apps like HJT. I don't yet know how, but Hitman Pro seems to find it and reset it just fine. It's my first port of call now - cr**s on MBAM for tricky infections. If you're not using Hitman yet then I highly recommend checking it out. It often removes rogueware plus their supporting rootkits in one scan.
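An added example, not code from anyone in this thread, that puts MobileTechie's point about proxies that do not show in the IE dialog together with 16k_zx81's reset list (flush DNS, reset hosts, reset TCP/IP, reset the Winsock catalogue) into one audit-then-reset script. The per-user values the IE dialog reads (ProxyEnable, ProxyServer, AutoConfigURL) are only one place a proxy or redirect can be configured; the script also walks the machine-wide WinHTTP proxy (netsh winhttp), the binary DefaultConnectionSettings blob under Internet Settings\Connections, static NameServer overrides under Tcpip\Parameters, the hosts file, and the Winsock provider catalogue. Assumptions: an elevated PowerShell prompt, English netsh output (the 'Provider Path:' and 'Direct access' string matches), the documented blob layout with the flags DWORD at byte offset 8, and a constructed default -Domains list (google.com, www.google.com) standing in for whatever sites the customer cannot reach. The -Reset switch and the $findings report are this example's own names, not a tool from the thread.

```powershell
# Added example, not code from the thread. Audits the places a proxy or DNS
# redirect can be set on Windows and optionally resets them.
# Run from an elevated PowerShell prompt. Assumes English netsh output and the
# documented DefaultConnectionSettings layout (flags DWORD at byte offset 8).
param(
    [switch]$Reset,
    [string[]]$Domains = @('google.com', 'www.google.com')  # constructed default
)

$findings = @()
$isKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. WinINet (per-user) settings, for every loaded profile, not just the one
#    you are logged in as. This is what the IE dialog and HJT show you.
$userHives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $userHives) {
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$isKey"
    if (-not (Test-Path $key)) { continue }
    $s = Get-ItemProperty $key
    if ($s.ProxyEnable -eq 1 -or $s.ProxyServer -or $s.AutoConfigURL) {
        $findings += "[$($hive.PSChildName)] ProxyEnable=$($s.ProxyEnable) ProxyServer=$($s.ProxyServer) AutoConfigURL=$($s.AutoConfigURL)"
    }
    # The Connections blob is what IE actually honours. Flags at offset 8:
    # 0x02 = manual proxy, 0x04 = PAC script, 0x08 = auto-detect.
    $conn = Get-ItemProperty "$key\Connections" -ErrorAction SilentlyContinue
    $blob = $conn.DefaultConnectionSettings
    if ($blob -and $blob.Length -ge 12) {
        $flags = [BitConverter]::ToUInt32($blob, 8)
        if ($flags -band 0x06) {
            $findings += "[$($hive.PSChildName)] DefaultConnectionSettings flags=0x$($flags.ToString('x')) (proxy or PAC bit set)"
        }
    }
}

# 2. Machine-wide WinHTTP proxy: used by services, never shown in the IE dialog.
$winhttp = (netsh winhttp show proxy) -join "`n"
if ($winhttp -notmatch 'Direct access') { $findings += "WinHTTP proxy: $($winhttp.Trim())" }

# 3. Hosts file entries for the domains that "cannot be displayed".
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in Get-Content $hostsPath) {
    $t = ($line -replace '#.*$', '').Trim()
    if (-not $t) { continue }
    $names = @($t -split '\s+' | Select-Object -Skip 1)
    foreach ($d in $Domains) {
        if ($names -contains $d) { $findings += "hosts: $t" }
    }
}

# 4. DNS overrides: a static NameServer wins over the DHCP-supplied one.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$g = Get-ItemProperty $tcpip
if ($g.NameServer) { $findings += "global NameServer override: $($g.NameServer)" }
foreach ($if in Get-ChildItem "$tcpip\Interfaces") {
    $p = Get-ItemProperty $if.PSPath
    if ($p.NameServer) {
        $findings += "static DNS on $($if.PSChildName): $($p.NameServer) (DHCP offered $($p.DhcpNameServer))"
    }
}

# 5. Winsock LSPs: a provider DLL outside System32 is worth a look
#    (heuristic only; a malicious LSP can be dropped into System32 too).
foreach ($m in (netsh winsock show catalog | Select-String '^\s*Provider Path:\s*(.+?)\s*$')) {
    $path = $m.Matches[0].Groups[1].Value
    if ($path -notmatch '(?i)\\system32\\') { $findings += "Winsock provider outside System32: $path" }
}

if ($findings.Count -eq 0) { 'No proxy/DNS overrides found in the checked locations.' }
else { $findings | ForEach-Object { "FOUND: $_" } }

if ($Reset) {
    # The OP's reset sequence plus the WinHTTP proxy. Does not rewrite the
    # Connections blob; IE's own Reset does that.
    netsh winhttp reset proxy | Out-Null
    foreach ($hive in $userHives) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$isKey"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
            Remove-ItemProperty -Path $key -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
        }
    }
    netsh winsock reset | Out-Null
    netsh int ip reset | Out-Null
    ipconfig /flushdns | Out-Null
    'Reset done; reboot before testing again.'
}
```

Run it without -Reset first, logged on as the affected user, and compare what it reports against the IE dialog: a WinHTTP proxy, a PAC bit in the Connections blob, or a static NameServer will all give the "checked proxies - ok" result while still redirecting. Then run with -Reset, reboot, and re-test the sites that were failing.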
 

Thanks MobileTechie

I have used it a couple of times, having heard great things about it around the tracks. Will spend some more time investigating with infected machines as they come in.
 

Care to share the log at C:\ComboFix.txt ? It should let us all know how it fixed the redirect.
 
To MobileTech: does Hitman have a tech licence?

The licence says: "The "Free Licence" permits you to use one copy of the Software solely for personal, non-commercial purposes (service desks, computer repair centers and other businesses that serve home users are excluded from this restriction)."

So it's free for us to use for home users.
 
Who Should Use Hitman Pro?

When you find out let us know...

Below is their response about using it on a customer machine. Now, considering that, slightly different terms are listed here... http://www.surfright.nl/en/hitmanpro and we may well fall into this category as well. Look under the section "Who Should Use Hitman Pro?"

It seems to me that the free version could be used, and the free one-time clean license could be used once per home user computer. If it is a commercial computer, then the per-incident version would need to be used.

Thoughts?

Tom

**********************************
From: "Lisa Turkenburg"
Date: March 10, 2011 3:54:48 AM EST
To: "Tom Seagrove"
Subject: RE: HitmanPro Tech Licensing
Good morning Tom,

Thank you for your email.

First of all you can always download Hitman Pro on every computer for free.
Then when Hitman Pro detects malware you need to activate a license.

I think in this case the best type of license is our Incident License.
Please take a look at our website for more information:
http://www.surfright.nl/en/shop/business

These licenses stay active for three (3) days and will deactivate automatically.

Please let me know if you have any further questions.

Kind regards,

Lisa Turkenburg
Support & Office Manager

SurfRight B.V.
Lansinkesweg 4
7553 AE Hengelo
The Netherlands
www.surfright.com
 