What Next

Well not really sure this is the correct forum to post this but.....

Ran Malwarebytes, did some cleaning of some nasties.
Ran Eset afterwards and it found more that Malwarebytes didnt pick up. Cleaned that up with Eset.

When I use google it redirects me to another website than what I clicked on.

So I still have something thats not getting picked up by the scanners....... Whats Next.

 

scan in safe mode with superantispyware, dr web free, etc.

 

give hitman pro a spin.......http://www.surfright.nl/en/hitmanpro

 

Get some professional help to clean the rest of the malware! https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3

TH

 

If HMP doesn't resolve the issue you may want to consider running Combofix and have someone check the log.

- I'd also recommend that your check your hosts file to make sure it lists only 127.0.0.1 localhost unless you know for sure the other entries below it are legit.

- Check the DNS entries in your router and for your network card to make sue they are correct for your router or ISP. I'd recommend using either OpenDNS or Google DNS since they generally resolve faster than your ISP and provide other layers of protection.

- Try using Firefox or Chrome

 

Checked Host file and 127.0.0.1 is the only entry, besides the 2 microsoft put above it for examples. No other entries below 127...

will have to check Router tomorrow

Already using Firefox. No IE

 

Try A-Squared, VERY powerful scanner

 

The link in post #4 is very good, but it's a lot of information.
You could also try the Avira rescue CD, and Dr Web's LiveCD.

 

Please don't get me wrong, but unless you enjoy (I doubt it, but some do) investigating/cleaning your system, there is only one sure way to clean up your computer: restoring a backup image, and if you don't have one a clean re-installation of Windows.

Security applications should prevent malware from tampering with your system, once they fail (it doesn't matter which, why, what, when, and how) you might have to spend hours, consulting specialized forums, and before you get an answer/solution, 2-3 days might have gone by...

Restoring an image backup takes from 5-20 minutes (my machines: 5 minutes and 8 minutes), and nowadays it has become very easy.

 

Funny I was just thinking this morning as my feet hit the floor, by the time I wait for responses, take a dozen different suggestions and try 3 more programs that may or may not work. That even though its a pain in the butt, backing up files, format and reinstall, im probably better off getting a clean slate that way I know everything is gone.

The problem I have now though is, what programs do I use from here on out so it doesnt happen again.
One of the 3 perhaps?
DefenseWall / GesWall / Sandboxie

 

If you decide on a clean re-installation of Windows, before you even import your private data, try a free backup program like Macrium Reflect:

http://www.macrium.com/reflectfree.asp

I personally use something else which is not free, but judging from the excellent feedback from other members, it seems to work very well (don't forget to try to restore an image straight away, it is the only way to make sure it works).

As to which sandbox/virtualizer to use in the future, you should really try them out. My personal inclination would be towards Shadow Defender (A virtualizer, I use it on 2 machines), Sandboxie has become something close to a cult application here at Wilders (I don't use it, as I think SD is enough for my habits), Returnil also offers antivirus protection along with virtualization, Defense Wall also enjoys an excellent reputation. Perhaps to know more about each of these applications a search about past threads would help a lot.

 

Looks like you have the nasty TDL3 rootkit infection. All of the above mentioned products are unable to find this infection (though they are able to find the stuff that this rootkit is installing like rogue anti-malware but the rootkit remains).

If you search for "google redirect virus" in the last week you'll notice a lot of people are having this infection. Most of them running AV software that that didn't prevent the infection. TDL3 changes it's dropper constantly resulting in that AV products relying mostly on definitions always trail behind. You need a good behavioral product to prevent infection.

Only Hitman Pro 3.5 and Combofix are currently able to find and cure the newest variants of this rootkit (you can also use Dr.Web but that one cures only the older variants).

Also, if you have a hard disk driver other than atapi.sys then Combofix won't work. So if you have a board with Intel, Nvida or Via chipset drivers installed Combofix won't work.

If you run Vista and have the Intel drivers installed, make sure you disable the iaNvStor driver as this driver is incompatible with Hitman's scanning technology resulting in that the rootkit is not detected.

 

What kind of products are these?

 

well........threatfire/mamutu/prevx......

 

Ok I downloaded HitMan Pro to see what it would do and....

So is this saying that the malware was detected by all these products?

Second can I safely delete or am I going to have problems, since it appears it is a hard drive driver.

 

HMP is doing the hard work...now just let it clean up and replace the driver. Reboot and scan with HMP again.

There is also tdss killer.

 

I think I saw somewhere here on the boards that whatever is in the HMP list is the product(s) that picked up the malware. If its not listed then that product didnt pick it up. Is that True?

 

The problem is that even though the mentioned AV products have recognition for the infection, the products itself are not up to the task to find the infection when the rootkit technology is active. It's HMP finding and removing the rootkit while the rootkit cloaking technology is active. So you really can't say that the mentioned products would have found and removed the rootkit.

 

Very nice work by Hitman Pro and good guess by erikloman.

 

Rootkit TDL3