Persistent Malware, www-info.com, IE redirects

I don’t know what this customer stepped in, but it’s pretty nasty.

Trashware: pop-ups to the extent that the computer was useless. I manually removed many of the usual suspects with Revo Uninstaller (on the most aggressive setting) and Windows Programs and Features for the ones that Revo could not find. Of course they came back after the first reboot.

I ran Bleeping Computer's RKill and The Killer, a similar utility that I downloaded from Bleeping Computer a year or two ago. Having done that I ran Malwarebytes, Superantispyware, ADW Cleaner, Kaspersky's TDSS Killer, Bleeping Computer's Junkware Removal Tool, HiJackThis, ESET's online scanner, Norton Power Eraser, Trend Micro's Housecall, Combofix, and Hitman Pro. Process Explorer does not show anything running that I can identify as bad or unusual. Several times when I checked to see if things were actually being corrected, I found that Search Protect had reinstalled itself. And each utility finds different PUPs and Trojans. Nothing has run clean yet.

I have run several of the utilities several times. I have also reset IE several times, and set the start page to msn.com after setting it to the default did not work. When I open IE, the start page is www-search.info no matter what I do, and when I try to go to a web page, especially one that is involved in antivirus, a new IE window opens with either a fake Java update (Java is not installed), a fake Flash Player update, or a page allegedly from Microsoft Security Essentials telling me to call a particular phone number for help. There are no unusual toolbars or extensions listed in Internet Options, and the only search provider is Bing. I am unable to install Google as a search provider. Sometimes when I recheck, Trovi is listed as a search provider. IE without add-ons displays a start page that announces that IE is running without add-ons, but behaves normally when I click the Home icon.

I suspect that when I come back to the computer in the morning, some if not all of the problems will have returned.

The OS is Windows 7.

Short of a complete reinstallation of Windows, is there anything that can be done to make this computer useful?
rhaveyAsked:
 
NVITCommented:
Have you tried a different user logon? If that works, maybe...
1. Back up any data from the affected user.
2. Recreate that profile.
3. Copy the data over.
0
 
Scott GorcesterCTOCommented:
It looks like you took logical steps to solve this; it's your call when you choose to wipe and reinstall. Seems to me now would be an appropriate time.
0
 
Michael FowlerSolutions ConsultantCommented:
This link outlines the steps needed to remove "Search Protect". The basic steps are below; see the site for more detailed info.

STEP 1: Uninstall Search Protect by Conduit malicious programs from your computer
STEP 2: Remove Search Protect by Conduit virus from Internet Explorer, Firefox and Chrome
STEP 3: Remove Search Protect by Conduit browser hijacker from your computer with AdwCleaner
STEP 4: Remove Search Protect by Conduit virus with Malwarebytes Anti-Malware Free
STEP 5: Double-check for the Search Protect by Conduit infection with HitmanPro
http://malwaretips.com/blogs/search-protect-by-conduit-removal/
0
 
Natty GregIn Theory (IT)Commented:
What I would do at this point is to take the hard drive out, put it in a USB box, attach it to a working computer, grab the data, then wipe the disk clean and start over fresh.
0
 
andreasSystem AdminCommented:
Flatten and rebuild is the fastest and most secure way to be sure it's clean again. Even if there are no more popups/ads, it's not certain that you got all the nasty things removed. No scanner can detect all problems.

All other solutions are tinkering.

You also may try System Restore if there are any restore points left from before the point of infection. Many things can be stopped this way (but it's not certain that you really killed it totally, see above).
0
 
nobusCommented:
i agree with what most experts say - in a case when heavily infected - the fastest way out is a fresh install
you can try many solutions - but you'll never be sure it is clean
after the install + updates and drivers - you'd best make an image of the drive, so you can return to it fast - if needed
0
 
*** Hopeleonie ***IT ManagerCommented:
Note also that proper malware removal will need a lot of time, so your patience is asked. If this is a corporate environment I strongly recommend reimaging or reinstalling your client, as nobody can give a 100% guarantee that all malware is removed.

Step 1: Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Step 2: Make sure that all options are checked

Step 3: Press "Scan".

Step 4: It will create a log (FSS.txt) in the same directory the tool is run.

Step 5: Please upload the log to your next reply.
0
 
rhaveyAuthor Commented:
This is the scan log.
0
 
nobusCommented:
what?  where?
0
 
rhaveyAuthor Commented:
Trying again.  I hit Submit instead of Upload.  There isn't much in the file.
FSS.txt
0
 
nobusCommented:
it merely says that Windows Defender is not running
did you enable it? from: http://windows.microsoft.com/en-us/windows/turn-windows-defender-on-off#turn-windows-defender-on-off=windows-7
To open Windows Defender
1. Open Windows Defender by clicking the Start button. In the search box, type Defender, and then, in the list of results, click Windows Defender.
2. Click Tools, and then click Options.
3. Click Administrator, select or clear the Use this program check box, and then click Save. (Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.)
0
 
*** Hopeleonie ***IT ManagerCommented:
Download Farbar Recovery Scan Tool (FRST).

Click on the 32-bit version or 64-bit version button. Note it depends on the bit type of your Windows version.

Now run an FRST scan with the default settings.
Please upload both logs in your next reply.
0
 
rhaveyAuthor Commented:
These are the logs of the FRST scans.
FRST.txt
Addition.txt
0
 
*** Hopeleonie ***IT ManagerCommented:
fixlist.txt

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for you, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

After that, uninstall Chrome and reinstall it from:
http://www.google.com/chrome/eula.html?system=true&standalone=1
0
 
rhaveyAuthor Commented:
The fix did not appear to do anything.  The redirect is still a problem.  The log is attached.

I tried a different profile and I do not get a redirect with it.

I had already uninstalled Chrome because it appeared to be corrupt.  I have not reinstalled it.
Fixlog.txt
0
 
NVITCommented:
> I tried a different profile and I do not get a redirect with it.
So this solution helps? http://www.experts-exchange.com/Software/Anti-Virus/Q_28659556.html#a40734912
0
 
dbruntonCommented:
So something in the profile is causing the redirect.

Fire up msconfig at the command prompt and see what is in the Startup Tab.

Or alternatively use Autoruns https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
0
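As an added illustration of the check dbrunton describes (this script is not from the thread or from any of the tools named in it), the following read-only PowerShell inventory lists the per-user locations that travel with a Windows profile: the HKCU Run keys that msconfig's Startup tab draws from, the user's Startup folder, and Internet Explorer's per-user start page and search-provider (SearchScopes) settings. It then flags any entry that references the www-search.info domain named in the question. It assumes the PowerShell 2.0 that ships with Windows 7 and that it is run while logged on as the affected user; the registry paths are standard Windows locations, the function names and the `$SuspectDomain` variable are my own.

```powershell
# Added example, not part of the original thread: read-only inventory of the
# per-user places a browser hijacker typically persists inside a Windows 7 profile.
# Run from a PowerShell prompt as the affected user. It only reads and prints;
# nothing is removed or changed. Written for Windows 7's built-in PowerShell 2.0.

$SuspectDomain = 'www-search.info'   # the unwanted start page reported in the question

function Get-RegistryValues {
    # Emits Location/Name/Value objects for every value under one registry key
    # (emits nothing if the key does not exist).
    param([string]$Key)
    if (-not (Test-Path $Key)) { return }
    $item = Get-ItemProperty -Path $Key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath, PSParentPath, ...
        New-Object PSObject -Property @{
            Location = $Key
            Name     = $prop.Name
            Value    = [string]$prop.Value
        }
    }
}

function Get-ProfileAutostarts {
    # Collects per-user autostart entries plus IE's per-user start page and search providers.
    $results = @()

    # 1. HKCU Run keys: the per-user part of what msconfig's Startup tab shows.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        $results += @(Get-RegistryValues -Key $key)
    }

    # 2. The user's Startup folder: shortcuts here run at logon for this user only.
    $startupDir = [Environment]::GetFolderPath('Startup')
    foreach ($file in @(Get-ChildItem -Path $startupDir -Force -ErrorAction SilentlyContinue)) {
        $results += New-Object PSObject -Property @{
            Location = $startupDir
            Name     = $file.Name
            Value    = $file.FullName
        }
    }

    # 3. IE home page values. 'Start Page' is what the Home button opens; an IE reset
    #    rewrites it, so if it keeps reverting, something that runs at logon is re-applying it.
    $results += @(Get-RegistryValues -Key 'HKCU:\Software\Microsoft\Internet Explorer\Main' |
        Where-Object { $_.Name -match 'Start Page|Default_Page_URL|Search Page' })

    # 4. IE search providers: each subkey under SearchScopes is one provider
    #    (a provider such as Trovi reappearing means its subkey keeps being recreated).
    $scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    foreach ($scope in @(Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue)) {
        $results += @(Get-RegistryValues -Key $scope.PSPath |
            Where-Object { $_.Name -match 'DisplayName|^URL$' })
    }
    return $results
}

$all = @(Get-ProfileAutostarts)
$all | Format-Table Location, Name, Value -AutoSize -Wrap

# Flag anything that points at the unwanted domain so the persistence point stands out.
$hits = @($all | Where-Object { $_.Value -like "*$SuspectDomain*" })
if ($hits.Count -gt 0) {
    Write-Host "`nEntries referencing $SuspectDomain :" -ForegroundColor Yellow
    $hits | Format-Table Location, Name, Value -AutoSize -Wrap
} else {
    Write-Host "`nNo entry in these per-user locations references $SuspectDomain;"
    Write-Host "check the HKLM equivalents, scheduled tasks and Autoruns next."
}
```

Running the same script in the profile that does not redirect gives a clean baseline to compare against; any Run entry, Startup shortcut or SearchScopes subkey that exists only in the affected profile is the first thing to look at, and the Location column tells you which key or folder to inspect in Autoruns.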
 
*** Hopeleonie ***IT ManagerCommented:
Download Kaspersky Virus Removal Tool and run it:
http://www.kaspersky.com/antivirus-removal-tool?form=1

Afterwards, please post the report like this:
Report
Also upload the folder
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

and

C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt
0
 
rhaveyAuthor Commented:
I was hoping for a more elegant solution, but this one did the trick. I hid the old profile from the customer to avoid confusion.
0
Question has a verified solution.