Tuesday, February 7, 2012

Google redirect virus TDSS

After a few funny redirects, I began to suspect that Lisa's laptop had another virus, and sadly found it to be true. Not only is this a virus, but it's an extremely dangerous rootkit and proving difficult to remove.

First, I keyed in some searches on the sites I was being redirected to. Many of the results identified the virus as TDSS and revealed that it's more than just your average virus. Many victims complained that their virus detection and removal software was not working on it. I got the following two links:

This one seems a little too simple to be correct; it just says to turn off JavaScript and then run TDSSKiller. Later it suggests hints to thwart DNS redirections:

http://www.computing.net/howtos/show/how-to-remove-the-google-redirect-virus/415.html

This link is also suspiciously simple-sounding, claiming that TDSSserve.sys will be hiding in the Device Manager and you can just disable it? Then just install your favorite antivirus tools and declare victory? Apparently there's something called "Google-Redirect-Virus-Remover" by name? MalwareBytes and SuperAntiSpyware were both familiar names recommended. Then it also goes into hints for thwarting redirection, particularly checking for proxy server settings. The final hint, however, looks useful: an also-familiar package called "UnHackMe" which apparently detects rootkits.

http://www.ehow.com/how_5842581_remove-google-redirect-virus.html

After refining my searches better, I began to get more serious postings on the topic.

The following link is to 6 pages of directions with screenshots of each step, most of which concern checking for DNS redirection, false hosts tables, proxy servers, etc. Then it recommends TDSSKiller.exe. Then it recommends resetting the router, which I can believe, although it would make me sad to have to figure out how to set up my network again afterwards. After the post, though, are 32 pages of comments full of other hints and tips which I've only skimmed through so far. After reading this, I did everything up to TDSSKiller.exe. The name of the identified virus came back as Win32.ZAccess.k. After running it, I rebooted, ran TDSSKiller again, and it found it again, probably indicating that it's refreshing itself through the registry or Master Boot Record.

http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html
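Since the guide above spends most of its pages on checking for hosts-file tampering, here is an added example (my own, not code from the post or from any of the linked guides) of that check in Python: it parses hosts-file text and flags entries that block or redirect search engines and security-vendor sites. The watched-domain list and the sample hosts content are constructed for illustration.

```python
"""Added example (not from the blog post): flag hosts-file entries that block
or redirect well-known domains. The sample hosts content below is constructed."""
import ipaddress

# Domains that hijackers commonly target in the hosts file: search engines and
# security-vendor sites. This list is an assumption for the example; extend as needed.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "microsoft.com", "kaspersky.com", "malwarebytes.org",
)

# Mapping a host to one of these blocks it rather than redirecting it elsewhere.
SINKHOLE_IPS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return [(ip, hostname, line_no), ...] for every active mapping in hosts-file text.
    Comment text after '#' and lines whose first field is not an IP address are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_redirections(text):
    """Return one finding per watched hostname the hosts file blocks or redirects.
    A 'block' (sinkhole address) is typical for AV update sites; a 'redirect' sends
    the hostname to an address the attacker chose."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not is_watched(host):
            continue
        kind = "block" if ip in SINKHOLE_IPS else "redirect"
        findings.append({"line": line_no, "host": host, "ip": str(ip), "kind": kind})
    return findings


# Constructed sample: stock-style comment lines, the normal localhost entry,
# then one redirect of a search engine and one block of a vendor site.
SAMPLE_HOSTS = """\
# comment lines like these are ignored
# the stock file also carries a commented-out localhost entry:
#\t127.0.0.1       localhost
127.0.0.1\tlocalhost
192.0.2.10\twww.google.com google.com
127.0.0.1\twww.kaspersky.com
"""

if __name__ == "__main__":
    for f in find_redirections(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

To run it against a real machine, read the contents of the system's hosts file (on Windows, under System32\drivers\etc) and pass the text to find_redirections; any finding is worth investigating, since a clean hosts file normally maps nothing but localhost.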

I also kept getting results back for the "atechjourney" blog's posts about this, which seemed knowledgeable but were vague and seemed to be hawking "optimizer" tools. The same vague hints were reiterated in other posts, which also seemed like a bad sign. Lastly, it recommends a paid online removal service, also a bad sign, but one which has also been echoed by other blogs:

http://atechjourney.com/google-redirect-virus-remove-manually.html/

Hints in this forum about what to do if TDSSKiller is not working include renaming TDSSKiller (doesn't seem to be something I need), running Hitman and/or ComboFix (both highly recommended on other forums too), and running TDL-4 from BitDefender:

http://answers.yahoo.com/question/index?qid=20110726110537AADZ9zp

Holy cow, here's a video by a guy who did it. I know that getting rid of this thing would make anybody want to put in the extra hours to help others do it too. The comments are the usual mix of thanks and unsatiated frustration. I expect that I would find several dozen videos on this topic on YouTube:

http://www.youtube.com/watch?v=N4zs42gO_fs

Update: I removed the most recent "scareware" but the rootkit seems to still remain. VERY interesting links from searching on the rootkit's name:

First off, this forum, where a user gets superlative service and is talked through a bunch of fancy ComboFix moves with log after log posted, and the "Kiss ZeroAccess Goodbye" tool is mentioned:

http://www.bleepingcomputer.com/forums/topic413198.html

Here's the link to KISS. It also mentions having to fix ACLs (Access Control Lists), which I guess I'm going to have to learn about:

http://blog.webroot.com/2011/08/03/new-tool-released-kiss-or-kick-zeroaccess-goodbye/

The comment section at the bottom of the release announcement led to another page where the authors of the Anti-ZeroAccess tool revealed how much work they've put into decompiling and understanding how the malware works.

http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/

and

http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/

Anyhow, I'm about to try this Webroot tool, since ComboFix continues to be too scary looking to try.

OK, it found it in netbt.sys, which I recall seeing mentioned somewhere else regarding this rootkit. Rebooting now.

Still there. Now it's in cdrom.sys. I think that I followed this one around this path before.

Here's an AMAZING link from a guy who has to fix this all the time. This is clearly a lot of work and I'm going to have to try this later. I'm definitely dreading the moment this leads to loss of network access, which seems to be the hell that many users end up encased in when they scrub this bug out:

http://remove-malware.com/malware/rootkits/rootkit-zero-access-max-notes/