Another Google Redirect Problem

Hewlett-Packard / Presario 2100 (dz414u)
August 31, 2009 at 18:45:16
Specs: Microsoft Windows XP Home Edition, 2.12 GHz / 702 MB
I also have a Google link redirect problem. I've recently been hit with trojan horses and thought I'd cleaned them out with AVG Free and Malwarebytes' Anti-Malware. It seems the only residual effect now is this redirect problem.

Per the response to another's similar problem, I downloaded and ran RootRepeal and uploaded the results to rapidshare. Here is the link:
http://rapidshare.com/files/2740918...

Can someone please analyze this and help me rid my computer of this annoying scum?

Thank you.




#1
September 3, 2009 at 13:01:50
Here is a fix some people have had success with called GooRedFix:
http://cantalktech.com/2009/03/12/g...

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#2
September 4, 2009 at 12:03:58
Thanks for the suggestion. I have downloaded it and run it, but it didn't behave exactly like the instructions posted on MajorGeeks, i.e., it didn't offer me a menu, just a Yes/No question if I wanted to continue to check and remove the infection. It created the following log file. Also, the MajorGeeks instructions (posted by chaslang, BTW) said the files would be named goored, not gooredfix, so I'm a little confused. Here's the log file:

GooredFix by jpshortstuff (12.07.09)
Log created at 14:55 on 04/09/2009 (default)
Firefox version 3.5.2 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:16 01/09/2009]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [02:29 10/12/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [16:39 22/06/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [00:02 20/07/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [14:49 18/01/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [01:49 01/04/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [16:10 22/06/2008]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:49 18/01/2009]
"avg@igeared"="C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared" [10:17 19/08/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [13:13 16/08/2009]

-=E.O.F=-

There are references to fixing this problem with Firefox, but I have the problem with Google links on IE8 as well.

Anyway, if you can tell me what I should do next,

Thank you.
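As an added example (not code from this thread or from GooredFix itself), a small Python parser for the GooredFix log format quoted above: it pulls the extension entries out of both the extensions directory listing and the HKLM registry section, then flags any entry that appeared on or after a given date and is neither on an assumed allowlist of the well-known IDs seen in this log nor in the Java Console ID family. The sample log, the allowlist and the `unknown@example.invalid` entry are constructed for the example.

```python
import re
from datetime import datetime

# Constructed excerpt in the GooredFix log format quoted in the thread;
# the last registry entry is made up to exercise the flagging logic.
SAMPLE_LOG = r"""========== GooredScan ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:16 01/09/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [01:49 01/04/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:49 18/01/2009]
"unknown@example.invalid"="C:\Documents and Settings\user\ext" [09:12 30/08/2009]
-=E.O.F=-"""

DIR_RE = re.compile(r'^(\S+) \[(\d\d:\d\d) (\d\d/\d\d/\d{4})\]$')
REG_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d\d:\d\d) (\d\d/\d\d/\d{4})\]$')

# Assumed allowlist built from the IDs in the thread's log: Firefox default
# theme, Java Quick Starter, AVG Safe Search and toolbar, .NET Assistant.
KNOWN_GOOD = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}", "jqs@sun.com", "avg@igeared",
              "{3f963a5b-e555-4543-90e2-c3908898db71}", "{20a82645-c095-46ed-80e3-08825760534b}"}
# Java Console add-ons: one ID per Java 6 update, differing only in the 4th block.
JAVA_CONSOLE_RE = re.compile(r'^\{CAFEEFAC-0016-0000-00[0-9A-F]{2}-ABCDEFFEDCBA\}$', re.I)

def is_known(ext_id):
    return ext_id in KNOWN_GOOD or JAVA_CONSOLE_RE.match(ext_id) is not None

def to_time(hhmm, ddmmyyyy):
    # GooredFix stamps every entry as [HH:MM DD/MM/YYYY].
    return datetime.strptime(hhmm + " " + ddmmyyyy, "%H:%M %d/%m/%Y")

def parse_goored_log(text):
    """Return (source, ext_id, path, timestamp) tuples; source is 'dir' or 'registry'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            ext_id, path, hhmm, date = m.groups()
            entries.append(("registry", ext_id, path, to_time(hhmm, date)))
            continue
        m = DIR_RE.match(line)
        if m:
            ext_id, hhmm, date = m.groups()
            entries.append(("dir", ext_id, None, to_time(hhmm, date)))
    return entries

def unknown_since(entries, since_ddmmyyyy):
    """Entries not on the allowlist that appeared on or after the given date."""
    since = to_time("00:00", since_ddmmyyyy)
    return [e for e in entries if not is_known(e[1]) and e[3] >= since]
```

The allowlist keeps the default theme, which was refreshed on 01/09/2009 by a Firefox update, from showing up as a false positive; only entries you cannot account for are worth chasing.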



#3
September 5, 2009 at 08:57:57
GooRedFix didn't eliminate the redirect problem (still existed in IE8 and Firefox 3.5), so I decided to check my system with Malwarebytes AntiMalware again. MBAM rid my system of bogus antivirus popups a few weeks ago, so I updated it yesterday and reran it. At first it found four dlls in my system32 infected with Rootkit.TDSS. It deleted them with a reboot and that seems to have fixed my Google redirect problem, but now it reports a registry key infected with the same Rootkit.TDSS:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmnrwbmlwb (Rootkit.TDSS) -> Quarantined and deleted successfully.

but it isn't deleting it because rescans (after reboots) detect it again and again, with a quick scan or a full scan.

Since my Google redirect problem is apparently solved, should I close this topic and open another one for this rootkit infection, or can someone here suggest how I can rid my system of this rootkit?

Thanks, y'all.



#4
September 5, 2009 at 10:31:39
This link below shows how to use RootRepeal:

http://www.malwarebytes.org/forums/...

RootRepeal you get from this link:

http://rootrepeal.googlepages.com/

Remember we are looking for kbiwkmnrwbmlwb

You could try Sophos Anti-Rootkit (free):
http://www.sophos.com/products/free...

Or the fully functional evaluation copy of UnHackMe:

http://greatis.com/unhackme/downloa...

PS. If you have Spybot S&D, close TeaTimer.
..........



#5
September 5, 2009 at 15:35:26
UnHackMe would be the easiest one to use, most user-friendly for removing the rootkit.




#6
September 7, 2009 at 08:57:29
I am trying UnHackMe but I wouldn't call it user-friendly. It has installed helpers and assistants, required countless reboots and its menu options are numerous and confusing, all this for one rootkit trojan. If I can get any legible results from it, I'll let you know.


#7
September 7, 2009 at 10:58:23
Did you use the beginner guide on the left?
If so, it is extremely easy to follow.




#8
September 7, 2009 at 11:21:14
I don't recall the sequence of actions I took (I hadn't read the beginner's guide) but after it ran the initial check, I don't remember seeing results posted. Maybe I activated a more in-depth check that launched these other programs to install, but in the long run, I think it got rid of the rootkit, at least the one MBAM had found because it is now reporting a clean system.

Thanks for all your help.



#9
September 7, 2009 at 12:05:11
You are quite welcome, thanks for posting back :)


