Nothing will get rid of Google Redirect!

February 15, 2011 at 07:23:27
Specs: Windows XP
Combofix, TDSS Killer, SuperAntiSpyware... I've tried just about everything I've found in whatever forum and nothing even picks it up, much less gets rid of it. It's making my computer run very slowly, and I got the blue screen of death when I turned my PC off the other day. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:45 AM, on 2/15/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17095)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
F:\Program Files\Free Download Manager\fdm.exe
F:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\h mellie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bluedevilsfootball.com/bc/2g...
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - f:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FrostWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all with Free Download Manager - file://f:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://f:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://f:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://f:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - http://upload.facebook.com/controls...
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v5...
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - http://www.seehere.com/ips-opdata/l...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySp...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx2.hotmail.com/mail/w2/res...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - https://webdl.symantec.com/activex/...
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/sh...
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - http://lads.myspace.com/upload/MySp...
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/p...
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v5...
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - f:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7746 bytes

Any help would be great. This is making me nuts.


See More: Nothing will get rid of Google Redirect!

Report •


#1
February 15, 2011 at 14:12:47
Have you tryed Malware Bytes...

http://www.malwarebytes.org/

Personally I would look in my host. file for redirect problems but if it is a rootkit to IE then reinstall IE or anti-virus it.

http://www.brighthub.com/internet/s...


Report •

#2
February 15, 2011 at 14:56:13
Have you tried Prevx 3.0? This will scan for free and identify the virus in less that 5 minutes. Try it: http://info.prevx.com/downloadcsi.asp

If Prevx freezes at "Analyzing the Master boot record" then you have a TDSS rootkit and your MBR is corrupt. So you would need to run recovery console using your Windows CD and run the Fixmbr command.


Best Regards,
Abdiel A. Remon
http://www.embracedsolutions.com


Report •

#3
February 15, 2011 at 15:09:55

Report •

Related Solutions

#4
February 16, 2011 at 21:22:44
I m not sure about combofix but TDSS Killer and Super Anti-Spy ,t hese programs should have deleted google redirect virus from your system. Anyways, now you should try Malware Bytes, i hope that can remove this nasty google redirection hijacker. or you should manually remove it from your system as instructed in manual removal tutorial here
http://darfuns.com/remove-google-se...

TechVTS - Virus removal techniques


Report •

#5
February 18, 2011 at 14:37:54
Running a full scan with MalwareBytes, but the quick scan didn't pick it up. I've tried everything everyone has suggested so far, but it's still here!

Report •

#6
February 18, 2011 at 15:38:31
Did you look at your HOST file yet?

If you don't mind post your HOST file so we can see what it looks like.


Report •

#7
February 19, 2011 at 20:30:49
127.0.0.1 localhost
That is the complete content of my HOST file. Did a full scan with MalwateBytes - found nothing. I tried everything in the video, still nothing. I can't find anything on the internet I haven't tried at least once, and it's still here!!

Report •

#8
February 19, 2011 at 22:38:49
Tried prevx. It keeps scanning, telling me I have infections. So I delete and reboot, but the scan after rebooting says I have the same infections. One of them is supposed to be a game I had way before all this started, and it says I have rsmui4.dll (highly dangerous fraudulent whatever). So I tried to find it, but Windows isn't showing it and Google isn't even telling me what it is.

Report •

#9
May 8, 2011 at 17:10:08
http://bit.ly/lQyVtV will get rid of google / bing / yahoo search redirect virus 100%

Report •

#10
May 8, 2011 at 18:55:03
kahichz88,

Let's see if this will pick it up:

Please download GMER:
http://www.gmer.net/download.php

If you cannot download the file, malware may be blocking the attempt. You need to download it to a clean computer and then transfer it to the infected one using a USB flash drive, or external media (external drive or CD)..

Save the GMER file to the Desktop.

Double-click on gmer.exe

If a Windows security warning appears asking if you would like to run the program, click on the Run button to allow GMER to start.

You may get a warning about rootkit activity and GMER may ask if you want to run a full scan. If this happens, please click on the NO button.

Now, configure GMER.
Please uncheck the following settings:

IAT/EAT
Drives/Partition other than System drive (normally C:\)
Show All

Next, click on Scan (may take a while).
When GMER finishes you will be back at its main screen.

Click on the Copy button (lower right), then right-click on your Desktop, and select: New > Text document.

Once the file is created, open it, right-click again, and select: Paste.

>>Also post the GMER report in your reply.<<


Note: Please, do not take action on any of the information on the GMER report!!

Also download GMER’s mbr.exe: http://www2.gmer.net/mbr/mbr.exe
>>Save it on your C drive (so the file is recognized as C:\mbr.exe).

Go to Start >Run, and type cmd in the blank area
Press: OK
At the command prompt (black screen) type or copy/paste the following commands, one at a time, and press Enter after each:

cd\

mbr.exe -t

Then, type exit and press Enter to close the command window.

The report created in the command window is saved to C:\mbr.log.

>>Please locate the mbr.log, and post it in your reply.<<


Report •

#11
July 14, 2011 at 12:21:25
Im using XP 64 and got a rootkit! Hitman Pro (Free) from cnet fixed it by repairing my MBR (Master Boot Record) Google redirect hijack is gone!

Report •

#12
July 24, 2011 at 14:57:14
Sorry i don't have an answer but this may help other people with the suggestions.

I've recently got the google redirect too. Now I haven't had any blue screens yet..., only the redirecting. Now i have followed a lot of device but nothing has picked up or fixed the problem.

I already had McAfee total protection, and recently tried malawarebytes, tdsskiller, fixtdss, spybot search and destroy, and ccleaner.

I've done everything after first running rkill, and also in safe mode.

I've gone into my host file and erased the extra line of code.

I've checked my proxy servers and they were all on automatically detect.

I've gone into run and checked out my device manager, but couldn't find anything under tdss to delete.

I was going to delete the vol***whatever file by gaining control and getting permission and all that but none of the scanners said it was infected and i read that windows should have it.

I haven't did the router reset or whatever, I'm not exactly sure how to and i'm not sure if it'll work anyway.

I haven't used combofix because i'm not a pro and wouldn't know what to delete.

I have windows 7, use IE 9, and I could use some help. If someone knows something I haven't tried or can think of something i may have done wrong. I'm sure it would be helpful to a lot of us.

I've heard that the only way would be to reinstal windows7. But even then i'm not sure cuz i heard about disabling system restore or something. And i don't wanna lose all my programs. But...if thats the only way so be it.


Report •

#13
July 24, 2011 at 17:23:55
BudFoster,

Run the Kaspersky Virus Removal Tool:
http://www.kaspersky.com/antivirus-...

Double-click the file to run the program.
If running Vista/Windows 7, right-click and select: Run as administrator.

When it starts, to the right of 'Security Level' click 'Recommended', and select: Settings
-In the window that opens (Autoscan), in the ‘Scope’ tab, place a checkmark to the left of: 'Parse email formats'.

-Click the ‘Additional tab’ and click to place a checkmark by ’RootKit Scan’, and ‘Deep Scan‘, then click OK.

Select all the drives to scan, except for CD-ROM drives, and click the ‘Start Scan’ button

If malware is detected, place a checkmark in the ‘Apply to all’ box, and click the ‘Delete’ button (or 'Disinfect' if the button is active).

After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the ‘Neutralize all’ button.

In the window that opens, place a checkmark in the ‘Apply to all’ box, and click the ‘Delete’ button (or Disinfect if the button is active).

If advised that a special disinfection procedure is required which demands system reboot: click the OK button to close the window.

In the Scan window click the ‘Reports’ button and select ‘Save to file‘.
Name the report 'kvrt.txt', and save it to the Desktop.
Close the program.

>>Please copy/paste the report (of Detected malware), and provide in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


Report •

#14
July 25, 2011 at 08:38:33
Thanks for the help aaflac44,

Ok so I downloaded the program and I'm pretty sure i did everything as far as the checks and all. But it still didn't detect any threats. My report of detected Malware is blank.

I just don't know if i have some variation of the virus or what. Like i said, i have yet to get any error messages, blue screens. Only the redirecting. I DLed immunnet from google and it blocks some of the redirects from loading but it is still a pain going back and forth until a page comes up. Plus, i'm worried that eventually i will have those other problems. I appreciate everything though.

Do you have any other ideas?


Report •

#15
July 25, 2011 at 09:01:23
BudFoster,

If you do not mind, please start your own topic in this forum. It will be easier to track.

Please title: google redirect - continuation for aaflac44

That way I will be able to pick up where we left, and post new instructions.

Thank you!!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


Report •

#16
July 25, 2011 at 10:31:45
ok I started the new discussion as asked.

Report •

#17
October 6, 2011 at 02:35:18
Hi All, I had this same virus a last month. Whenever I conduct a search in Google and click on one of the search results, it takes me to a completely different website. First I tried re-installing browsers but it didn't help at all. Then I purchased and installed the Kaspersky Internet Security 2011 but even this s/w failed to detect the virus (I already had Norton in my infected machine). This virus cannot be removed with the usual virus guards, because it doesn't leave any of it's files on the machine, thus making it difficult to track.

I was just about to format the OS, but anyway I found this software http://tinyurl.com/google-redirect-support and it took only 12 minutes to completely remove the virus, so it was worth for the price ($30). Hope this will be helpful to all of you.


Report •


Ask Question