Why does NOBODY have a fix for GOOGLE REDIR?!

May 18, 2011 at 18:03:46
Specs: Windows 7
Have worked in IT for 12 years, running repair business for 8. I have never come across a more ridiculous infection than this redirect BS. Every time I see it, it takes something different to fix.

Today I have spent 3 hours trying to fix one to no avail.

I have tried:

Sophos Anti-rootkit

NOTHING WILL FIND IT. The best one I've had success with in the past is tdsskiller, but it WILL NOT RUN regardless of what I rename it. Renaming it explorer.exe will generate an error if I try to run it, but otherwise it just immediately kills itself.

Seriously ? How can an infection as common as this b---tard have no routine fix? Does ANYONE have some suggestions because I'm at my wits end.

May 18, 2011 at 18:18:16
Have you tried renaming TDSSKiller with a .com or .scr extension before you run it?

Follow with RKill

Try running the Vipre Rescue program. It runs from the command prompt, and will scan for, and remove most malware, including rootkits. It normally runs when other programs won't.

Vipre Rescue download:

If the file does not download, copy/paste the following >without the quotes or brackets< into the address bar of your browser

May 18, 2011 at 18:29:36
Have renamed both tdsskiller and rkill to random file names with extensions *.scr, *.pif, *.com, *.bat.

RKill will "run" but nothing happens.

Add "Hitman Pro" to the list of "didn't work".

downloading vipre now.

May 18, 2011 at 19:43:25
A log named MBRCheck_date_time.txt (i.e. MBRCheck_05.18.11_10.22.51.txt) should have been created on the Desktop, or in the same folder from which you ran the program.

Can you provide the MBRCheck log in your reply?

May 18, 2011 at 19:43:39
Vipre did not work either.

May 18, 2011 at 19:48:45
MBRCheck, version 1.2.3
(c) 2010, AD

Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA4BC000 UBHelper.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xBA248000 \SystemRoot\system32\DRIVERS\processr.sys
0xB78A3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB788F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB784F000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA258000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA268000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA278000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB782C000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA5D4000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB7808000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB77E0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA288000 \SystemRoot\system32\DRIVERS\mf.sys
0xBA400000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA298000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB77CC000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA408000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\wpkbdclassfiltr.sys
0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA716000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA5A4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB77B5000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA418000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB77A4000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA420000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA428000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7774000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5D8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7716000 \SystemRoot\system32\DRIVERS\update.sys
0xB9DB2000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA118000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA168000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA5C97000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA5C59000 \SystemRoot\system32\drivers\portcls.sys
0xA7332000 \SystemRoot\system32\drivers\drmk.sys
0xA5375000 \SystemRoot\system32\DRIVERS\NmPar.sys
0xBA128000 \SystemRoot\system32\DRIVERS\nmserial.sys
0xBA3C8000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
0xBA5B8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA30EE000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5BA000 \SystemRoot\System32\Drivers\Beep.SYS
0xA17A8000 \??\C:\WINDOWS\system32\drivers\SBREdrv.sys
0xA30CE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA3E9C000 \SystemRoot\System32\drivers\vga.sys
0xBA630000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA632000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA3EA4000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA47E0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA17D7000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA1775000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA171C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA16F4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA16CE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB7631000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA17D3000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA16AC000 \SystemRoot\System32\drivers\afd.sys
0xA52BD000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA1681000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA448000 \??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
0xA1611000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1D8000 \SystemRoot\System32\Drivers\Fips.SYS
0xA15ED000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA15D5000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5B2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA3114000 \SystemRoot\System32\drivers\Dxapi.sys
0xA2F2D000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6E8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0B3000 \SystemRoot\System32\atikvmag.dll
0xBF104000 \SystemRoot\System32\atiok3x2.dll
0xBF116000 \SystemRoot\System32\ati3duag.dll
0xBF3E5000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA7392000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xA5359000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9F2B8000 \SystemRoot\system32\drivers\wdmaud.sys
0xA3F73000 \SystemRoot\system32\drivers\sysaudio.sys
0xA4870000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9F00B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xBA380000 \??\C:\WINDOWS\system32\drivers\int15.sys
0x9F0C0000 \??\C:\WINDOWS\system32\drivers\netlimiter.sys
0x9EDDA000 \??\C:\WINDOWS\system32\drivers\netlock.sys
0x9ED82000 \SystemRoot\system32\DRIVERS\srv.sys
0xA30A6000 \??\C:\WINDOWS\system32\drivers\osaio.sys
0xA401E000 \??\C:\WINDOWS\system32\drivers\osanbm.sys
0x9F03C000 \??\C:\WINDOWS\system32\drivers\tvicport.sys
0xBA783000 \??\C:\WINDOWS\system32\drivers\zntport.sys
0x9E937000 \SystemRoot\System32\Drivers\HTTP.sys
0xA47F8000 \??\C:\WINDOWS\system32\Drivers\psdfilter.sys
0x9E8D4000 \??\C:\WINDOWS\system32\Drivers\psdvdisk.sys
0x9E651000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 33):
0 System Idle Process
4 System
680 C:\WINDOWS\system32\smss.exe
728 csrss.exe
756 C:\WINDOWS\system32\winlogon.exe
800 C:\WINDOWS\system32\services.exe
812 C:\WINDOWS\system32\lsass.exe
1004 C:\WINDOWS\system32\svchost.exe
1072 svchost.exe
1168 C:\WINDOWS\system32\svchost.exe
1244 svchost.exe
1332 svchost.exe
1536 C:\WINDOWS\system32\spoolsv.exe
1852 C:\WINDOWS\explorer.exe
2040 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
180 C:\WINDOWS\system32\SysMonitor.exe
192 C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
204 C:\Acer\LANScope Agent\awtray.exe
276 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
312 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
328 C:\Program Files\Google\Gmail Notifier\gnotify.exe
440 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
508 C:\WINDOWS\system32\ctfmon.exe
672 C:\Program Files\Internet Explorer\iexplore.exe
1140 svchost.exe
1352 C:\WINDOWS\system32\svchost.exe
1512 C:\WINDOWS\system32\searchindexer.exe
2284 C:\WINDOWS\system32\wscntfy.exe
3144 alg.exe
2372 C:\Documents and Settings\Renee\Desktop\MBRCheck.exe
2436 C:\WINDOWS\system32\searchprotocolhost.exe
2488 searchfilterhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`768ff800 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`4d613e00 (FAT32)

PhysicalDrive0 Model Number: HitachiHDS721616PLA380, Rev: P22OAB3A

Size Device Name MBR Status
153 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 6A37CCD118436B688B51F6BD4C2B47A895EBDF7F

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:


I should also note the hosts file is clean

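The verdict in the log above ("Unknown MBR code", an SHA1 of the boot sector, and the byte offset of each volume) is produced by reading the first sector of the physical disk and comparing it with known-good boot code. As an added example, not part of this thread and not MBRCheck's own code, here is a small Python script that performs that check on a 512-byte MBR image: it validates the 0x55AA signature, hashes the boot-code area, decodes the partition table, and reports each partition's byte offset so it can be compared with the "at offset 0x..." lines. Assumptions: the hash is taken over the first 440 bytes (what MBRCheck actually hashes is not stated on the page), the allow-list entry is a dummy placeholder, and the sample MBR is constructed, with its two partition starts taken from the C: and D: offsets in the log.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # boot code precedes the 4-byte disk signature at offset 440
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR

# Placeholder allow-list: put the SHA1 of boot code dumped from a known-clean machine here.
# The value below is a constructed dummy, not a real hash.
KNOWN_GOOD_BOOT_CODE = {"0000000000000000000000000000000000000000"}


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry (status, type, LBA start, length)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Validate a 512-byte MBR and return its boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_signature = struct.unpack("<I", sector[440:444])[0]
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(sector[start:start + 16])
        if entry["type"] != 0:          # type 0x00 marks an unused slot
            entries.append(entry)
    return {
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "disk_signature": disk_signature,
        "partitions": entries,
    }


def classify_boot_code(sha1_hex, known_good=KNOWN_GOOD_BOOT_CODE):
    """Same verdict style as the log: an allow-listed hash is standard code, anything else is unknown."""
    if sha1_hex.upper() in {h.upper() for h in known_good}:
        return "Known MBR code"
    return "Unknown MBR code"


def partition_byte_offset(entry):
    """Byte offset of a partition, comparable with the 'at offset 0x...' lines in the log."""
    return entry["lba_start"] * SECTOR_SIZE


def build_sample_mbr():
    """Constructed sample MBR: dummy boot code plus two partitions whose start offsets
    match the C: (NTFS) and D: (FAT32) offsets reported in the MBRCheck log."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    c_drive = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                          0x1768FF800 // SECTOR_SIZE, 149645475)   # size is constructed
    d_drive = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x0C, b"\0\0\0",
                          0x134D613E00 // SECTOR_SIZE, 150662673)  # size is constructed
    empty = b"\x00" * 16
    table = c_drive + d_drive + empty + empty
    return boot_code + struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00" + table + BOOT_SIGNATURE


def report(sector, known_good=KNOWN_GOOD_BOOT_CODE):
    """Produce report lines in the spirit of MBRCheck's output."""
    info = parse_mbr(sector)
    lines = ["Boot code SHA1: %s" % info["boot_code_sha1"],
             "MBR status: %s" % classify_boot_code(info["boot_code_sha1"], known_good)]
    for p in info["partitions"]:
        lines.append("type 0x%02X at offset 0x%012x (%d sectors)%s"
                     % (p["type"], partition_byte_offset(p), p["sectors"],
                        " bootable" if p["bootable"] else ""))
    return lines


if __name__ == "__main__":
    for line in report(build_sample_mbr()):
        print(line)
```

On a real machine the sector comes from the raw device (on Windows, reading 512 bytes from \\.\PhysicalDrive0 as administrator); a rootkit that hooks disk I/O can return a clean sector to such reads, which is why a hash taken with the drive attached to another PC, as suggested later in this thread, is the more trustworthy baseline. Keeping the hash from a clean machine and re-running the comparison after every cleanup is also the quickest way to tell whether an MBR infection has simply re-installed itself.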
May 18, 2011 at 20:08:33
Kaspersky's AVP tool has detected "MEM:Rootkit.Win32.Sst.a" but cannot remove or disinfect.

May 18, 2011 at 20:54:46
Kaspersky's AVP tool also detected TDSS.e and said it would cure upon reboot. Reboot came and went, redirect is STILL THERE.

I'm at a complete freakin loss.

May 18, 2011 at 21:00:55
*Update 3*

Have also run RootRepeal and Gooredfix to no avail.

So to consolidate, here's everything I've run and still have the redirect:

Hitman Pro
Kaspersky AVP
Sophos Anti-rootkit

12 different tools and not one has caught/fixed this effing thing. I swear I always get the oddballs.

May 18, 2011 at 21:08:44
You are on the right track. Keep cool...let's confirm and re-confirm.

Please download aswMBR;
Save to your Desktop.

Double click the aswMBR.exe icon to run it
Click the Scan button to start the scan

Upon completion of the scan, click the Save Log button
>>Save the log to your Desktop, and post it in your reply.<<

Also download GMER’s mbr.exe: http://www2.gmer.net/mbr/mbr.exe
Save it on your C drive (so the file is recognized as C:\mbr.exe).

Go to Start > Run, and type cmd in the blank area
Press: OK
At the command prompt (black screen) type or copy/paste the following commands, one at a time, and press Enter after each:


mbr.exe -t

Then, type exit and press Enter to close the command window.

The report created in the command window is saved to C:\mbr.log.

>>Please locate the mbr.log, and post it in your reply.<<

Got to get some Zzzzzs...early rise tomorrow. If at all possible, let things be, and don't run any other programs for now. Will be back with you tomorrow.

May 18, 2011 at 22:08:33
Well after running aswmbr the computer decided not to boot anymore.

Ran a "repair" on the OS and everything is working now, redirect gone. Running full scan with malwarebytes just to be sure.

Was really hoping to avoid all this as they had some specialized software that will need to be re-setup, but it is what it is. What a nightmare.

May 19, 2011 at 05:51:57
Some of these viruses are designed to infect the Master Boot Record (MBR), and by doing so, the virus is able to continuously re-infect the PC after each removal.

Actually, it is better to start clean.

Vipre Rescue runs from the command prompt. You may want to give it a whirl.

Let us know how it goes.

May 19, 2011 at 08:18:35
I stated in post #4 that vipre did not work.

I know that these things hide in the MBR. What amazes me is I never have one give me as much trouble/be as undetectable as this google redirect.

May 19, 2011 at 20:52:54
Glad you finally got rid of it. I know the frustration. Part of my job is dealing with these for various users from time to time.

I'm going to keep this thread for reference later...the tools mentioned may come in handy.

Just out of curiosity, what version of Windows was this ...AND....did you ever slave the drive on another PC and run scans from there?


> PLEASE HELP OTHERS - Report back what did/didn't work for those referencing this thread.<

May 19, 2011 at 21:02:41
This was Windows XP, and no I never slaved the drive on another PC. Will try that in the future though.

May 19, 2011 at 21:20:48
'Have worked in IT for 12 years, running repair business for 8'
I've been repairing PCs for 10 yrs now and do not find the problem you had hard at all; I usually have it cleaned out after about 4 different scans.

The redirects are all different animals so that's why using 4 good scanners will find it without having to mess with the registry or having to reformat.

Many of the cleaners you used are old hat already.

Some HELP in posting on Computing.net plus free progs and instructions Cheers

July 2, 2011 at 02:42:49
Could you please tell me what four scans you used that resulted in the elimination of the redirect virus? Do you run all four scans simultaneously, or one at a time?

I really don't want to have to reformat my entire computer (as many have recommended) to get rid of this virus.

Thanks for your help!
