Cannot remove google redirect virus

March 30, 2011 at 13:30:12
Specs: Windows 7, 4gig
Last 2 computers I worked on had the 'Google Redirect' virus on them and I cannot remove it with:
Malwarebytes - Safe Mode
Spybot - Safe Mode
Adaware (free and paid editions) - Safe Mode
PC Tools Spyware Doctor - Safe Mode
AVG - Safe Mode
Kaspersky - Safe Mode
Rkill - Safe Mode
TDSSKiller - Safe Mode
And I have also removed the drives and run all of these 'cleaners' on them via USB on different PCs. After each time that I have used them I have run CCleaner & the CCleaner registry cleaner. I also used Malwarebytes after each cleaner. Help. All opinions and replies are greatly appreciated.

Loretta



#1
March 30, 2011 at 14:09:43
Check your hosts file for problems:
http://www.computing.net/howtos/sho...


#2
March 30, 2011 at 17:15:39
Thanks for the reply. Sorry I didn't mention the hosts file correction. I have corrected the hosts file so that there is only one entry for localhost. In Firefox, I corrected the 'proxy' setting to 'No Proxy server'. Also, made sure the network settings were set to 'automatic' in IE 'Options/Connections'. I need some more ammo....and this is the place. I don't like being stumped!

Loretta



#3
March 30, 2011 at 17:31:00
I would run the downloaded programs again in this order:
Rkill
TDSSkiller
Malwarebytes
HitmanPro3.5 download:
http://download.cnet.com/Hitman-Pro...
Also add ESET online scanner this time:
http://www.eset.com/us/online-scanner
Note: HitmanPro doesn't work with 64-bit; if yours is, go straight to the ESET scanner.


#4
March 30, 2011 at 17:46:33
Thanks...Thanks! for the reply. Run any or all in Safe Mode? I will try this and come back tomorrow.

Loretta



#5
March 30, 2011 at 18:12:59
You can try both normal and Safe Mode. Safe Mode will have to be Safe Mode with Networking for the online scanner to work.
Download HijackThis and send in the log with your next post.
http://download.cnet.com/Trend-Micr...


#6
March 31, 2011 at 08:05:55
Thanks for the replies. I tried all of them exactly in order, in Safe Mode and out. No luck. I got the same results. The ESET scanner found 2 infections and healed them. But the problem remains. How much more is to be tried before a 'wipe and reload'?

Loretta



#7
March 31, 2011 at 08:06:53
Sorry. I will now try HijackThis and post the results.


#8
March 31, 2011 at 08:11:04
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:52 AM, on 3/31/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8080.16413)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files (x86)\AWS\WeatherBug\Weather.exe
C:\Program Files (x86)\NETGEAR\WN111v2\WN111v2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\PROGRA~2\Java\jre6\bin\jp2launcher.exe
C:\Program Files (x86)\Java\jre6\bin\java.exe
C:\Users\Rocco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rocco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Rocco\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Rocco\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files (x86)\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Google Update] "C:\Users\Rocco\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files (x86)\NETGEAR\WN111v2\WN111v2.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirv...
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eo...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Online Storage Service (COSService.exe) - Unknown owner - C:\Program Files\COMODO\COMODO BackUp\COSService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files (x86)\NETGEAR\WN111v2\jswpsapi.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Comodo BackUp Service (SynchronizationService.exe) - Unknown owner - C:\Program Files\COMODO\COMODO BackUp\SynchronizationService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8658 bytes



#9
March 31, 2011 at 12:59:44
Don't mean to "hijack" (excuse the pun) the thread, but, looking through your log, you have a lot of unneeded toolbars and some malware (along with a lot of missing files). On a side note though, I believe the missing file errors are due to HijackThis not being fully supported on a 64-bit OS, but, anyway. The files that I do know are malicious are "IOBit SystemCare", "WeatherBug", and the "PCPitStop" utility that's also installed.

What I suggest doing is re-downloading Rkill from here and running it: http://download.bleepingcomputer.co...

Then downloading and running CCleaner Portable: http://www.piriform.com/ccleaner/do... (Once downloaded, remove those three programs).

As for your redirect issue, what make/model# is your router? You'll most likely need to reset your router, and if you give me your make/model# I can find the manual for you.

Life With Out
Geek Squad: Your blog for tips, info on viruses, and more!



#10
March 31, 2011 at 13:24:20
Thanks so much for the reply! When I downloaded Rkill today (twice) AVG let me know that it is malware. So I deleted it. I have CCleaner on my system now. But I do use Revo Uninstaller to uninstall programs and it has served me well to this point. I have not used the CCleaner app to uninstall programs before, just to disable them. What is the difference between CCleaner and CCleaner 'portable'? As far as 'WeatherBug' goes, I have been getting quite a few 'script' errors recently when restarting my system. I have just ignored them. The only reason I go to PCPitstop is to measure my Internet speed from time to time. But I will get right on your suggestions. Thanks again!
Loretta


#11
March 31, 2011 at 13:43:21
Sorry, my router make/model is a Netgear WN111v2. Thanks.


#12
March 31, 2011 at 13:55:39
You're welcome! The difference between the two CCleaner programs is that the portable version does not have to be installed; you simply download it and run the .exe file. As for AVG/Rkill, AVG is complete garbage to be honest. It picked up Rkill as a false positive when it's not (a false positive is when a legit program is picked up by AV software as a virus; Rkill is used on many tech support forums to stop malicious processes from running at the current time). Since you mentioned deleting the file as AVG thought it was a virus, I'd recommend disabling AVG completely THEN re-downloading/running Rkill: http://download.bleepingcomputer.co... and TDSSKiller from here: http://support.kaspersky.com/viruse... I'd also look into AVAST! Anti-Virus or Kaspersky, as they are much better programs.

Now as for resetting the router, that's going to be your next step if disabling AVG completely and re-downloading/running Rkill and TDSSKiller don't get the job done.

Here's the manual: http://kb.netgear.com/app/answers/d...

If you don't have a PDF reader installed (on your clean computer), download and use this: http://portableapps.com/apps/office...

Life With Out
Geek Squad: Your blog for tips, info on viruses, and more!



#13
March 31, 2011 at 18:55:34
Thanks for the reply. It appears that the router was the 'redirecting' issue. I used those two programs (disabling AVG) to begin with and they found several infections, and my system now appears to be clean after a couple of reboots. Oh, I followed the instructions for the 'HijackThis' procedure and the speed has increased dramatically. I am just working on the wireless part of the router now. It's a bit stubborn, but so am I. Thanks for all of your help again...and again...and again. You guys are still the cats after all of these years. Ciao for now

Loretta



#14
March 31, 2011 at 22:39:19
You're very welcome, glad your problems have been resolved =].

Life With Out
Geek Squad: Your blog for tips, info on viruses, and more!



#15
March 31, 2011 at 23:57:29
Run HJT again and put a check mark next to this entry, unless you set this proxy yourself:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

I would remove Advanced System care from your pc.
C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
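The thread ends up checking three places a browser redirect can be planted: the hosts file (#1, #2), the IE proxy settings that HijackThis reports as R1 entries (#15), and the router's DNS (#9, #12). The read-only triage script below is an added example, not something posted in the thread; it runs on Windows 7 era PowerShell 2.0 and only reports what it finds, it changes nothing.

```powershell
# Added example: report the three redirect vectors discussed in this thread.
# Run from an elevated PowerShell prompt. Nothing is modified.
$findings = @()

# 1. Hosts file: the only expected entries point at loopback (see #1, #2).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in Get-Content $hostsPath) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $target = ($line -split '\s+')[0]
    if (@('127.0.0.1', '::1') -notcontains $target) {
        $findings += "hosts: $line"
    }
}

# 2. Per-user WinINET proxy settings, the same keys HijackThis lists as R1.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1) { $findings += "proxy: ProxyEnable=1 ProxyServer=$($p.ProxyServer)" }
if ($p.AutoConfigURL)     { $findings += "proxy: AutoConfigURL=$($p.AutoConfigURL)" }
if ($p.ProxyOverride)     { $findings += "proxy: ProxyOverride=$($p.ProxyOverride)" }

# 3. DNS servers each adapter is actually using. On a home LAN this is
#    normally the router itself or the ISP; a server you never configured
#    is the router-side symptom this thread ended on, fixed at the router.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object {
        $dns = $_.DNSServerSearchOrder
        if ($dns) { $findings += "dns: $($_.Description) -> $($dns -join ', ')" }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No hosts, proxy or DNS entries to review.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Compare the DNS line against the address printed in the router's own admin page; if they differ, the router has been reconfigured and a factory reset plus a new admin password (as #12 advises via the manual) is the fix, not another PC scan.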



#16
April 1, 2011 at 11:28:57
Thanks for the reply. I will get on it and I did uninstall Advanced System Care.

Loretta

