Google Redirect Virus :(

Lenovothinkpad / T400
July 18, 2011 at 21:27:37
Specs: Windows Vista Home Premium, 4.00 GB
So I have the Google Redirect Virus. I've run Malwarebytes, which found 13 files and removed them, and the problem then occurred less frequently, but was not completely gone. It still occurs occasionally, and so I'd like to get it off of my computer. Anyone able to help?

#1
July 18, 2011 at 21:31:42
senbdib,


Try the following:

Please download TDSSKiller
http://support.kaspersky.com/downlo...

Save it to the Desktop.

Vista/Windows 7 users, right-click the file, and select: Run As Administrator

Click the 'Start Scan' button.

Do not use the computer during the scan

If the scan completes with nothing found, click Close to exit.

When the scan finishes it displays a Scan results screen stating whether or not an infection was found on your computer.

To remove the infection, click on the Continue button.

If it does not say Cure on the results screen, leave it at the default action of Skip, and press the Continue button.

Do not change to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

Reboot to finish the cleaning process.

A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) is created and saved to the root directory (usually Local Disk C:).

>>Please provide the contents of TDSSKiller in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
July 19, 2011 at 17:23:54
TDSSKiller didn't find anything. Perhaps it's vanished. If any signs show up again, I will head straight back to this thread. Thanks for your time!


#3
July 19, 2011 at 17:41:54
Scratch that! I still have it.

I was just redirected to a random phony search/ad page while clicking on a link to a page that I know to be reliable and have clicked many times before.

TDSSKiller still is not finding anything. Anything else I can do?


#4
July 19, 2011 at 18:24:28
Check the following, and then run the program below:

Open Internet Explorer
Go to Tools, Internet Options, Connections, LAN settings
In the LAN settings prompt, make sure it is set to:
Automatically detect settings


Also check the Hosts file:
C:\Windows\System32\drivers\etc.

(Open it in Notepad)

Sample Hosts file:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost

Check to see there are no entries added by malware.


Then, do the following:

Run the Kaspersky Virus Removal Tool:
http://www.kaspersky.com/antivirus-...

Right-click and select: Run as administrator, if the option is available. If not, double-click the file to run the program.

When it starts, to the right of 'Security Level' click 'Recommended', and select: Settings
-In the window that opens (Autoscan), in the ‘Scope’ tab, place a checkmark to the left of: 'Parse email formats'.

-Click the ‘Additional tab’ and click to place a checkmark by ’RootKit Scan’, and ‘Deep Scan‘, then click OK.

Select all the drives to scan, except for CD-ROM drives, and click the ‘Start Scan’ button

If malware is detected, place a checkmark in the ‘Apply to all’ box, and click the ‘Delete’ button (or 'Disinfect' if the button is active).

After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the ‘Neutralize all’ button.

In the window that opens, place a checkmark in the ‘Apply to all’ box, and click the ‘Delete’ button (or Disinfect if the button is active).

If advised that a special disinfection procedure is required which demands system reboot: click the OK button to close the window.

In the Scan window click the ‘Reports’ button and select ‘Save to file‘.
Name the report 'kvrt.txt', and save it to the Desktop.
Close the program.

Please copy/paste the report (of Detected malware) in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
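The Hosts file check in the reply above is done by eye; as an added example (not from the thread or from any of the tools it mentions), here is a small Python checker that parses a Windows Hosts file and flags active entries a redirect infection typically adds: public hostnames pinned to an attacker-chosen address, or security-vendor hostnames blackholed to 0.0.0.0/127.0.0.1. The clean sample is abridged from the file quoted in the thread; the tampered sample and its hostnames and IPs are constructed for illustration.

```python
import ipaddress

# Abridged from the sample HOSTS file quoted in the thread (clean on Vista:
# the localhost line itself is commented out).
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
"""

# Constructed tampered file: made-up addresses/hostnames for illustration only.
TAMPERED_HOSTS = CLEAN_HOSTS + """\
127.0.0.1 localhost
203.0.113.45 www.google.com   # search traffic sent to a foreign host
203.0.113.45 search.yahoo.com
0.0.0.0 update.example-av.test  # AV update site blackholed
"""

def parse_hosts(text):
    """Return (ip, [hostnames]) for every active (non-comment) line."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # strip trailing comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries

def suspicious_entries(text):
    """Flag every active mapping except 'localhost' -> loopback."""
    flagged = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, names, "unparseable address"))
            continue
        for name in names:
            if name in ("localhost", "localhost.localdomain") and addr.is_loopback:
                continue                        # the one expected entry
            if addr.is_loopback or addr.is_unspecified:
                flagged.append((ip, [name], "hostname blackholed to loopback/0.0.0.0"))
            else:
                flagged.append((ip, [name], "hostname pinned to a non-local address"))
    return flagged

def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against the real file (default path is the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Any flagged line is worth comparing with the Microsoft sample before deleting it, since some legitimate software (ad blockers, development tools) also adds entries.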



#5
July 19, 2011 at 22:28:49
Hosts file is normal, and LAN is set to automatically detect. I've also run Hitman Pro 3, and it found no threats.

Kaspersky Virus Removal Tool detected no threats. However, a lot of files were password protected and couldn't be checked during the scan... is this normal?

I'm positive that I still have at least remnants of the virus, because I continue to be redirected.

If it helps, the vast majority (like 99.9%) of the password-protected files were in folders that looked like:
C:\SWTOOLS\Apps\rnr\Z633ZAB1014HU00.TVT
but with minor variations in the name of the .TVT subfolder. They were almost all in the preboot subfolder, ie:
C:\SWTOOLS\Apps\rnr\Z633ZAB1014US00.TVT/preboot/python24/Lib/SimpleHTTPServer.pyc

and the rest of the password-protected files were:
C:\Documents and Settings\[my name]\Desktop\setup_11.0.0.1245.x01_2011_07_20_05_16.exe/#
C:\Documents and Settings\(my name)\Desktop\setup_11.0.0.1245.x01_2011_07_20_05_16.exe/9284987rar.exe
C:\Documents and Settings\(my name)\Local Settings\Temp\RarSFX0\9284987rar.exe
C:\Documents and Settings\(my name)\AppData\Local\Temp\RarSFX0\9284987rar.exe



#6
July 20, 2011 at 12:43:33

You have a Lenovo Thinkpad. It comes with ThinkVantage, and has a hidden and password protected (Lenovo has the password) restore partition on the hard drive.

However, these files, although hidden, are visible to a virus scan software that checks the entire volume, not just what is on the visible C:\ drive.


The others are RAR files, which, like ZIP files, are data containers. They store one or several files in compressed form.

Let's see if we can find some remnants of the infection:

Please download Rootkit Unhooker: http://www.kernelmode.info/ARKs/RKU...

Save to the Desktop.

Now right-click on RKUnhookerLE.exe, and select 'Run as Administrator' to run it.

Click the 'Report' tab, then click: ‘Scan’

Check: ‘Drivers’ and ‘Stealth’

Uncheck the rest.
Click OK

When prompted to Select Disks for Scan, make sure C:\ is checked
Click OK

[Note** you may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"]


When the scanner finishes, click: File > Save Report

Save the report to the >Desktop<.
Click: Close

Since this report can be quite large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the RU report, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#7
July 20, 2011 at 13:05:11
Oh alright. Thanks for explaining that. The report ended up being pretty short actually, but here's the link to the download anyways:
http://uploading.com/files/1mamm435...


#8
July 20, 2011 at 13:47:35
Let's see if this one nails 'whatever' is causing the redirections...

Please download ComboFix:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your >>Desktop<<!!


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: http://forums.whatthetech.com/How_t...

Now, right-click on ComboFix.exe and select: Run as Administrator
Follow the prompts.

Make sure you skip the Recovery Console part since you are running Vista.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Since this report can also be quite large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the RU report, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#9
July 20, 2011 at 14:44:33
I wasn't prompted to skip the recovery console, and there was no occasion for me to click Yes to continue scanning for malware. It also restarted my computer once in the process of the scan. I hope it worked correctly. Here is the link to the log:
http://uploading.com/files/dd447mm3...


#10
July 20, 2011 at 16:03:38
Any improvement?

Still getting redirections?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#11
July 20, 2011 at 16:08:22
That just may have done it! No redirections yet. If it happens, you can bet I'll come right back. Thank you very much for your help!


#12
July 20, 2011 at 16:35:47
Good!

There is still something that we need to check...


Please submit each of the files below for analysis to Virus Total. It only accepts one file at a time:
http://www.virustotal.com/

C:\Windows\system32\DRIVERS\52152094.sys 
C:\Windows\system32\DRIVERS\65378936.sys 
C:\Windows\system32\DRIVERS\9284987drv.sys

Use the 'Browse' button to navigate to the location of each file.

Click on a file, and then click the 'Open' button.
The file is now displayed in the Submit Box.

Scroll down and click 'Send File', and wait for the results.

If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'

Once scanned, please provide the link to the results page for each file in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#13
July 20, 2011 at 16:50:01
Edited post above...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#14
July 20, 2011 at 17:38:13
None of those files were found when I tried to submit them, and I couldn't find any of those .sys files through search either... what am I doing wrong?


#15
July 20, 2011 at 19:13:03
This should help...

How to see hidden files in Windows Vista:
http://www.bleepingcomputer.com/tut...

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#16
July 21, 2011 at 14:09:00
I enabled hidden files to be viewed, but the files still weren't found.


#17
July 21, 2011 at 14:37:07
It may be that ComboFix took care of the problem.

If you like, run Rootkit Unhooker once again, and we will see if those entries are still there.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#18
July 21, 2011 at 14:52:05
Also, are you still doing good with no redirections?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#19
October 17, 2011 at 19:13:21
I had a re-direct problem only with Firefox 7.0.1. I started Firefox in safe mode and did not have the problem. I traced it to the add-on, XUL cache 1.0. Once I disabled the add-on in Firefox, the problem disappeared.
