Solved Google redirect virus

November 14, 2011 at 12:33:20
Specs: Windows 7
How do I get rid of the Google redirect virus when even Malwarebytes' Anti-Malware can't?


November 14, 2011 at 19:08:50

There are several tools used to detect the malware.
Then, one needs to plan the strategy to remove the malware.
Finally, there are specialized tools used to remove it.

There is no one single tool that totally removes the redirect virus, at least, not that I know of. Also, running one tool over and over again is not the way to go.

With that said, please do the following:

Please download Farbar Service Scanner to the Desktop:

Vista/Seven: Right-click and select: Run as Administrator

Press Scan

A log FSS.txt is created in the same directory where the tool is run.

Please copy/paste the FSS.txt in your reply.

Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals


November 15, 2011 at 04:46:04
Thanks for the suggestion, which was real easy and quick to follow.

However, fss.txt does not seem to contain a lot. Here it is:

Farbar Service Scanner
Ran by user (administrator) on 15-11-2011 at 07:42:23
Windows 7 Professional Service Pack 1 (X64)

Service Check:

File Check:
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit

Connection Status:
Localhost is accessible.
LAN connected.
Google site is accessible.
Yahoo site is accessible.

**** End of log ****

What should the next step be?
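Added example (not from the thread or from Farbar's tool): a small parser for the FSS.txt format shown above, which flags any File Check entry whose MD5 verdict is not "MD5 is legit", any Connection Status line that is not accessible/connected, and any line under Service Check (the posted log leaves that section empty on a clean result, so anything listed there is assumed to need attention). The sample log is constructed, with two lines altered to show what a flagged entry looks like; the exact wording FSS uses for a bad verdict is an assumption.

```python
# Constructed sample in the layout of the FSS.txt posted above; the tcpip.sys
# and Yahoo lines are altered (assumed wording) to exercise the flagging logic.
SAMPLE_FSS_LOG = """Farbar Service Scanner
Ran by user (administrator) on 15-11-2011 at 07:42:23
Windows 7 Professional Service Pack 1 (X64)

Service Check:

File Check:
C:\\Windows\\System32\\svchost.exe => MD5 is legit
C:\\Windows\\System32\\dnsrslvr.dll => MD5 is legit
C:\\Windows\\System32\\Drivers\\tcpip.sys => MD5 is not legit

Connection Status:
Localhost is accessible.
LAN connected.
Google site is accessible.
Yahoo site is blocked.

**** End of log ****
"""


def parse_fss_log(text):
    """Split an FSS log into {section_name: [entry, ...]}; header lines before
    the first 'Something:' heading and the end-of-log marker are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("****"):
            continue
        if line.endswith(":"):          # section heading, e.g. "File Check:"
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def fss_findings(text):
    """Return (category, subject, detail) tuples for anything worth a look."""
    sections = parse_fss_log(text)
    findings = [("service", s, "") for s in sections.get("Service Check", [])]
    for entry in sections.get("File Check", []):
        path, _, verdict = entry.partition(" => ")
        if verdict != "MD5 is legit":   # system file hash does not match the known-good value
            findings.append(("file", path, verdict))
    for entry in sections.get("Connection Status", []):
        if not (entry.endswith("is accessible.") or entry.endswith("connected.")):
            findings.append(("connection", entry, ""))  # e.g. a blocked security site
    return findings
```

With the clean log actually posted in this thread, fss_findings returns an empty list, which matches the replier's reading that FSS showed nothing to act on.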


November 15, 2011 at 06:16:25
✔ Best Answer
Let's press on...

Please do the following running ComboFix first, and TDSSKiller next. If ComboFix does not run, press on to TDSSKiller:

If you have ComboFix (CF) already on your Desktop, please remove it. We'll download an updated version:

Save ComboFix.exe to your Desktop <--

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the running of CF.
Information on disabling these programs is available here:

Right-click on 'ComboFix.exe' and select: Run as Administrator, to run the program.

Click on 'Yes', to continue scanning for malware.

When finished, CF produces a report.

Please provide a copy of the C:\ComboFix.txt in your reply by uploading it to Megaupload:

Click: Browse
Select a file to upload
Upload ComboFix
To the right of 'Send', enter a file description: ComboFix
Click 'Send'
Copy the link provided, and post it in your reply.


1. Do not mouse-click the ComboFix window while it is running.
This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Now, please remove any previous download of TDSSKiller (if used) and download the latest version:

Execute the file:
Windows 7: Right-click and select: Run as Administrator

Press the button: Start Scan

The tool scans and detects two object types:
'Malicious' (where the malware has been identified)
'Suspicious' (where the malware cannot be identified)

When the scan is over, the tool outputs a list of detected objects (Malicious or Suspicious) with their description.

It automatically selects an action ('Cure' or 'Delete') for 'Malicious' objects. Leave the setting as it is.

It also prompts the User to select an action to apply to 'Suspicious' objects ('Skip', by default). Leave the setting as it is.

After clicking 'Next/Continue', the tool applies the selected actions.

A Reboot Required prompt may appear after a disinfection. Please reboot.

By default, the tool outputs its log to the system disk root folder (the disk with the Windows operating system, normally C:\).

Logs have a name like:

Please post the TDSSKiller log in your reply, by uploading it also.

Uploading website:

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the report you wish to upload, and click on 'Open'
You will see the following:
“Your file has been uploaded successfully: (Name and size of the file)”

Please copy the 'Download link', and provide it in your reply for each of the reports.

Need to see the following uploads in your reply:
**The 'ComboFix log'
**The 'TDSSKiller' log

Also need to know whether TDSSKiller needed a reboot!



November 15, 2011 at 10:18:47
Ran Combofix and TDSSKiller (will upload the report files along with this message) but just before, I had gotten and run a recent copy of Kaspersky anti virus and I suspect that IT might have got rid of the problem; which would explain why there does not seem to be a lot in the "reports" of Combo and TDSSK (I might be wrong here, please let me know if that's the case).

Bottom line is: my system is now quieter than it has ever been (well quieter than in the last 48 hours, which have been hellish). But rest assured that I will be keeping the reference to all the interesting tools that I learned about during this exchange, and thanks again for your patience.



November 15, 2011 at 12:16:19

On: "... had gotten and run a recent copy of Kaspersky anti virus and I suspect that IT might have got rid of the problem..."

Did you download Kaspersky AV, or did you have a CD?

It would not surprise me that KAV took care of the problem, because TDSSKiller is a product of Kaspersky. It is probably using viral definitions that are contained in TDSSKiller.

The reports of CF and TDSSKiller do not show what I expected on a redirections case. Otherwise, we would have needed some scripts, etc., run in ComboFix to get rid of certain malware.

Glad you solved the problem, though!!

Would appreciate your letting me know if it was a CD or a download of KAV.


BTW, if something changes, and you need further assistance, post back!


November 15, 2011 at 14:30:21
Indeed, it was a download... done on another computer (my wife's, which was clean... the computer of course! not my wife :)

Presumably, I might have been able to work around the virus, to get to Kaspersky's site and maybe download the file by saving it on my machine under a neutral name, e.g. setup.exe (a suggestion I read somewhere), to avoid the virus recognising and contaminating the download (are some viruses really that smart? I don't know, maybe...), but using an uninfected machine seemed safer of course.

I would like to mention something funny though. While KAV was running (it did take quite some time) I searched the Internet for other users' experience with Kaspersky. It did not reassure me that more than one had been unable to update their virus list, then tried to communicate with Kaspersky and got nowhere. Add the fact that my KAV appeared to find dozens of things wrong on my HD (my reading by then had me wondering: did the virus really cause that many problems or is KAV just trying to impress me?...)

Well, KAV's job had been running long enough, and there was no point panicking, so I let it finish (I won't talk about the cold sweats it gave me while it restarted Windows, which started to issue dozens of ominous messages that I could only acknowledge by hitting OK each time, wondering if it would ever end!!!)

Long story short, Windows finally restarted and, lo and behold! all was quiet on the Western front,... thank God.

Do you have any comment on those negative remarks re KAV? After all, I have to agree KAV did its job... What gives?

November 16, 2011 at 19:04:22
My apology for the delay...

Good thinking on your part to use a machine that was not infected to do the download, and to rename the file!

On KAV...
Have asked some to run KAV in the past, but, do not request it very often.

Some individuals do not allow the program to finish since it sometimes takes quite a long time, or the computer hangs up; others had a few problems with it, etc.

Kaspersky's TDSSKiller is a good program, though, and there is also a Kaspersky Rescue CD that has come in handy in certain cases. There may be other products that I have not used, or do not remember what they are.

In your case, a combination of KAV and ComboFix (which did some removals), apparently did the job.
