Google redirecting virus

May 29, 2010 at 02:01:55
Specs: Windows XP
Google links have been redirecting me to other sites and I have quite a few pop ups every 15 minutes or so, and I believe it has something to do with the redirecting of the links. =(

#1
May 29, 2010 at 02:17:31
In order to remove the Google Redirect Virus, first you need to know what this threat is and how it harms your computer. The malware lives up to its name and causes redirection of search results. If you search for something on Google, this virus will redirect you to other malicious websites and advertisements. It won't let you see genuine results from Google. Apart from this, this virus can also do the following gimmicks:

A) It will show you errors saying that filename.exe is not a valid Win32 application.
B) If you download and try to install a new program, it may tell you that the setup files are corrupted and you need to download a fresh copy. It will keep bugging you again and again.
C) It will infect Internet Explorer and Firefox and then redirect you to malicious websites showing advertisements and pop-ups.

Recommended Steps:

1. It is extremely important that you remove the Google Redirect Virus as soon as possible. To remove it, you need to follow these steps:

Please click on "Start --> Run". Type "devmgmt.msc" and click on OK. This will run Device Manager. In Device Manager, click on "View --> Show Hidden Devices".

2. Please expand all the devices by clicking on the "Plus" sign. Now try to find "TDSSserv.sys", right-click it and select Disable. Please make sure that you do not select the Uninstall option, otherwise the infection will be back once you reboot your computer.

3. Download MalwareBytes Anti-Malware

Upon installation of MBAM, follow these steps:

1. Launch Malwarebytes' Anti-Malware
2. Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
3. Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
4. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please follow up on this post!

#2
May 30, 2010 at 16:43:47
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4157

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/30/2010 4:32:56 PM
mbam-log-2010-05-30 (16-32-56).txt

Scan type: Quick scan
Objects scanned: 124430
Time elapsed: 21 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
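The two Image File Execution Options entries in this log are the interesting part: a "debugger" value under IFEO\explorer.exe makes Windows start the named program in place of the real one, which is how the hijack kept coming back. The following is an added example, not code from the thread or from Malwarebytes: a small Python parser for this MBAM log format with triage rules that flag IFEO entries and a svchost.exe outside System32. The sample log is constructed from the detections posted above, and the tag names are this example's own.

```python
import re

# Constructed sample: the detection lines from the MBAM log in post #2 (empty sections collapsed).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: "<path> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (section, path, detection, action) tuples for every entry found
    under an '... Infected:' header; '(No malicious items detected)' yields none."""
    entries, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("Infected:"):
            section = line[:-1]
        elif section and line and not line.startswith("("):
            m = ENTRY_RE.match(line)
            if m:
                entries.append((section, m["path"], m["name"], m["action"]))
    return entries

IFEO = "\\image file execution options\\"

def triage(entries):
    """Tag entries with the technique they suggest (tags are this example's own labels)."""
    tags = []
    for _section, path, _name, _action in entries:
        low = path.lower()
        if IFEO in low:
            # A Debugger value under IFEO\<exe> runs that "debugger" instead of the real program.
            tags.append(("ifeo-hijack", path))
        elif low.endswith("\\svchost.exe") and "\\windows\\system32\\" not in low:
            # The genuine svchost.exe lives in System32; a copy elsewhere is masquerading.
            tags.append(("svchost-outside-system32", path))
    return tags
```

Running triage(parse_mbam_log(SAMPLE_LOG)) tags both IFEO entries and the stray svchost.exe; the quarantined folder gets no tag.
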

#3
June 3, 2010 at 05:19:40
Your log shows that you had Trojan.Agent within your system.

The system has now been cleaned of Trojan.Agent, as it was successfully eliminated by MBAM.

Are you still encountering any redirects or any undesired actions within your system?

Please follow up on this post!

#4
June 3, 2010 at 17:22:05
Yes, even though I finished scanning and eliminated the infection it has found, it still seems to redirect me to different websites. I don't know why this is happening. Need help, thank you! =(

#5
June 4, 2010 at 02:02:30
Try a more powerful free tool:

http://download.bleepingcomputer.co...

It may fix your problem.

Sincerely,

;) Security Made Easy ;)

#6
June 4, 2010 at 06:20:17
I didn't find a TDSSserv.sys device, but did find a Terminal Service Device Redirector device. Same thing?

#7
June 4, 2010 at 22:43:53
I installed ComboFix and that program unfortunately won't work for me. I don't know what the problem is that is causing this. Please help >_<

#8
June 7, 2010 at 01:05:07
What do you mean it won't work for you? Maybe you did something wrong. Follow the instructions on how to use ComboFix:
http://www.bleepingcomputer.com/com...

Also download this file:
http://rootrepeal.psikotick.com/Roo...

1) Extract the RootRepeal.exe file from the ZIP and save the EXE file to your Desktop.
2) Disable your antivirus, antispyware, and firewalls before continuing, or they may block RootRepeal from running properly.
3) Now run the RootRepeal.exe program.
4) At the bottom, click the Files tab and then click the Scan button.
5) A Select Drives form will open. Select all of your drives.
6) It will start scanning. Wait for it to finish.
7) When it finishes, click Save Report and save it somewhere you can easily find it (like your Desktop) so that you can attach it to a message in the forum.

#9
June 8, 2010 at 21:59:56
I used ComboFix the way it instructed me to, and nothing changed for me. I would still be redirected to other sites from Google.

Well, here is the scan report from RootRepeal.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/08 21:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\temp\perflib_perfdata_90.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-0F3F623F.pf
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\lqy\local settings\temp\etilqs_azrgprihmsl7ixwmnwgw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\lqy\local settings\temp\etilqs_lri9tynscguydzpssgxq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\lqy\local settings\temp\etilqs_o6tfj3m3jaqqrfbgvjeb
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\LQY\Local Settings\temp\fla20.tmp
Status: Could not get file information (Error 0xc0000008)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_303.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_304.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_305.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_306.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_307.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\networkservice\local settings\temporary internet files\content.ie5\8123s56z\103807_1336[1].jpg
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\QSXF00069310[1].swf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\index_part_thum_bg[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\blank[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\linebg_top_menu[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\CAERSH25.htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\CAY3OFB4.htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\clip1-IA4[1].swf
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8123S56Z\CALOA99N.htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GLURS9YJ\ga[1].js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GLURS9YJ\img[1].htm
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GLURS9YJ\1x1_pixel[1].gif
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\networkservice\local settings\temporary internet files\content.ie5\glurs9yj\1742079335_dpmp4hi_0[1].mp4
Status: Allocation size mismatch (API: 196608, Raw: 0)

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GLURS9YJ\yume_swf_library[1].swf
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K96ZS9IJ\ad_cartoon_236_90[1].jpg
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K96ZS9IJ\empty[1].htm
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\K96ZS9IJ\ico_copyrights[1].gif
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\networkservice\local settings\temporary internet files\content.ie5\klmvgtyf\yume_as2_list[1].swf
Status: Size mismatch (API: 41393, Raw: 25826)

Path: c:\documents and settings\lqy\local settings\application data\mozilla\firefox\profiles\erkksxlz.default\cache\_cache_001_
Status: Size mismatch (API: 486370, Raw: 485493)

Path: c:\documents and settings\lqy\local settings\application data\mozilla\firefox\profiles\erkksxlz.default\cache\1c2662cdd01
Status: Size mismatch (API: 13652809, Raw: 13107200)

#10
June 10, 2010 at 08:20:56
Hmm, looks clear.
What browser do you use? Try using Firefox or Opera.

Disable JavaScript and tell me if anything has changed.
For Opera: press F12, uncheck "Enable JavaScript".
For Firefox: Tools -> Settings -> Content tab, uncheck "Use JavaScript".

#11
June 10, 2010 at 21:53:13
I enabled JavaScript on Firefox and I still have the same results. I still keep being redirected to other sites. Whenever I use a program like Malwarebytes, Hitman, etc. to scan my computer and remove the threats, I still end up with the same results every time. I even restarted my computer to see if there were any changes. Please help =(!
