TechSpot

Google redirect virus

By freshie
Nov 18, 2008
  1. When I click on a link after performing a Google search I get randomly redirected to other sites which are completely unrelated to the original links. I performed a scan with NOD32 which detected and quarantined a trojan, but after rebooting my laptop the Google redirect problem is still apparent. I have attached the HJT scan log and would be grateful for any assistance.

    Thanks
     

  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    1. Download the following to your Desktop and not any other location or Folder:

    *GMER:
    *Malwarebytes Anti-Malware -- MBAM (if you have this installed, Uninstall it and download it again):
    *PrevX CSI:

    2. Run MBAM. If it wants to reboot when finished, do so.
    3. Run Prevx CSI. If it wants to reboot when finished do so.
    4. Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
    5. Shut down your computer, and any other computer connected to your router.
    6. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    7. With the router unplugged, start your computer. Run MBAM again.
    8. Run Prevx CSI again.
    9. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.
    10. Reboot the workstation and do a final test.

    Special Note and Reading List:

    Several folks have asked why they have to RESET the router, and how on earth malware could affect the router in the first place. There are, that I have seen in the last week, in wide distribution, at least four malware infections, one rootkit-based, that at present do exactly this; and have since the last week in October. As to how this can be done, please read this short article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

    Does this mean you throw out your router and replace it? No. You do at least the RESET operation I described above. If you are exceedingly cautious about the matter, visit your router manufacturer's website and download the newest firmware release for your router. Then reflash the router firmware. Since there are literally thousands of router models out there, I cannot advise you about how to reflash your router firmware. The manufacturer's website should have utilities and instructions for doing so. I cannot answer any specific questions as to how to do this. In most cases, I consider a reflash of the firmware unnecessary.
     
  3. jamesn

    jamesn TS Rookie

    Viruses Still present

    Hi Blind Dragon

    I followed the procedure you suggest for this hellish virus; the infection consisted of 4 viruses. However, after expunging them to oblivion, they returned. I'm guessing it's in the router, which I also applied your suggested method to. The weird thing is when my daughter comes home from University and connects to our wireless router the redirect symptoms are present on her laptop, but when she goes back to the University network the symptoms are gone. Again, logic would suggest a router virus, correct? And if so, what do I do?

    Regards
    James
     
  4. jamesn

    jamesn TS Rookie

    Google Redirect Logs

    Hi, if anyone can help with the Google redirect virus, here are my logs.
    I only uploaded logs for the apps that found stuff.

    Regards
    James
     

  5. TBolt

    TBolt TS Rookie Posts: 65

    Whoa...wait a minute here...I don't mean to chime in here but are you saying a router can be infected by a virus as well?? Great...one more friggin thing to worry about. Good luck jamesn, I'll be curious to see how this works out for you.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    They are getting advanced, aren't they? Notice what MBAM found - DNS changer. These entries in your registry are routing you to connect to a remote server prior to accessing the net.

    *I don't see a firewall in use on this machine - this would be a good idea as you can allow/deny connections <---wait on this till after the next step, I will post some links. Try not to go online unless you have to for now

    *MBAM says no action taken in the log -> you need to have it fix these immediately

    These DNS servers seem to point the result to a junk query, for example:
    85.255.112.220 -> 99.198.101.12
    85.255.112.220 -> 99.198.101.20
    --------------------------------------------------

    Make sure MBAM fixes those entries then,

    In the windows control panel. Double click Network and Sharing Center. In the left pane, click on "manage network connections"

    Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click on the Internet Protocol version 4 (TCP/IPv4) item, then click properties and select the radio dial that says Obtain DNS servers automatically

    Next Go start and type cmd into the search area and hit enter
    type
    ipconfig /flushdns
    then hit enter, type exit hit enter
    (that space between g and / is needed)

    ================================

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt

    Attach Combofix here once complete
     
  7. jamesn

    jamesn TS Rookie

    Ongoing Help

    Hi Blind Dragon

    Thank you kindly for your prompt reply and advice. My screen just packed in on my brand new laptop so I'm using daughters machine to reply whilst mine is being repaired.

    I'll follow the steps you've posted and get back to you when my own machine is returned to me.

    Or can I do it from her machine?

    The thing that confuses me is that the redirect problem is present on her machine too when on our home network but not at her University network which is why I suggested a router virus if indeed such a creature exists?

    James

    UPDATE FOR Blind Dragon

    I've just been told a new laptop will be delivered to my home tomorrow morning (Sat 27th Dec).

    What should I do before connecting to the network with the "clean" machine, as I'm concerned about getting anything from the router. There are, as I mentioned, other machines in the house which use our wireless network and are getting the same redirection.

    James
     
  8. jamesn

    jamesn TS Rookie

    Hi TBolt, I haven't got a clue, but it's weird that my daughter only gets the symptoms when on our home network.

    James
     
  9. jamesn

    jamesn TS Rookie

    Google Redirect

    Hi Blind Dragon

    I took delivery of my brand new, straight out of the box laptop this morning, connected to the wireless network at home and guess what. When I search Google I get redirected. What do you suggest from here?

    Surely it must be the router???

    James
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Turn off the router for 30 seconds then turn it back on, then on the back of the router hold down the reset button for 10 seconds then release.

    Then I want you to open a command prompt (hold the windows key + R, type cmd press enter) In the command prompt type exactly ipconfig /flushdns

    Go into control panel -> make sure on classic view -> go to network and sharing center -> click manage network connections -> right click your connection and select properties -> click on IPv4 then click properties -> make sure it is set to "Obtain Ip automatically" and "Obtain DNS server address automatically"

    Then retry google - also have you installed a firewall yet? I recommend Comodo free or Zone Alarm Free

    If this doesn't work you may need to flash the router with the latest firmware.
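Blind Dragon's posts above describe the DNS changer symptom (registry DNS entries pointing at 85.255.112.220) and the fix (set DNS back to automatic, then `ipconfig /flushdns`). As an added example that is not from the thread, here is a small Python check a defender could run over saved `ipconfig /all` output to spot the same condition: adapters with static configuration or resolvers outside a trusted network. The sample output, adapter names, the second resolver address and the 192.168.0.0/16 "trusted" range are constructed assumptions; only 85.255.112.220 comes from the thread.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (assumption, not real capture).
# 85.255.112.220 is the address quoted in the thread; .221 is made up.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   DNS Servers . . . . . . . . . . . : 85.255.112.220
                                       85.255.112.221

Wireless LAN adapter Wireless Network Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Assumption: a home machine should only be handed the router's LAN resolver.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_adapters(text):
    """Return {adapter_name: {"dhcp": bool|None, "dns": [str, ...]}}."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        m = re.match(r"^(\S.*adapter (.+)):$", line)
        if m:  # section header such as "Ethernet adapter Local Area Connection:"
            current = m.group(2)
            adapters[current] = {"dhcp": None, "dns": []}
            in_dns = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("DHCP Enabled"):
            adapters[current]["dhcp"] = stripped.split(":")[-1].strip().lower() == "yes"
            in_dns = False
        elif stripped.startswith("DNS Servers"):
            adapters[current]["dns"].append(stripped.split(":")[-1].strip())
            in_dns = True  # further resolvers appear as indented continuation lines
        elif in_dns and re.fullmatch(r"[\d.]+", stripped):
            adapters[current]["dns"].append(stripped)
        else:
            in_dns = False
    return adapters


def suspicious_dns(adapters, trusted=TRUSTED_RESOLVERS):
    """List (adapter, reason) pairs: static config or resolver outside trusted nets."""
    findings = []
    for name, info in adapters.items():
        if info["dhcp"] is False:
            findings.append((name, "static configuration (expected DHCP/automatic)"))
        for server in info["dns"]:
            if not any(ipaddress.ip_address(server) in net for net in trusted):
                findings.append((name, f"untrusted DNS server {server}"))
    return findings
```

Any hit means the adapter should be set back to "Obtain DNS server address automatically" and the cache flushed, as the posts describe.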
     
  11. jamesn

    jamesn TS Rookie

    All Hail Blind Dragon Redirect Virus Killed

    All Hail to the Great Blind Dragon !

    Many thanks indeed for your fantastic and totally selfless guidance on this problem. It was a real head scratcher.

    That's done the trick. Was it hiding in the router and re-infecting the machines whenever they reconnected?

    I did have Windows Firewall on the old machine; this new one has McAfee Security Centre free for a month, but I won't be renewing it as it's rubbish. I think I'll install standalone protection. I'm considering AVG Antivirus Free and ZoneAlarm Free; will those suffice? I grudge paying for the likes of McAfee when they don't seem to work.

    It's my intention to regularly do manual maintenance of my computer each week. Can you advise me on which applications to use and in which order to give me good all-round protection?

    I've attached my most recent hijackthis log and would be grateful if you'd advise of anything that requires fixing.

    Kindest Regards
    James
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    looks good

    I recommend:

    Antivirus:
    *Avira Antivirus Free
    *Avast Antivirus Free
    *AVG Antivirus Free (includes antispyware)


    Firewall:
    *Zone Alarm Free
    *Comodo Free

    Antispyware:
    *Malwarebytes Free
    *Superantispyware Free


    Additional Utilities:
    Winpatrol (to control startups and monitor active X)
    Spyware Blaster (to add known bad sites to the restricted zones)
    Defraggler (to defrag fragmented files)

    You can also always use the Windows tools such as going to the run prompt and typing cleanmgr or msconfig.
     
  13. jamesn

    jamesn TS Rookie

    Many thanks again Blind dragon

    James
     
  14. al91206

    al91206 TS Rookie

    Blind Dragon,

    I found this posting through a Google search of xalab and redirect - and this post REALLY helped me out. I looked and my DNS entries were all wrong - put in by the virus is what I'm thinking. I had downloaded Ad-Aware and Avast, and while these products found several instances of spyware and viruses on my system, my browser was STILL being redirected when I hit certain sites.

    All that was required after my system was cleaned of the virus / spy-ware was to:

    1. Delete entries in the prefetch directory
    2. Use the ipconfig /flushdns command you mentioned
    3. Change the DNS setting back to its original setting: Automatic DNS

    Thanks for this great post.

    Al in SoCal
     
  15. iggie45

    iggie45 TS Rookie

    Help!!!

    Help please, I think I have the redirect virus. Every time I click on a link I get redirected to a spam site. I used to have the Antivirus System Pro thing, but I used System Restore and then everything worked fine until I got that redirect virus. Please help, here are my logs.
     
  16. ment2byours

    ment2byours TS Rookie

    I hope this works.
     
  17. ment2byours

    ment2byours TS Rookie

    On the 8 steps it said to add this in a separate reply, and another HijackThis log at the end.
     
  18. ment2byours

    ment2byours TS Rookie

    Another HijackThis run at the end.
     