Google redirect virus

When I click on a link after performing a google search I get randomly redirected to other sites which are completely unrelated to the original links. I performed a scan with NOD32 which detected and quarantined a trojan, but after rebooting my laptop the google redirect problem is still apparent. I have attached the HJT scan log and would be grateful for any assistance.

Thanks
 

Attachments

  • hijackthis.log
1. Download the following to your Desktop and not any other location or Folder:

*GMER:
*Malwarebytes Anti-Malware -- MBAM (if you have this installed, Uninstall it and download it again):
*PrevX CSI:

2. Run MBAM. If it wants to reboot when finished, do so.
3. Run Prevx CSI. If it wants to reboot when finished do so.
4. Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
5. Shut down your computer, and any other computer connected to your router.
6. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
7. With the router unplugged, start your computer. Run MBAM again.
8. Run Prevx CSI again.
9. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
10. Reboot the workstation and do a final test.

Special Note and Reading List:

Several folks have asked why they have to RESET the router. And how on earth could malware affect the router in the first place? There are, that I have seen in the last week, in wide distribution, at least four malware infections, one rootkit-based, that at present do exactly this; and have since the last week in October. As to how this can be done, please read this short Article: http://www.geekstogo.com/2008/04/08/hav ... read-this/

Does this mean you throw out your router and replace it? No. You do at least the RESET operation I described above. If you are exceedingly cautious about the matter, visit your router manufacturer's website and download the newest firmware release for your router. Then reflash the router firmware. Since there are literally thousands of router models out there, I cannot advise you about how to reflash your router firmware. The manufacturer's website should have utilities and instructions for doing so. I cannot answer any specific questions as to how to do this. In most cases, I consider a reflash of the firmware unnecessary.
 
Viruses Still present

Hi Blind Dragon

I followed the procedure you suggest for this hellish virus; the infection consisted of 4 viruses. However, after expunging them to oblivion, they returned. I'm guessing it's in the router, which I also applied your suggested method to. The weird thing is when my daughter comes home from University and connects to our wireless router the redirect symptoms are present on her laptop, but when she goes back to the University network the symptoms are gone. Again, logic would suggest a router virus, correct? And if so, what do I do?

Regards
James
 
Google Redirect Logs

Hi, if anyone can help with the google redirect virus, here are my logs.
I only uploaded logs for the apps that found stuff.

Regards
James
 

Attachments

  • mbam-log-2008-12-23 (22-31-02).txt
Whoa...wait a minute here...I don't mean to chime in here but are you saying a router can be infected by a virus as well?? Great...one more friggin thing to worry about. Good luck jamesn, I'll be curious to see how this works out for you.
 
They are getting advanced, aren't they? Notice what MBAM found - DNS changer. These entries in your registry are routing you to connect to a remote server prior to accessing the net.

*I don't see a firewall in use on this machine - this would be a good idea as you can allow/deny connections <---wait on this till after the next step, I will post some links. Try not to go online unless you have to for now

*MBAM says no action taken in the log -> you need to have it fix these immediately

These DNS servers seem to point the result to a junk query, for example:
85.255.112.220 -> 99.198.101.12
85.255.112.220 -> 99.198.101.20
--------------------------------------------------

Make sure MBAM fixes those entries then,

In the windows control panel. Double click Network and Sharing Center. In the left pane, click on "manage network connections"

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click on the Internet Protocol version 4 (TCP/IPv4) item, then click properties and select the radio dial that says Obtain DNS servers automatically

Next, go to Start and type cmd into the search area and hit enter.
Type
ipconfig /flushdns
then hit enter, type exit and hit enter.
(That space between g and / is needed.)

================================

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

Attach Combofix here once complete
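To make the "DNS changer" finding above concrete from the defender's side, here is an added example (not from this thread or from any of the tools named in it) that parses `ipconfig /all` output and flags resolver entries a home user should question: the 85.255.112.220 address from the MBAM log, and any public resolver that is not the router itself. The sample output and the second address 85.255.112.99 are constructed for the example.

```python
import ipaddress
import re

# Rogue resolver quoted from the MBAM log in this thread.
KNOWN_BAD = {"85.255.112.220"}

# Constructed sample of `ipconfig /all` output for a home machine whose DNS
# settings were changed; the router (192.168.1.1) would normally hand itself out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.220
                                       85.255.112.99
"""


def parse_ipconfig(text):
    """Return {'gateway': str or None, 'dns': [str, ...]} from ipconfig /all text."""
    gateway, dns, in_dns = None, [], False
    for line in text.splitlines():
        m = re.match(r"\s*Default Gateway[ .]*: (\S+)", line)
        if m:
            gateway, in_dns = m.group(1), False
            continue
        m = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        if m:
            dns.append(m.group(1))
            in_dns = True
            continue
        # Extra resolvers appear on unlabelled, deeply indented continuation lines.
        m = re.match(r"\s{20,}(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if m and in_dns:
            dns.append(m.group(1))
            continue
        in_dns = False
    return {"gateway": gateway, "dns": dns}


def suspicious_dns(cfg):
    """Triage heuristic: list (server, reason) pairs worth checking against your ISP."""
    findings = []
    for server in cfg["dns"]:
        if server in KNOWN_BAD:
            findings.append((server, "matches rogue resolver in MBAM log"))
        elif server != cfg["gateway"] and not ipaddress.ip_address(server).is_private:
            # A home router usually hands out itself as resolver; a public resolver
            # you never configured is the DNS-changer symptom described above.
            findings.append((server, "public resolver that is not the router"))
    return findings
```

Run it against the real `ipconfig /all` output of each machine on the home network; if every machine reports the same unexpected resolvers, the router's DHCP settings are the common source.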
 
Ongoing Help

Hi Blind Dragon

Thank you kindly for your prompt reply and advice. My screen just packed in on my brand new laptop so I'm using daughters machine to reply whilst mine is being repaired.

I'll follow the steps you've posted and get back to you when my own machine is returned to me.

Or can I do it from her machine?

The thing that confuses me is that the redirect problem is present on her machine too when on our home network but not at her University network which is why I suggested a router virus if indeed such a creature exists?

James

UPDATE FOR Blind Dragon

I've just been told a new laptop will be delivered to my home tomorrow morning (Sat 27th Dec).

What should I do before connecting to the network with the "clean" machine, as I'm concerned about getting anything from the router? There are, as I mentioned, other machines in the house which use our wireless network and are getting the same redirection.

James
 
Whoa...wait a minute here...I don't mean to chime in here but are you saying a router can be infected by a virus as well?? Great...one more friggin thing to worry about. Good luck jamesn, I'll be curious to see how this works out for you.

Hi TBolt, I haven't got a clue, but it's weird that my daughter only gets the symptoms when on our home network.

James
 
Google Redirect

Hi Blind Dragon

I took delivery of my brand new straight out of the box laptop this morning, connected to the wireless network at home and guess what. When I search google I get redirected. What do you suggest from here?

Surely it must be the router???

James
 
Turn off the router for 30 seconds then turn it back on, then on the back of the router hold down the reset button for 10 seconds then release.

Then I want you to open a command prompt (hold the windows key + R, type cmd press enter) In the command prompt type exactly ipconfig /flushdns

Go into control panel -> make sure on classic view -> go to network and sharing center -> click manage network connections -> right click your connection and select properties -> click on IPv4 then click properties -> make sure it is set to "Obtain Ip automatically" and "Obtain DNS server address automatically"

Then retry google - also have you installed a firewall yet? I recommend Comodo free or Zone Alarm Free

If this doesn't work you may need to flash the router with the latest firmware.
 
All Hail Blind Dragon Redirect Virus Killed

Turn off the router for 30 seconds then turn it back on, then on the back of the router hold down the reset button for 10 seconds then release.

Then I want you to open a command prompt (hold the windows key + R, type cmd press enter) In the command prompt type exactly ipconfig /flushdns

Go into control panel -> make sure on classic view -> go to network and sharing center -> click manage network connections -> right click your connection and select properties -> click on IPv4 then click properties -> make sure it is set to "Obtain Ip automatically" and "Obtain DNS server address automatically"

Then retry google - also have you installed a firewall yet? I recommend Comodo free or Zone Alarm Free

If this doesn't work you may need to flash the router with the latest firmware.

All Hail to the Great Blind Dragon !

Many thanks indeed for your fantastic and totally selfless guidance on this problem. It was a real head scratcher.

That's done the trick. Was it hiding in the router and re-infecting the machines whenever they reconnected?

I did have Windows Firewall on the old machine; this new one has McAfee Security Centre free for a month, but I won't be renewing it as it's rubbish. I think I'll install standalone protection. I'm considering AVG Antivirus Free and ZoneAlarm Free; will those suffice? I grudge paying for the likes of McAfee when they don't seem to work.

It's my intention to regularly do manual maintenance of my computer each week.
Can you advise me on which applications to use and in which order to give me good all round protection?

I've attached my most recent hijackthis log and would be grateful if you'd advise of anything that requires fixing.

Kindest Regards
James
 
looks good

I recommend:

Antivirus:
*Avira Antivirus Free
*Avast Antivirus Free
*AVG Antivirus Free (includes antispyware)


Firewall:
*Zone Alarm Free
*Comodo Free

Antispyware:
*Malwarebytes Free
*Superantispyware Free


Additional Utilities:
Winpatrol (to control startups and monitor active X)
Spyware Blaster (to add known bad sites to the restricted zones)
Defraggler (to defrag fragmented files)

You can also always use the Windows tools, such as going to the run prompt and typing cleanmgr or msconfig.
 
Blind Dragon,

I found this posting through a google search of xalab and redirect - and this post REALLY helped me out. I looked and my DNS entries were all wrong - put in by the virus is what I'm thinking. I had downloaded ad-aware, avast and while these products found several instances of spy-ware and viruses on my system, my browser was STILL being redirected when I hit certain sites.

All that was required after my system was cleaned of the virus / spy-ware was to:

1. Delete entries in the prefetch directory
2. Use the ipconfig /flushdns command you mentioned
3. Change DNS setting back to its original setting: Automatic DNS

Thanks for this great post.

Al in SoCal
 
Help!!!

Help please, I think I have the redirect virus. Every time I click on a link I get redirected to a spam site. I used to have the Antivirus System Pro thing, but I used System Restore and then everything worked fine until I got that redirect virus. Please help, here are my logs.
 