TechSpot

Google redirect virus

By torc
Oct 28, 2009
Topic Status:
Not open for further replies.
  1. I use Internet Explorer 8, and I have some sort of Google redirect virus. Clicking the search results directs me to different pages than the ones that I want; if I hit the "Back" button and then try again, it usually takes me to the sites that I wanted.

    I've followed the 8-step guide that's posted at the top of the forum, and attached the 3 log files as requested. Could anyone help me?
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, torc. I'll try and help you sort this out.

    There is one entry in HijackThis that I'd like to address:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=zbz9iGppTJ3HqhEhD7ww4ypU3KY


    This port is used by the Google Desktop's buil-in HTTP server. That port is opened and used by the Google desktop indexing software.

    The next entry is overridding this:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    I'd like you to disable the Google Server, then try the system. Leave the second entry for now.

    Please temporarily disable the Real Time Proterction:
    Spybot Search & Destroy TeaTimer

    • Right click the TeaTimer icon in the system Tray [​IMG]
    • Then click Exit Spybot-S&D Resident
    • (One you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

    Following that:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with new scan with HijackThis> paste the new log into your next reply.

    Attach the Combofix report in next reply.
     
  3. torc

    torc TS Rookie Topic Starter

    Thanks for your reply, Bobbye. I wasn't sure what you meant by "disable the Google Server," so I went into HijackThis, selected the first entry that you had referred to:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=zbz9iGppTJ3HqhEhD7ww4ypU3KY
    and clicked "Fix selected." It deleted the entry -- I hope that was the correct thing to do.

    I then downloaded and ran ComboFix, and I've attached the log file to this message. I then ran HijackThis again, and attached the new log file -- it went over the character limit when I pasted it into this message, so I had to attach it instead.

    I tried a few Google searches, and I haven't been redirected yet -- so it seems to have worked. Please let me know if there's anything else I need to do!
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Have a question for you: Is Comcast your ISP?

    For now, check this Service and make sure it's on Manual, not Automatic:

    Start> Run> type in services.msc> double-click on Background Intelligent Transfer Service (BITS)> set Startup type to Manual.

    Log review to follow.
     
  5. torc

    torc TS Rookie Topic Starter

    Comcast is not my ISP; I'm in Canada at university, so I use Bell Canada at home and the university's wireless/ethernet when I'm on campus.

    I checked the BITS settings that you specified; mine is set on Manual already, as you suggested.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Combofix deleted many entries- yet neither Mbam not SAS picked anything up! I tried to see if there was any malware profile to the deletions and got nowhere.

    You have a large number of processes running. IF they all started on boot, they will all run in the background- so if you have any slowdown problems, that's why.

    I'm going to have you run one more program, similar to Combofix- to make sure all of the malware files are gone:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    and follow with an online AV scan. Attach both of the logs in nexy reply. If they're clean and the problem has been resolved, I'll have you remove the cleaning tools.
    Open Kaspersky Online Scanner in Internet Explorer HERE.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
     
  7. torc

    torc TS Rookie Topic Starter

    The Kaspersky Online Scanner is currently unavailable, so I haven't completed that part of your instructions yet. I ran SDFix, and I've attached the log. Is there a different virus scanner that would work for these purposes? I have Symantec Antivirus -- I could do a scan with that.
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  9. torc

    torc TS Rookie Topic Starter

    Here's the logfile from the Kaspersky Online Scanner -- it found a few more threats/infected files, but 7 of the 8 seem to be files that Symantec has in quarantine. I had Symantec Auto-Protect off for the Kaspersky scan. Could you advise me as to what I should do next?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Go ahead and delete the entries Norton has in Quarantine.

    Then delete the current Kaspersky log. Update and rescan once more to make sure everything is gone.

    Attach new log and give me a description of any remaining problems.
     
  11. torc

    torc TS Rookie Topic Starter

    I deleted all of the files that had been in Quarantine, including the one that was in the Qoobox quarantine. I deleted the old Kaspersky log and ran the scan again; it came up clean. The new log is attached.

    Everything's been working great since I ran ComboFix -- Google search results no longer get redirected, and my browser seems to load more quickly. Thanks so much for your help. Should I delete the cleanup programs at this point? I'm planning to keep Symantec and Spybot S&D.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes!!! This is right where you want to be! Now let's clean up the tools:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [​IMG]

    Remove all of the tools we used and the files and folders they created
    • DownloadOTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    If you are prompted to Reboot during the cleanup, select Yes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.
    -----------------------------------------------------
    And here are some tips to keep it that way:
    Please follow these simple steps to keep your computer clean and secure:
    1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2.Stay current on updates:
    • Visit the Microsoft Download Sitefrequently.
      You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP1
    • Visit this site[Adobe Readeroften and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3.Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4.Remove Temporary Internet Files regularly: Use5. Use an AntiVirus Software(only one)
    6.Use a good, bi-directional firewall(one software firewall)
    [*]See Understanding and Using Firewalls including links to download a firewall.

    7.Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar Get the free google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention
    back to the thread.
     
  13. torc

    torc TS Rookie Topic Starter

    Excellent -- I followed your instructions and my computer is running well. Thanks again for your help!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Stay safe and enjoy computing!
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.