TechSpot

Google Redirect Virus

By BEB
Nov 19, 2009
  1. Hi,

    I'm really pleased to have found this forum! I'm in the same boat as a few others here, I seem to have a google redirect virus.

    A couple of days ago I got a virus which appeared to install "advanced spyware" software. Dialog boxes kept popping up saying I had a virus. It hijacked my desktop background and replaced it with a blue background with a box in the middle saying I was infected. It blocked me from accessing sites like myspace, youtube etc. And it redirected my google search engine.

    Prior to finding this site I downloaded Malwarebytes' Anti-Malware and it seems to have removed most of the problem, except for the google re-directs. Either the search doesn't run properly at all, or if it does, any links I click get redirected to other sites. It is doing this in both IE and Firefox. I have XP on my computer.

    I have followed the 8 Step virus removal as best I can and attached the logs. Any help to get rid of the problem (and advice on how to speed up my pc if I have too many things starting up etc) would really be appreciated.

    Thanks.
     
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Welcome BEB,
    you do have quite a mess... We will see if we can clean you up a bit soon. In the mean time, fix or delete these entries in the hijackthis log...

    "O1 - Hosts: 89.149.210.61 www.google.com
    O1 - Hosts: 89.149.210.61 www.google.de
    O1 - Hosts: 89.149.210.61 www.google.fr
    O1 - Hosts: 89.149.210.61 www.google.co.uk
    O1 - Hosts: 89.149.210.61 www.google.com.br
    O1 - Hosts: 89.149.210.61 www.google.it
    O1 - Hosts: 89.149.210.61 www.google.es
    O1 - Hosts: 89.149.210.61 www.google.co.jp
    O1 - Hosts: 89.149.210.61 www.google.com.mx
    O1 - Hosts: 89.149.210.61 www.google.ca
    O1 - Hosts: 89.149.210.61 www.google.com.au
    O1 - Hosts: 89.149.210.61 www.google.nl
    O1 - Hosts: 89.149.210.61 www.google.co.za
    O1 - Hosts: 89.149.210.61 www.google.be
    O1 - Hosts: 89.149.210.61 www.google.gr
    O1 - Hosts: 89.149.210.61 www.google.at
    O1 - Hosts: 89.149.210.61 www.google.se
    O1 - Hosts: 89.149.210.61 www.google.ch
    O1 - Hosts: 89.149.210.61 www.google.pt
    O1 - Hosts: 89.149.210.61 www.google.dk
    O1 - Hosts: 89.149.210.61 www.google.fi
    O1 - Hosts: 89.149.210.61 www.google.ie
    O1 - Hosts: 89.149.210.61 www.google.no
    O1 - Hosts: 89.149.210.61 search.yahoo.com
    O1 - Hosts: 89.149.210.61 us.search.yahoo.com
    O1 - Hosts: 89.149.210.61 uk.search.yahoo.com"
     
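The O1 lines quoted above are the mechanism behind this kind of redirect: the local hosts file is overriding name resolution for every Google and Yahoo search domain and sending them to one outside address. The script below is an added example for this thread, not a tool from the original post or from HijackThis; it parses lines in the "O1 - Hosts:" log format (and plain hosts-file lines) and reports every hostname that resolves to an address other than loopback or 0.0.0.0, grouped by target, so a reviewer can spot a mass redirect at a glance. The sample input is constructed from the addresses quoted in the reply plus two benign lines; the function names are the example's own.

```python
"""Flag hosts-file entries that redirect hostnames to a non-local address.

Added example, not from the original thread or from HijackThis.
Handles two line formats:
  * HijackThis "O1 - Hosts: <ip> <hostname>" log lines
  * raw hosts-file lines "<ip> <hostname> [alias ...]  # comment"
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# HijackThis O1 line: "O1 - Hosts: <ip> <hostname>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Targets a benign hosts file normally uses: loopback and the null route
# used by ad-blocking hosts lists.
LOCAL_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_line(line: str) -> List[Tuple[str, str]]:
    """Return a list of (ip, hostname) pairs found on one line, or [] if none."""
    # The forum quote wraps the whole block in double quotes; strip them.
    line = line.strip().strip('"')
    if not line or line.startswith("#"):
        return []
    m = O1_RE.match(line)
    if m:
        return [(m.group(1), m.group(2).lower())]
    # Raw hosts-file line: drop a trailing comment, then "<ip> host [host ...]"
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        return []
    return [(fields[0], host.lower()) for host in fields[1:]]


def is_local(ip_text: str) -> bool:
    """True if the address is loopback or 0.0.0.0; malformed text counts as non-local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip in LOCAL_TARGETS or ip.is_loopback


def find_hijacked(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each non-local target address to the hostnames pointed at it.

    A healthy hosts file yields an empty dict. Many unrelated hostnames
    pointing at one outside address is the signature of a search redirect.
    """
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for ip, host in parse_line(line):
            if not is_local(ip):
                hits.setdefault(ip, []).append(host)
    return hits


# Constructed sample: three lines in the format quoted in the thread, plus
# two benign lines a hosts file might legitimately contain.
SAMPLE_LOG = """\
"O1 - Hosts: 89.149.210.61 www.google.com
O1 - Hosts: 89.149.210.61 www.google.co.uk
O1 - Hosts: 89.149.210.61 search.yahoo.com"
127.0.0.1 localhost
0.0.0.0 ads.example.invalid tracker.example.invalid  # blocklist entry
""".splitlines()


if __name__ == "__main__":
    for target, hosts in find_hijacked(SAMPLE_LOG).items():
        print(f"{len(hosts)} hostname(s) redirected to {target}:")
        for host in hosts:
            print(f"    {host}")
```

On a live Windows machine the same function can be run over the contents of `%SystemRoot%\System32\drivers\etc\hosts`; entries pointing at a private LAN address may be deliberate, so treat the output as a review list rather than an automatic verdict.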
  3. BEB

    BEB TS Rookie Topic Starter

    Hi Tmagic,

    Thanks for your help. Um... "quite a mess".. sounds ominous... I hope it can be fixed. :eek:

    I would like to delete the files you have recommended, but I don't know how to do so. It's not a directory file path, so I can't seem to search and find the files with explorer.

    Can you please advise as to how I should find and delete the files.

    Thank you!!

    BEB
     
  4. BEB

    BEB TS Rookie Topic Starter

    OK...I replied to the previous post asking how to delete those files, but it said the post had to be approved by a moderator. However I posted this one... and it went straight through.

    I had a few glasses of wine and continued to try to get rid of the problem myself.

    I appear to have fixed the redirect... I found some steps on another forum. I'll post the link and steps here (I'm not sure if the download links will work). I'm only trying to pass on what seems to have worked for me, so I apologise in advance if posting something from another forum isn't the "done thing"... however I figure we all want to learn.

    This is what I followed:

    Removal Instructions

    1.You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.

    2.First disable TeaTimer:
    ◦Run Spybot-S&D
    ◦Go to the Mode menu, and make sure Advanced Mode is selected
    ◦On the left hand side, choose Tools -> Resident
    ◦Uncheck Resident TeaTimer and OK any prompts
    ◦Restart your computer.
    Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

    Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    3. Then download ResetTeaTimer.exe to your desktop.
    ◦Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

    •Download HostsXpert.zip
    •Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
    •Double-click HostsXpert.exe to run the program.
    •Click "Make Hosts Writable?" in the upper right corner (If available).
    •Click "Restore Microsoft's Hosts file" and then click "OK".
    •Click the X to exit the program.
    •Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    The post with the correct links can be found at the bottom of this page:

    http://www.bleepingcomputer.com/forums/topic272556.html

    My particular google redirect was the "SearchClick10" one... so this seems to have worked so far. However I'm not sure if this means I am clean and free... so any further advice as to what you guys have found in my log files would really be appreciated.

    Thanks

    BEB
     
  5. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Post a new hijackthis log when you have time
     
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    When you run Hijackthis and the log file is presented, you have the option to "fix" these entries by selecting them and then select fix
     
  7. BEB

    BEB TS Rookie Topic Starter

    Hi,

    Sorry it has taken me a while to get back with my new logs, but my virus troubles hit right as I was in the process of packing and moving house and then going away on holidays.

    Please find attached fresh logs. My google redirect issues seem to be fixed, but I have one lingering problem. When I go to the start menu and select "shut down", there is an icon there which says there are windows updates that need to be installed, and then it looks as if it is going through the installation process.

    However whatever it is never seems to get installed and the icon is always there. Could I have something that is preventing my windows updates from installing?

    Also, my pc really seems to run very slowly on the internet, any tips on that?

    Thank very much for your time and help, it's really appreciated.

    Cheers

    BEB
     

    Attached Files:

  8. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 451   +37

    The entries have been fixed but wait for another member to help on the last steps of making sure your computer has been successfully cleaned.
     
  9. BEB

    BEB TS Rookie Topic Starter

    Hi,

    I'd really appreciate it if someone could look at the logs and see what else needs to be fixed. I haven't used my internet banking since the infection as I'm not confident I'm in the all clear yet... and that is becoming a real pain.

    I turn my laptop off every night, and it goes through the same routine of saying it's installing the updates. but it doesn't seem to do it.

    Thanks

    BEB
     
  10. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    You have got many "O18 - Protocol: bw*"... hijackthis log entries that will have to be handled. Another on-line scan may be needed
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Beb, sorry you haven't gotten correct or full help. Sometimes members try to help out but are short of knowledge.

    You have a DNS Changer malware infection and you need to turn off the Logitech messenger. Please disregard any previous replies. You should also know that malware help is customized to each person's system.

    So let's get it cleaned up: for the O18 entries:

    Turn off Logitech Desktop Messenger.
    This program is not required to start automatically as you can run it when you need to.
    It is advised that you disable it so that it does not take up necessary system resources.
    • Go to Start>All Programs>Logitech, click on Desktop Messenger.
    • There are two check boxes which are self descriptive:
    • You can choose to disable either or both check boxes.

    From Logitech:
    that's okay- you don't need them!

    DNS Changer
    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

    When finished, please rescan with HijackThis and attach new log.

    Note: You do not need to quote our directions. They are available in the previous posts. It can cause a reply to be too long which is what happened to you.

    Tmagic and AnonymousSurfer, please refrain from offering malware help.
     
  12. BEB

    BEB TS Rookie Topic Starter

    Hi Bobbye,

    Thank you very much for your quick response. I have one question before I try to follow the steps. My internet connection is a via a small usb stick, which gives me roaming internet access, ie it can be used anywhere. I don't see a small hole or button on the usb stick to reset it, like my old modem used to have.

    Do you have any idea how I would reset it, or will the instructions work otherwise.

    Thank you.

    BEB
     
  13. BEB

    BEB TS Rookie Topic Starter

    Hi,

    I've followed all steps apart from resetting the router, as per my previous post.

    The two check boxes for Logitech Desktop Messenger were already unchecked. I've checked them, saved it, and then unchecked them again, with no change. The files still appear in the HijackThis log.

    The system updates still aren't installing properly.

    Has doing the flushdns cleared the DNS changer?

    Thanks for your help.

    BEB
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am setting this up differently from the usual removal. I have grouped items and I have provided descriptions. None of those I'm having you check needs to start on boot and run in the background.

    After removal by HJT, each should be taken off of the Startup menu using the Windows msconfig utility.
    Please print the instruction below. You will be taking all of these off of Startup and you will be in Safe Mode. Note: Entries themselves are in Bold Black. Descriptions are in normal text:

    Please reopen HijackThis to 'do system scan only'. Check each of the following entries if present. (Note: Do not click on Fix Checked until ALL of the entries have been checked.)

    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe>> Logitech webcam related.
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe>> Note description:
    "Found on Acer laptops with webcams and Logitech webcams. Reports indicate that this process can use up a great deal of memory. If this is the case for you, it is advised that you disable it. On the other hand, further reports state that if this is disabled then the webcam will not work in quick capture mode. Please determine if this should be disabled based on your particular use and configuration."
    C:\Program Files\Logitech\SetPoint\SetPoint.exe>> Note description
    "Logitech keyboard and mouse drivers that allows you to configure and enable special features of your mouse and keyboard. This startup is only required if you use these features."
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE>> Note Description:
    "Logitech Bluetooth mouse Hardware Abstraction layer. A "hardware abstraction layer" is an interface that enables adding support for new devices and new ways of connecting devices to the computer, without modifying every application that uses the device."
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

    Having a process on Global Startup means that not only will it start on boot, but it will start for every account on the machine. None of the following need to start on boot.

    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe>> Printer
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    >> Note Description:
    "Application which launches common MS Office components to help speed up the launch of Office programs."
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe>> Note Description:
    "provides tray access to SQL server, the server agent and MSDTC. Available via Start -> Programs"

    Unless you specifically set the following or are aware they have been set, check each for removal:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Begin checking here:
    O18 - Protocol: bw+0 - {628101D7-EBC2-44E6-A817-B8A6A483662F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    >> continue checking ALL O18 entries through the following:

    O18 - Protocol: offline-8876480 - {628101D7-EBC2-44E6-A817-B8A6A483662F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in msconfig> enter> Selective Startup> Start up menu> refer to the HijackThis removal list that you printed out> Uncheck each process that belongs to any of the entries on that list> NONE need to be on Start.

    When finished> click on Apply> OK>
    Reboot: NOTE: When you reboot the first time after making changes using msconfig, you get a nag message that you can ignore and close after checking 'don't show this message again'. Stay in Selective Startup.

    Rescan with HijackThis and give new log in next reply.
    We'll see what was accomplished.

    Remind me to tell you to update Adobe\Acrobat 5.0\Reader to current version.
     
  15. BEB

    BEB TS Rookie Topic Starter

    Hi Bobbye,

    Thank you SO much for taking the time to give me such a detailed reply. Sorry I hadn't responded earlier, but I'm having a bad computer month - I managed to spill a cup of tea on my laptop and it has been drying out. It sort of works - having some problems with the keyboard, but I'll sort that out later.

    I managed to do nearly all of your post, except I couldn't find:

    C:\Program Files\Logitech\SetPoint\SetPoint.exe>>

    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE>>

    I also got a message when I tried to apply the changes in selective startup saying that I was unable to make changes, but they still seem to have gone through.

    I have attached the latest log, thanks again for your help.

    cheers

    BEB
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you mean this one?
    Before I forget. You need to update Adobe to current version which is v9.xx. You have both v5 and v7 running:

    Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

    I forgot to get back to you on the flash drive. That can be disinfected using a program if needed. How are you running now? The redirect was resolved earlier- any other malware related problems?

    I'd like you to do an online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Attach that log in next reply and give me the info about any current problem.
     
Topic Status:
Not open for further replies.