Google redirection / clicksor popups

By ronblanco
May 17, 2009
  1. Hello,

    I've spent days trying to go through the 8-step process. I've learnt a lot, so that's something, but I'm still having probs. Part of the problem has been an inability to download some of the files or run some of the steps:

    couldn't download MBAM, Comodo, ZoneAlarm

    couldn't run superAV

    could download and run: Avast, Avira, AVG 8, CCleaner, HijackThis

    HijackThis log is attached. Of course most of it is gobbledygook to me so any help in deciding next course of action would be very much appreciated,



    PS Is this malware something that might have led to compromised bank details etc. and require re-format and re-install?
  2. touch

    touch TS Rookie Posts: 978

    Hello ronblanco

    Remove/uninstall from "Add/Remove Programs" in Control Panel:
    AVG 8 and Avast or Avira

    Download Malwarebytes

    Save the file as setup.exe

    Run the setup.exe file
    When it gets to the final step of the installation it will seem like it hasn't but it will take anywhere from 15mins to an hour to get through that step so just let it do its thing.
    If the automatic update fails, download the manual update ->

    Reboot to safe mode ->
    "Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows Xp Advanced Options menu.
    Select the option for Safe Mode using the arrow keys.
    Then press enter on your keyboard to boot into Safe Mode."

    Go into the Malwarebytes folder in Program Files
    Rename the mbam.exe to mab.exe and run it.
    Do a full computer scan
    Check all and remove/fix/delete them.

    Restart your computer and attach the log
  3. ronblanco

    ronblanco TS Rookie Topic Starter

    Thanks Touch

    I have followed your steps and attached a log.

    A couple of points to note:

    1. The setup didn't take 15-60 mins as you suggested. It was very quick.
    2. Couldn't reboot to safe mode - computer kept having a problem with this - so ran mab in normal mode.

    Are these points relevant / do they affect the results?
    Does the log file indicate anything relevant?

    much obliged,

  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated first (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    Latest MalwareBytes Rules for Manual update if that helps ;)
  5. ronblanco

    ronblanco TS Rookie Topic Starter

    Thanks kimsland,

    I've done what you asked and attached the new file,

    the problem still exists, i think!

  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hi Ron that looks a lot better.
    But I suspect that you are still having issues though

    Please run HJT Scan Only, and place a tick next to the following entries (note: some may not exist now)
    Once all are ticked then close all/any Internet Browsers and select Fix
    Close HJT once fixed

    Then go to add/remove programs and uninstall Avast

    Then download and run the AVG removal tool, here it is:

    Lastly, restart ;)

    Once your computer starts back up, try updating Avira
    I usually just right click on the umbrella tray icon, and select "Start Update"
    Once Avira is confirmed updated, please run a full scan (as you had 3 AntiViruses going on, it is possible that some Virus may still be on your system)

    Please then attach the Avira Antivirus scan log and a new HJT scan log
    I think you're nearly there :)
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    ronblanco, hopefully I won't confuse you, but you need to know this:
    You have the DNSChanger malware. MBAM found an entry, but the following indicate it in the HijackThis log. This is why you are getting redirected, and it requires special cleaning, including a router reset:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81CB376B-2F0A-4EC1-AB20-C32420774388}: NameServer =,

    You'll recognize this Trojan by checking the DNS server assignments on the computer that does not update. Do this by following these steps:

    • [1] Start> Run> type in cmd>
      [2] At the command prompt, type IPCONFIG /ALL and press Enter
      [3] You should be presented with the bunch of information, find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something similar.
      [4] Find the DNS Server section and double-check the numbers. Usually the DNS is a local IP like or it could be a statically assigned IP from your ISP. If the DNS numbers are remotely similar to the following IPs then you have the DNS Changer Trojan. These IPs originate in Europe.
      [5] Type Exit at the command prompt to close it

    You need to reset your router. Why? Because as you can see, any computer you connect to it will be connecting to a malicious server prior to reaching the net. If you want I can post a script to hopefully bypass the bad DNS connection and force a static DNS connection to OpenDNS.

    • [1] Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
      [2] Shut down your computer, and any other computer connected to your router.
      [3] On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [4] Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in.
      [5] Continue holding the reset button for twenty seconds.
      [6] Unplug the router again.
      [7] With the router unplugged, start your computer. Run MBAM again.
      [8] Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [9] After resetting your router - go to Start -> Run -> type in cmd and press enter -> at the prompt type ipconfig /flushdns -> type EXIT and press enter.

    After you are connected again - run a fresh HijackThis scan
    Attach new Mbam and HijackThis logs.
  8. ronblanco

    ronblanco TS Rookie Topic Starter

    Thanks Kimsland,

    I will go through your suggestions in the morning when I've sobered up.

    Hi Bobbye,

    I've checked that info. I have two DNS servers listed, both starting 194. I also have an IP address and default gateway starting 86. Does that still indicate that I have the problem that you mentioned?


  9. ronblanco

    ronblanco TS Rookie Topic Starter

    (kimsland) "Please then attach the Avira Antivirus scan log and a new HJT scan log"

    Thanks Kimsland, I have done as you asked. Logs attached.

    I have not performed Bobbye's suggestion yet. One thing at a time, I thought. Do you concur with his suggestion?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Feel free to wait for him to "concur". In the meantime, I suggest you follow through with the router reset.

    You also have files in the AV scan - gxvxcserv.sys (Registry) - that will need to be removed.
  11. ronblanco

    ronblanco TS Rookie Topic Starter

    Thank you Bobbye. I did as you said and did an IPconfig, which gave me two DNS server entries starting 194. Because this was not similar to the dodgy values you warned me about, and because I wasn't sure where to find the setup info for my router, I hesitated with the router reset. However, the IPconfig did also list my IP address and default gateway starting 86 - which IS similar to the dodgy values you listed.

    In view of my IPconfig findings, I would be grateful if you could confirm that I should go ahead with it, and also how do I remove that gxvxc entry from the registry?

    Thanks for your help
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The 86 block is in France. The 85 block is in the Ukraine. I do not have enough information about the IP with '86'. Your first HijackThis log clearly showed this infection with:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81CB376B-2F0A-4EC1-AB20-C32420774388}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D02C3BBE-DA8D-48DC-A073-073F7724EF37}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =,
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =,

    But subsequent logs do not. I would reset the router as I don't see that anything was done to remove the original IP. It is possible your hidden files aren't showing and that's why you don't see it.

    Then: Run SDFix:
    • Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)
    • Boot into Safe Mode (Restart your computer and start pressing the F8 key on your keyboard).
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
    Rescan with HijackThis. Include new logs with SDFix report.
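The DNS check Bobbye describes in post 7 (reading the DNS Servers out of `ipconfig /all`) and the O17 NameServer entries quoted in post 12 can be checked the same way in one script; this is an added example, not code from the thread, and it assumes the ipconfig output and HijackThis lines are available as pasted text. The sample input is constructed with RFC 5737 documentation addresses rather than anything the poster reported, and the `trusted` allowlist stands in for the ISP's published resolvers, because on a direct cable-modem connection public DNS addresses are normal and only addresses that are neither local nor the ISP's deserve a second look.

```python
import ipaddress
import re
# Constructed sample of `ipconfig /all` output (not from the thread); addresses are RFC 5737 documentation ranges.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        DNS Servers . . . . . . . . . . . : 203.0.113.10
                                            203.0.113.11
        Lease Obtained. . . . . . . . . . : Monday, May 18, 2009 9:00:00 AM
"""
# Constructed HijackThis O17 lines in the shape of the thread's entries (placeholder GUID and addresses).
SAMPLE_HJT = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-GUID}: NameServer = 203.0.113.10,203.0.113.11
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
"""
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# RFC 1918 plus loopback, checked explicitly: ipaddress.is_private would also count documentation ranges as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def dns_servers_from_ipconfig(text):
    """DNS Servers for every adapter, including the indented continuation lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            servers += re.findall(IPV4, line.split(":", 1)[1])
        elif collecting and re.fullmatch(rf"\s*{IPV4}\s*", line):
            servers.append(line.strip())      # continuation line holds only an address
        else:
            collecting = False                # any other field ends the list
    return servers

def dns_servers_from_hjt(text):
    """Every NameServer value from O17 lines; comma-separated lists are split."""
    servers = []
    for value in re.findall(r"^O17 - .*NameServer = (.*)$", text, re.M):
        servers += [s.strip() for s in value.split(",") if s.strip()]
    return servers

def classify(servers, trusted=()):
    """Label each server local (RFC 1918/loopback), trusted (caller's ISP allowlist) or unexpected."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    labels = {}
    for s in dict.fromkeys(servers):          # de-duplicate, keep order
        ip = ipaddress.ip_address(s)
        if any(ip in n for n in LOCAL_NETS):
            labels[s] = "local"
        elif any(ip in n for n in trusted_nets):
            labels[s] = "trusted"
        else:
            labels[s] = "unexpected"
    return labels

def unexpected_servers(ipconfig_text, hjt_text, trusted=()):
    found = dns_servers_from_ipconfig(ipconfig_text) + dns_servers_from_hjt(hjt_text)
    return [s for s, label in classify(found, trusted).items() if label == "unexpected"]
```

A non-empty result is a prompt to compare the addresses against the ISP's published resolvers, not proof of infection on its own; the registry paths on the O17 lines (CCS, CS1, CS2) show which control sets still carry the value after a cleanup.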
  13. ronblanco

    ronblanco TS Rookie Topic Starter

    Hi Bobbye,

    I'm not sure if I misunderstood you regarding the router.

    My laptop is connected directly to my cable modem, which has no reset button. I switched off the modem, ran MBAM without the internet connected, and followed the other instructions you gave.

    Unfortunately I could not reboot to safe mode to run SDFix - my computer refused several times. Can I run it in normal mode? When trying in normal mode it gave me a list of options but I didn't know which was correct.

    In any case I ran another HJT file and have attached.

    My google redirection persists.

    Thanks for your help so far, and please advise as to the next step,


  14. ronblanco

    ronblanco TS Rookie Topic Starter


    Bobbye, there is a small hole on the back of my modem, but it is not marked reset, and I'm not sure if it did anything. How can I check if it did reset the modem OK?

    Also, problem with safe reboot and sdfix still applies

    MBAM finds Trojan DNSChanger, I delete it but it keeps reappearing. Just as you said.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The router didn't reset.

    Please go to the manufacturer's site for the router you have and look for reset directions.
  16. ronblanco

    ronblanco TS Rookie Topic Starter

    Hi Bobbye,

    I contacted my ISP. I do not use a router. My laptop is connected directly to my Ambit modem.

    I can switch the modem off and I can unscrew the external cable, but there is no reset option.

    I did this, switched off, unscrewed, ran mbam, reconnected and have attached the logs.

    I cannot run SDfix as I cannot reboot into safe mode.


    (1) I still have IP address starting 86. Does that necessarily indicate a problem?
    (2) What does SDFix do? Can I run it from normal mode?

    Thanks for your help so far.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please clarify some things for me:

    Are you using a USB Wireless LAN Adapter?
    O4 - Global Startup: ZDConfig.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe>>> Related to various brands of Wireless USB LAN Adapter
    From source Webopedia:
    Recent zdconfig News and Issues
    1. Browser hijack
    * C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.EXE C:\Program Files\Microsoft IntelliType Pro\type ... read more on site
    2. My computer has completely stopped responding. - Tech Support Forum
    * C:\Program Files\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe. C:\Program Files\Google\Google Desktop Search\ ... read more on site
    Read here:

    The system has got to be confused about this: There are 2 different CLSIDs:
    O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
    O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

    Which zone do you want this in? What does "webzone" represent? You don't need anything in the Trusted Zone. But you also don't need to Restrict it,

    You say you don't have a router but you put the router IP in the Trusted Zone. Why is that?
    O15 - Trusted IP range:

    Hardware is not my best area so someone else might have a better question/answer.
  18. ronblanco

    ronblanco TS Rookie Topic Starter

    Hi Bobbye,

    No. I have used a Linksys Wireless router previously with this machine. But now I use an ethernet cable between my laptop and the cable modem. I'm not sure why that Zydas thing should be necessary any more. However, in the past I have noticed that sometimes my internet has seemed to only start working once the zydas icon appears.

    Sorry Bobbye. You've lost me there. I don't really know what any of that means.

    Sorry. I don't know. CLSIDs, webzones, trusted zones? None of it is something I have set manually. I just wouldn't know where to start.

    Thanks for your help. But I simply don't have the knowledge to answer those questions.

    Any suggestions?
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The questions I asked relate directly to the entries in the logs. A good place for you to start is on Google:
    Trusted Zone>> anything in this zone has lower security. You don't need any sites in the Trusted Zone. But you have a router IP in the Trusted Zone, and you aren't using a router.

    Wireless Network: A Network card, Network Adapter, LAN Adapter or NIC (network interface card) is a piece of computer hardware designed to allow computers to communicate over a computer network. ...

    ZDConfig is related to Wireless USB LAN Adapter. And Global Startup means that it will start no matter which account is being used.

    It looks to me that you never re-configured the computer when you went to the Ethernet direct cable instead of connecting through a router. All of these different entries that are starting up are telling the system to go in different directions!

    Zydas WLAN USB driver should have been disabled, then uninstalled.

    As for the Extra Buttons> the problem with the ones I see is that they contradict what to add to Restricted and what to add to Trusted.

    I think you need to have someone who can have hands on to help you get the computer settings corrected, or some kind of remote help, and I don't think you can solve the connection problem until they are fixed.

    It's kind of like expecting your car to drive to California and New York at the same time!
  20. ronblanco

    ronblanco TS Rookie Topic Starter

    Hi Bobbye,

    Oh dear. Sounds like it's the end of the road for now then.

    The Google redirect in itself isn't the end of the world, but I am obviously now nervous that all of my internet traffic etc. may be rerouted through the Ukraine?

    I have a number of other faults with my laptop:

    cd drive not working
    cannot boot to safe mode
    cannot open system properties
    sound fails intermittently

    so its days might be numbered anyway.

    Thanks for your help so far.

  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You should probably see if it can be fixed by a professional.
  22. ronblanco

    ronblanco TS Rookie Topic Starter

    (bobbye) "A good place for you to start is on Google"

    Hi bobbye, kimsland, touch,

    Have you made any progress solving this damned google redirection virus? You're not going to let this one beat you are you?

    My laptop is working much better now, but I still get the recurring DNSchanger virus. Mbam detects it and clears it, but it reappears after a while, even if I am not connected to the internet!

    I have been investigating it myself and removed any Google software, but my laptop will not allow me to delete one Google directory called Google Updater. It says the file or dir is corrupted and unreadable. Can I override this somehow? I have become very suspicious about it.

    Come on guys, let's crack this one,

  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It makes me a little nuts when I get email feedback, click on the link and the reply is gone! Here's what I got:
    Well, I'm here but the reply isn't!
    Properties of the email show sent and received 5/27/09

    There is no quote or indication of who said this: Is this you wanting us to come up with a magical cure?