Google redirect virus

Posted on Wed Oct 03, 2012 9:28 am

I’m having a lot of trouble with a Google search redirect virus. I think it’s a rootkit. I used Kaspersky’s free tool “TDSSKiller”, which removed it one time but is not removing it now (it came back after one day). It is redirecting some but not all of my Google or Yahoo search results in IE or Chrome.

I have tried AVG, which was already installed, a Trend Micro online scan, and Spybot, and none of these found the virus. My Windows Update has always been up to date.

The next thing I am going to try is to look for my hosts file and see if that got corrupted. Just wondering if anyone else has any ideas.
Hawkwing74
His Holy Gerbilness
Posts: 12841
Joined: Wed Aug 20, 2003 5:51 pm
Location: Streamwood, IL

Re: Google redirect virus

Posted on Wed Oct 03, 2012 9:40 am

Reboot into safe mode, full scan with malwarebytes and MSSE.
Corsair 600T | ASUS P8P67 PRO | Intel 2500k @ 4.4Ghz | EVGA 560 TI | G.SKILL Ripjaws Series 8GB | Corsair HX650 650W
steelcity_ballin
Gerbilus Supremus
Silver subscriber
Posts: 11913
Joined: Mon May 26, 2003 5:55 am
Location: Pittsburgh PA

Re: Google redirect virus

Posted on Wed Oct 03, 2012 9:52 am

My usual method for this is as follows: run rkill.exe, a nice free program available online that clears active infections out. Then use Malwarebytes. Works perfectly!
firewarrior565
Gerbil In Training
Posts: 6
Joined: Sun Aug 12, 2012 11:31 am

Re: Google redirect virus

Posted on Wed Oct 03, 2012 10:16 am

Hawkwing74 wrote:I’m having a lot of trouble with a Google search redirect virus. I think it’s a rootkit. I used Kaspersky’s free tool “TDSSKiller”, which removed it one time but is not removing it now (it came back after one day). It is redirecting some but not all of my Google or Yahoo search results in IE or Chrome.

I have tried AVG, which was already installed, a Trend Micro online scan, and Spybot, and none of these found the virus. My Windows Update has always been up to date.

The next thing I am going to try is to look for my hosts file and see if that got corrupted. Just wondering if anyone else has any ideas.


If you found a tool that is specifically made to remove the exact virus signature that infected your system and it failed to disinfect, imo, the best place to ask questions would be on the developer's forum or online support. Personally I have tried removing a similar virus that redirected and prevented the user of the machine from connecting to specific websites like www.microsoft.com. In that instance I thought I successfully removed it, but after 4-5 hours the system became unresponsive and it locked the system. Even after countless reboots I couldn't get into Windows... I was forced to reinstall the OS. Luckily it wasn't my machine.
nVidia video drivers FAIL, click for more info
Disclaimer: All answers and suggestions are provided by an enthusiastic amateur and are therefore without warranty either explicit or implicit. Basically you use my suggestions at your own risk.
Arclight
Gerbil Elite
Posts: 696
Joined: Tue Feb 01, 2011 3:50 am

Re: Google redirect virus

Posted on Wed Oct 03, 2012 10:25 am

It is not meant to remove this exact virus. It looks for around 500 rootkit viruses. I will try Malwarebytes when I get home.
Hawkwing74
His Holy Gerbilness
Posts: 12841
Joined: Wed Aug 20, 2003 5:51 pm
Location: Streamwood, IL

Re: Google redirect virus

Posted on Wed Oct 03, 2012 11:41 am

I would enter safe mode and run Malwarebytes and MSE. After running those, I would set your browsers to default settings and clear all cache. I might also add using the sfc /scannow command to make sure the essential Windows files aren't corrupted or replaced with malicious ones; if that command finds anything corrupted or changed that shouldn't be, it will replace the bad files with good ones.
CPU: Intel Core-i7 2600 GPU: Nvidia GTX 770 4GB MoBo: ASRock z77 Pro4 RAM: (2x8) 16GB G.Skill 1600MHz Case: Thermaltake Commander PSU: 650W SeaSonic X SSD: 128GB Crucial M4 SSD HDD: 500GB Western Digital Green OS: Windows 7
Techgoudy
Gerbil
Posts: 64
Joined: Tue Oct 02, 2012 5:01 pm

Re: Google redirect virus

Posted on Wed Oct 03, 2012 12:21 pm

I would check the hosts file as well; I've seen some malware add bogus entries there.
i7-4790K-32Gb DDR3-1866-Zotac GTX 780ti -Samsung EVO 250GB- Samsung EVO 1TB
elmopuddy
Gerbil Elite
Gold subscriber
Posts: 899
Joined: Thu Dec 27, 2001 7:00 pm
Location: Montreal, Canada
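
The hosts-file check that Hawkwing74 and Techgoudy mention, as an added example that is not code from this thread: it parses hosts-file text and reports every entry for a search-engine, Microsoft or AV-vendor domain, separating loopback "block" entries (the www.microsoft.com symptom Arclight described) from redirects to some other address. The domain watchlist and the sample file are constructed for illustration; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed watchlist: domains a home PC's hosts file should never override.
WATCHLIST = ("google.com", "yahoo.com", "bing.com", "microsoft.com",
             "windowsupdate.com", "malwarebytes.org", "kaspersky.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                               # malformed line, skip it
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname equals or is a subdomain of a watchlisted domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)


def suspicious_entries(text):
    """Return (address, hostname, kind) for every watched domain in the file.

    kind is 'block' for loopback/unspecified targets (the site simply fails
    to load) and 'redirect' when the domain is pointed at another address.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if is_watched(name):
            kind = "block" if ip.is_loopback or ip.is_unspecified else "redirect"
            hits.append((str(ip), name, kind))
    return hits


# Constructed sample: a stock Windows hosts file plus injected lines.
SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com google.com
198.51.100.23   search.yahoo.com
127.0.0.1       www.malwarebytes.org
127.0.0.1       ads.example.net   # ad-blocking entry, not flagged
"""

if __name__ == "__main__":
    for addr, name, kind in suspicious_entries(SAMPLE):
        print(f"{kind.upper():8} {name} -> {addr}")
```

A clean stock hosts file contains only the localhost lines, so any hit this prints is worth explaining before trusting the machine's search results again.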

Re: Google redirect virus

Posted on Wed Oct 03, 2012 1:02 pm

Unless you are absolutely sure a tool will completely remove the exact version of whatever malware (which you have conclusively identified) there is only one sane option with a lot of today's nastier stuff:

Plug the drive into another computer, grab your critical files*, then nuke from orbit.

(only things you have no backups or easy replacements for, otherwise not worth the risk they've been trojanized)
blah blah blah signature blah blah blah
Bauxite
Gerbil Elite
Posts: 609
Joined: Sat Jan 28, 2006 12:10 pm
Location: electrolytic redox smelting plant

Re: Google redirect virus

Posted on Wed Oct 03, 2012 1:05 pm

1. combofix
2. Search the Windows registry for nameserver redirects and any other bogus DNS entries.
3. Run your favorite antivirus.
4. Try some Google searches.

This one is a pain, but I have managed to remove it from a few computers. I don't really remember the exact stuff I used, but the above is my normal approach. I usually start combofix from safe mode administrator and let it reboot and take over from there.
cass
Minister of Gerbil Affairs
Posts: 2266
Joined: Mon Feb 10, 2003 9:12 am

Re: Google redirect virus

Posted on Wed Oct 03, 2012 1:44 pm

Check the hard drive for a hidden TDLFS file system. Plug the HDD into another machine or use Hiren's boot CD.
It will be a very small (a few MBs) partition at the end of the drive. If it's there, format it and then delete it. After you do this you will need to replace the MBR with a default one and set the OS partition 'Active.'

After all this you should be able to boot Windows and run TDSSKiller and MBAM to check for further infections.
TechieRuss
Gerbil In Training
Posts: 1
Joined: Wed Oct 03, 2012 1:33 pm

Re: Google redirect virus

Posted on Wed Oct 03, 2012 2:12 pm

Recently I had a huge bout with this problem, pretty nasty stuff.

If all the above mentioned methods did not completely remove it, it's most likely from the wireless router. I tried all the methods above and to my surprise it kept coming back, and it suddenly started showing up on a second laptop as well. So I decided to hard reset the wireless router, installed its latest firmware and flashed it to dd-wrt and I haven't had the problem since.

Good luck!
zaedion
Gerbil
Posts: 43
Joined: Thu Mar 27, 2003 5:50 pm

Re: Google redirect virus

Posted on Wed Oct 03, 2012 4:39 pm

As others have said, try MBAM, if it's some simple link redirecting Adware - MBAM will probably find it and remove it. If it won't help - you might try running ComboFix, it's available here:
http://www.bleepingcomputer.com/download/combofix/

You should probably try out other tools as well - for example Avira makes a free bootable CD with antivirus scanner on it, which is updated daily, you might try it out: http://www.avira.com/en/download/produc ... cue-system
Kaspersky also has a similar rescue CD, though it's not being updated frequently, however you may still try it:
http://support.kaspersky.com/viruses/rescuedisk
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Google redirect virus

Posted on Wed Oct 03, 2012 8:43 pm

Are you sure you don't have some other infected machine on your network that is re-infecting the one you're trying to fix?
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Google redirect virus

Posted on Wed Oct 03, 2012 9:03 pm

...here are a couple of links which may (or may not) be helpful for you:
http://deletemalware.blogspot.com/2010/ ... virus.html

http://www.techspot.com/community/topic ... us.179907/ (look at posts #16 and #17).

...also, after you are hopefully done with this malware (whatever it is), you might want to invest some $$$ into a good paid antivirus program which has better protection for system files/settings against changes/modifications by currently unknown malware (not gonna give any particular recommendation, it's up to YOU to test and see which one works best for your particular setup).
Last edited by JohnC on Wed Oct 03, 2012 9:14 pm, edited 1 time in total.
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Google redirect virus

Posted on Wed Oct 03, 2012 9:05 pm

Listen to Hicks & Ripley. It's the only way to be sure.

(I wish there was a Susan Ivanova quote on point)
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
Posts: 20276
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Google redirect virus

Posted on Wed Oct 03, 2012 9:16 pm

Captain Ned wrote:Listen to Hicks & Ripley. It's the only way to be sure.


...an internet is quite a large "place", you can't nuke all of it :wink:
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Google redirect virus

Posted on Wed Oct 03, 2012 9:33 pm

JohnC wrote:
Captain Ned wrote:Listen to Hicks & Ripley. It's the only way to be sure.
...an internet is quite a large "place", you can't nuke all of it :wink:

No, just the local infections.

Wordplay aside, I simply don't try to fix stubborn infections. I know I'm eventually going to get them no matter what prevention tools I employ (The day job always makes me tell people it's not if, it's when) so I regularly image the OS and keep weekly data backups. A lather, rinse, & repeat is down to a couple of hours of mild inconvenience and that's only because the storage drives are WD Greens.
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
Posts: 20276
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Google redirect virus

Posted on Wed Oct 03, 2012 11:27 pm

Well, fixing stubborn, "unknown" infections can be a fun experience, and such knowledge will always be useful in the future as long as you won't completely transfer to a non-Microsoft OS :wink: But yeah, sometimes it's more productive to just wipe everything and start anew (or restore a backup image). Of course, that doesn't guarantee that you won't be re-infected again by the same exact thing (or something equally annoying) if your computer is still connected to internets :wink:
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Google redirect virus

Posted on Thu Oct 04, 2012 10:31 am

I will refer to this thread again if it comes back. AVG must have been updated during the day, because as soon as I got to my PC, AVG found it and quarantined it. I haven't seen the redirect effect since.

Thanks for all the advice.
Hawkwing74
His Holy Gerbilness
Posts: 12841
Joined: Wed Aug 20, 2003 5:51 pm
Location: Streamwood, IL

Re: Google redirect virus

Posted on Thu Oct 04, 2012 10:36 am

Hawkwing74 wrote:I will refer to this thread again if it comes back. AVG must have been updated during the day, because as soon as I got to my PC, AVG found it and quarantined it. I haven't seen the redirect effect since.

Thanks for all the advice.

It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.
Corsair 600T | ASUS P8P67 PRO | Intel 2500k @ 4.4Ghz | EVGA 560 TI | G.SKILL Ripjaws Series 8GB | Corsair HX650 650W
steelcity_ballin
Gerbilus Supremus
Silver subscriber
Posts: 11913
Joined: Mon May 26, 2003 5:55 am
Location: Pittsburgh PA

Re: Google redirect virus

Posted on Thu Oct 04, 2012 10:47 am

I just wanted to add that I had a similar issue. I got rid of the infection using combofix and similar steps listed here, but it was affecting my searches when using Google Chrome, not Firefox or IE. Turns out this installs an extension in Chrome called "default extension" (see the Microsoft Security Encyclopedia article). Even when all my tools said there was no infection, this extension remained and occasionally redirected searches. I had to dive in and delete the directory that contained the extension, and I haven't seen it come back.

I have continued to run frequent scans to check for re-infection and haven't seen it. Hope that helps.
aea414
Gerbil In Training
Posts: 5
Joined: Thu Mar 26, 2009 11:28 am
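
One way to see what is really installed in a Chrome profile, as an added example that is not aea414's or the thread's own code: it walks the Extensions directory layout Chrome uses and lists each extension's name, version and permissions, marking the "default extension" name from this post, so an extension you never installed stands out even when the scanners report clean. The extension ids and manifests are constructed in a temporary directory for illustration.

```python
import json
import os
import tempfile

# Name reported in this thread for the persistent Chrome component. Any name
# you do not recognise deserves the same scrutiny; this set covers just that case.
SUSPECT_NAMES = {"default extension"}

# Chrome keeps unpacked extensions at <Extensions>/<id>/<version>/manifest.json;
# on Windows that is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions.


def list_extensions(ext_dir):
    """Return one record per extension version found under ext_dir."""
    found = []
    for ext_id in sorted(os.listdir(ext_dir)):
        id_path = os.path.join(ext_dir, ext_id)
        if not os.path.isdir(id_path):
            continue
        for version in sorted(os.listdir(id_path)):
            manifest = os.path.join(id_path, version, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                data = json.load(fh)
            name = str(data.get("name", "")).strip()
            found.append({"id": ext_id, "version": version, "name": name,
                          "permissions": data.get("permissions", []),
                          "suspect": name.lower() in SUSPECT_NAMES})
    return found


def demo():
    """Build a constructed profile with two extensions and list them."""
    root = tempfile.mkdtemp()
    samples = {  # constructed ids and manifests, not real Web Store entries
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.2.0"):
            {"name": "Bookmark Helper", "permissions": ["bookmarks"]},
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "0.1"):
            {"name": "default extension",
             "permissions": ["tabs", "webRequest", "<all_urls>"]},
    }
    for (ext_id, version), manifest in samples.items():
        path = os.path.join(root, ext_id, version)
        os.makedirs(path)
        with open(os.path.join(path, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return list_extensions(root)


if __name__ == "__main__":
    for rec in demo():
        flag = "   <-- unrecognised? review or remove" if rec["suspect"] else ""
        print(f"{rec['name']} v{rec['version']} {rec['permissions']}{flag}")
```

Point list_extensions at the real Extensions directory of each Chrome profile on the machine; deleting the extension's id directory, as aea414 did, is what removes it once identified.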

Re: Google redirect virus

Posted on Thu Oct 04, 2012 10:52 am

steelcity_ballin wrote:It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?
Hawkwing74
His Holy Gerbilness
Posts: 12841
Joined: Wed Aug 20, 2003 5:51 pm
Location: Streamwood, IL

Re: Google redirect virus

Posted on Thu Oct 04, 2012 12:23 pm

Just MSSE - I could probably stand more protection but the sole user and I'm pretty careful about what I do with my gam.... MY VERY IMPORTANT WORK COMPUTER USED FOR WORK THINGS LIKE SCIENCE AND STUFF.
Corsair 600T | ASUS P8P67 PRO | Intel 2500k @ 4.4Ghz | EVGA 560 TI | G.SKILL Ripjaws Series 8GB | Corsair HX650 650W
steelcity_ballin
Gerbilus Supremus
Silver subscriber
Posts: 11913
Joined: Mon May 26, 2003 5:55 am
Location: Pittsburgh PA

Re: Google redirect virus

Posted on Thu Oct 04, 2012 2:45 pm

Hawkwing74 wrote:
steelcity_ballin wrote:It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?

For Windows machines I use MSE + Malwarebytes.

For Linux I typically use nothing, or ClamAV if I am feeling particularly paranoid.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Google redirect virus

Posted on Thu Oct 04, 2012 5:23 pm

Hawkwing74 wrote:
steelcity_ballin wrote:It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?


Well, I doubt that paying something like $40/year will make a serious dent in the family budget... But, it's up to you.
I've been recently trying out the new version (2013) of Kaspersky Antivirus... It seems to be pretty good so far - much better in terms of performance compared to previous versions (which were notorious for causing system "slow-downs" for some people), with a simpler interface but still with plenty of configurable options (I especially like that I can set it to run auto-updates and other scheduled tasks only during "idle" time, and not run them at all or bother me with any notifications if, for example, I currently have a game running in full-screen mode). Not sure about its detection rates (according to http://www.av-test.org it's very good) since I usually don't try to visit suspicious sites, but it did pop up a warning once right after I updated the "Planetside 2" client, about ps2.exe having "potentially suspicious keylogger-like behavior" (which is somewhat valid, since it needs to submit your login information to PS2 login servers); I just marked it as an "Exclusion" so it would never warn me about it again.

P.S.: If you'll ever decide to pay for an antivirus program (whatever it may be) - don't buy it directly from the "official" site; there are plenty of stores (like Amazon and others) which sell valid retail licenses/copies of the same exact thing for a much cheaper price. For example, Norton Antivirus costs $50 for a 1-year license at Symantec's own store, but it costs only $20 at Amazon (sold directly by Amazon) for the same exact thing!
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: Google redirect virus

Posted on Thu Oct 04, 2012 6:54 pm

The popular free a/vs are AVG, Avira, Avast, and MSE. I've used all at one time or another and settled on MSE for now. The bleeping computer website http://www.bleepingcomputer.com/ is a good place to check for specific removal advice. They often have programs to restore things malware ruins such as lost desktop, programs won't run and so on. I think they are associated with Malwarebytes and rkill too.

Jim
xgsound
Gerbil
Posts: 61
Joined: Wed Jul 20, 2005 10:48 pm
Location: Pittsburgh, PA
