Google redirect virus

Posted: Wed Oct 03, 2012 9:28 am
by Hawkwing74
I'm having a lot of trouble with a Google search redirect virus. I think it's a rootkit. I used Kaspersky's free tool "TDSSKiller", which removed it one time but is not removing it now. (It came back after one day.) It is redirecting some but not all of my Google or Yahoo search results in IE or Chrome.

I have tried AVG which was already installed, Trendmicro online scan, Spybot, and none of these found the virus. My Windows Update has always been up to date.

The next thing I am going to try is to look at my hosts file and see if it got corrupted. Just wondering if anyone else has any ideas.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 9:40 am
by steelcity_ballin
Reboot into safe mode, full scan with malwarebytes and MSSE.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 9:52 am
by firewarrior565
My usual method for this is as follows: run rkill.exe, a nice free piece of software available online that clears active infections out. Then use Malwarebytes. Works perfectly!

Re: Google redirect virus

Posted: Wed Oct 03, 2012 10:16 am
by Arclight
Hawkwing74 wrote:
I'm having a lot of trouble with a Google search redirect virus. I think it's a rootkit. I used Kaspersky's free tool "TDSSKiller", which removed it one time but is not removing it now. (It came back after one day.) It is redirecting some but not all of my Google or Yahoo search results in IE or Chrome.

I have tried AVG which was already installed, Trendmicro online scan, Spybot, and none of these found the virus. My Windows Update has always been up to date.

The next thing I am going to try is to look at my hosts file and see if it got corrupted. Just wondering if anyone else has any ideas.


If you found a tool that is specifically made to remove the exact virus signature that infected your system and it failed to disinfect, imo, the best place to ask questions would be on the developer's forum or online support. Personally I have tried removing a similar virus that redirected and prevented the user of the machine from connecting to specific websites like www.microsoft.com. In that instance I thought I successfully removed it, but after 4-5 hours the system became unresponsive and it locked the system. Even after countless reboots I couldn't get into Windows... I was forced to reinstall the OS. Luckily it wasn't my machine.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 10:25 am
by Hawkwing74
It is not meant to remove this exact virus. It looks for around 500 root kit viruses. I will try malwarebytes when I get home.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 11:41 am
by Techgoudy
I would enter safe mode and run Malwarebytes and MSE. After running those I would set your browsers to default settings and clear all cache. I might also add using the sfc /scannow command to make sure the essential Windows files aren't corrupted or replaced with malicious ones; if that command finds anything corrupted or changed that shouldn't be, it will replace the bad files with good ones.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 12:21 pm
by elmopuddy
I would check the hosts file as well; I've seen some malware add bogus entries there.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 1:02 pm
by Bauxite
Unless you are absolutely sure a tool will completely remove the exact version of whatever malware (which you have conclusively identified) there is only one sane option with a lot of today's nastier stuff:

Plug the drive in another computer, grab your critical files* then nuke from orbit.

(only things you have no backups or easy replacements for, otherwise not worth the risk they've been trojanized)

Re: Google redirect virus

Posted: Wed Oct 03, 2012 1:05 pm
by cass
1. combofix
2. search windows registry for nameserver redirects and any other dns bogus entries.
3. run your favorite antivirus
4. Try some google searches.

This one is a pain, but I have managed to remove it from a few computers. I don't really remember the exact stuff I used, but the above is my normal approach. I usually start combofix from safe mode administrator and let it reboot and take over from there.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 1:44 pm
by TechieRuss
Check the hard drive for a hidden tdlfs file system. Plug the HDD in to another machine or use Hiren's boot CD.
It will be a very small (a few MBs) partition at the end of the drive. If it's there, format it and then delete it. After you do this you will need to replace the MBR with a default one and set the OS partition 'Active.'

After all this you should be able to boot windows and run TDSSKiller and MBAM to check for further infections.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 2:12 pm
by zaedion
Recently I had a huge bout with this problem, pretty nasty stuff.

If all the above mentioned methods did not completely remove it, it's most likely from the wireless router. I tried all the methods above and to my surprise it kept coming back, and it suddenly started showing up on a second laptop as well. So I decided to hard reset the wireless router, installed its latest firmware and flashed it to dd-wrt and I haven't had the problem since.

Good luck!

Re: Google redirect virus

Posted: Wed Oct 03, 2012 4:39 pm
by JohnC
As others have said, try MBAM, if it's some simple link redirecting Adware - MBAM will probably find it and remove it. If it won't help - you might try running ComboFix, it's available here:
http://www.bleepingcomputer.com/download/combofix/

You should probably try out other tools as well - for example Avira makes a free bootable CD with antivirus scanner on it, which is updated daily, you might try it out: http://www.avira.com/en/download/produc ... cue-system
Kaspersky also has a similar rescue CD, though it's not being updated frequently, however you may still try it:
http://support.kaspersky.com/viruses/rescuedisk

Re: Google redirect virus

Posted: Wed Oct 03, 2012 8:43 pm
by just brew it!
Are you sure you don't have some other infected machine on your network that is re-infecting the one you're trying to fix?

Re: Google redirect virus

Posted: Wed Oct 03, 2012 9:03 pm
by JohnC
...here are a couple of links which may (or may not) be helpful for you:
http://deletemalware.blogspot.com/2010/ ... virus.html

http://www.techspot.com/community/topic ... us.179907/ (look at post #16 and #17).

...also, after you hopefully will be done with this malware (whatever it is), you might want to invest some $$$ into good paid antivirus program which has better protection for system files/settings against changes/modifications by currently unknown malware (not gonna give any particular recommendation, it's up to YOU to test and see which one works best for your particular setup).

Re: Google redirect virus

Posted: Wed Oct 03, 2012 9:05 pm
by Captain Ned
Listen to Hicks & Ripley. It's the only way to be sure.

(I wish there was a Susan Ivanova quote on point)

Re: Google redirect virus

Posted: Wed Oct 03, 2012 9:16 pm
by JohnC
Captain Ned wrote:
Listen to Hicks & Ripley. It's the only way to be sure.


...the internet is quite a large "place", you can't nuke all of it :wink:

Re: Google redirect virus

Posted: Wed Oct 03, 2012 9:33 pm
by Captain Ned
JohnC wrote:
Captain Ned wrote:
Listen to Hicks & Ripley. It's the only way to be sure.
...the internet is quite a large "place", you can't nuke all of it :wink:

No, just the local infections.

Wordplay aside, I simply don't try to fix stubborn infections. I know I'm eventually going to get them no matter what prevention tools I employ (The day job always makes me tell people it's not if, it's when) so I regularly image the OS and keep weekly data backups. A lather, rinse, & repeat is down to a couple of hours of mild inconvenience and that's only because the storage drives are WD Greens.

Re: Google redirect virus

Posted: Wed Oct 03, 2012 11:27 pm
by JohnC
Well, fixing stubborn, "unknown" infections can be a fun experience, and such knowledge will always be useful in the future as long as you won't completely transfer to non-Microsoft OS :wink: But yea, sometimes it's more productive to just wipe everything and start anew (or restore a backup image). Of course, that doesn't guarantee that you won't be re-infected again by same exact thing (or something equally annoying) if your computer is still connected to internets :wink:

Re: Google redirect virus

Posted: Thu Oct 04, 2012 10:31 am
by Hawkwing74
I will refer to this thread again if it comes back. AVG must have been updated during the day, because as soon as I got to my PC AVG found it and quarantined it. I haven't seen the redirect effect since.

Thanks for all the advice.

Re: Google redirect virus

Posted: Thu Oct 04, 2012 10:36 am
by steelcity_ballin
Hawkwing74 wrote:
I will refer to this thread again if it comes back. AVG must have been updated during the day, because as soon as I got to my PC AVG found it and quarantined it. I haven't seen the redirect effect since.

Thanks for all the advice.

It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

Re: Google redirect virus

Posted: Thu Oct 04, 2012 10:47 am
by aea414
I just wanted to add that I had a similar issue. I got rid of the infection using combofix and similar steps listed here, but it was affecting my searches when using Google Chrome, not Firefox or IE. Turns out this installs an extension in Chrome called "default extension" (see the Microsoft Security Encyclopedia article). Even when all my tools said there was no infection, this extension remained and occasionally redirected searches. I had to dive in and delete the directory that contains the extension, and I haven't seen it come back.

I have continued to run frequent scans to check for re-infection and haven't seen it. Hope that helps.
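
A read-only PowerShell triage script, added here as an example and not posted by anyone in the thread, that checks the three places posters pointed at: the hosts file (elmopuddy, Hawkwing74), the registry NameServer entries (cass) and Chrome's extension folder (aea414). It assumes default Windows paths and Chrome's "Default" profile; the watched-domain list is a constructed sample.

```powershell
# Read-only triage of the three places this thread suggests looking.
# Assumptions: default Windows paths and Chrome's "Default" profile.
$watched = @('google.com', 'yahoo.com', 'bing.com', 'microsoft.com')   # constructed sample

# 1. hosts file: a watched domain pointed anywhere but loopback is suspect.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    $entry = ($line -replace '#.*$', '').Trim()            # strip comments
    if (-not $entry) { continue }
    $fields = $entry -split '\s+'
    $ip = $fields[0]
    foreach ($name in ($fields | Select-Object -Skip 1)) {
        $hit = $watched | Where-Object { $name -like "*$_" }
        if ($hit -and $ip -notmatch '^(127\.|::1$)') {
            Write-Output "hosts: $name -> $ip"
        }
    }
}

# 2. registry DNS settings: a hard-coded NameServer that differs from what
#    DHCP handed out (DhcpNameServer) deserves a second look.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$keys = @(Get-Item $tcpip) + @(Get-ChildItem "$tcpip\Interfaces")
foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key.PSPath
    if ($props.NameServer) {
        Write-Output "registry $($key.PSChildName): NameServer=$($props.NameServer) DhcpNameServer=$($props.DhcpNameServer)"
    }
}

# 3. Chrome extensions: list every installed extension by its manifest name
#    and flag the one aea414 described.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extRoot) {
    foreach ($dir in Get-ChildItem $extRoot -Directory) {
        $manifest = Get-ChildItem $dir.FullName -Recurse -Filter manifest.json |
            Select-Object -First 1
        if (-not $manifest) { continue }
        $name = (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name
        $flag = if ($name -match 'default extension') { '  <-- matches aea414' } else { '' }
        Write-Output "chrome extension: $($dir.Name) '$name'$flag"
    }
}
```

Run it from a normal user session; it only reads, so anything it prints is a lead to investigate with the removal tools named above, not a fix by itself.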

Re: Google redirect virus

Posted: Thu Oct 04, 2012 10:52 am
by Hawkwing74
steelcity_ballin wrote:
It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?

Re: Google redirect virus

Posted: Thu Oct 04, 2012 12:23 pm
by steelcity_ballin
Just MSSE - I could probably stand more protection but the sole user and I'm pretty careful about what I do with my gam.... MY VERY IMPORTANT WORK COMPUTER USED FOR WORK THINGS LIKE SCIENCE AND STUFF.

Re: Google redirect virus

Posted: Thu Oct 04, 2012 2:45 pm
by just brew it!
Hawkwing74 wrote:
steelcity_ballin wrote:
It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?

For Windows machines I use MSE + Malwarebytes.

For Linux I typically use nothing, or ClamAV if I am feeling particularly paranoid.

Re: Google redirect virus

Posted: Thu Oct 04, 2012 5:23 pm
by JohnC
Hawkwing74 wrote:
steelcity_ballin wrote:
It may not be worth much, but I ditched AVG a while ago since they 'sold out' - the software became slower and more bloated, and I just got tired of it. Glad to hear you may have it resolved though.

2 babies, I can't afford paying for virus software right now. What do you use?


Well, I doubt that paying something like $40/year will put a serious dent in the family budget... But, it's up to you.
I've been recently trying out the new version (2013) of Kaspersky Antivirus... It seems to be pretty good so far - much better in terms of performance compared to previous versions (which were notorious for causing system "slow-downs" for some people), with a simpler interface but still with plenty of configurable options (I especially like that I can set it to run auto-updates and other scheduled tasks only during "idle" and not run them at all and not bother me with any notifications if, for example, I currently have a game running in full-screen mode). Not sure about its detection rates (according to http://www.av-test.org it's very good) since I usually don't try to visit suspicious sites, but it did pop the warning once right after I updated the "Planetside 2" client, about ps2.exe having "potentially suspicious keylogger-like behavior" (which is somewhat valid, since it needs to submit your login information to PS2 login servers); I just marked it as "Exclusion" so it would never warn me about it again.

P.S: If you'll ever decide to pay for antivirus program (whatever it may be) - don't buy it directly from "official" site, there are plenty of stores (like Amazon and others) which sell the valid retail licenses/copies of same exact thing for much cheaper price. For example, Norton Antivirus costs $50 for a 1-year license at Symantec's own store, but it costs only $20 at Amazon (sold directly by Amazon) for same exact thing!

Re: Google redirect virus

Posted: Thu Oct 04, 2012 6:54 pm
by xgsound
The popular free AVs are AVG, Avira, Avast, and MSE. I've used all at one time or another and settled on MSE for now. The bleeping computer website http://www.bleepingcomputer.com/ is a good place to check for specific removal advice. They often have programs to restore things malware ruins, such as a lost desktop, programs that won't run, and so on. I think they are associated with Malwarebytes and rkill too.

Jim