Solved

Google Redirector

Posted on 2010-09-21
15
612 Views
Last Modified: 2012-05-10
One of the machines has the Google redirector virus and I can't find any links for the steps to remove it.
 I did notice an entry in msconfig under startup tab called "oxkot" with a path of documents and settings\username\application data\uhytde\oxkot.exe. Does anyone know what this exe file is?

Also in the registry under "hkey_local_machine\software\microsoft\windows\current version\run there is a key called ybizowucafojuf run32dll.exe C:\Winnt\ogurohuge.dll,startup.  Does anyone know what this reg key is and can I delete it?  I'm thinking both these entries do not belong.
Thanks
CJA
0
Comment
Question by:cja-tech-guy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
  • +2
15 Comments
 
LVL 5

Accepted Solution

by:
jhill777 earned 125 total points
ID: 33729554
Download and install Spybot, Search and destroy, update, immunize and scan.
Download and install Malwarebytes, update, scan
Download Combofix and let it do its thing
What AV are you using?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33729576
*Important*  Don't do Combofix if it's a Windows 7 computer or Vista
0
 

Author Comment

by:cja-tech-guy
ID: 33729601
Symantec Endpoint
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 
LVL 5

Expert Comment

by:jhill777
ID: 33729649
It's probably the Network Threat Protection that's blocking it.  Try to disable that for now.  I don't even use that portion of the software because, obviously, it doesn't work!  lol
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33729660
In fact, the only thing it has ever done is create problems with my administration of the computers and not allow me to do anything.
0
 
LVL 23

Assisted Solution

by:edbedb
edbedb earned 125 total points
ID: 33730040
Yes, you can delete both of those entries.
0
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 125 total points
ID: 33730532
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 125 total points
ID: 33731316
"documents and settings\username\application data\uhytde\oxkot.exe"
Delete, its viral.....

"hkey_local_machine\software\microsoft\windows\current version\run there is a key called ybizowucafojuf run32dll.exe C:\Winnt\ogurohuge.dll,startup
Also delete, viral....

Delete C:\Winnt\ogurohuge.dll as well....

This can easily be done in Safe Mode, 9 times out of 10....
0
 

Author Comment

by:cja-tech-guy
ID: 33734823
I deleted the suspect files on the c drive and in the registry.  This caused the machine to go into a boot loop.  It would boot to Windows and right before the login screen it would reboot.  I did a repair and everything is working fine.  
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33735410
Objection-Spybot and Malwarebytes would have removed the files and, more importantly, the registry entries that were calling the files.  Manual deletion caused the reboot loop which the repair fixed but that wasn't the initial problem.  Given C:\Winnt, I would assume that this is Windows 2000 so Combofix would have fixed as well and I would suspect that the repair on W2K will now create more problems/more work where you now have to reinstall a ton of Windows Updates and any Office installation is pretty hoarked and will need to be reinstalled.
0
 

Author Comment

by:cja-tech-guy
ID: 33735983
I agree that they told me to delete the files but that made the situation worse; it caused the machine to go into a boot loop.  It was the second issue, the boot loop, that caused me to run the reinstall.  If anyone else follows thier advice to delete those files and they can't do a Windows repair that will cause them more problems.  I will be happy to divide the points among all who responded but lets make sure anyone else who reads this knows they should not delete those files.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33738287
"Objection-Spybot and Malwarebytes would have removed the files and, more importantly, the registry entries that were calling the files"

Thats not 100%accurate, without knowing exactly what the infected files were detected as. No way to know they would be found, and more importantly removed. Sure, teh repair might have been a bit overkill, but he had to recover from advice given here.

I would leave the OP's request of a close/refund in tact myself.....
0
 

Author Comment

by:cja-tech-guy
ID: 33738441
Malewarebytes did not find anything.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33739794
"Malewarebytes did not find anything."

Again, I would allow the original disposition that the OP had requested....
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question