Solved

Google Redirector

Posted on 2010-09-21
15
606 Views
Last Modified: 2012-05-10
One of the machines has the Google redirector virus and I can't find any links for the steps to remove it.
 I did notice an entry in msconfig under startup tab called "oxkot" with a path of documents and settings\username\application data\uhytde\oxkot.exe. Does anyone know what this exe file is?

Also in the registry under "hkey_local_machine\software\microsoft\windows\current version\run there is a key called ybizowucafojuf run32dll.exe C:\Winnt\ogurohuge.dll,startup.  Does anyone know what this reg key is and can I delete it?  I'm thinking both these entries do not belong.
Thanks
CJA
0
Comment
Question by:cja-tech-guy
  • 5
  • 4
  • 3
  • +2
15 Comments
 
LVL 5

Accepted Solution

by:
jhill777 earned 125 total points
ID: 33729554
Download and install Spybot, Search and destroy, update, immunize and scan.
Download and install Malwarebytes, update, scan
Download Combofix and let it do its thing
What AV are you using?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33729576
*Important*  Don't do Combofix if it's a Windows 7 computer or Vista
0
 

Author Comment

by:cja-tech-guy
ID: 33729601
Symantec Endpoint
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 5

Expert Comment

by:jhill777
ID: 33729649
It's probably the Network Threat Protection that's blocking it.  Try to disable that for now.  I don't even use that portion of the software because, obviously, it doesn't work!  lol
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33729660
In fact, the only thing it has ever done is create problems with my administration of the computers and not allow me to do anything.
0
 
LVL 23

Assisted Solution

by:edbedb
edbedb earned 125 total points
ID: 33730040
Yes, you can delete both of those entries.
0
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 125 total points
ID: 33730532
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 125 total points
ID: 33731316
"documents and settings\username\application data\uhytde\oxkot.exe"
Delete, its viral.....

"hkey_local_machine\software\microsoft\windows\current version\run there is a key called ybizowucafojuf run32dll.exe C:\Winnt\ogurohuge.dll,startup
Also delete, viral....

Delete C:\Winnt\ogurohuge.dll as well....

This can easily be done in Safe Mode, 9 times out of 10....
0
 

Author Comment

by:cja-tech-guy
ID: 33734823
I deleted the suspect files on the c drive and in the registry.  This caused the machine to go into a boot loop.  It would boot to Windows and right before the login screen it would reboot.  I did a repair and everything is working fine.  
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33735410
Objection-Spybot and Malwarebytes would have removed the files and, more importantly, the registry entries that were calling the files.  Manual deletion caused the reboot loop which the repair fixed but that wasn't the initial problem.  Given C:\Winnt, I would assume that this is Windows 2000 so Combofix would have fixed as well and I would suspect that the repair on W2K will now create more problems/more work where you now have to reinstall a ton of Windows Updates and any Office installation is pretty hoarked and will need to be reinstalled.
0
 

Author Comment

by:cja-tech-guy
ID: 33735983
I agree that they told me to delete the files but that made the situation worse; it caused the machine to go into a boot loop.  It was the second issue, the boot loop, that caused me to run the reinstall.  If anyone else follows thier advice to delete those files and they can't do a Windows repair that will cause them more problems.  I will be happy to divide the points among all who responded but lets make sure anyone else who reads this knows they should not delete those files.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33738287
"Objection-Spybot and Malwarebytes would have removed the files and, more importantly, the registry entries that were calling the files"

Thats not 100%accurate, without knowing exactly what the infected files were detected as. No way to know they would be found, and more importantly removed. Sure, teh repair might have been a bit overkill, but he had to recover from advice given here.

I would leave the OP's request of a close/refund in tact myself.....
0
 

Author Comment

by:cja-tech-guy
ID: 33738441
Malewarebytes did not find anything.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33739794
"Malewarebytes did not find anything."

Again, I would allow the original disposition that the OP had requested....
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you got the Conficker. You could go to each machine and run the eye chart test (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), but in a bigger environment, or if you prefer to work smarter and not harder, you need some …
Change your password...do it now!. Probably the easiest point of access to your account is through guessing your password. If your password is guessable, do change it now. If not for your sake but for everyone else in your friends list. Remember …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question