Solved

Google Redirector

Posted on 2010-09-21
15
605 Views
Last Modified: 2012-05-10
One of the machines has the Google redirector virus and I can't find any links for the steps to remove it.
 I did notice an entry in msconfig under startup tab called "oxkot" with a path of documents and settings\username\application data\uhytde\oxkot.exe. Does anyone know what this exe file is?

Also in the registry under "hkey_local_machine\software\microsoft\windows\current version\run there is a key called ybizowucafojuf run32dll.exe C:\Winnt\ogurohuge.dll,startup.  Does anyone know what this reg key is and can I delete it?  I'm thinking both these entries do not belong.
Thanks
CJA
0
Comment
Question by:cja-tech-guy
  • 5
  • 4
  • 3
  • +2
15 Comments
 
LVL 5

Accepted Solution

by:
jhill777 earned 125 total points
ID: 33729554
Download and install Spybot, Search and destroy, update, immunize and scan.
Download and install Malwarebytes, update, scan
Download Combofix and let it do its thing
What AV are you using?
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33729576
*Important*  Don't do Combofix if it's a Windows 7 computer or Vista
0
 

Author Comment

by:cja-tech-guy
ID: 33729601
Symantec Endpoint
0
Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

 
LVL 5

Expert Comment

by:jhill777
ID: 33729649
It's probably the Network Threat Protection that's blocking it.  Try to disable that for now.  I don't even use that portion of the software because, obviously, it doesn't work!  lol
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33729660
In fact, the only thing it has ever done is create problems with my administration of the computers and not allow me to do anything.
0
 
LVL 23

Assisted Solution

by:edbedb
edbedb earned 125 total points
ID: 33730040
Yes, you can delete both of those entries.
0
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 125 total points
ID: 33730532
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 125 total points
ID: 33731316
"documents and settings\username\application data\uhytde\oxkot.exe"
Delete, its viral.....

"hkey_local_machine\software\microsoft\windows\current version\run there is a key called ybizowucafojuf run32dll.exe C:\Winnt\ogurohuge.dll,startup
Also delete, viral....

Delete C:\Winnt\ogurohuge.dll as well....

This can easily be done in Safe Mode, 9 times out of 10....
0
 

Author Comment

by:cja-tech-guy
ID: 33734823
I deleted the suspect files on the c drive and in the registry.  This caused the machine to go into a boot loop.  It would boot to Windows and right before the login screen it would reboot.  I did a repair and everything is working fine.  
0
 
LVL 5

Expert Comment

by:jhill777
ID: 33735410
Objection-Spybot and Malwarebytes would have removed the files and, more importantly, the registry entries that were calling the files.  Manual deletion caused the reboot loop which the repair fixed but that wasn't the initial problem.  Given C:\Winnt, I would assume that this is Windows 2000 so Combofix would have fixed as well and I would suspect that the repair on W2K will now create more problems/more work where you now have to reinstall a ton of Windows Updates and any Office installation is pretty hoarked and will need to be reinstalled.
0
 

Author Comment

by:cja-tech-guy
ID: 33735983
I agree that they told me to delete the files but that made the situation worse; it caused the machine to go into a boot loop.  It was the second issue, the boot loop, that caused me to run the reinstall.  If anyone else follows thier advice to delete those files and they can't do a Windows repair that will cause them more problems.  I will be happy to divide the points among all who responded but lets make sure anyone else who reads this knows they should not delete those files.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33738287
"Objection-Spybot and Malwarebytes would have removed the files and, more importantly, the registry entries that were calling the files"

Thats not 100%accurate, without knowing exactly what the infected files were detected as. No way to know they would be found, and more importantly removed. Sure, teh repair might have been a bit overkill, but he had to recover from advice given here.

I would leave the OP's request of a close/refund in tact myself.....
0
 

Author Comment

by:cja-tech-guy
ID: 33738441
Malewarebytes did not find anything.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 33739794
"Malewarebytes did not find anything."

Again, I would allow the original disposition that the OP had requested....
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PREFACE The purpose of this guide is to provide information to successfully add specific IIS 7.0 role services for the Symantec Endpoint Protection Manager (SEPM) to function properly when installed on Windows 2008. AUDIENCE Information Technol…
UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question