Solved

Can not get rid of this Google Redirect Virus

Posted on 2012-03-22
Last Modified: 2013-11-22
One of our employees has the Google redirect virus. If I run Malwarebytes it would detect the virus and remove it, but being as it is a boot-time virus it would return as soon as I restarted the computer. I read on the internet that TDSSKiller and Hitman Pro would clear the virus permanently.

I installed Hitman Pro and it removed the virus, and now the virus has not shown up, but when using Google it still redirects me to these fraudulent web sites. TDSSKiller also does not find anything now, but the redirect still exists.

Things I have tried:

Different antivirus
Tried to get avast to do a boot time scan but it wouldn't work
and I tried manually removing the virus with the steps below

I'm desperate... don't want to reformat and reinstall Windows.

Steps for Removal of Google Redirect Virus
The first place to address when removing the Google Redirect virus is in your PC’s Local Area Network (LAN) settings. The reason for this is to ensure the virus isn’t redirecting your PC’s browser traffic through a malicious proxy server.
To check your LAN settings:
In Internet Explorer:
a) Open your browser and select Tools>Internet Options, followed by the ‘Connections’ tab.
b) Click on the ‘LAN settings’ button.
c) In the next window, ensure the option ‘Use a proxy server for your LAN’ is unchecked.
d) Select ‘OK’ and close.
In Firefox:
a) Open your browser and select Tools>Options
b) Click on the ‘Advanced’ tab and then the ‘Network’ tab, followed by ‘Settings’
c) In the next window, ensure the ‘No Proxy’ radio button is selected.
d) Click ‘OK’ and close.
The steps above might vary slightly depending on the browser version you use, but in the main should be similar to the above.
Checking LAN settings in Internet Explorer 8 & Firefox 3.6.x
   
Check your PC’s DNS Settings
Having checked that your browser traffic is not being redirected through a malicious proxy, the next step is to ensure the Google Redirect virus has not altered your PC’s DNS settings. Domain NameServers (DNS) perform a role akin to an internet telephone book to resolve browser requests and direct users to the correct website.
To check your PC’s DNS settings:
a) Open Control Panel via Start>Control Panel
b) Double-click the ‘Network Connections’ icon and right-click the ‘Local Area Connection’ icon.
c) Select ‘Properties’ from the menu and highlight the ‘Internet Protocol (TCP/IP)’ option.
d) Click ‘Properties’ and in the next window ensure the ‘Obtain DNS server address automatically’ radio button is selected.
e) Click ‘OK’ and close.
Checking your PC’s DNS settings
 
Check Windows HOSTS File
It is possible that the Google Redirect virus has modified your PC’s HOSTS file.
The Windows HOSTS file contains a list of computer IP addresses which is accessed whenever a user types in a web address to their browser.
The browser will check the HOSTS file to see if the typed address exists in the HOSTS file and if so, direct the user to the relevant site.
If the address doesn’t exist in the HOSTS file, the browser will ask the user’s ISP DNS server for the web address and once obtained will direct the user to the site.
The Windows HOSTS file is a standard text file and can be found in C:\Windows\System32\drivers\etc under the name ‘hosts’. There is also a file called ‘lmhosts’ – make sure you select the HOSTS file! There is usually no file association with the HOSTS file, so open it by right-clicking (or double-clicking) the file and selecting ‘Open With’ followed by Notepad.
An unmodified HOSTS file should only contain the entry 127.0.0.1 localhost. If there are other entries in the HOSTS file, remove them and then resave the file.
These checks can be applied to any suspected malware infestation, not just the Google Redirect variant. There are many viruses, malware applications and other nasties which can target any or all of the above, so it's always a good idea to check each one.
Killing Running Processes
Your chances of removing the Google Redirect virus greatly increase if you can ensure there are no running processes other than those which Windows requires to run. To do this, you can either boot your PC into SAFE MODE (keep pressing F8 right before Windows loads, then choose: Safe Mode), or download and run the RKill tool.
RKill is a freeware tool which kills active malware processes to allow malware removal tools to do their job. Note that RKill does NOT remove malware on its own, but simply stops malware processes from running.
You can download RKill from here.
Disable the Virus Hook
The Google Redirect virus typically installs itself as a service on your PC, so in order to remove it we have to first disable the service and stop it from running. To do this go to Start>Control Panel>System>Hardware>Device Manager>View>Show Hidden Devices…
Once there, scroll down to the option for ‘Non-plug and Play Drivers’ and click the ‘+’ icon to expand the driver list. Here look for the device ‘TDSSserv.sys’ and click ‘Disable’. Don’t uninstall it, as you will have to reboot the PC which will reinstall it.
You can also use the free TDSSKiller tool by Kaspersky Labs to disable and remove the malicious service.
Once you have disabled the service using either method, you can restart your computer.
Perform an Anti-Malware scan
 
Anyone have any other ideas?

Question by:meshoxford
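The four checks in the removal steps quoted in the question (browser proxy, adapter DNS servers, the HOSTS file, and the TDSSserv.sys driver) can be gathered in one pass so that the result can be posted as a log, which is what the answers below keep asking for. The script is an added example written for this page, not the original poster's or any vendor's tool. It assumes Windows PowerShell 2.0 or later and an elevated prompt (so the WMI driver query sees every driver); it is read-only and changes nothing, so findings still have to be fixed by hand using the steps above.

```powershell
# Added example, not part of the original post: read-only audit of the places
# the removal guide says a redirector tampers with. Assumes Windows PowerShell
# 2.0+ and an elevated prompt. Nothing here modifies the machine.

$findings = @()

# 1. WinINET proxy settings (what Internet Explorer and most Windows apps use).
#    The guide wants 'Use a proxy server for your LAN' unchecked; a PAC script
#    URL you did not configure is the same symptom in a different place.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1) {
    $findings += "PROXY   Manual proxy enabled: $($inet.ProxyServer)"
}
if ($inet.AutoConfigURL) {
    $findings += "PROXY   Auto-config (PAC) script set: $($inet.AutoConfigURL)"
}

# 2. DNS servers on every IP-enabled adapter. WMI works from XP up, unlike the
#    newer DnsClient cmdlets. A STATIC adapter, or a server you do not
#    recognise as your LAN's or ISP's, is the DNS-changer symptom.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }
foreach ($cfg in $adapters) {
    $mode = if ($cfg.DHCPEnabled) { 'DHCP' } else { 'STATIC' }
    $servers = if ($cfg.DNSServerSearchOrder) { $cfg.DNSServerSearchOrder -join ', ' } else { '(none)' }
    $findings += "DNS     $($cfg.Description): $servers [$mode]"
}

# 3. HOSTS file: report every line that is not blank, a comment, or the
#    localhost entry. Redirectors add entries for search engines and AV sites.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content -Path $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
foreach ($line in $hostsLines) {
    $findings += "HOSTS   $($line.Trim())"
}

# 4. Kernel drivers whose name starts with TDSS (the TDSSserv.sys entry the
#    guide tells you to disable under 'Non-Plug and Play Drivers').
$drivers = Get-WmiObject -Class Win32_SystemDriver |
    Where-Object { $_.Name -like 'TDSS*' }
foreach ($drv in $drivers) {
    $findings += "DRIVER  $($drv.Name) state=$($drv.State) start=$($drv.StartMode) path=$($drv.PathName)"
}

# Report. DNS lines are informational (there is always at least one);
# PROXY, HOSTS and DRIVER lines should normally be absent on a clean machine.
if ($findings.Count -eq 0) {
    Write-Output 'Nothing found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it once before and once after a cleanup pass and keep both outputs; the difference shows whether a tool actually changed the setting that was causing the redirect, or whether (as with the proxy and DNS cases) the setting was never local to the PC at all, which is when the router-side checks in the accepted answer's second article come into play.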
12 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 37753023
It sounds as though you are using most of the right tools, but perhaps not in the right sequence.

Many malware variants require you to use a 'rogue process stopper' before starting your scans. Some of the best scanner/tools are so effective that the malware is written specifically to interrupt the work they do.

Try following the steps listed in the EE Articles below - and please post any logs generated by the scanners you use.

Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware

Note that there are additional 'options' in Rogue Killer that will autofix several common malware symptoms. Please make sure that you run all of them.

An alternative to RogueKiller is TheKiller
Download TheKiller to your Desktop
http://maliprog.geekstogo.com/explorer.exe

Note that TheKiller is renamed as explorer.exe
Run it by double click
Press OK button after program finish
Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller, ComboFix
 

Author Comment

by:meshoxford
ID: 37753679
Hey, would this be like running RKill then Malwarebytes? Because we have done that. I will try the Rogue Killer article and get back to you.

Thank you!
 
LVL 38

Expert Comment

by:younghv
ID: 37753919
I used to run RKill until I found out about RogueKiller and TheKiller.
Grinler (creator of RKill) is a fantastic malware fighter - and MS MVP - but I think the other two applications are superior.

I am particularly impressed that our top malware Expert (rpggamergirl) recommends TheKiller and she understands the mechanics of these applications much better than I.

Make sure that you are running either of these immediately before doing your scans (without re-booting).
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 37760084
Good advice there from younghv as usual.
If you have logs, or have run ComboFix please post the log.

If the problem persists,
Download the yorkyt.exe disinfection tool.
http://www.pandasecurity.com/resources/tools/yorkyt.exe

Doubleclick to run.
A reboot will be requested to install a driver.
Another reboot will be requested to complete the disinfection.
When the disinfection is completed, accept the message that will be displayed.



Also check out these articles for future reference.
"Google Hijack" - Google Search Gets Redirected:
http://www.experts-exchange.com/A_3299.html

"Infected Router - Google Search Redirects Even on a Clean System"
http://www.experts-exchange.com/A_5327.html
 

Author Comment

by:meshoxford
ID: 37767997
Man, I've run all of that but it's still redirecting. I will have her check the proxy settings once again.
 
LVL 38

Expert Comment

by:younghv
ID: 37768142
All of "what" did you run?

RogueKiller has Menu Options that will auto-fix your proxy settings and TheKiller should do that for you also.

As mentioned above, we need to see the Log Files generated by the scanners to help us understand what is happening.
 
LVL 5

Expert Comment

by:9660kel
ID: 37770070
This is a long shot, but you could try clearing the DNS cache.

Open a command window (Start, All Programs, Accessories) and type: ipconfig /flushdns

Press Enter, and see if it helps.


If you could post any logs you have from the scans, that would be very helpful.
 
LVL 38

Expert Comment

by:younghv
ID: 37770628
@9660kel -
"DNSFix" is one of the Menu Options I already suggested in previous posts (RogueKiller).
 
LVL 5

Expert Comment

by:9660kel
ID: 37770652
Forgot about that feature in Rogue Killer; I'd still like to see the logs.
 
LVL 38

Expert Comment

by:younghv
ID: 37770664
Concur!
"Can't tell the players without a scorecard."
 
LVL 5

Expert Comment

by:9660kel
ID: 37770696
There does seem to be a lot of format fanboys on the boards at the moment.

Meanwhile, there is a similar thread that looks like DNS poisoning at the router as well. Haven't gotten any feedback yet, but it might be worth looking at.

Not trying to pee in anyone's cereal, just trying to help.
 
LVL 38

Expert Comment

by:younghv
ID: 37770975
Yep - "Format/reinstall" - as if everyone doesn't already know that (and which doesn't work on some of the really ugly malware).

I am more concerned with an increasing tendency of the askers to post a question and then wander off for days at a time and not respond.

I'm going to unsubscribe from this one. Too many others to help.

/unsubscribe