Success Story: No more Google results spam redirection


#1 Chimel


  • Members
  • 1 posts
  • Local time:05:28 AM

Posted 01 September 2009 - 05:53 AM

I was infected by a series of spamware last week, I got rid of most issues via standard antivirus, but nothing seemed to be able to get rid of the last symptoms:
- Results from Google searches got redirected to spam ads websites on first click (rerunning the search and clicking again would open the correct link)
- The pages of many sites such as IMDB or the forums on this very site got hacked with ads for bleep enhancers inserted here and there
- Impossible to run Malwarebytes' Anti-Malware mbam.exe unless it was renamed

I searched this forum for "Google redirected" and found a dozen relevant results.
It looked like ComboFix was recommended in many cases, so although it is not recommended to use on your own, I followed strictly the instructions posted for several other infected machines.
I disabled Windows Firewall and BitDefender Antivirus 2010 real time scan, and ComboFix worked more or less correctly:
- There was no option in BitDefender Antivirus 2010 to close the application altogether, ComboFix reported it but it did not create a problem to leave it on.
- A program could not execute and was closed by Windows Vista shortly after running ComboFix and also after the reboot. I think the name started with "reg".
- The first verification phase displayed about 50 "stage_nn" verification steps.
- During that time, BitDefender Antivirus 2010 popped up to show an infected file.
- After the reboot, ComboFix said it could not backup the registry twice and asked if you wanted to restore the registry, I answered No.
- Then ComboFix fixed all the issues found, like rootkits and the infamous ESQUL files in system32 and system32\drivers.
- After the second reboot, ComboFix did not show up (I was expecting to see a log) and Windows started normally.
- I deleted manually the file reported by BitDefender Antivirus 2010 and I checked the system32 folder, there was another ESQUL file there that I also deleted manually.

Since then, I don't have any Google search results redirected to spam sites, or spam ads in the normal sites such as IMDB or this one!
I just want to let the bleepingcomputer team know that they do a fantastic job, and thanks to their detailed explanations on other topics, I was able to solve my problem without bothering them. Don't use ComboFix though unless you've read the instructions and you are absolutely sure of what you are doing and that it is the tool for your problem.
FYI, the cause of my spamware was a WMV file that asked for a codec to be installed. I stupidly agreed, and immediately afterwards, everything went wrong: My TCP/IP properties were changed to fixed DNS IPs instead of dynamic, Vista UAC was systematically disabled after each reboot, when browsing, a random pop-up told me my computer was at risk and asked me to install "Online Protection Tool" from publisher "Microsoft Windows", not "Microsoft", BitDefender updates were blocked, the chat to BitDefender technical support was blocked, and even worse (I admire the hackers for it), the emails to BitDefender tech support were trapped and acknowledgement mails were sent back to me as usual, but the subject line was surrounded by the tags "[SPAM]"!

Thanks, guys, your forums are the best!
A happy customer.

EDIT: Moved to a more appropriate forum

Edited by garmanma, 01 September 2009 - 10:25 AM.
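The post above lists three host-side indicators of this infection: DNS servers switched from dynamic to fixed addresses, UAC silently disabled, and ESQUL-named files dropped into system32 and system32\drivers. The following read-only triage script is an added example, not code from the poster or from BleepingComputer; it checks those three indicators on a Windows machine and assumes Windows PowerShell 3 or later run from an elevated prompt (the registry paths and the ESQUL filename prefix are the standard TCP/IP and UAC locations and the name given in the post).

```powershell
# Added triage script (not from the original post). Reads only; it does not
# remove anything. Assumes Windows PowerShell 3+, run as Administrator.

function Invoke-RedirectTriage {
    $findings = @()

    # 1. Static DNS servers. A non-empty NameServer value under an interface
    #    key means DNS was set manually rather than handed out by DHCP.
    $ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $ifaceRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $iface = Get-ItemProperty -Path $_.PSPath
        if ($iface.NameServer) {
            $findings += "Static DNS on interface $($_.PSChildName): $($iface.NameServer)"
        }
    }

    # 2. UAC disabled. EnableLUA = 0 turns User Account Control off; the
    #    poster saw it switched off again after every reboot.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($policy.EnableLUA -eq 0) {
        $findings += 'UAC is disabled (EnableLUA = 0)'
    }

    # 3. ESQUL-prefixed files in system32 and system32\drivers, the names
    #    the post reports ComboFix flagged and the poster deleted by hand.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $paths = @($sys32, (Join-Path $sys32 'drivers'))
    Get-ChildItem -Path $paths -Filter 'ESQUL*' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }

    return $findings
}

$result = Invoke-RedirectTriage
if ($result.Count -gt 0) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'None of the three indicators from the post were found.'
}
```

A finding from this script is a reason to investigate, not proof of infection on its own: some environments legitimately set static DNS or disable UAC by policy, so compare against your known baseline before acting.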
