- Results from Google searches got redirected to spam ad websites on the first click (rerunning the search and clicking again would open the correct link)
- The pages of many sites such as IMDB or the forums on this very site got hacked, with ads for bleep enhancers inserted here and there
- Impossible to run Malwarebytes' Anti-Malware (mbam.exe) unless it was renamed
I searched this forum for "Google redirected" and found a dozen relevant results.
It looked like ComboFix was recommended in many cases, so although it is not recommended for use on your own, I strictly followed the instructions posted for several other infected machines.
I disabled Windows Firewall and BitDefender Antivirus 2010 real-time scan, and ComboFix worked more or less correctly:
- There was no option in BitDefender Antivirus 2010 to close the application altogether; ComboFix reported it, but leaving it on did not cause a problem.
- A program could not execute and was closed by Windows Vista shortly after running ComboFix and also after the reboot. I think the name started with "reg".
- The first verification phase displayed about 50 "stage_nn" verification steps.
- During that time, BitDefender Antivirus 2010 popped up to show an infected file.
- After the reboot, ComboFix said it could not back up the registry twice and asked if I wanted to restore the registry; I answered No.
- Then ComboFix fixed all the issues found, like rootkits and the infamous ESQUL files in system32 and system32\drivers.
- After the second reboot, ComboFix did not show up (I was expecting to see a log) and Windows started normally.
- I manually deleted the file reported by BitDefender Antivirus 2010 and checked the system32 folder; there was another ESQUL file there, which I also deleted manually.
Since then, I don't have any Google search results redirected to spam sites, or spam ads in the normal sites such as IMDB or this one!
I just want to let the bleepingcomputer team know that they do a fantastic job; thanks to their detailed explanations on other topics, I was able to solve my problem without bothering them. Don't use ComboFix, though, unless you've read the instructions and you are absolutely sure of what you are doing and that it is the tool for your problem.
FYI, the cause of my spamware was a WMV file that asked for a codec to be installed. I stupidly agreed, and immediately afterwards everything went wrong: my TCP/IP properties were changed to fixed DNS IPs instead of dynamic; Vista UAC was systematically disabled after each reboot; when browsing, a random pop-up told me my computer was at risk and asked me to install "Online Protection Tool" from publisher "Microsoft Windows" (not "Microsoft"); BitDefender updates were blocked; the chat to BitDefender technical support was blocked; and, even worse (I admire the hackers for it), the emails to BitDefender tech support were trapped: acknowledgement mails were sent back to me as usual, but the subject line was surrounded by the tags "[SPAM]"!
Thanks, guys, your forums are the best!
A happy customer.
EDIT: Moved to a more appropriate forum
Edited by garmanma, 01 September 2009 - 10:25 AM.
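The post above lists three indicators a reader can check on their own machine before reaching for a cleanup tool: DNS servers forced to fixed addresses on an interface that is otherwise on DHCP, UAC switched off again after every reboot, and files named ESQUL* under system32 and system32\drivers. The script below is an added example written for this page, not the poster's own method and not a BleepingComputer or ComboFix tool. The registry paths and value names (Tcpip\Parameters\Interfaces with EnableDHCP/NameServer/DhcpNameServer, and Policies\System\EnableLUA) are the standard Windows locations and are the assumption this example rests on; the interface ids, file names and IP addresses in the sample data are constructed for the demonstration. The checks are pure functions over collected values, so they can be exercised off-box; the live collector only runs on Windows and reads the real registry and directories.

```python
"""Triage the indicators described in the post: forced DNS servers, UAC
disabled, ESQUL* files in system32.  Added example; not the poster's code."""
import os
import sys

# Assumed (standard) registry locations read by the live collector.
TCPIP_INTERFACES = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def static_dns_override(interfaces):
    """Return interface ids where DHCP is enabled but a static NameServer is set.

    A non-empty NameServer overrides the DHCP-supplied DhcpNameServer, which is
    what the post's 'fixed DNS IPs instead of dynamic' looks like in the registry.
    `interfaces` maps interface id -> dict of EnableDHCP, NameServer, DhcpNameServer.
    """
    hits = []
    for iface, vals in interfaces.items():
        if vals.get("EnableDHCP", 0) == 1 and str(vals.get("NameServer", "")).strip():
            hits.append(iface)
    return sorted(hits)


def uac_disabled(enable_lua):
    """True only when EnableLUA is explicitly 0; a missing value (None) is the default (UAC on)."""
    return enable_lua == 0


def find_esqul_files(names, prefix="ESQUL"):
    """Case-insensitive match on the ESQUL name prefix the post reports."""
    return sorted(n for n in names if n.upper().startswith(prefix.upper()))


def triage(interfaces, enable_lua, system32_names, drivers_names):
    """Combine the three checks; empty lists / False mean nothing was found."""
    return {
        "dns_override": static_dns_override(interfaces),
        "uac_disabled": uac_disabled(enable_lua),
        "esqul_files": find_esqul_files(system32_names)
        + [os.path.join("drivers", n) for n in find_esqul_files(drivers_names)],
    }


# Constructed sample data (not from the post): a clean DHCP interface, a DHCP
# interface with NameServer forced to TEST-NET addresses, and an admin-set static one.
SAMPLE_INTERFACES = {
    "{iface-clean}": {"EnableDHCP": 1, "NameServer": "", "DhcpNameServer": "192.168.1.1"},
    "{iface-hijacked}": {"EnableDHCP": 1, "NameServer": "192.0.2.10,192.0.2.11",
                         "DhcpNameServer": "192.168.1.1"},
    "{iface-static-by-admin}": {"EnableDHCP": 0, "NameServer": "10.0.0.53", "DhcpNameServer": ""},
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "ESQULsample.dll", "ntdll.dll"]   # constructed names
SAMPLE_DRIVERS = ["tcpip.sys", "esqulsample.sys"]                    # constructed names


def collect_live():
    """Read the real values on a Windows host and run triage; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    interfaces = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_INTERFACES) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            vals = {}
            with winreg.OpenKey(root, sub) as k:
                for name in ("EnableDHCP", "NameServer", "DhcpNameServer"):
                    try:
                        vals[name] = winreg.QueryValueEx(k, name)[0]
                    except OSError:
                        pass  # value absent on this interface
            interfaces[sub] = vals
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_POLICY_KEY) as k:
            enable_lua = winreg.QueryValueEx(k, "EnableLUA")[0]
    except OSError:
        enable_lua = None
    sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    return triage(interfaces, enable_lua, os.listdir(sys32),
                  os.listdir(os.path.join(sys32, "drivers")))


if __name__ == "__main__":
    print("sample:", triage(SAMPLE_INTERFACES, 0, SAMPLE_SYSTEM32, SAMPLE_DRIVERS))
    live = collect_live()
    if live is not None:
        print("live:", live)
```

Run it as an administrator on the affected machine so the live collector can read every interface key. A hit on `dns_override` tells you which interface to reset to "Obtain DNS server address automatically"; `uac_disabled` coming back True after you have re-enabled UAC and rebooted is the persistence symptom the poster describes; any `esqul_files` hit is a reason to follow the forum's documented removal procedure rather than deleting files by hand. The blocked-until-renamed mbam.exe symptom is not covered here, since the post does not say which mechanism blocked it.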