
Google Redirect


2 replies to this topic

#1 Lautzy


Posted 17 May 2010 - 11:37 PM

I've gotten a Google redirect virus, and can't seem to pin down where it lives. I'm running Windows XP Service Pack 3 with all updates, and IE 8. I was running a new version of McAfee (free from my ISP, but up to date) when the infection took place. One day while surfing, McAfee said it had found a virus, but took care of it. Afterwards, when I search Google, sometimes when I click on a link, it takes me to a completely unrelated, or sometimes slightly related site.

What I've done to try to fix it:
In Safe Mode with Networking, I've disabled all services, one by one on the PC except for the ones which cause the PC to reboot if disabled (namely, RPC, DCOM and maybe a couple of others).
I've disabled all of IE8's add-ons.
I uninstalled IE8, and reinstalled it (I downloaded it before I uninstalled.)
I tried using Firefox, but the redirect happens there, too.
I've run Hitman Pro 3.5 and it finds nothing.
I've uninstalled the McAfee and installed Avast! antivirus (the free one). It finds nothing.
I've cleared my temp files several times using TFC.
I've run GMER, but don't really understand what to do with it, so haven't gone very far with it.
I've run Hijack This with the hopes that something would be evident, but I see nothing other than Unknown file in Winsock LSP: c:\program files\nvidia corporation\networkaccessmanager\bin32\nvlsp.dll four times, which may be something, but I don't think so?

It even happens in Safe Mode with Networking.

Any help would be verrrrrryy appreciated.



#2 Lautzy


Posted 18 May 2010 - 09:16 AM

OK, people. 47 views, but not one post in less than 12 hours. It seems I'm not the only one with this problem!

However, I seem to have stumbled upon the cure (at least in my case).

I should have noted that one of the problems I had was that my Microsoft Wireless keyboard stopped working when the trouble started. I uninstalled the drivers for it, and reinstalled it, but it stopped working again in a few hours.

Here's what this trojan did: It installed a piece of hardware (not really, but Windows thought it was installed), and installed the "driver" for it. This was how I got reinfected when I replaced the drivers for the keyboard (which may have been the "payload" from the virus?)

I'm probably not making much sense, I'm so excited about getting it fixed (at least it's fixed now. I'll let you know tomorrow if it stays fixed.)

Steps to fix my problem:

1. Downloaded Combofix.exe from http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(don't download from combofix.org -- the program warns that this site is not affiliated with the program.)
2. Closed all IE windows.
3. Disabled my antivirus software.
4. Ran Combofix. It had to install Microsoft's Recovery Console, so I let it.
5. It found evidence of a rootkit infection (esellerateEngine.dll and c:\windows\system32\drivers\kbdhid.sys) and "Kitty had a snack." The kbdhid.sys file is a legitimate Windows file, so I'll probably have to reinstall that with my keyboard drivers.
6. Upon reboot, it seemed to fix the Google redirect issue.

I will note that upon reboot, Windows tried to install SmartSound Quicktracks plugin, which I've never had before. It failed, and I went to Add/Remove programs and uninstalled it from there (it hadn't been there before).

I'm keeping my fingers crossed, but this is the longest it's gone without redirecting. Usually, upon reboot, it started redirecting within two or three clicks.

-Steve

#3 boopme


Posted 18 May 2010 - 11:05 AM

To be sure you are clean... We need a deeper look. Please go here...
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the ComboFix and GMER logs.
Let me know if that went well.