
Google redirect virus



#1 KP BOUCHER

Posted 03 August 2010 - 12:47 AM

I have been struggling with some malware for the past several weeks. Though I have been able to whittle the problems down to just a couple, I cannot seem to remove this infection entirely.

The symptoms I am still experiencing are intermittent redirects to ad sites from Google search results, and pages that hang apparently trying to 'load analytics.google.com'.

Is there anything I can do to remove this without reinstalling Windows?

Thanks,
Kevin

Edited by Budapest, 03 August 2010 - 12:48 AM.
Moved from XP ~BP



#2 Budapest

  • Moderator

Posted 03 August 2010 - 12:49 AM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 01:03 AM

TDSSKiller reported 'Infection not found'.

#4 Budapest

  • Moderator

Posted 03 August 2010 - 01:12 AM

Most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of networking software or a malware infestation. If your ISP provider insists that your connection is coming through, the problem must be at your end.

Log on as an administrator, go Start > Run and type: "cmd". In the window that appears type: "netsh winsock reset". When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." Close the command box and reboot your computer.

Go Start > Run > type: "cmd" In the window that appears type: "ipconfig /flushdns". Close the command box.

Go Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot.

Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

IMPORTANT: If you use a router check that the DNS settings have not been modified.
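The checks in the post above (DNS servers the machine was not expected to use, and a hosts file that quietly points well-known names somewhere else) can be verified from saved `ipconfig /all` output and a copy of the hosts file before anything is reset. The script below is an added example written for this page; it is not from the thread, from BleepingComputer, or from any tool named here. Its `ipconfig` output and hosts file are constructed samples, the trusted-resolver allowlist is an assumption for a home network whose router hands out DNS over DHCP, and the two public addresses in the samples are the ones this thread later reports finding in the router.

```python
"""Offline checks for the DNS-hijack symptoms discussed in this thread.

Added example: parses constructed `ipconfig /all` output and a constructed
hosts file, then reports resolvers outside an assumed allowlist and hosts
entries that redirect names to routable addresses.
"""
import ipaddress
import re

# Constructed sample of Windows XP `ipconfig /all` output (hypothetical PC).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOMEPC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.64.53
                                       213.109.73.74
"""

# Constructed hosts file: the stock localhost line, a harmless ad-blocking
# entry, and two entries that redirect popular names to a public address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.invalid      # ad-blocking entry, harmless
213.109.64.53   www.google.com
213.109.64.53   google-analytics.com
"""

# Assumption: on this home network the router (RFC 1918 address) is the only
# legitimate resolver.  Replace with the ISP's published servers if they are
# configured by hand, as the post's warning notes.
TRUSTED_DNS_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_dns_servers(ipconfig_text):
    """Return every DNS server listed in `ipconfig /all` output.

    Windows prints the first server on the 'DNS Servers' line and any
    further servers on indented continuation lines, so both are collected.
    """
    servers = []
    lines = ipconfig_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"\s*DNS Servers[ .]*:\s*(" + IP_RE + r")?", lines[i])
        if m:
            if m.group(1):
                servers.append(m.group(1))
            i += 1
            while i < len(lines) and re.fullmatch(r"\s+" + IP_RE + r"\s*", lines[i]):
                servers.append(lines[i].strip())
                i += 1
            continue
        i += 1
    return servers


def unexpected_dns_servers(servers, trusted=TRUSTED_DNS_NETWORKS):
    """Resolvers outside the trusted networks; each one deserves a look,
    whether it was set by a local program, by DHCP from a tampered router,
    or by hand."""
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in trusted)]


def suspicious_hosts_entries(hosts_text):
    """Hosts entries that map a name to a routable, non-local address.

    Loopback, 0.0.0.0 (blocking) and private LAN addresses are normal;
    anything else silently overrides DNS for that name.  'Restore MS Hosts
    File' in the post wipes all of these; this shows what was doing it.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, not an address
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            continue
        for name in parts[1:]:
            findings.append((name, str(addr)))
    return findings


def run_checks(ipconfig_text, hosts_text):
    """Bundle both checks so a caller gets one report per machine."""
    return {
        "unexpected_dns": unexpected_dns_servers(parse_dns_servers(ipconfig_text)),
        "hosts_redirects": suspicious_hosts_entries(hosts_text),
    }


if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_IPCONFIG, SAMPLE_HOSTS).items():
        print(key, value)
```

On a real machine, feed the script the text of `ipconfig /all > ipconfig.txt` and `%SystemRoot%\system32\drivers\etc\hosts` instead of the constructed samples. Running the same two checks on every computer behind the router, as the moderator asks for later in the thread, tells you which one keeps rewriting the router's DNS settings.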

#5 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 01:34 AM

OK, I did all of that.

I then pulled up some google search results and clicked a link.

The first link I clicked loaded the page, continued loading additional resources and eventually the browser turned into a white screen and the status bar says 'transferring data from surveys.cnet.com' (also one of the ways the pages 'hang', similar to the Google Analytics one mentioned above).


1. searched 'google redirect virus'
2. clicked the 'How to Remove Google Redirect Virus | eHow.com' link (http://www.ehow.com/how_5842581_remove-google-redirect-virus.html)
3. observed Firefox go to white screen with 'transferring data from surveys.cnet.com'
4. Tried first result in search (http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en)
5. observed Firefox go to white screen with 'waiting for google-analytics.com'

#6 Budapest

  • Moderator

Posted 03 August 2010 - 01:38 AM

Did you check your router DNS settings?

#7 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 01:45 AM

I just looked at them and they were set to use specific DNS servers (213.109.64.53, 213.109.73.74).

I have a Time Warner cable internet connection with a NETGEAR wireless router and I do not recall needing specific DNS servers set in the (NETGEAR) router.

So I set it back to 'Get Automatically From ISP' and tried again with the same results.

#8 Budapest

  • Moderator

Posted 03 August 2010 - 01:51 AM

Do you have more than one computer using this router?

#9 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 01:52 AM

Yes. I am connected via network cable and 3 other computers connect via wireless.

#10 Budapest

  • Moderator

Posted 03 August 2010 - 01:54 AM

It could be a problem on one of the other computers that has caused the DNS settings to be changed.

If you now check the router DNS settings, have they been changed back to 213.109.64.53, 213.109.73.74?

Also, run this scan:

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#11 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 02:01 AM

DNS settings are still set to 'Get Automatically From ISP' ...

however, even after removing the IP segments from the 'Use These DNS servers' section they are back. (but again, that particular radio button is not selected)

Malwarebytes scans have not found anything up to as recently as earlier today, but I will run another scan including my secondary hard-drive as requested.

running scan ...

#12 Budapest

  • Moderator

Posted 03 August 2010 - 02:07 AM

You need to run scans on all the computers in your network. I would run Malwarebytes and TDSSKiller scans.

#13 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 02:10 AM

I have shut off the wireless service, making my computer the only one connected to the network. (Tried removing those IPs again, but they still show up again in the text-boxes. They appear to be Network Solutions IPs though, so I'm not as concerned as I might otherwise be with that.)

I'm running a MBAM scan on this machine now and will do that and run TDSSKiller on the others tomorrow and check back in then.

Thanks!

#14 Budapest

  • Moderator

Posted 03 August 2010 - 02:22 AM

Those IP addresses seem to resolve to Russia. As such you can be certain they are malicious.

#15 KP BOUCHER

  • Topic Starter

Posted 03 August 2010 - 04:06 PM

Though I am unable to remove those IP addresses from my router configuration, the 'Get Automatically From ISP' DNS setting remains selected, so they are not being used. I haven't experienced any further redirects since setting the router to 'Get [DNS] Automatically From ISP' from 'Use These DNS Servers' (which enables the IP text boxes).

I am running Malwarebytes' and TDSSKiller on the other machines on my home network, and will report back when that is complete.

Thanks again.
