Google redirect


3 replies to this topic

#1 GodlySOB (Members, 4 posts)

Posted 19 June 2011 - 06:26 PM

Hello, recently my Google searches have been redirecting at least 5 times per link. I have run Malwarebytes and it DOES find stuff and deletes it, but they keep coming back. The name of the infection is "api-ms-win-core-localregistry-l1-1-032.dll", which is in the ProgramData folder. It is also accompanied by "dot3gpui32.exe". Malwarebytes tries to delete the api but it is unsuccessful. I tried scanning in safe mode with Malwarebytes and Nod32 but still no progress. I even tried manually deleting the files but they just come back. The "dot3gpui32" process cannot be killed and Rkill does not detect it. I have also run GooredFix but that doesn't find anything either.

I am using Windows 7 Ultimate 64 bit. I do not know when I got this since the redirects come and go. Nod32 does block a malicious IP once in a while, specifically when I boot to the desktop, and about every 20 mins a message pops up saying Nod32 has blocked an IP. Please let me know if you need any more information.

#2 GodlySOB (Topic Starter, Members, 4 posts)

Posted 19 June 2011 - 07:49 PM

Request for this to be closed. I fixed it with ComboFix. Scanned with MBAM and Nod32 afterwards and all clear.

#3 GodlySOB (Topic Starter, Members, 4 posts)

Posted 19 June 2011 - 11:05 PM

Actually I was wrong. It came back! After ComboFix deleted those two files, Malwarebytes came up clean and Nod32 came up with only 1 threat.

I tried using TDSSKiller but it still doesn't find anything.

The "localregistry" in the .dll name has now been replaced with "localization": "api-ms-win-core-localization-l1-1-032".

Edited by GodlySOB, 19 June 2011 - 11:07 PM.


#4 GodlySOB (Topic Starter, Members, 4 posts)

Posted 20 June 2011 - 08:42 PM

Alright, it's actually gone now. It was a very nasty rootkit that latched onto everything, disguising itself as uexfat32.exe in the SysWOW64 folder. Rebooted multiple times and ran scans. No more redirects or Nod32 blocking an IP, and those other files aren't coming back. Hitman Pro identified the pesky bugger.
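The file names reported across this thread follow a recognisable masquerading pattern: genuine API-set forwarder DLLs are named api-ms-win-<namespace>-l<d>-<d>-<d>.dll and ship only under the Windows directory, whereas the dropped files reuse that scheme with "32" appended to the version tail and sit in ProgramData, or take a real system DLL's base name (dot3gpui.dll is a legitimate System32 DLL), append "32" and swap the extension to .exe. The script below is an added example written for this page, not something posted in the thread or part of any tool mentioned in it. It flags those two patterns over a constructed file inventory that mirrors the posted names. Assumptions: the Windows install is on C:, dot3gpui32.exe is placed in ProgramData (the post does not say where it was), and the allow-list of known system DLL base names contains only the one the thread needs; uexfat32.exe from post #4 is not caught by these name heuristics and would need a comparison against a clean System32 inventory.

```python
"""Hunt for the look-alike Windows binary names reported in this thread.

Added example, not code from the original posts. Two name heuristics:
  1. api-ms-win-* names whose version tail is not single digits (e.g. the
     "-l1-1-032.dll" samples), or that live outside the Windows directory.
  2. A known system DLL base name with "32" appended and an .exe extension
     (dot3gpui.dll -> dot3gpui32.exe).
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Canonical API-set contract name; the version tail is always single digits.
APISET_RE = re.compile(r"^api-ms-win-[a-z0-9-]+-l\d-\d-\d\.dll$", re.IGNORECASE)
# Anything that starts like an API-set name, however the rest is mangled.
APISET_PREFIX_RE = re.compile(r"^api-ms-win-", re.IGNORECASE)

# Where Windows keeps its own binaries (assumption: default install drive C:).
WINDOWS_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)

# Base names of real system DLLs that the thread's samples mimic. Illustrative
# only; a real hunt would load the full System32 inventory from a clean host.
KNOWN_SYSTEM_DLL_STEMS = {"dot3gpui"}


def under_windows_dir(path: PureWindowsPath) -> bool:
    """True if the file sits in (or below) one of the Windows binary dirs."""
    # PureWindowsPath equality is case-insensitive, as Windows itself is.
    return any(root in path.parents for root in WINDOWS_DIRS)


def classify(path_str: str) -> list[str]:
    """Return the reasons a path looks like a masquerading binary ([] if clean)."""
    path = PureWindowsPath(path_str)
    name, stem, ext = path.name, path.stem.lower(), path.suffix.lower()
    findings: list[str] = []

    if APISET_PREFIX_RE.match(name):
        if not APISET_RE.match(name):
            findings.append("api-set name with mangled version tail")
        if not under_windows_dir(path):
            findings.append("api-set DLL outside the Windows directory")

    if ext == ".exe" and stem.endswith("32") and stem[:-2] in KNOWN_SYSTEM_DLL_STEMS:
        findings.append("system DLL base name with '32' appended and an .exe extension")

    return findings


def hunt(paths) -> dict[str, list[str]]:
    """Run classify() over an inventory and keep only the flagged entries."""
    flagged: dict[str, list[str]] = {}
    for p in paths:
        reasons = classify(p)
        if reasons:
            flagged[p] = reasons
    return flagged


# Constructed inventory mirroring the thread's names, plus legitimate decoys.
SAMPLE_PATHS = [
    r"C:\Windows\System32\api-ms-win-core-localregistry-l1-1-0.dll",  # genuine
    r"C:\Windows\System32\kernel32.dll",                               # genuine
    r"C:\Windows\System32\dot3gpui.dll",                               # genuine
    r"C:\ProgramData\api-ms-win-core-localregistry-l1-1-032.dll",      # post #1
    r"C:\ProgramData\api-ms-win-core-localization-l1-1-032.dll",       # post #3
    r"C:\ProgramData\dot3gpui32.exe",                                  # post #1 (location assumed)
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_PATHS).items():
        print(path)
        for reason in reasons:
            print("    ", reason)
```

Run it as-is to see the three dropped names flagged and the three genuine ones ignored; to use it on a live host, feed hunt() the output of a recursive directory listing of ProgramData and the Windows directory instead of SAMPLE_PATHS. The tail check is deliberately strict (single-digit version fields) because that is the one part of the API-set naming scheme the samples in this thread got wrong.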
