Thread: PC_Tweaks
Post #13, Sunday, October 25, 2009
Posted by Waseemtabish (Senior Member, joined Oct 2006, Bhakkar)

How to remove a Google redirect virus


The following guide is to cure your PC from that annoying piece of malware which hijacks and redirects your Google searches and other search engines, otherwise known as a Google redirect. Other than the search engine redirect, some other signs that you may have this infection are:

• Not being able to download, install, or run security programs like HijackThis or Malwarebytes Anti-Malware
• Being blocked from navigating to security/malware removal sites, for example Microsoft or GeeksToGo


This infection is also commonly known by security applications as Rootkit.Win32.TDSS, Trojan.DNS_Changer, or Troj/Rustock. It also has other aliases due to the fact that it evolves and changes over time.

You may find your anti-virus or anti-spyware program identifies any of the following:



• C:\windows\system32\drivers\SKYNETsunjnbdw.sys
• C:\windows\system32\drivers\MSIVXvvynaffpomuyaycwkoiyldjssbgligea.sys
• C:\windows\system32\drivers\UACgrevmydoyiftawolx.sys
• C:\windows\system32\drivers\ovfsthhtkoslmsqrvwsntnkdioglrpufewidyw.sys
• c:\windows\system32\drivers\TDSSmaxt.sys
• c:\windows\system32\drivers\kungsfndqriiha.sys
• c:\windows\system32\drivers\seneka.sys


Another sign of it would be this line showing up in your HijackThis or OTL log; however, this is not always present, so you can't rely on it completely to tell whether you have the infection or not:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3B8FF4B4-174F-4B7F-BE68-78043E53C8DA}: NameServer = 85.255.112.70;85.255.112.201


Now lets get onto the good stuff, removing this infection from your PC!


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. For the fix to work properly we will need you to close your browser, and any security programs like an anti-virus or anti-spyware. If you aren't completely sure how to do that, just continue on with the guide.



Step 1 :


We need to clean out your temp files and folders to speed up the whole process.


Download TFC (Temp File Cleaner) to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run; make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job.
• Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Step 2 :


We need to make sure you don't have another infection which can cause Google redirects. This is unlikely to fix your problem, but it's better to be safe than sorry, as they say.


Please download GooredFix, making sure that you save this file to your Desktop.

• Double-click GooredFix.exe on your Desktop (Note: If you are using Vista, right-click GooredFix and select Run As Administrator...)
• Select Option #1 - Find Goored (no fix), by typing 1 and pressing Enter
• A logfile should pop up shortly, that will look something like this:

Code:
GooredFix v1.92 by jpshortstuff
Log created at 08:35 on 24/12/2008 running Option #1 (Administrator)
Firefox version 3.0.3 (en-GB)
=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

• Take a look at the section highlighted in red. As shown in this log, there should be an entry there with a random string of numbers and letters enclosed in {} (in this case {ABB56C42-1843-46EF-A93E-482DE0F5B5AA}), that shows a folder in C:\Documents and Settings\<your name>\Local Settings\Application Data\{the same random numbers and letters}. A newer version of the infection just consists of a folder in Firefox's extensions directory, in this case: C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}.
• If these entries are present, and if there are no other entries that you think may be legitimate in the "Suspect Goored Entries" section, then do the following:
◦Close all Windows and Browsers, especially any Firefox Windows.
◦Double-click GooredFix.exe on your Desktop (Note: If you are using Vista right-click GooredFix and select Run As Administrator...)
◦Select Option#2 - Fix Goored by typing 2 and pressing Enter.
◦At the prompt, type y and press Enter.
◦GooredFix will now remove the infection (if it requires a reboot, please restart your computer).
◦ Note: If no entries are under "Suspect Goored Entries" then that means you don't have this infection. Please do not run Option #2; instead proceed straight to Step 3 below.



Step 3 :


The following should remove the redirects and have your PC back to normal


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

1.If you are using Firefox, make sure that your download settings are as follows:
◦Tools->Options->Main tab
◦Set to "Always ask me where to Save the files".
2.During the download, rename Combofix to Combo-Fix as follows:




3.It is important you rename Combofix during the download, but not after.
4.Please do not rename Combofix to other names, but only to the one indicated.
5.Close any open browsers.
6.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

◦ Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
◦ Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------
◦Close any open browsers.
◦WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
◦Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
◦If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------
7. Double-click on Combo-Fix.exe and follow the prompts.
8. Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.
9. This should fix your search engine redirects. Please restart your PC, check how it's running and whether there are any more redirects.



Step 4 :


This step is easy and quick; it is to remove any left-over pieces of malware or anything else that may be hiding.


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

•Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
•If an update is found, it will download and install the latest version.
•Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish, so please be patient.
•When the scan is complete, click OK, then Show Results to view the results.
•Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, it is recommended you reboot your PC.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Conclusion :


Let us remove those tools we used; it's best not to keep them around.


•Download OTC to your desktop and run it
• Click Yes to begin the Cleanup process and remove these components, including this application.
•You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Your PC should hopefully be clean from those pesky redirects! There is nothing left to do but enjoy having a normal PC again. If that isn't the case then you must have some other sort of infection or a new variant. Don't worry though, it's nothing we can't fix. Just pop over to the Help Desk


However, if this guide did fix your PC, I'm glad to be of assistance. Feel free to hang around as there is plenty to read and learn here.
Attached images: PC_Tweaks-cf_download_ff.gif, PC_Tweaks-cf_download_rename.gif
~It is possible to fail in many ways...while to succeed is possible only in one way.~
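Added example, not part of the post above and not code from any of the tools it names: a small Python triage script that checks the same indicators the post lists, offline, from a pasted HijackThis/OTL log, a listing of the system32\drivers directory and the Firefox extension registry entries. The O17 line, the driver file names and the Goored entries are taken from the post; the second O17 line, the trusted-resolver list, the extension allow-list and the consonant-run heuristic for random-looking driver names are my own constructions and assumptions.

```python
# Offline triage for the indicators in the post: O17 NameServer hijacks in a HijackThis/OTL log,
# rootkit driver names in the system32 drivers directory, and Firefox 'Goored' extension entries.
import re
from ipaddress import ip_address, ip_network

# Driver-name families copied from the post's detections; plain random lowercase names such as
# kungsfndqriiha.sys are caught by a consonant-run heuristic of my own (an assumption).
ROOTKIT_DRIVER_PREFIXES = ("TDSS", "UAC", "SKYNET", "MSIVX", "ovfsth", "seneka")
DRIVER_PATH_RE = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\(?P<stem>[^\\]+)\.sys$", re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{12,}$")
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")
# HijackThis O17 line: DNS servers forced onto one interface through the Tcpip service key.
O17_RE = re.compile(r"^O17\s+-\s+(?P<key>HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\[^:]+):"
                    r"\s*NameServer\s*=\s*(?P<servers>[0-9.;, ]+)$")
# Goored: a GUID-named extension registered from Local Settings\Application Data, or (newer
# variant) a GUID-named folder dropped straight into Firefox's extensions directory.
LOCAL_APPDATA_GUID_RE = re.compile(r"\\Local Settings\\Application Data\\\{[0-9A-Fa-f-]{36}\}\\?$")
FF_EXT_DIR_GUID_RE = re.compile(r"\\Mozilla Firefox\\extensions\\\{[0-9A-Fa-f-]{36}\}\\?$")

def parse_o17(lines):
    """Return [(interface_key, [server, ...])] for every O17 NameServer line in the log."""
    hits = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            hits.append((m.group("key"), [s for s in re.split(r"[;, ]+", m.group("servers")) if s]))
    return hits

def untrusted_nameservers(servers, trusted):
    """Servers outside the trusted allow-list (single IPs or CIDR ranges); unparsable strings count too."""
    nets = [ip_network(t, strict=False) for t in trusted]
    def ok(s):
        try:
            return any(ip_address(s) in n for n in nets)
        except ValueError:
            return False
    return [s for s in servers if not ok(s)]

def classify_driver(path):
    """Family prefix from the post, 'random-looking' (heuristic), or None for a normal driver."""
    m = DRIVER_PATH_RE.match(path.strip())
    if not m:
        return None
    stem = m.group("stem")
    family = next((p for p in ROOTKIT_DRIVER_PREFIXES if stem.startswith(p)), None)
    if family is None and RANDOM_STEM_RE.match(stem) and CONSONANT_RUN_RE.search(stem):
        family = "random-looking"
    return family

def suspect_goored(registry_entries, extension_folders, known_good):
    """registry_entries: {ext_id: path} from the Firefox extensions key; extension_folders: dirs under extensions."""
    good = {k.lower() for k in known_good}
    flagged = [ext for ext, path in registry_entries.items() if ext.lower() not in good
               and (LOCAL_APPDATA_GUID_RE.search(path) or FF_EXT_DIR_GUID_RE.search(path))]
    flagged += [d for d in extension_folders if FF_EXT_DIR_GUID_RE.search(d)
                and d.rstrip("\\").rsplit("\\", 1)[-1].lower() not in good]
    return flagged

# Constructed samples: shapes taken from the post; the second O17 line and the allow-lists are examples.
SAMPLE_LOG = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3B8FF4B4-174F-4B7F-BE68-78043E53C8DA}: NameServer = 85.255.112.70;85.255.112.201",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A1B2C3D4-0000-1111-2222-333344445555}: NameServer = 192.168.1.1",
]
TRUSTED_DNS = ["192.168.1.1", "10.0.0.0/8"]          # assumed: the resolvers this network should be using
SAMPLE_DRIVERS = [
    r"C:\windows\system32\drivers\SKYNETsunjnbdw.sys",
    r"c:\windows\system32\drivers\TDSSmaxt.sys",
    r"c:\windows\system32\drivers\kungsfndqriiha.sys",
    r"c:\windows\system32\drivers\seneka.sys",
    r"C:\windows\system32\drivers\tcpip.sys",         # legitimate, must not be flagged
]
SAMPLE_FF_REGISTRY = {
    "{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}": r"C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}",
    "jqs@sun.com": r"C:\Program Files\Java\jre6\lib\deploy\jqs\ff",
    "{20a82645-c095-46ed-80e3-08825760534b}": r"C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension",
}
SAMPLE_FF_FOLDERS = [
    r"C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}",
    r"C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}",  # Firefox default theme
]
KNOWN_GOOD_EXT = ["jqs@sun.com", "{20a82645-c095-46ed-80e3-08825760534b}",
                  "{972ce4c6-7e08-4474-a285-3208198ce6fd}"]

def triage(log_lines, driver_paths, ff_registry, ff_folders, trusted_dns, known_good):
    """Run the three checks and return one report, the way a helper reads a posted log."""
    report = {"dns": [], "drivers": [], "extensions": []}
    for key, servers in parse_o17(log_lines):
        bad = untrusted_nameservers(servers, trusted_dns)
        if bad:
            report["dns"].append((key, bad))
    report["drivers"] = [(p, fam) for p in driver_paths if (fam := classify_driver(p))]
    report["extensions"] = suspect_goored(ff_registry, ff_folders, known_good)
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_DRIVERS, SAMPLE_FF_REGISTRY, SAMPLE_FF_FOLDERS, TRUSTED_DNS, KNOWN_GOOD_EXT))
```

Run it as-is to see the report for the constructed samples; on a real machine you would paste the O17 lines from your own log, list the drivers directory and export the Firefox extensions key yourself. A driver flagged as "random-looking" is a prompt to check that file, not proof of infection, and a NameServer outside your allow-list is exactly the DNS-changer symptom the post's O17 line shows.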