Avatar of HMCS
HMCS, United States of America

asked on

Google Re-Direct Virus

For about the last 2 days or so I have been plagued when using the Google search engine with Firefox that many of my searches that I click on are redirected to sites which have literally nothing to do with my search terms.

At first I thought it was some weird Google problem and then I got to looking around and discovered there was a virus going around that mostly affected Google and different web browsers.

As far as I know my only trouble is with Google and Firefox. I super rarely use IE but from a limited use I see that as far as I know IE is not affected, as well as other search engines on both Firefox and IE.

I immediately scanned with my free Norton (from Comcast) and CC cleaner to no avail. I read somewhere that Malwarebytes might work, especially if you upgraded to a new version, etc.
I used malwarebytes and it came up with 7 trojans all of which pertain to the tracur and BHO in 2 files and in 5 registry keys.

Those 7 instances have been quarantined but I am still having the problem. I need to know if it is possible to get rid of this plague.

Does this virus/trojan do anything else to my security? Do I need to go out and change my debit card and any financial information which is on this computer.

Anyone having knowledge about this specific problem - I welcome their comments and/or suggestions.
SOLUTION
Avatar of Dangle79
Dangle79, United States of America

Avatar of Thomas Zucker-Scharff
Note that Vista and Win7 have an in-place reinstall of the OS. This way you can reinstall all your OS files without affecting either your programs or your settings. You should only use this if you are sure you have cleaned the virus.

See this article: http://windowssecrets.com/top-story/win7s-no-reformat-nondestructive-reinstall/

SOLUTION
Malwarebytes is meant to be run in normal mode.  See this page for instructions:

http://forums.malwarebytes.org/index.php?showtopic=69723
As noted, the developers of Malwarebytes designed it to be run in "Normal Mode" - when all processes (good and bad) are running, and SmitFraudFix hasn't been updated in years - please do not use that.

You may need to run a rogue process stopper before doing your Malwarebytes scan.

A couple of EE Articles might help you with this problem:

- "Google Hijack" - Google Search Gets Redirected: https://www.experts-exchange.com/A_3299.html

https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
Avatar of phototropic

@Frosty555,

You should remove Smitfraudfix from your "cocktail" - it hasn't been updated in at least 2 years. Against any contemporary infection it is completely useless.

@HMCS,

TDSSKiller is a good first step against redirects:

http://support.kaspersky.com/faq/?qid=208280684
TDSSKiller as mentioned by phototropic, and then you could also try FixTDSS.exe from Symantec:

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

I hope that helps.

Sudeep
Avatar of HMCS

ASKER

I forgot to mention that I am using Windows 7, 64-bit, and it seems like TDSSKiller will not work with Windows 7. I haven't tried it or downloaded it, but I think I need to look in a different direction.

I have run a scan with Avast at boot which was partly successful but was aborted, and I'll need to try it again.

Looking at a Kaspersky forum, it seems to indicate that a 64-bit system cannot be attacked by this rootkit. To this I say Bravo Sierra !!!

Looks like I'll try the Symantec fix instead.
Avatar of HMCS

ASKER

Since my last post I have found this: BitDefender TDSS/TDL4 Removal Tool v1.0.0.1 (64-bit). I'm going to try it, since after looking at the Symantec program it looks more complicated than I wish to get into.

It seems to me that the sites I have seen are calling this a rootkit rather than a virus or trojan.

SOLUTION
Avatar of HMCS

ASKER

I have just completed using the TDSSKiller and it showed nothing at all !!!

I also did a second Avast boot time scan and it came up clean but did show about 4 corrupted files, two of which involved silverlight.

Now I am a loss as to what exactly I really have.

I don't have the CD that came with the computer. I once knew where it was, but it, along with several other CDs, has simply disappeared. Even if I did, for me it would not really be an option, since I have programs on this computer which I do not have license keys for anymore. Even getting a new install Win 7 CD is almost out of the question.

My only thought on this would be, if I could get an OEM version of Home Premium, to use it to create a dual-boot situation; thus I'd be able to keep the old system. I've never done a dual boot with either Vista or 7, but I have in the past done dual and even a quad boot using XP. I really don't even want to go this route, but if it would solve my problem then I would consider it.

My main goal here is to solve this problem with as little collateral damage as possible.

Until I hear from someone I'm not doing a thing, since I don't want to make a bad situation any worse.
SOLUTION
You can do a non-destructive reinstall of the OS in Win7. You can use any Win7 OEM disc, since they all have all versions of Win7 on them; you just need your serial number, which unlocks the correct version.

See this article: http://windowssecrets.com/top-story/win7s-no-reformat-nondestructive-reinstall/

Note: only do a reinstall if it is the system files that are infected. Replacing the system files when your data files are infected will only get your system reinfected.

If you think it is a rootkit try some of the tools I reviewed here:

https://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Anti-rootkit-software.html

Avatar of HMCS

ASKER

I used the bit defender tool and it also showed nothing - I'll read the material you suggested.

Also, enclosed is the original HijackThis scan file; see if anyone can make heads or tails of it.

I'm going to see if I can come up with $100 for a Win 7 disk. I am retired and living on SS and military retirement. Frankly, I'm rather on the poor side. The only way I can even afford an internet connection is that 7 days a week I clean the laundry rooms (2) at the apartment complex where I have lived the past 15.5 years.

I realize that dual booting will not cure this system, but I would have one on a 2nd boot that would be functional for internet use. As far as I can tell, if the original is not on the net I'm OK, and the programs I have on this install that I don't have existing keys for could still be used, i.e. Photoshop CS2.
As far as I can tell my only problem is with Firefox and Google; nothing else seems to be affected.

Anyway - take a look at the hijack file and see what you think. This was done before I used many of the programs seeking to identify and eliminate this - whatever it is.

 hijackthis.log
SOLUTION
Doc -
It looks to me as though you are running a 64 Bit Operating System.
If that is true, ignore all of the "023" suggestions posted above.

SSharma - please read through the information in this EE Article and familiarize yourself with how HJT treats 64 Bit OS's.

- HijackThis reports missing files on 64-bit Systems: https://www.experts-exchange.com/A_3178.html
No doubt why some people don't trust HijackThis; thanks for the information. I will take a note for future reference.
Avatar of HMCS

ASKER

I am running Windows 7 Home premium 64 bit
Let me try this one more time:

"Follow the advice in this EE Article and post the logs that are generated by both RogueKiller and Malwarebytes:

https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)"
Avatar of HMCS

ASKER

I have used Rogue Killer & am enclosing the scan results. I am a bit surprised that two items have been identified as being bad processes. I refer to TechTracker and Astropulse, which is a part of SETI, BOINC.

I have used seti on many computers over at least 10 years. This is interesting ! RKreport-1-.txt
Avatar of HMCS

ASKER

Here is an old Malwarebytes scan on 7/18/11 and also a new one on 7/20/11 after using Rogue Killer. mbam-log-2011-07-18--14-41-48-.txt mbam-log-2011-07-20--21-38-50-.txt
ASKER CERTIFIED SOLUTION
Avatar of HMCS

ASKER

My O/S is Windows 7 Home Premium, 64 bit & no I have not read that article - thanks.
Avatar of HMCS

ASKER

I've scanned through the article and frankly I don't know exactly what I have. Too bad I can't use the GooredFix, but I guess that is the problem with using a 64-bit O/S.

My problem, to the best of my knowledge, lies only with Google and Firefox.

I don't have a router - just a cable modem from Comcast.
"My O/S is Windows 7 Home Premium, 64 bit"

If nasties are only infecting the 32-bit side of a 64-bit system, then a 32-bit application will be able to fix it...
But if the nasties are infecting the 64-bit location of a 64-bit system, then a 32-bit app can't fix it because it has no access to that location; you would then need a program that can access the 64-bit location.

A 32-bit program that says "64-bit compatible" doesn't mean it can access the 64-bit location of that system, because it only has access to the 32-bit side of it.


Have you already tried disabling Firefox AddOns?
If GooredFix won't help then I'd suggest using OTL.
Avatar of HMCS

ASKER

So then it would be fruitless to attempt using a program designed for 32 bit only?

I have not disabled any add-ons. Do you mean permanently?

I'll be back later to further discuss this. I need to walk to the post office and then on to a local grocery store with me and my little cart. The round trip is about 2 miles, which is not bad for an almost 69-year-old man who had a stroke nearly 7 years ago. I can't drive due to complications caused by the stroke.
"So then it would be fruitless to attempt using a program designed for 32 bit only?"

Try GooredFix and see... who knows maybe only the 32bit part is infected. If GooredFix can't help then OTL next.

"I have not disabled any add ones. Do you mean permanently ?"

I asked because tracur usually infects Firefox extensions/addons.


Sorry to hear about your stroke...
Walk for 2 miles? that's great, and they say we're only as old as we feel, :)
Is a cart something you push like a trolley? please forgive my curiosity.
If my reply is delayed that's because I'd be asleep, it's midnight here now.


Please try the GooredFix and also OTL. OTL will not delete anything on its first run; it will just generate a logfile that we can look at.

Download OTL, save to Desktop or other convenient location.
http://oldtimer.geekstogo.com/OTL.exe
OTL does not need to be installed, simply click the OTL icon to run
Click the Quick Scan Button.
A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
Post/attach the log here.
Avatar of HMCS

ASKER

I am happy to report that I am almost positive that this problem has been solved.

I decided to use the GooredFix anyway, even though I was using a 32-bit program on a 64-bit machine. I figured it was worth a try, and lo and behold, after looking at the log report I thought there might be a chance that something might have been accomplished.

After several trials using Google and Firefox I have not had one instance of a redirect. I first tried while the computer was on right after the GooredFix was used, then I tried after rebooting the computer and then as a final test I tried again, shutting the computer off, and waiting about 2 1/2 hours, while I took a nap, before trying again. In all instances I have never had a redirect happen and this is the first time in days that this has happened.

I would consider this computer fit to compute another day. Do I need to explore (test) this computer further regarding this problem, or should I conclude that the problem is now fully cured ?

I did not use the OTL but I downloaded it. I decided not to run it after what happened with the GooredFix.

Finally, to answer rpggamergirl's question about my cart: I have two of them, and one is larger than the other. They have 4 wheels, the back 2 are larger than the front ones, and they can be either pulled or pushed as required (needed). The larger one works better on a non-smooth surface than the smaller one, but I use the smaller one more since it is easier to maneuver.

I have another smaller cart that is my back-up in case one fails (breaks), since they are not generally available here locally. The smaller one cost me $20 at a local pharmacy and the larger one cost $40 and was bought at a local hardware store close to where I live. The smaller one is black in color and the large one is red. I use it for many things, and it has given me a great deal of independence which I would not have had, since I cannot carry much in my left hand due to the stroke and the right hand is used with my cane, which I always use while walking outside.

I am closing this problem and consider it closed. I will wait 24 hours for final comments and/or requests for further testing, and then I'll award points.

Thanks everyone for your patience and most informative help & assistance !!! :-)

PS: I am enclosing the Goored log for your perusal.

 GooredFix.txt
Avatar of HMCS

ASKER

Now waiting 24 hours and then awarding points :-)
Avatar of HMCS

ASKER

They say a picture is worth a thousand words; here is a picture of my large cart.
Avatar of HMCS

ASKER

F/11 @ 1/250 sec, EI: 400. Edited in "Photoscape" (free program). I only break out Photoshop for more advanced corrections.
Avatar of HMCS

ASKER

Take a look at this article I received in my email this afternoon from Information Week.

http://www.informationweek.com/news/security/vulnerabilities/231002214?cid=nl_IW_daily_2011-07-21_html

In it the article gives a link to instructions on cleaning the "hosts" file. This is one area in which I have no idea if and/or when it has been cleaned on my computer.
Avatar of HMCS

ASKER

And while I am at it, for you rpggamergirl, is a picture taken of my smaller cart.

F/11 @ 1/50 sec; EI 400. Edited in PhotoScape.
Hi HMCS,

I'm glad you tried GooredFix; it successfully deleted one bad Firefox extension.
It could've been resolved much quicker (under 3 hours after posting your question) with younghv's first post here {http:#36216204}.
My article that he linked you to also mentioned the fix for Firefox search hijacks.

"Google Hijack" - Google Search Gets Redirected:
https://www.experts-exchange.com/A_3299.html


Thank you very much for indulging my curiosity and explaining it in full detail.
Indeed, a picture speaks a thousand words, :)
So kind and generous of you to include pictures of your carts, I feel very privileged thank you.



"In it the article gives a link to instructions on cleaning the "hosts" file. This is one area in which I have no idea if and/or when it has been cleaned on my computer."

If your Hosts file is infected and needs to be restored back to default we can help you there, no problem, but I don't think it is. If your Hosts file were in fact infected, HijackThis would've caught it and shown it in the log. But the log didn't show any infected Hosts entries.

Thanks for the link, I did check the site but didn't find it helpful. I'm not very keen on sites that give me the run-around when I am looking for information.

The site says:
"Google provides instructions for manually cleaning one's Windows hosts file."

And when I clicked on that link that is supposed to tell me how to fix the Hosts file, it gave me a page that says to install an antivirus etc...
Then it says to click on another link that will answer what you're looking for. But that next page doesn't tell you how to fix the Hosts file either; it only tells you where the Hosts files of all OSes are located (very incomplete information for someone trying to fix his Hosts file).
The page tells you to click on another link which is kind of a dead end (as you have to register etc. and ask for help on that forum), and a link to a Google search results page for the words "open windows hosts file".

Now here is the funny part: since your PC's Google searches are redirected, you'll be redirected if you click on any of those links (unless you know the work-around to it). Not really helpful.
The site gives you the "run-around" thingie till you end up using Google to look for the answer.


For future reference, also check these articles out.
THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED:        
https://www.experts-exchange.com/A_1979.html

IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:          
https://www.experts-exchange.com/A_1995.html 



"No doubt why some people don't trust HiJakcthis, thanks for information. Would take a note for the future reference."

SSharma, HijackThis may not be an excellent tool at the moment, but it is still a good tool; there is no doubt about that. We need to know the limitations of every tool that we use so there are no disappointments; we can't blame the tool for our lack of knowledge of what it does.
Thanks for the Yes vote, I wrote that article over a year ago and it's been on the zone's landing page and you never read it, :).

Thanks for voting too tzucker, :)
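Rpggamergirl's point above is that a hijacked Hosts file is the other classic cause of search redirects and would show up in a HijackThis log. As an added example that is not from this thread or from any tool named in it, here is a small Python checker that parses a Windows-style hosts file and flags search-engine domains pinned to anything other than a loopback or null address; the watched-domain list and the sample hosts text are constructed for the demonstration.

```python
import ipaddress

# Domains whose hijack gives exactly the symptom in this thread: searches on
# these hosts silently going somewhere else. Constructed list for the example.
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com")

# Entries pointing a name at loopback or the null address are the normal
# ad-blocking / dev-machine case, not a redirect, so they are not flagged.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
# read it with open(path, encoding="utf-8", errors="replace").read().


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames])] for each active entry.

    Comments (everything after '#'), blank lines and lines whose first
    field is not a valid IP address are skipped, as the resolver would.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_watched(host):
    """True if host is a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return entries that pin a watched domain to a non-benign address."""
    flagged = []
    for line_no, ip, hosts in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue
        hijacked = [h for h in hosts if is_watched(h)]
        if hijacked:
            flagged.append((line_no, ip, hijacked))
    return flagged


# Constructed sample: three normal lines plus one redirect entry that uses a
# TEST-NET-3 address (203.0.113.0/24), which never routes to a real host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example   # benign ad-blocking entry
203.0.113.45    www.google.com google.com   # constructed hijack entry
"""

if __name__ == "__main__":
    for line_no, ip, hosts in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {', '.join(hosts)} -> {ip}")
```

A clean Windows hosts file has only comments and localhost lines, so any non-loopback entry for a search domain is worth explaining before trusting the machine again.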




Avatar of HMCS

ASKER

Well, here it is after 3 AM and I can't sleep and don't feel all that well. I'm going to try and get some sleep, since I get up at 5:30 AM and clean the 2 laundry rooms in this apartment complex. This little job takes about an hour every day, and the money I get from it pays for my internet connection, cable TV and telephone. I am very lucky to be able to work and that someone would hire me considering my age and physical condition.

I thank you for the added information and kind words. Your actions got me out of a very nasty situation and one that was looking rather grim.

I took a look at your resume and was highly impressed. Since you mentioned a great time difference, and seeing that you studied at the University of Mindanao, I gather this is the southernmost island of the Republic of the Philippines.

In the early 70s I was in the RP stationed at what was then known as the "Mao Camp" with BLT 1/4 and 3/4 and during that 2 year period was also aboard the U.S. ships Peoria, Schenectady and Tripoli. (LST 1183, 1185 & LPH 10). All 3 ships have long since been decommissioned.

I'll be closing out this question this afternoon and awarding points to all participants.
@ HMCS  (not for points, obviously):
Have been monitoring this thread of yours for a couple of days, and glad to see it's resolved.
You've had some excellent folks helping you with this, and there are still two or three others out there in the wings.  
It's an interesting "Member Profile" you have, and next time you have a problem, or indeed if this one returns (unlikely!), you know where to come ...

Keep your internet connection open somehow, and good luck!
SOLUTION
Avatar of HMCS

ASKER

Thank you greatly to everyone who participated in this question. This was a great learning experience for me and one I will never forget.

Younghv - thanks and Semper Fi !!

Jonvee - thanks for the nice comments :-)

rpggamegirl - Thanks a million for the solution - it took much of my mind for sure. Catch ya around here sometime - Mabuhay and Shalom :-)
Avatar of HMCS

ASKER

There ! It is done now - Thanks and best wishes to all participants :-)
HMCS,

You're welcome, it was a pleasure working with you.
Mabuhay! and Shalom...

Thank you for using Experts-Exchange :)