Katz Forums

Old 06-26-2009, 08:01 PM   #1
CybeRnotic
Tech Support
 
Join Date: Feb 2009
Location: Help Desk
Posts: 2,658

How to remove a Google redirect virus


The following guide is to cure your PC of that annoying piece of malware which hijacks and redirects your Google searches and other search engines, otherwise known as a Google redirect. Other than the search engine redirect, some other signs that you may have this infection are:
  • Not being able to download, install, or run security programs like HijackThis or Malwarebytes' Anti-Malware
  • Being blocked from navigating to security/malware removal sites, for example Microsoft or GeeksToGo


This infection is also commonly known by security applications as Rootkit.Win32.TDSS, Trojan.DNS_Changer, or Troj/Rustock. It also has other aliases due to the fact that it evolves and changes over time.

You may find your anti-virus or anti-spyware programs identify any of the following files:


  • C:\windows\system32\drivers\SKYNETsunjnbdw.sys
  • C:\windows\system32\drivers\MSIVXvvynaffpomuyaycwkoiyldjssbgligea.sys
  • C:\windows\system32\drivers\UACgrevmydoyiftawolx.sys
  • C:\windows\system32\drivers\ovfsthhtkoslmsqrvwsntnkdioglrpufewidyw.sys
  • c:\windows\system32\drivers\TDSSmaxt.sys
  • c:\windows\system32\drivers\kungsfndqriiha.sys
  • c:\windows\system32\drivers\seneka.sys


Another sign of it would be this line showing up in your HijackThis or OTL log. However, this is not always present, so you can't rely on it completely to tell whether you have the infection or not:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3B8FF4B4-174F-4B7F-BE68-78043E53C8DA}: NameServer = 85.255.112.70;85.255.112.201


Now let's get onto the good stuff, removing this infection from your PC!


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. For the fix to work properly we will need you to close your browser, and any security programs like an anti-virus or anti-spyware. If you aren't completely sure how to do that, just continue on with the guide.



Step 1 :


We need to clean out your temp files and folders to speed up the whole process.


Download TFC (Temp File Cleaner) to your desktop.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Step 2 :



We need to make sure you don't have another infection which can cause Google redirects. This is unlikely to fix your problem, but it's better to be safe than sorry, as they say.


Please download GooredFix, making sure that you save this file to your Desktop.
  • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista, right-click GooredFix and select Run As Administrator...)
  • Select Option #1 - Find Goored (no fix), by typing 1 and pressing Enter
  • A logfile should pop up shortly, that will look something like this:

    GooredFix v1.92 by jpshortstuff
    Log created at 08:35 on 24/12/2008 running Option #1 (Administrator)
    Firefox version 3.0.3 (en-GB)
    =====Suspect Goored Entries=====
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"
    
    C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}
       
    =====Dumping Registry Values=====
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
  • Take a look at the section highlighted in red ("Suspect Goored Entries"). As shown in this log, there should be an entry there with a random string of numbers and letters enclosed in {} (in this case {ABB56C42-1843-46EF-A93E-482DE0F5B5AA}), that points to a folder in C:\Documents and Settings\<your name>\Local Settings\Application Data\{the same random numbers and letters}. A newer version of the infection just consists of a folder in Firefox's extensions directory, in this case: C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}.
  • If these entries are present, and if there are no other entries that you think may be legitimate in the "Suspect Goored Entries" section, then do the following:
    • Close all windows and browsers, especially any Firefox windows.
    • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista, right-click GooredFix and select Run As Administrator...)
    • Select Option #2 - Fix Goored by typing 2 and pressing Enter.
    • At the prompt, type y and press Enter.
    • GooredFix will now remove the infection (if it requires a reboot, please restart your computer).
    • Note: If there are no entries under "Suspect Goored Entries" then you don't have this infection. Please do not run Option #2; instead proceed straight to Step 3 below.



Step 3 :



The following should remove the redirects and have your PC back to normal.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:



  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double-click on Combo-Fix.exe & follow the prompts.
  8. Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.
  9. This should fix your search engine redirects. Please restart your PC, check how it's running and whether there are any more redirects.



Step 4 :


This step is easy and quick; it is to remove any left-over pieces of malware or anything else that may be hiding.


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed it is recommended you reboot your PC.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Conclusion :


Let us remove those tools we used; it's best not to keep them around.

  • Download OTC to your desktop and run it.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Your PC should hopefully be clean of those pesky redirects! There is nothing left to do but enjoy having a normal PC again. If that isn't the case then you must have some other sort of infection or a new variant. Don't worry though, it's nothing we can't fix. Just pop over to the Help Desk.


However, if this guide did fix your PC, I'm glad to be of assistance. Feel free to hang around as there is plenty to read and learn here.


Regards, CybeRnotic
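An added example, written for this page rather than taken from CybeRnotic's post, HijackThis or any of the tools above: a small Python check that runs over HijackThis-style log lines and a drivers-folder listing and reports the two indicators the post describes, the O17 NameServer entry pointing at the hijack DNS servers and driver files named like the listed rootkit families. The log lines and driver names are constructed samples; the "expected" resolver list is whatever your own network normally uses.

```python
import re

# Known-bad DNS servers, taken from the O17 line quoted in the post.
KNOWN_BAD_NAMESERVERS = {"85.255.112.70", "85.255.112.201"}
# Driver names quoted in the post: four families use a fixed prefix plus
# random letters (matched by prefix); the rest are matched by exact name.
DRIVER_PREFIXES = ("skynet", "msivx", "uac", "tdss")
DRIVER_NAMES = {"seneka.sys", "kungsfndqriiha.sys",
                "ovfsthhtkoslmsqrvwsntnkdioglrpufewidyw.sys"}
O17_RE = re.compile(r"^O17 - .*?NameServer = (?P<servers>[\d.;,]+)\s*$")

def suspicious_nameservers(log_lines, expected=()):
    """Return (server, reason) for every O17 NameServer that is a known
    hijack server or is not one of the caller's expected resolvers."""
    findings = []
    for line in log_lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in filter(None, re.split(r"[;,]", m.group("servers"))):
            if server in KNOWN_BAD_NAMESERVERS:
                findings.append((server, "known hijack DNS server"))
            elif server not in expected:
                findings.append((server, "not an expected DNS server"))
    return findings

def suspicious_drivers(filenames):
    """Return driver file names matching the rootkit families in the post."""
    return [n for n in filenames
            if n.lower() in DRIVER_NAMES
            or (n.lower().endswith(".sys") and n.lower().startswith(DRIVER_PREFIXES))]

# Constructed sample input: HijackThis-style log lines and a drivers listing.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3B8FF4B4-174F-4B7F-BE68-78043E53C8DA}: NameServer = 85.255.112.70;85.255.112.201",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",
]
SAMPLE_DRIVERS = ["ntfs.sys", "SKYNETsunjnbdw.sys", "seneka.sys", "usbhub.sys"]

if __name__ == "__main__":
    for server, why in suspicious_nameservers(SAMPLE_LOG, expected={"192.168.1.1"}):
        print(f"O17 NameServer {server}: {why}")
    for name in suspicious_drivers(SAMPLE_DRIVERS):
        print(f"driver {name}: matches a known redirect rootkit family")
```

A hit from either function is a reason to follow the steps above, not proof on its own: as the post says, the O17 line is not always present, and the prefix match is only as good as the family names seen at the time.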
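A second added example for Step 2, again my own code and not GooredFix's logic: a parser for the "Suspect Goored Entries" section of a GooredFix log that applies the two patterns the post describes (a registry value named {GUID} that points at a Local Settings\Application Data folder of the same GUID, and a bare {GUID} folder inside Firefox's extensions directory) and sends everything else back for manual review. The log text is a constructed sample modelled on the one quoted in the post.

```python
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"$')  # "name"="path"
EXT_DIR_RE = re.compile(r"\\Mozilla Firefox\\extensions\\" + GUID + r"$")
APPDATA = "\\Local Settings\\Application Data\\"

def suspect_goored_entries(log_text):
    """Classify each line of the 'Suspect Goored Entries' section:
    'registry-extension' = value named {GUID} pointing at Local Settings\\
    Application Data\\{same GUID}; 'extensions-folder' = a {GUID} folder in
    Firefox's extensions directory; anything else is 'review'."""
    lines = [l.strip() for l in log_text.splitlines()]
    if "=====Suspect Goored Entries=====" not in lines:
        return []
    findings = []
    for line in lines[lines.index("=====Suspect Goored Entries=====") + 1:]:
        if line.startswith("=====Dumping Registry Values====="):
            break  # the dump below repeats every value and is not a finding
        if not line or line.startswith("["):
            continue  # blank lines and [registry key] headers
        m = VALUE_RE.match(line)
        if m and re.fullmatch(GUID, m["name"]) \
                and m["path"].endswith(m["name"]) and APPDATA in m["path"]:
            findings.append(("registry-extension", m["path"]))
        elif not m and EXT_DIR_RE.search(line):
            findings.append(("extensions-folder", line))
        else:
            findings.append(("review", line))
    return findings

# Constructed sample modelled on the log quoted in the post.
SAMPLE_LOG = r"""GooredFix v1.92 by jpshortstuff
=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}

=====Dumping Registry Values=====
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

if __name__ == "__main__":
    for kind, detail in suspect_goored_entries(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```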
Re: How to remove a Google redirect virus
Old 06-26-2009, 11:31 PM   #2
bloodqman
Katz Active Member

Join Date: Mar 2009
Location: Macedonia
Posts: 412

Thanks, working on it right away.
Re: How to remove a Google redirect virus
Old 07-09-2009, 01:09 AM   #3
rocknstomper
Katz Active Member

Join Date: Nov 2008
Location: Minnesota
Posts: 469

Thanks as always, you're the man.
Re: How to remove a Google redirect virus
Old 07-20-2009, 09:11 PM   #4
dnvigerjr
Probation
Katz Member

Join Date: Jul 2009
Posts: 1

Is there anyone for whom this advice has worked? I wish there was legit software that would do this for us. I am afraid of making a mistake and wiping out my computer and all the valuable information on it.

I don't know why there isn't more being done to protect us against this Google Re-direct. Since Google makes so much money as a search engine, you would think that they above all others would develop a fix. It must be bad publicity!
Re: How to remove a Google redirect virus
Old 07-21-2009, 01:00 PM   #5
ronen218
Member

Join Date: Jul 2009
Posts: 18

Good and useful post. Thanks for sharing.
Re: How to remove a Google redirect virus
Old 08-06-2009, 06:55 PM   #6
speedy164
Member

Join Date: Aug 2009
Posts: 35

Hey, I just tried using GooredFix but I'm using Internet Explorer. The logfile popped up and I typed in 1 and it didn't do anything. I'm guessing it's only if I have Firefox, I don't know. I'm using Windows XP... please help.
Re: How to remove a Google redirect virus
Old 09-28-2009, 04:16 AM   #7
littlegeorge
Katz Active Member

Join Date: Apr 2009
Posts: 192

Thanks, another great tutorial... AND it worked for me!!!
Sincere Thanks
Old 11-09-2009, 10:58 PM   #8
Lacielee
Member

Join Date: Jan 2009
Posts: 3

I followed this tutorial and it worked perfectly. Well done and many thanks.
Re: How to remove a Google redirect virus
Old 11-11-2009, 12:28 AM   #9
bo7amood
Katz Active Member

Join Date: Sep 2008
Posts: 320

thanks 4 u