
Help with the "Google-redirect" rootkit

Macgyver1968

Normally, I'm the guy that answers these types of threads... but I'm getting my ass kicked. I somehow picked up the new "Google-redirect" rootkit, and I can't get rid of it. The main symptom is it redirects Google search clicks to go to nefarious websites... and uses some kind of Trojan to install its friends. Yesterday, I got a persistent pop-up pic that looked all official with symbols and everything informing me that the FBI/Interpol had locked my computer, and the only way to unlock it was to PayPal them 200 bucks. Couldn't open the Task Manager or do anything but turn it off at the power button. I managed to get rid of that one by running "Combofix.exe" twice in safe mode... but I still can't get rid of the initial rootkit.

Nothing will get rid of it. I even followed a manual removal step-by-step, but it didn't work either...the filenames were all different.

Any help would be appreciated.
 
OOOOooooook.

Yuck, smash your machine!

I suggest reading the Bleeping Computer forums for help. Look for Google redirect threads.

They bite, usually I would start with Rkill, and then TDSSkiller, or Combofix in safe mode. And then just to be safe I would back up data and nuke from orbit. (I tend to rebuild my machines frequently)

Here is the old page from Bleeping Computer:
http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

I had one machine where it laughed off everything except for boot disks like Kaspersky, which is a pain because you have to sit there and tell it to delete the files. I don't have the hardware to boot from another hard disk and scan the infected drive, but I know a lot of people like to do that.
 
You've got the worst virus there is. When I had it, I finally gave the computer to a professional. It cost money, but nothing I did was working.
 
First run rkill.exe (from BleepingComputer), then FixTDSS.exe (from Symantec?), then run tdsskiller.exe (from Kaspersky)....


http://www.bleepingcomputer.com/download/rkill/dl/10/

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Then run Kaspersky's free virus removal tool:

http://devbuilds.kaspersky-labs.com...11/setup_11.0.0.1245.x01_2012_09_27_22_54.exe

Then maybe do all that again in Admin mode...

ETA: When I run Kaspersky Virus Removal tool I first go to settings tab (the little gear). On Security Scope side-tab check the box next to Local Disk (which is probably C: ) (leave the first 3 checked), and then on Security Level side-tab put the slider all the way up to High, and then on Actions side-tab check Select action: (and make sure both Disinfect and Delete if disinfection fails are checked).

After all that go back to Automatic Scan tab and hit Start Scanning.

Then find something else to do for about an hour. :D

ETA #2:

If that last link doesn't work you can always find the current version of Kaspersky's free virus removal tool at this link:

http://www.kaspersky.com/antivirus-removal-tool?form=1

Because they have kept the version number the same for almost a year now (11.0.0.1245.x01), you have to actually start the download and read the file name (hit Download next to Version 11) to see if its definitions have been updated.

For instance, as of typing this the file name ends with: 2012_09_27_22_54
 
If all else fails, reformat the hard drive. Good luck.

Normally that would be my course of action at this point. In fact my system is set up for it. I've got an 80GB 10k rpm Raptor drive that contains only my OS... and a great big RAID drive that holds everything else. However... I'm trying my best NOT to have to do that, because my DVD drive has been acting wonky, and I'm worried it may give me trouble during the re-install.
 
If your DVD drive is not 100% for hardware reasons buy another DVD drive. They are not expensive. A few years ago I complained to the shop my DVD drive was not working very well. The answer was "here is another DVD drive, you can install it yourself. That will be $30 thank you."
 
I had this and TDSSkiller would temporarily remove it, but there was apparently some seed still on my system, and after a few weeks it would come back. Combofix took care of it for good. Now I browse with all plugins disabled and try to only use browser plugins within a virtual machine.
 
I had this recently myself.

I searched everything to get rid of it and nothing.

I wasted more time on it than I should have. I think there is more than one version of it out there.

Learn from my mistake. Save time and just take off and nuke it from orbit.
 
If all else fails, reformat the hard drive. Good luck.

I've been able to fight infestations to a usable standstill, but never get rid of them. Usually it ends in an 8 hour Saturday reinstalling the OS and most software.
 
I've been able to fight infestations to a usable standstill, but never get rid of them. Usually it ends in an 8 hour Saturday reinstalling the OS and most software.

Ouch, that's a lot of software!

Of course I have a slow machine as well, with XP sp2 as a base. So slow, the ones at work I can put Windows 7 professional in 15 minutes or less.
 
Ouch, that's a lot of software!

Of course I have a slow machine as well, with XP sp2 as a base. So slow, the ones at work I can put Windows 7 professional in 15 minutes or less.
It's not so much loading the software as it is downloading and installing all the updates. Takes a long time even with a fast internet connection.
 
Murphy's Law: Of course the 6 spare DVD drives I had in my parts box were all IDE, and this motherboard doesn't have an IDE interface. I did find a good 40GB laptop SATA drive from my old laptop. I did a trial run on it just to see if it installs properly. So in a worst-case scenario I have a drive with a backup OS on it.
 
It's not so much loading the software as it is downloading and installing all the updates. Takes a long time even with a fast internet connection.

Eight hours is a lot, at least in my experience. But then I tend to run my machines with a bare minimum of software. Usually the Windows updates are very fast on clean installs, less than two hours on my slow (eight years old) machine. Now the stupid .NET framework stuff is a pain in general.
 
Eight hours is a lot, at least in my experience. But then I tend to run my machines with a bare minimum of software. Usually the Windows updates are very fast on clean installs, less than two hours on my slow (eight years old) machine. Now the stupid .NET framework stuff is a pain in general.
It was a good 6-7 hours last time I had to reformat my girlfriend's father's Win 7 machine. Besides the multiple Win 7 updates there were hundreds and hundreds of megabytes of updates for their MS Office software, and that's pretty much all he had on there. It was a long day.
 
I got around it for a while by using a browser Maxthon. Then used a search engine searcher. You select Google and do the search from the other search engine, and this virus didn't seem to realize it.

A reasonable work around but ultimately it is a reformat :(
 
It was a good 6-7 hours last time I had to reformat my girlfriend's father's Win 7 machine. Besides the multiple Win 7 updates there were hundreds and hundreds of megabytes of updates for their MS Office software, and that's pretty much all he had on there. It was a long day.

Wow, my experience was different; that would really suck. I just rebuilt a machine at work, rather than drop an image on it, because the WDS server is in another building and it takes about five hours. It took me less than two hours from beginning to end.

That does sound like a crappy day. A long boring crappy day.


(I installed Win7 with SP1, ran updates twice, Office 2010, ran updates, File Maker Pro, Ultra VNC and VLC media player. Maybe it is because the Win7 Pro had SP1 in it already. Now this was also on an HP Pro 4000; either of the netbooks at work would have taken much longer.)
 
Does anybody know which site(s) this stuff is coming from? I guess I am just lucky. My last virus was on a 633 MHz Celeron, if that gives you any idea how long ago that was.
 