Oh, that nasty Google Redirecting Virus
September 3, 2008 8:01 PM

My computer recently acquired a bug. The symptoms:

- Google pages look normal but redirect to nasty sites.

- Computer runs very slowly.

- Certain sites do not load; namely, tech support sites. Hence why I'm posting this here, as opposed to on a tech support site; I've looked at many, and tried what they suggested, but it doesn't seem to work.

As many sites suggested, I ran HijackThis. Here's my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:11 AM, on 9/3/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSv...
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://toshibadirect.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PR...
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSC... /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: AutorunsDisabled
O6 - HKCU\Software\Policies\Microsoft\Interne... Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCE...
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.D...
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
posted by LSK to Computers & Internet (15 answers total)
Look in (windows)\system32\drivers\etc\hosts. There should be only some lines starting with # and " localhost". Anything else in there might be redirecting you to a fake Google or other fake site.
posted by crapmatic at 8:20 PM on September 3, 2008
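
An added check for the hosts-file advice above (example code, not from the thread or from any tool it names): it parses a Windows hosts file and reports every active mapping other than the stock localhost line, separating names pointed at a remote address (the redirect described in this thread) from names pointed at the local machine (the blocklist style that immunization tools add). The sample hosts content and the watched-domain list are constructed for the example.

```python
# Added example: audit a Windows hosts file along the lines of crapmatic's
# advice. Not code from the thread; the sample content below is constructed.
from typing import Dict, List

# Addresses that point a name back at the local machine (sink, not redirect)
LOCAL_SINK = {"127.0.0.1", "::1", "0.0.0.0"}

# Domains this thread says were being redirected (illustrative assumption,
# not an exhaustive list).
WATCHED = ("google.com", "yahoo.com", "windowsupdate.com", "microsoft.com")


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per active (ip, hostname) pair, skipping comments."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        ip, *hosts = line.split()
        for host in hosts:                    # several names may share one IP
            records.append({"line": n, "ip": ip, "host": host.lower()})
    return records


def classify(rec: Dict) -> str:
    """ok: the stock localhost line; block: a name pointed at the local machine
    (what Spybot-style immunization adds); redirect: a name pointed elsewhere."""
    if rec["ip"] in LOCAL_SINK:
        return "ok" if rec["host"] == "localhost" else "block"
    return "redirect"


def audit_hosts(text: str) -> List[Dict]:
    """Every non-stock entry with its kind and whether it touches a watched site."""
    findings = []
    for rec in parse_hosts(text):
        kind = classify(rec)
        if kind == "ok":
            continue
        h = rec["host"]
        watched = any(h == s or h.endswith("." + s) for s in WATCHED)
        findings.append({**rec, "kind": kind, "watched": watched})
    return findings


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example      # constructed: immunization-style block entry
203.0.113.5     www.google.com google.com   # constructed: hijack entries
203.0.113.5     www.windowsupdate.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['kind']}]"
              + (" (watched site)" if f["watched"] else ""))
```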

I have no way of knowing whether this will work for you, but I think it would be worth it to try out ComboFix (link goes to download and instructions). I've had to deal with similar malware infections on several computers at work, and ComboFix has been able to root out the offenders and get things running without much trouble. Good luck!
posted by Shecky at 8:20 PM on September 3, 2008

I don't see anything glaringly obvious in your logfile, but that doesn't mean much. You might want to try looking each entry up (all the .exe files) to see if any of them might be the culprit.

Is it only Google, or all search engines? Does it happen both for Firefox and for IE?
Definitely check the hosts file, make sure it's not set to redirect you. Does trying to access Google and tech sites via a proxy server work? (Try proxify.com)

Do you have more than one computer to test it with? Does it happen to all computers hooked up to your internet access?
posted by gemmy at 8:42 PM on September 3, 2008
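
One way to do the "look each entry up" step above (example code, not from the thread or from HijackThis itself): it pulls the file path out of HijackThis O2/O3/O4/O9 lines, handles quoted command lines, and sorts each path into orphaned (no file), truncated in the paste, bare filename resolved via PATH, or a full path to look up. The sample lines are copied from the log posted in the question.

```python
# Added example: extract the binaries referenced by HijackThis log lines so
# each can be looked up. Not the thread's code; sample lines come from the
# log posted above.
import re
from typing import Dict, Optional, Tuple

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Sections whose last " - " field is a file path (BHOs, toolbars, IE buttons)
PATH_LAST_SECTIONS = {"O2", "O3", "O9"}


def command_path(cmd: str) -> str:
    """Executable from a Run-key command: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def review_line(line: str) -> Optional[Tuple[str, str]]:
    """(path, verdict) for lines that reference a binary, None otherwise."""
    m = O4_RE.match(line)
    if m:
        path = command_path(m.group("cmd"))
    elif line.split(" - ", 1)[0] in PATH_LAST_SECTIONS:
        path = line.rsplit(" - ", 1)[1].strip()
    else:
        return None
    if path == "(no file)":
        return path, "orphaned"    # registry entry whose file is gone; it cannot run
    if "..." in path:
        return path, "truncated"   # cut off in the paste; re-read the full log
    if "\\" not in path:
        return path, "bare-name"   # found via PATH, so check which file actually runs
    return path, "lookup"          # full path: look the file up by name and location


def binaries_to_check(log_text: str) -> Dict[str, str]:
    """Unique paths from the log with their verdicts (first occurrence wins)."""
    out: Dict[str, str] = {}
    for line in log_text.splitlines():
        hit = review_line(line)
        if hit and hit[0] not in out:
            out[hit[0]] = hit[1]
    return out


SAMPLE_LOG = r"""O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSC... /auto
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
"""

if __name__ == "__main__":
    for path, verdict in binaries_to_check(SAMPLE_LOG).items():
        print(f"{verdict:10} {path}")
```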

One thing you should do is to clear your browser cache.
posted by Class Goat at 8:48 PM on September 3, 2008

Like I mentioned in a couple of other threads, try Malwarebytes.
posted by Liosliath at 9:49 PM on September 3, 2008

You can always post your logfiles here for evaluation, although there doesn't seem to be anything obviously malicious in yours.

That said: I would strongly recommend you install SP2 and either upgrade your version of Internet Explorer or switch to Firefox. Here's info about updating windows. This will surely help for the future.

Best of luck!
posted by Ljubljana at 12:16 AM on September 4, 2008

I had the same thing or something similar - mine was eventually identified as Virantix.B.

If it's the exact same one, it's sending info back to a DSN somewhere in Bulgaria, I think it was. It's sneaky in that it downloads but doesn't start up properly until you've rebooted at some point - it exploits something in the Windows reboot mechanism to get it past some virus checkers. I believe I picked it up whilst browsing an e-work website that looked quite kosher.

However, while Stopzilla and a few other products could locate it, they couldn't totally clear it away. Every time they said it was gone, it popped back up. We managed to cripple it by blocking every address in Eastern Europe and started trying to remove it. I couldn't find anything that would kill it despite trying several options (including manual removal).

I eventually did a complete format and reinstall - close perusal of our firewall logs indicate no strange activity after numerous reboots so I can only assume it's gone.
posted by ninazer0 at 12:30 AM on September 4, 2008

Download all the latest service packs and security updates on a clean machine and burn to a CD, wipe your OS & reinstall & update offline, and try to lock it down so this doesn't happen again.
There's no way I'd trust a machine for ecommerce, online banking, email, etc. once something like this has got in, especially when you've not kept the OS anywhere near up to date.
posted by malevolent at 1:15 AM on September 4, 2008

I just had this last night!! (And spent up until 3am fixing, argh.) I used a lot of "freebie" trojan/spyware apps without success as they kept reappearing.

Here's what I did, as per Symantec's site (and yeah, I ended up popping the $40 to buy their AntiVirus software so I could ensure, for sure for sure, I could get this fixed without having to reinstall the planet. :)

1. Turn off System Restore on your computer, just until you get this resolved, since many of these trojans end up copied into the System Restore area, which virus programs aren't allowed to touch. My Computer > Properties > System Restore.

2. Get the latest updates, after you've done step 1, for the AV program.

3. Run a full system scan, ensure it's checking all files and directories.

4. Once the scan is complete and the found virii fixed, go to Symantec's site, and double-check the pages for each virus found. It usually includes directions on Registry Keys to look for, and if found, delete.

I followed the above to the letter, and have been running clean for 5 hours now. :)
posted by twiki at 5:20 AM on September 4, 2008

Ooh, and I forgot to mention, as per #1: once you're totally sure you're clean, turn System Restore back on - that's important!! :)
posted by twiki at 5:21 AM on September 4, 2008

A friend of mine had a similar problem 2 weeks ago. The most important problem was that it also redirects away from windowsupdate. I looked in the hosts file. I tried HitmanPro and sp2 & sp3 by downloading them on a different machine. I could enable the automatic download&installation of critical updates.

In the end the system was clean according to all the scanners & patched to sp3 + critical patches. One of the malware removal programs updated the hosts file with a list of the sites this malware redirects to. Windowsupdate and technical sites still redirect to the nasty sites which in turn were blocked by the hosts file.

It would have saved a lot of time if I had a Windows installation CD at hand.

Format & reinstall+update offline.
posted by Akeem at 6:05 AM on September 4, 2008

Might also want to run Spybot SD, and allow it to "immunize" your system. It will add settings to permanently block known bad hosts and IE add-ons (likely by adding them to the HOSTS file, etc.). This isn't a cure-all but it can sometimes run without being blocked by trojans, etc. and having the immunization in place reduces (but does not eliminate!) your vulnerability. Spybot SD will run from a thumb drive just fine, which is what I suggest doing.

Some kind of boot disk can be helpful. The malware on your system can't start up if you are not starting from your hard drive, where it lives. There are several boot disks out there, rescue or utility disks, that contain (usually Linux-based) desktop environments containing a number of rescue, repair and antivirus tools you can run.

And to echo what was stated above: Patch your system, immediately if not sooner. If you aren't at SP3 + IE7 + all critical updates, you're asking for trouble. Critical updates are released because a vulnerability has been found, and the malware authors know it. They make their money by exploiting these security holes. If you patch the holes, you're reducing your chance of getting hit. I'd also recommend that you install some sort of antivirus program, as I didn't see anything that looks like one in your log file (LiveUpdate is listed, but none of the Symantec/Norton AV binaries I recognize are in there - so if it's installed but inactive, do something about it). If your AV has expired or stopped working, Avast is free for home use, and gets good reviews from most people.
posted by caution live frogs at 6:26 AM on September 4, 2008

As I have posted in a few other threads, this is by far the best malware removal tutorial I've ever found. It's got some great advice, and if you follow all the steps, it should clear your problem right up.
posted by joshrholloway at 8:55 AM on September 4, 2008

I just had an experience with this "google redirect" or " hijacker" yesterday. It is not limited to interfering with Google, it also redirects Yahoo. I didn't try other search engines. I am on FF3.0; I also opened an old IE6.0 and had the problem there too (quelle surprise).

Symptoms: I noticed a terrible slowdown in Google delivering search results - more than a minute. I thought it might have been a leftover burp from Google's troubles this past weekend. But then later, I noticed something weird occurring in my status bar - instead of "waiting for Google..." I saw "waiting for ..."

After hours of scans with several malware removal tools - S&D, Malwarebytes, McAfee - I still had no luck. But when I found a great thread that explained how to remove the problem - it took about 5 minutes - and I have had no recurring problems for about 24 hours now. Really simple, even for a techno-challenged person like myself.

The fix and a good discussion can be found on this Techish.net post. A guy named Richard Kreider has kindly provided a tool to identify whether your computer is infected with c:\windows\system32\wdmaud.sys (or c:\winnt\system32\wdmaud.sys). If so, simply delete the file and restart any open web browsers. Worked for me.

He found that the little bugger was being distributed via PDF JavaScript. He's been keeping an eye on the behavior. Some of the post comments are helpful too.

I know this is an old thread, but I read it yesterday and thought this info might help someone else.
posted by madamjujujive at 2:20 PM on February 3, 2009

Thank you crapmatic! Your September 3, 2008 comment to look in c:\windows\system32\drivers\etc\hosts and make sure only the localhost entry is there (with # comments) probably saved me hours of work! I found an old backup of the hosts file and used that and the redirecting stopped. I signed up with metafilter today for $5 just so I could properly thank you for saving me so much time!

I think my install of Norton 360 and Malwarebytes removed the other trojans and viruses on my PC.
posted by jmw at 9:59 AM on August 6, 2009
