Getting Killed with Google Redirect Viruses

stsanford

Hi,
Been having a rash of Google redirects. We cannot seem to get the machines clean. Typically we will connect (our clients are remote) and run Malwarebytes, Microsoft Security Essentials and TDSSKiller to try to ferret out any spyware and/or rootkits. We're using the Sysinternals utilities as well as HijackThis to try to locate the nasties, and then we manually delete them... Lately we seem to be a step behind. Anyone have any better, or more successful, techniques?

Thanks in advance,
Scott
 
Not sure if this applies, but I came across the same redirect issues with a couple of clients. As it turns out "they" had configured the Verizon/Comcast Router to do the redirecting! It was weird that their system was working at the shop, but not at their home.
 
MBAM and SAS are pretty poor against rootkits. HJT is totally out of date.

Start using other tools and methods - checking for unsigned drivers, SFC to find altered system files, use tools like Kernel Detective to semi-manually keep track of hooks and hidden objects, Gmer does probably the best rootkit scan. Autoruns to see if they are adding scheduled tasks or other startups. Obviously check for changes to DNS, TCP/IP, sockets, proxies and so on.

D7 has plenty of useful tools to fight malware and repair settings.

So if you install Logmein on a machine and run Combofix, does it uninstall it? Can you not just reconnect to the machine after CF has done its work?
 
Thanks to all for the speedy replies!

eHousecalls.ca: Never heard of OTL, could you verify for me that's the Old Timer's List?

Yes, we've done all the obvious stuff. Reset IE, cleared cache (I actually DELETE the Temp and TEMPORARY INTERNET folder structures)

Thanks again, will have to try some of these tonight. Will be pulling an all-nighter on an important client's PC.

-Scott
 
Can't you just line it up, i.e. pop the exe on the desktop, uninstall the AV and get the customer to run Combofix and talk them through the very few questions it asks?

Might be worth giving Hitman a go
 
Read on Podnutz that there's a new rootkit which creates a small (<10 MB) partition and marks it as active, which is where the rootkit hides itself. Check Disk Management, and I'd also try Gmer to check for rootkits not related to TDSS.
 
You can always post the OTL log here and I am sure people will have a look through it for you.
 
Thanks again for all the great resources! I've downloaded the lot and am getting ready to tackle these buggers again.

Will keep you updated.

Here's a common one with the ZeroAccess rootkit: there could be a $NTUninstallxxxxx$ folder in %systemroot% that contains malware. If so, the folder has a junction point on top of it to prevent access/deletion.

If you use D7, you can easily find and delete the folder by using the NTFS Junctions function on the Malware tab to scan the Windows folder and delete the junction and the malicious code inside. You'll know it was malicious if the Delete Junction function doesn't work - but the Destroy Junction button WILL. (NOTE: Don't delete any junctions with winsxs in them, just the $NTUninstallxxxxx$ dir, where x may be some random numbers.)

Also, a lot of redirect malware now may have an associated legacy driver installed, viewable under non-plug and play drivers in Device Manager. If malware has hidden access to the non-plug and play drivers section in devman, D7 fixes this when you launch Computer Management from within D7's tool menu.

Been meaning to make a YouTube vid on ZeroAccess removal (and a few other newer ones) with D7 - just not enough time in the day...
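The two indicators described in this post (a junction sitting on top of a $NTUninstallxxxxx$ folder under %SystemRoot%, and a legacy kernel driver that is not signed) can be triaged read-only before reaching for a removal tool. The script below is an added example, not code from the thread or from D7; it assumes an elevated Windows PowerShell 5.1 prompt and only reports, never deletes.

```powershell
# Added example (not from the thread or from D7): read-only triage for the
# ZeroAccess junction trick and for unsigned legacy (non-PnP) kernel drivers.
# Assumes elevated Windows PowerShell 5.1; fsutil, Get-CimInstance and
# Get-AuthenticodeSignature are built in. Nothing here modifies the system.

function Find-SuspiciousJunctions {
    # Enumerate directories under %SystemRoot% that carry a reparse point
    # (junction, mount point or symlink). Junctions inside winsxs are normal
    # and are skipped, as the post warns. A $NTUninstall...$ name is flagged.
    Get-ChildItem -Path $env:SystemRoot -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        Where-Object { $_.FullName -notmatch '\\winsxs(\\|$)' } |
        ForEach-Object {
            # fsutil prints the reparse tag and the target; a target that cannot
            # be opened is the access/deletion block described in the post.
            $info = (fsutil reparsepoint query $_.FullName 2>&1) -join ' '
            [PSCustomObject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                Suspicious = [bool]($_.Name -match '^\$NTUninstall.*\$$')
                Reparse    = $info
            }
        }
}

function Find-UnsignedKernelDrivers {
    # Legacy drivers register as kernel-mode services. Report any whose binary
    # is missing or fails Authenticode (or catalog) signature validation.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.ServiceType -like '*Kernel*' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths the service database stores.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot', $env:SystemRoot `
                                -replace '^system32\\', "$env:SystemRoot\system32\"
            $sig = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'FileMissing' }
            if ($sig -ne 'Valid') {
                [PSCustomObject]@{ Driver = $_.Name; State = $_.State
                                   StartMode = $_.StartMode; Path = $path; Signature = $sig }
            }
        }
}

Find-SuspiciousJunctions   | Format-Table -AutoSize
Find-UnsignedKernelDrivers | Format-Table -AutoSize
```

Expect some benign hits in the driver list (third-party drivers with expired or test certificates); review each path and start mode by hand rather than acting on the list blindly.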
 

It would be great if you do a video, thanks
 