Discussion on:

36
Comments

2 Votes
Haven't met this myself, but on the Firefox help forum it was reported that removing the add-on "Printing Helper 2.5" cured the problem. The user who discovered this didn't recall installing the add-on; I'd look for any add-on that doesn't belong, since the malware creator could easily change the name of the fake add-on.

Firefox has an option "Restart with Add-ons Disabled"; it's under Help. Always try this as a diagnostic step; you may only need to remove an add-on to fix a problem.
"Some people are ghosters and some people are fighters, I happen to be both." I'm curious to see if anyone else battles viruses/malware/etc. anymore. Our machines don't store anything on them and run a Citrix type of environment. If someone gets a virus, we either run the virus scan and Malwarebytes if we believe that is the easy fix, or ghost the machine. The ghosting takes ten minutes and the virus scan takes 30-45 minutes. We find that ghosting is easier. What does everyone else do?
I had a very similar redirect virus and I went through all the things you have mentioned above. Scan with this, check with that... The solution I found to the problem was to just Reset Firefox back to default settings. Mozilla has a walkthrough at http://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems, or you can access it by typing about:support in your Firefox address bar. There is a button that says Reset Firefox, as well as a lot of system information in case you just like looking at stats.
0 Votes
Working in the public sector, my workstations (25) are exposed to all kinds of malware. The only solution that I've found works is "DeepFreeze" enterprise version. No matter what the client users do on our system, their activities and files are tossed out when they are logged off, leaving the PCs' OS and files pristine and malware free.
I have always found Trend Micro Titanium Internet Security 2012 to be very effective in removing these types of threats. The good thing about this is that they give you a free trial that is fully functional and will remove the threats if you just need to resolve the issue. After my stress with getting rid of a trojan that none of the other programs were able to clean, I installed Trend and never looked back. No regrets.
Another option is to download and use their HouseCall program to assist in removing the pest.
0 Votes
Errr.....
Gisabun 3rd Jan
Except some malware will block you from running an AV product or updating.
I will normally spend about 30 minutes trying to get rid of the infection. If that fails, I resort to using Active Kill Disk to wipe the hard drive (to ensure EVERYTHING is gone) then I re-image it. That is of course after I remove whatever data is needed from the machine. You cannot beat re-imaging as long as you have a current image. I create a new image file (using Norton Ghost) every couple of weeks.
0 Votes
Until you find that your images are most likely infected too. That happened to me recently. I could not get rid of a persistent infection that kept showing up no matter what tool I used to try and remove it. In the end, I decided to restore from my most recent image. All seemed fine until it wasn't. That image was also infected. Same for the prior image to that (I always keep two revisions of Ghost Image sets around).

In the end, I couldn't trust my system so I reinstalled everything. On the plus side, I now have way more free space on my C: drive because I didn't reinstall everything that I had previously installed.
0 Votes
Wow!
Gisabun 3rd Jan
Norton Ghost?
Reminds me of a seminar I went to and the speaker said "who uses Ghost" and very few lifted their hands. It's a dead product. Symantec barely supports it - if they still do.
0 Votes
LSP
brian@... Updated - 3rd Jan
This sounds like the old "corrupted stack" thing we dealt with years ago. Did you try LSPfix?

http://www.bleepingcomputer.com/tutorials/using-lsp-fix-to-remove-spyware/
Run netsh winsock reset catalog at the command line.
The Google redirect virus may not be the deadliest, but it is undoubtedly the most annoying one because of the way it redirects search results. Another major highlight of this infection is that no security software can claim 100% protection against it. The viral code has gone through a lot of changes periodically, making it difficult for any security software to give a final fix.

Check the link, which explains the manual removal of the Google redirect virus. The troubleshooting steps are a bit technical, but there is a step-by-step video which makes the job easier.
http://atechjourney.com/google-redirect-virus-remove-manually.html/

Good Luck
0 Votes
Did you try setting the suspect sites to 127.0.0.1 in your "hosts" file?
0 Votes
no need uninstall !
trog7 Updated - 8th Jan
DO NOT uninstall Firefox.
In the browser URL window
type in about:config
and hit Enter.
If you have not been here already, it will give a warning page. Agree to it to proceed.
Then in the search window, type in the word SEARCH.
It will then display all the related protocols to do with search parameters.
Now, on EVERY LINE in the window, right-click and select RESET.
- Could be 20 to 30 lines or more to do with search - you MUST RESET ALL lines.
Once you have done that, close the tab, and close Firefox.
Click on Start, RUN, then in the window type the word DRIVERS and hit Enter.
This will take you to the "C:\Windows\System32\drivers" folder.
Click on the "etc" folder and look for the HOSTS file. This file should display as about 1KB in size - some infected files can be quite large.
Right-click on the hosts file and select Open With, and then select WordPad [or Notepad].
It will display MS copyright info and some info on the hosts file ... a healthy hosts file looks like this:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost

and should not contain anything more.

If there are any other entries,
e.g. 105.76.83.90 advert.buyers.com
delete them, and save the file.

Open Firefox again. Select TOOLS - Options.
Go to the GENERAL tab and check the home page - for the moment type in
about:blank
and apply.
This gives a blank window when the browser starts.
Select the ADVANCED tab, then Network, and check for proxy settings.
[ Sometimes a proxy jump is inserted here! ]
Unless you know the proxy for your ISP, select NO Proxy.
Then clear out the internet cache and the offline cache.
Then go back to Tools and select Add-ons, and remove any browser helpers and add-on toolbars - especially Babylon bar, Ask bar and Google bar, etc.
[ These are NOT needed anyway!!! They just waste internet bandwidth and memory - and some, like the Babylon toolbar, are malware! ]
Once you have done all that, close the browser.
Go to Control Panel - Internet Options
and clear all the caching there - and also check the Internet Explorer home page as well.
Restart the computer.
Load the browser and do a search - Firefox has the handy search window at the top right - and see if it still redirects.
Once it looks clear - if you want, you can now re-establish your original browser home page.
PS
Go to Control Panel - Add/Remove Programs
and make sure to uninstall the helper bars from there as well ... ... ...

PPS
In case you cannot see the hosts file:
Go to Start - RUN - then in that window type CONTROL FOLDERS and hit Enter.
This opens Folder Options.
Go to View.
Make sure to select "Show hidden files".
Un-tick the next couple of HIDE options, especially the system files - this will display a warning - say OK to this and hit Apply ... ... ...
Then try looking at the HOSTS file - as this MAY be where the redirects are hidden - so it is pointless trying to reinstall the browser if this has been altered.

ALSO: for Google Chrome and MSIE browsers a similar path is needed to rid the redirects - IF your computer has the problem, go to another one to do a search for "Internet Explorer Google re-direct" or "Google browser hi-jack", ETC.

PPPS
For a more thorough process go to:
http://atechjourney.com/google-redirect-virus-remove-manually.html/
[ I see someone else has also referenced this link ;^) ]
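The hosts-file check in the post above (and the earlier reply about pointing suspect sites at 127.0.0.1) can be done by a script instead of by eye. The following is an added example, not code from the thread: it parses a hosts file the way the resolver does and reports every mapping that is not the stock localhost entry. The sample file is constructed from the healthy file quoted above plus two planted lines.

```python
"""Audit a Windows-style hosts file for mappings beyond the stock defaults.

Added example, not from the thread. It reads the file the way the resolver
does (one mapping per line, '#' starts a comment, any run of spaces or tabs
separates the fields) and reports every mapping that is not the default
loopback 'localhost' entry, which is what the post above has you do by eye.
"""
import ipaddress

# The only mappings a stock Windows hosts file carries (quoted in the post).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the healthy file quoted above plus two planted lines,
# the second one deliberately using a tab and a trailing comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
::1 localhost
105.76.83.90 advert.buyers.com
105.76.83.90\twww.google.com  search.yahoo.com   # planted redirect
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()  # any run of spaces/tabs separates the fields
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower()


def audit_hosts(text):
    """Return the (line_no, ip, hostname) mappings that are not defaults.

    A clean file returns []. Anything else is either a deliberate local
    override or, as in the thread, a search-engine redirect planted by malware.
    """
    return [entry for entry in parse_hosts(text)
            if (entry[1], entry[2]) not in DEFAULT_ENTRIES]


def classify(entry):
    """Label a non-default entry: 'sinkholed' if it points at loopback (the
    blocking trick another reply mentions), 'redirect' if it points at some
    other address, 'malformed' if the first field is not an IP address."""
    _, ip, _ = entry
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "sinkholed" if addr.is_loopback else "redirect"


if __name__ == "__main__":
    for entry in audit_hosts(SAMPLE_HOSTS):
        line_no, ip, host = entry
        print(f"line {line_no}: {ip} -> {host} [{classify(entry)}]")
```

To run it against a real machine, read C:\Windows\System32\drivers\etc\hosts into a string and pass it to audit_hosts; an empty result means the file carries nothing beyond the defaults, and a 'redirect' entry for a search-engine hostname is exactly the symptom the thread describes.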
1 Vote
Troubleshooting Steps
gechurch Updated - 8th Jan
I'm surprised the author tried so many steps - it must have taken ages to resolve the issue. I admire his persistence and documentation of what he found, but others have already posted some good (and often very quick/simple) troubleshooting steps that may have resolved the issue much faster.

I used to work at a nan and pop computer store and dealt with virus infections all day long. I remember the first time I saw TDSS - it stumped me for a few hours. It was about that time that I changed strategy. It seems stupid to me to run rootkit scanners. Trying to check for infections on a machine where the infection already has control just seems like a bad way of handling the situation. We just made it a rule to pull the hard drive, plug it into another machine as slave and run virus scanners from there. We did this for any machine where we suspected a virus was a possibility. Since we didn't have to fix the machines Right Now, we would stop work 20 minutes before the end of the day to look at the PCs on the To Do shelf and would set them up and leave them scanning overnight. This worked wonders. By the morning the scans had run, and half the time the job was complete without needing to do any more work.

As others have mentioned, if you're in a corporate environment then reimaging the machine is probably a good idea. It feels like a cheap/defeatist thing to do and it isn't as rewarding as tracking down the problem, but it sure is fast and effective.
0 Votes
Agree (now) that it is futile running a scanner on the system while under control of the infection. Have a look at rescue/boot disks if you don't have access to another computer.
In using the above laid-out procedure, wherein the disk is removed and scanned outside the installed OS, almost invariably it has been my experience that doing what you describe hoses the OS. Perhaps 1 out of 10 has proven to rid the system of infection without destroying essential system files.
I only bring this up as a matter of curiosity due to so many suggestions in using this procedure. So, my thoughts are, "Why does this continue to be suggested? Is it old news for older malware variants? Perhaps a case of one's choice in utilities used?" Either way, in this day and time I find it to be an unacceptable procedure as opposed to backing up user data and reinstallation of the OS and user apps (which incidentally I find to be a major P.I.T.A.).
Today, and indeed since its arrival on the scene, if Malwarebytes and/or Combofix and occasionally HiJackThis fail to fix the issue, I generally move on to what I call the Answer To Everything or ATE procedure. By this time I usually have a little less than an hour in troubleshooting the matter and can accomplish the ATE process within enough time to avoid pricing myself out of business.
Just saying, for one whose livelihood depends on this (Outside of the Corporate Environment where the ability to direct choices of hardware/OS/Application plays a major role in choosing to use an image) it seems to me to be a fruitless endeavor.
Also, please do not misunderstand my post as an invitation to flame. I am always up for suggestions and seeking new avenues to efficiently achieve the same goals.

Edited to note, +1 on TDSS issue though. This is one I spent a good deal of time on myself. Sometimes, though it costs you time which in turn equates to money, you just don't want to give in to the bastids (malware coders).
1 Vote
Yeah
gechurch 9th Jan
Now that you mention it, that did happen occasionally. For me it was more like 1 time out of ten that the system wouldn't boot. Perhaps the scanners I was using (Kaspersky, NOD32 and Malwarebytes) did a better job than some others, perhaps viruses were less destructive back then, or perhaps I was just lucky.

It was about 4 years ago I stopped doing this type of work, and the vast majority of machines I worked on were Windows XP. This meant if the machine didn't boot I just had to run a repair install. This was generally pretty quick, and was pretty much guaranteed to get the machine working again.

As you would know, Windows Vista and 7 (and I presume 8) removed the ability to do a repair install (unless the OS already boots). I do recall booting from MS DaRT CDs for these OSes and running SFC, and also having tried copying the missing files in place while the drive was a slave. I had some success with these techniques on Vista/7, but it was nowhere near as foolproof as a repair install on XP was.

Even so, I would still advocate removing the drive and scanning it as a slave. Sometimes it will remove the virus and the job will be mostly done, and in the times when it leaves the machine non-bootable then you know it's time to do a fresh install (without having wasted time running other tools in the infected machine).

I agree with your comments re being fast about deciding whether to format and reload or not. It's very easy to get trapped into thinking the next change you make or tool you run will fix the problem. Then suddenly you've spent 4 hours on the machine and need to format & reload anyway. I didn't want us to become a shop that formats and reloads every machine we saw, and there's always the problem that when you reload the machine will never be the same as it was before. There are always programs that the user no longer has the installer for, or customisations the user made that you can't get back, or passwords that the computer remembered but the user no longer does. So I would spend longer than it sometimes warranted trying to fix the issue without reformatting. I found over time that I got much better at knowing the registry entries and folders that malware typically infects, and I was able to fix more and more machines quickly and without needing a reformat. (This worked for TDSS - it took me 4 hours to figure it out initially, but I saw it 20 more times in the next few weeks and was able to fix it in 10 minutes and without reformatting). This also kept me sane (problem-solving is fun, reformatting is boring). But from a cost point-of-view, I have to agree that formatting early and often is a good strategy.

I developed a few programs and processes to speed up the format and reload process, and to record and restore things like passwords and settings. If you're interested I can give you a rundown, and copies of what I have. Email me - gareth@it_resourc_ing.com.au (remove the underscores).
I have the exact same problem on my laptop (IE, Firefox, Chrome with the same redirect) but only at home and not at work. I suspected my home wireless router but there were no problems. Interestingly, since I run 64-bit Windows 7, only the 32-bit version of IE is affected and not the 64-bit. Also ran TDSSKiller and ComboFix as well as a bunch of malware detectors and everything came up clean. Any thoughts?
0 Votes
See below
0 Votes
Sometimes I find it necessary to use this to rid the system of unwanted files that load. Basically, I remove everything that is not from a recognized Vendor of my installed apps.
One last noteworthy suggestion is in the observation that these types of issues can often be due to the use of "FunWebProducts" or the "MyWebSearch" variants. I imagine there are enough droves of totally ignorant users of these products whose opposition to them being included in the Malwarebytes removal process has warranted the coders of MBAM to remove them from their list of default products to be cleaned. You now must go into Settings/Scanner Settings of MBAM to make them be selected in the list of things to remove. This can prove to be easy to overlook, and on some systems a major PITA to select the sheer numbers of them.
Generally, in the case of REDIRECTS I check Internet Options to make sure it hasn't been changed to use a proxy, check the hosts file for suspicious entries, use HijackThis to remove suspicious entries and finally, if necessary, reset the IP/Winsock stacks/catalogs through the command line. If there is a particularly problematic issue with the Winsock, while HijackThis will not remove it, it will at the very least report its presence.
0 Votes
maybe
hillelana 8th Jan
maybe try Superantispyware free.
It's found things Malwarebytes hasn't
(the reverse also happens)
0 Votes
I've just finished battling a similar virus on Dad's laptop. I worked through a similar list to the author and had to persist, because it takes a while to (manually) rebuild that machine.

I was interested that the redirect infected both Bing and Google on IE, Firefox and Chrome.

Eventually got it with the AVG Rescue CD

http://www.avg.com/us-en/avg-rescue-cd
As a symptom this has been around for years, but, as the author points out, this variant is incredibly resistant to virus checkers. I had this for about a month and fiddled sporadically with virus checkers of various sorts and nothing suspicious flagged up. Eventually I found a DLL manually in C:\Windows\System32 with a "date modified" of 2008 but a "date created" of 2012. I renamed it (it was wmpns.dll) and to date I've not experienced any more problems. wmpns is the name of a legitimate Windows Media Player applet, but as I never use Media Player, and other sites say it can be used as a threat filename, I would be curious if you find a similar file.
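The clue in the post above, a file whose modified date is years older than its created date, can be swept for across a whole folder. The following is an added example, not code from the thread: it walks a directory and reports every file whose creation (or change) time is later than its modification time, which is what a file copied or timestamp-edited onto a system looks like. The demo tree it builds is constructed; the file name wmpns.dll is taken from the post, and the contents are dummy bytes.

```python
"""Flag files whose 'date created' is later than their 'date modified'.

Added example, not from the thread. The post above found a DLL with a
modified date of 2008 but a created date of 2012: a file that was copied or
timestamp-edited onto the system, not one that had sat there since 2008.
This walks a folder and reports every file showing that inversion.

Caveat: os.stat().st_ctime is the creation time on Windows only. On Linux
and macOS it is the inode change time, so there the check is only an
approximation, though it still fires for a file whose mtime was pushed into
the past after it was written.
"""
import os
import tempfile
import time


def created_after_modified(path, slack_seconds=60):
    """True if the file's creation/change time is later than its
    modification time by more than slack_seconds (an ordinary save or copy
    leaves the two within a few seconds of each other)."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > slack_seconds


def find_timestamp_inversions(root, slack_seconds=60):
    """Return the sorted relative paths under root with inverted timestamps."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if created_after_modified(full, slack_seconds):
                    hits.append(os.path.relpath(full, root))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


def build_demo_dir():
    """Constructed sample tree: one file whose mtime is pushed back to 2008
    (so its creation/change time, 'now', is years later) and one ordinary file.
    Returns the temporary directory's path."""
    root = tempfile.mkdtemp(prefix="ts_demo_")
    planted = os.path.join(root, "wmpns.dll")  # name from the post; dummy contents
    with open(planted, "wb") as fh:
        fh.write(b"not a real dll")
    year_2008 = time.mktime((2008, 6, 1, 12, 0, 0, 0, 0, -1))
    os.utime(planted, (year_2008, year_2008))  # sets atime/mtime; ctime stays 'now'
    normal = os.path.join(root, "normal.dll")
    with open(normal, "wb") as fh:
        fh.write(b"also dummy")
    return root


if __name__ == "__main__":
    demo_root = build_demo_dir()
    for rel in find_timestamp_inversions(demo_root):
        print("timestamp inversion:", os.path.join(demo_root, rel))
```

On a real machine, point find_timestamp_inversions at C:\Windows\System32 (it takes a while) and review the hits by hand: a legitimate update can also leave a newer created date, so the list is a shortlist for inspection, not a verdict.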
This problem was driving me nuts for almost a month now. Imagine considering yourself tech savvy, working for an IT dept., and there is nothing you can do to get rid of this infection. Forget all the antivirus, antispyware and antimalware software that I tried. I can just go on and on naming them. After a lot of research, yesterday I was finally victorious, thanks to the genius solution provided by Anup Raman. This guy surely knows what he is doing and did a good job in explaining.

The problem was narrowed down to 4DW4R3c.dll, a DLL file inside system32. This was only possible because I tried his method of checking ntbtlog. I have never heard of or seen anyone using ntbtlog for fixing rootkit issues. Not even once have I heard of anyone using this method on any website. The steps he mentioned are right to the point and the video he created is so user friendly that anybody should be able to follow. No wonder he got so many likes on YouTube. Most probably I might do a presentation on this topic in my IT dept.

This is the link for reference: http://atechjourney.com/google-redirect-virus-remove-manually.html/ . Highly recommended.
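The boot-log method the reply above credits comes down to comparing what loaded at boot against what should have. The following is an added example, not code from the thread or from the linked article: it parses two ntbtlog.txt-style logs and reports modules loaded only on the suspect machine, plus baseline modules that failed to load there. The line format it expects, "Loaded driver <path>" and "Did not load driver <path>", is an assumption about the log layout; both logs below are constructed samples, and avdriver.sys and oldscsi.sys are made-up names.

```python
"""Compare a boot log (ntbtlog.txt) against one from a known-clean machine.

Added example, not from the thread. Windows writes ntbtlog.txt when you boot
with logging enabled; the reply above credits that log with exposing a DLL
the scanners missed. This parser assumes the log's lines read
'Loaded driver <path>' or 'Did not load driver <path>' (an assumption; adjust
LINE if your log differs) and reports which modules appear only in the
suspect log and which baseline modules failed to load there: the two signals
a planted module and a disabled AV driver produce. Both logs are constructed.
"""
import re

LINE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$",
                  re.IGNORECASE)

# Constructed baseline from a clean machine (avdriver.sys / oldscsi.sys are
# made-up names).
BASELINE_LOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\tcpip.sys
Loaded driver \SystemRoot\system32\drivers\avdriver.sys
Did not load driver \SystemRoot\system32\drivers\oldscsi.sys
"""

# Constructed suspect log: one extra module (the DLL named in the reply
# above) and the AV driver no longer loading.
SUSPECT_LOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\4DW4R3c.dll
Loaded driver \SystemRoot\system32\drivers\tcpip.sys
Did not load driver \SystemRoot\system32\drivers\avdriver.sys
Did not load driver \SystemRoot\system32\drivers\oldscsi.sys
"""


def parse_boot_log(text):
    """Return {module_path: 'loaded' | 'not loaded'}, paths lower-cased so
    the comparison is case-insensitive like the Windows file system."""
    modules = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header, blank or unrecognised line
        status, path = m.group(1).lower(), m.group(2).lower()
        modules[path] = "loaded" if status == "loaded driver" else "not loaded"
    return modules


def compare_boot_logs(baseline_text, suspect_text):
    """Return (new_loaded, lost): modules loaded on the suspect machine that
    the baseline never lists, and baseline-loaded modules the suspect machine
    did not load or no longer lists."""
    base = parse_boot_log(baseline_text)
    sus = parse_boot_log(suspect_text)
    new_loaded = sorted(p for p, s in sus.items()
                        if s == "loaded" and p not in base)
    lost = sorted(p for p, s in base.items()
                  if s == "loaded" and sus.get(p) != "loaded")
    return new_loaded, lost


if __name__ == "__main__":
    added, missing = compare_boot_logs(BASELINE_LOG, SUSPECT_LOG)
    for path in added:
        print("loaded only on suspect machine:", path)
    for path in missing:
        print("baseline module not loaded on suspect machine:", path)
```

A baseline from the same Windows build and driver set is what makes the diff meaningful; across different machines the "new" list fills with legitimate hardware drivers and the signal is lost.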