Google hijack and redirect solved and Fake antivirus software popups


rws70

Technical User
Aug 18, 2005
I am an IT Professional and I picked up a nasty virus today on my home PC. I would like to post how I removed it to help others who are not professionals.

I picked up the virus browsing the web with Internet Explorer. I knew I had a virus because a FAKE antivirus program started popping up on my screen. I am using Windows XP service pack 3.

Here is my fix:
(you will need a second computer and a USB memory key)

1. Reboot your computer and start it in SAFE MODE by hitting the F8 key during reboot. (If you need more explanation do a google on Safe Mode on the second computer).

2. In safe mode do a system restore to the nearest point prior to getting the virus. Start / All Program / Accessories / System Tools / System Restore (If you need more explanation do a google on System Restore on the second computer).

3. The system restore will reboot your system, press F8 during the reboot and this time start in Safe Mode with Networking.

4. On a second computer download Malwarebytes (free at ) to your USB key. Install Malwarebytes on your restored computer now running in safe mode for the second time, run the updates on Malwarebytes and then scan your computer. Malwarebytes will probably need to reboot, so go ahead and reboot into standard Windows XP.

In my case the Fake Antivirus was now gone. But I still had a problem. My Google searches were being hijacked and redirected to strange pages. This was caused by a rootkit virus.

To identify the rootkit I used a free tool: Kaspersky Virus Removal Tool 2010 from this link:

I started with just scanning the Disk Boot Sectors and made this change to the options:
On the main program page, click on Security Level - Custom, then Settings, Additional tab, and make sure Rootkit Scan and Deep Scan are checked.

The program found Rootkit.Win32.TDSS.d but could not delete it. On a second computer I googled that rootkit name and found a removal tool also from Kaspersky:

It ran a small command prompt window (window with a black background and white words) and rebooted my computer and that was it.

Fake Antivirus software cleaned and Google redirect removed.

Ironically I have never used a Kaspersky product before, but I am grateful and impressed with the results I received from the tools sourced by them, mentioned above.

I will definitely check into their basic PC antivirus program, as this problem slipped right past the Norton Endpoint Security antivirus I am running.

Hope this helps lots of people.
 
There is one thing I'd like to pick you up on. Many modern malware strains infect your system restore and a restore may not work. The first thing I'd do is try to remove before a system restore.

Robert Wilensky:
We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true.

 
My experience with these types of malware is they block any attempt to install many types of virus removal software. So the only choice is to go back to a time before the virus.

If your restore point has been infected too, then life is not good. Fortunately I have not encountered this problem to date.
 
In addition, I've had to use several AV boot disks; one gives a clean bill of health and another may flag up something else.

So if you think you've been infected and have cleaned it up, get a second opinion.

And I know this nasty one you had, I spent some time getting rid of it on my folks' PC.

And they only had their internet for a week...


 