Google Redirects

PhoKingGuy

Hey guys, I've got MSE installed on my Win7 Pro desktop and I got this nasty trojan (tibs.jl) somehow the other day (on Facebook I think).

I found a guide online and deleted all of the offending files and ran MSE twice and it was clean. Now about 50% of my Google searches redirect to some crap websites that have nothing to do with what I'm looking for.

I guess I could reformat if I have to but I really would rather not if at all possible. Thanks guys, let me know what info you need and I'll follow up asap.
 

Coxa

Had the same problem for 2 months. Tried Spybot Search & Destroy, Malwarebytes, AVG, Ad-Aware, ComboFix and nothing helped. Then I tried Hitman Pro 3.5 and it went away. After Hitman Pro 3.5 I also tried TDSSKiller from Kaspersky and that came up empty.
 

PhoKingGuy

Thanks guys, AMDHUnters killer tool and a combination of Hitman Pro and Malwarebytes killed it.
 

RebateMonger

Always check the hosts file.
Most AV software will not catch additions to it.
I posted elsewhere on these forums my recent experience with a similar problem. In that case, the DNS and Hosts files were fine. But a web Proxy Server was running on the PC and the browser's "LAN Connection" settings had been set to use that Proxy Server. The Proxy apparently lets searches to Bing and Google get through and return correct results, but when you click on those results, the Proxy sends you elsewhere.
 

Ken90630

I'd also run Microsoft's OneCareLive cleanup scanner too and fix the registry errors that almost certainly remain (pretty much all malware screws up the registry royally). I'd also run sfc /scannow from a command prompt to see if any .dll files got overwritten by the malware (again, malware does this all the time). Even if the PC seems fine, it probably isn't. Tip: Put your Windows CD in the optical drive right before you run the sfc, 'cuz if/when it finds damaged files, it will fix them right then & there from the CD. I've removed a lot of malware from infected PCs and always find a corrupted registry and almost always find damaged Windows system files even after cleaning or quarantining the infection.

As you know, the best thing after ANY malware infection nowadays is a reformat & fresh install, but if you don't wanna go to those lengths, cleaning up the registry and checking the system files after disinfection is the closest thing. Good luck.
 

Ken90630

> I posted elsewhere on these forums my recent experience with a similar problem. In that case, the DNS and Hosts files were fine. But a web Proxy Server was running on the PC and the browser's "LAN Connection" settings had been set to use that Proxy Server. The Proxy apparently lets searches to Bing and Google get through and return correct results, but when you click on those results, the Proxy sends you elsewhere.

I'm curious: So how did you discover the presence of the proxy server, and how did you get rid of it?
 

RebateMonger

> I'm curious: So how did you discover the presence of the proxy server, and how did you get rid of it?

I don't recall. I didn't catch it at first, but on a second look I may have either seen somebody else reporting on rogue proxy servers or it may have just occurred to me that a proxy server was a perfect explanation why searches would return valid results but clicking on the search results would go to the wrong sites. Once you look for it, the presence of a Proxy server is obvious because you'll see the settings in I.E. or Firefox in the "Connections" settings.

With the last PC where I saw this, I could temporarily disable the bad searches by unclicking the Proxy Server settings in I.E. or Firefox. Also, I found that terminating a couple of unknown processes in Task Manager found one that turned off the internal Proxy Server.

I didn't actually "remove" this malware because the owner wanted an excuse to move to Win7 anyway. She made full data backups and we simply installed Win7 on her OS partition.

I don't particularly enjoy trying to remove malware, so I was relieved to find an easy way out. We'd already done a Windows XP System Restore back to several weeks earlier. That'd gotten rid of everything else but the search redirections remained.

After installing base Win7 and some minimal software, we made a Win7 System Image backup so we can quickly get her system back when she gets hit again.

Ken90630

> I don't recall. I didn't catch it at first, but on a second look I may have either seen somebody else reporting on rogue proxy servers or it may have just occurred to me that a proxy server was a perfect explanation why searches would return valid results but clicking on the search results would go to the wrong sites. Once you look for it, the presence of a Proxy server is obvious because you'll see the settings in I.E. or Firefox in the "Connections" settings.
>
> With the last PC where I saw this, I could temporarily disable the bad searches by unclicking the Proxy Server settings in I.E. or Firefox. Also, I found that terminating a couple of unknown processes in Task Manager found one that turned off the internal Proxy Server.
>
> I didn't actually "remove" this malware because the owner wanted an excuse to move to Win7 anyway. She made full data backups and we simply installed Win7 on her OS partition.
>
> I don't particularly enjoy trying to remove malware, so I was relieved to find an easy way out. We'd already done a Windows XP System Restore back to several weeks earlier. That'd gotten rid of everything else but the search redirections remained.
>
> After installing base Win7 and some minimal software, we made a Win7 System Image backup so we can quickly get her system back when she gets hit again.

That's interesting. I'm glad you mentioned it, because if I ever run across a similar sitch, I'll know where to look first.

Did you by any chance run HijackThis! before doing the Win 7 install? I just wonder if it would have detected the proxy server process running (thus confirming your suspicion).

I'm with you re trying to remove malware. Nowadays, it's a nightmare. And I keep coming across machines infected with rootkits that don't get detected on the native machine's virus/spyware scan. I have to remove the HD, hook it up to my machine, and scan it that way. Then the rootkit gets detected. Whenever I encounter an infected machine (often), I always recommend a documents backup followed by a reformat & fresh Windows installation. It takes several hours, but it's really the only sure fix.

I always recommend doing an image backup immediately afterward too.
What do you use as an imaging app? I use Acronis True Image, but if you know of a free one that's effective, clue me in.
 

RebateMonger

> Did you by any chance run HijackThis! before doing the Win 7 install? I just wonder if it would have detected the proxy server process running (thus confirming your suspicion).

There's no question that, in this case, a Proxy Server was running inside the PC. I.E.'s Connection Properties was pointing to a Proxy Server at 127.0.0.1 (the localhost).

Some "Internet Security" software will do the same thing, pre-screening web requests by passing them through an internal web proxy server before sending out web requests.

On a "production basis", the backup software I use includes:

Windows Home Server
NTBackup (XP, 2003)
Windows 7's built-in imaging backup
Server 2008's built-in imaging backup
BackupAssist (which adds extra capabilities to Windows' built-in backup software)
StorageCraft's ShadowProtect Server

Occasionally I'll use CloneZilla for a low-level backup/clone.
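
The two checks recommended in this thread (the proxy entry in I.E.'s connection settings and the hosts file) can be read in one pass. This is an added example, not something posted by any participant; it assumes the proxy was set per user in the standard Internet Settings registry key and only reads, changing nothing.

```powershell
# Added example (read-only): inspect the two places this thread says to look.

# 1. Per-user proxy setting, the one shown in I.E.'s "LAN settings" dialog.
$key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $key
$enabled = ($inet.ProxyEnable -eq 1)
$server  = [string]$inet.ProxyServer   # "host:port" or "http=host:port;https=host:port"
Write-Output "Proxy enabled: $enabled   server: '$server'   PAC: '$($inet.AutoConfigURL)'"

if ($enabled -and $server) {
    foreach ($entry in ($server -split ';')) {
        # Pull host and port out of each entry; skip anything that is not host:port.
        if ($entry -match '(?<h>[^=/:]+):(?<p>\d+)$') {
            $proxyHost = $Matches['h']
            $port      = $Matches['p']
            # Only a proxy on this machine itself (127.x.x.x / localhost) is followed up.
            if ($proxyHost -match '^(127\.|localhost$)') {
                Write-Output "Proxy points at this PC ($proxyHost port $port). Listening process:"
                # netstat columns: Proto, Local Address, Foreign Address, State, PID.
                # Listening IPv4 sockets show 0.0.0.0:0 as the foreign address.
                netstat -ano -p tcp | ForEach-Object {
                    $f = $_.Trim() -split '\s+'
                    if ($f.Count -ge 5 -and $f[2] -eq '0.0.0.0:0' -and
                        $f[1] -match (':{0}$' -f $port)) { [int]$f[4] }
                } | Sort-Object -Unique | ForEach-Object {
                    Get-Process -Id $_ -ErrorAction SilentlyContinue |
                        Select-Object Id, ProcessName, Path
                }
            }
        }
    }
}

# 2. Active (non-comment, non-blank) hosts-file entries.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
    ForEach-Object { "hosts entry: $($_.Trim())" }
```

Firefox can hold its own manual proxy setting, which this registry check does not read. The Path column may be empty unless the script is run from an elevated prompt.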
 