Google redirect problem - help?

Jaeger

Master Sage
Mar 2, 2008
14,339
81
48
#1
Every time I try to perform a Google search, I get redirected to some page called webplains. It's really annoying and I can't Google the answer as, well, it just redirects me. Help?
 

keefy

Supreme Veteran
Nov 18, 2007
19,031
261
83
The Sock Gap
#4
Yes and so is malwarebytes

http://www.malwarebytes.org/

Might be your hosts file is edited due to spyware/malware

Windows 7/Vista/XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
 
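Added example, not from the thread: a Python check for the hosts-file tampering suggested in the post above. It flags entries that point a search-engine name at an address other than loopback or null; the watch list and the sample hosts content are constructed assumptions.

```python
import ipaddress
import sys

# Assumption: brand labels worth watching; extend for your environment.
WATCHED_LABELS = {"google", "bing", "yahoo"}

# Constructed sample hosts content (documentation-range addresses).
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com   # constructed redirect entry
203.0.113.7     www.google.co.uk
0.0.0.0         ads.example.net
198.51.100.9    intranet.example.org
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname) for every entry that maps a watched
    search-engine name to a non-loopback, non-null address."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = entry.split()
        if len(fields) < 2:                       # blank or incomplete line
            continue
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                              # not an address, skip it
        if addr.is_loopback or addr.is_unspecified:
            continue                              # local or ad-blocking entry
        for name in names:
            host = name.lower().rstrip(".")
            if WATCHED_LABELS & set(host.split(".")):
                findings.append((line_no, ip, host))
    return findings

if __name__ == "__main__":
    # Pass the path to the hosts file in the ETC directory listed above,
    # or run without arguments to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    for line_no, ip, host in audit_hosts(content):
        print(f"line {line_no}: {host} -> {ip}")
```

A clean result only rules out this one mechanism; as later posts in the thread note, other files on the system can rewrite the hosts file or redirect searches by other means.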

Jaeger

Master Sage
Mar 2, 2008
14,339
81
48
#5
Problem sorted. I used AVG to check my disk for anything, came back negative. I then ran MalwareBytes which picked up 11 errors - deleted all the corrupted files but it didn't work. So I ran CCleaner which didn't help. I then got recommended AVG PC Tuner. I did a full scan and it's not working fine and I've recovered 4.5GB of disk space.
 

keefy

Supreme Veteran
Nov 18, 2007
19,031
261
83
The Sock Gap
#6
Use adblock and noscript to block unwanted rogue ads. Seen a few people complain about them on this site in the past, yet I never got those warnings because they were blocked.
 

Jaeger

Master Sage
Mar 2, 2008
14,339
81
48
#7
And so the problem returns. It really is fucking annoying, I'm thinking of doing a system restore - would that do anything?
 

MavSkipper

Dedicated Member
Dec 11, 2005
1,104
7
38
38
teh UKz
msmav.blogspot.com
#8
Have the same problem with the 2 PCs at work. Admin there is pretty much useless and doesn't bother to fix it.

Anyways, I've never really had that problem with my own PC. Believe it or not, I do use MS Security Essentials/Windows Defender.
Give "Spybot Search & Destroy" a go, works great... at least with my bro's PC. I do use it every now and then though if I notice something strange happening with my PC that Windows Defender doesn't catch. :)
 

Fijiandoce

Administrator
Staff member
Oct 8, 2007
7,012
788
113
#9
i found these on the interwebs, i would advise reading all the quotes coz apparently doing it this way is somewhat tricky.
the second one sounds like what you've got, but like i say, i'd read them all

The following are only some of the malware removal forums that you might consider. During times like this, where there are very sneaky and resistant forms of malware circulating, you may have to wait a few days to get any assistance.

In some forums, if you get impatient and bump your thread (creating a response) you may be overlooked because the helpers will assume that someone else is helping you and move on to the next person.

Be sure you follow the forum directions for where to post and what kind of information to provide them with.

Malware Removal Forums

www.bleepingcomputer.com/forums/index.php?

www.dslreports.com/forum/cleanup

www.geekstogo.com/forum/forums.html

http://gladiator-antivirus.com/forum/index.php?

www.lavasoftsupport.com/index.php?act=idx >>>> (Ad-aware)

http://www.malwarebytes.org/forums/ >>>>> Malwarebytes Anti-malware

http://forums.spybot.info/ >>>>> (Spybot Search & Destroy)

www.spywareinfoforum.com/index.php?

www.techsupportforum.com/

http://forums.majorgeeks.com/forumdisplay.php?f=35

Alright, if the hosts fix didn't work, then this one is sure to do the trick! My redirect virus/malware ended up coming back after a few reboots. So my search for the solution went on and I found a magical little program called ComboFix. Go to this website and download it (ONLY download from bleepingcomputer.com -- it may be a virus if you find it anywhere else!): http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the simple instructions on that website and you'll be in good shape in about 20 minutes. I had run AdAware, SpyBot, MalwareBytes, HijackThis, CWShredder, HouseCall, AVG, etc. and none of them could find/remove any of these files. Or if they did find them, they would pretend to delete them but then they'd come right back. This ComboFix program is a DOS-looking window that works like magic -- it looks for "rootkit" activity that apparently the others don't even consider. In about 20 minutes, it deleted a "MoneyBooster" malware toolbar that had snuck onto my machine, detected/repaired my corrupted atapi.sys file, and deleted a bunch of other mutated files in my Windows folder that were viruses. I am officially now virus-free after several reboots.


Here's all the stuff this program deleted according to my logfile:



Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p






Good luck to you all! Hope you enjoy the same success. It's such a burden off my shoulders after fighting this thing non-stop for 2 straight days.

Glad to hear that you are once again in the clear. While cleaning the Hosts file is sometimes fully successful, often, as you discovered, there are other files on the system that either modify the Hosts file again, or function in other ways to continue causing problems.

However, I would like to caution others though, to carefully read the Introduction to the ComboFix documentation on the BleepingComputer site.
www.bleepingcomputer.com/combofix/how-to-use-combofix
You should not run ComboFix unless you are specifically asked to by a helper

ComboFix is a powerful tool used on many Malware Removal Forums, which is why we tend to direct users to such forums when the going gets tough. The volunteers there have the necessary training to guide others in the use of this tool, as well as others. In the hands of the untrained/inexperienced these tools can render your system useless. Of course, many of you consider your systems to be useless, at this point anyway, but they may still be salvageable in the hands of someone with the experience to work through the issues.

Even though I would discourage others from using ComboFix (unsupervised), your experience (and success) with it should be confirmation to others that there is merit in our trying to get people to try a malware removal forum for these more challenging infections.
http://www.google.com/support/forum/p/Web Search/thread?tid=6df7e15519290612&hl=en
 

Cuguy

Elite Sage
Mar 9, 2007
11,637
124
63
48
www.psu.com
#11
Combofix is awesome.. however, there are a couple versions of the redirect virus that can't be fixed using that tool, and require direct manipulation of the registry. Those SUCK. Had to cleanse 3 of the computers here at work doing that last year. Funny though, since going to Win 7 here and at home, we haven't had to deal with it.