Google ReDirect Rootkit Infected Computer. MSE Bypassed. How Fix?


  1. Posts : 75
    Win 7 Pro
       #1



    How do I remove the Google ReDirect Virus (Rootkit) when MSE has been disabled by it?

    My computer is infected with something. I think it's the Google ReDirect Virus, because when I try to go to websites like Trend Micro to get an online virus scanner, I can no longer get there.

    Additionally, I am getting pop-up windows from something offering to run a security scan. Sometimes the scan starts by itself. It looks something like Microsoft Security Essentials (which I have); but it is not.

    I am getting other pop-ups in bold red windows saying I have a virus; but it's not MSE; and MSE is the virus scanner I am running.

    These pop-ups are malicious, and I am being forced to click on them to close them, and I don't know what other effects that has.

    At one point I got a malicious phony full-screen ad to buy some virus removal software, and clicking on the X in the upper right corner to close the page had no effect. I had to shut down the computer to get rid of it.

    MSE seems to have completely missed this virus or rootkit and the rootkit has taken over my computer. I am typing this from a different computer.

    I did an internet search for how to remove Google ReDirect, and most of the websites advise to download and run certain applications like MalWareBytes, etc. They seem to completely miss the point that many websites are now inaccessible.
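    The two symptoms above (security vendors' sites suddenly unreachable, the antivirus no longer running) each have a short list of places on a Windows 7 machine where the cause usually sits. The script below is an added example for this thread, not code from any poster. It is read-only triage: it lists active hosts-file entries, the user's proxy/PAC and WinHTTP proxy settings, the DNS servers in use, any Image File Execution Options "Debugger" entries (which make Windows launch something else in place of a named program), and the state of the Microsoft Security Essentials service (MsMpSvc). Which of these, if any, was involved on the poster's machine is not established anywhere in the thread; the script only shows where to look. It is written for the PowerShell 2.0 that ships with Windows 7 and should be run from an elevated prompt.

```powershell
# Added example, not from the original post. Read-only triage for a
# "security sites unreachable / AV disabled" symptom on Windows 7.
# Run from an elevated PowerShell prompt. Compatible with PowerShell 2.0.

function Get-ActiveHostsEntries {
    # A clean Windows 7 hosts file contains only comment lines; any active
    # line overrides DNS for that name and is worth explaining.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts | Where-Object {
        $_.Trim() -ne '' -and -not $_.Trim().StartsWith('#')
    }
}

function Get-UserProxySettings {
    # Per-user WinINET settings used by Internet Explorer and many tools.
    # ProxyEnable=1 or a populated AutoConfigURL (PAC script) reroutes traffic.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $key | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-DnsServers {
    # DNS servers on every IP-enabled adapter; compare with what the router
    # or ISP should be handing out.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description,
            @{ Name = 'DNS'; Expression = { $_.DNSServerSearchOrder -join ', ' } }
}

function Get-IfeoDebuggers {
    # HKLM\...\Image File Execution Options\<exe>\Debugger tells Windows to
    # start <Debugger> instead of <exe>. Legitimate entries are rare on a
    # workstation; one pointing at a security tool's exe is a hijack.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) {
            New-Object PSObject -Property @{ Program = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Get-MseServiceState {
    # MsMpSvc is the Microsoft Antimalware service behind Security Essentials.
    # Expected on a healthy install: State=Running, StartMode=Auto.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MsMpSvc'"
    if ($svc) { $svc | Select-Object Name, State, StartMode }
    else      { 'MsMpSvc not installed' }
}

# Out-Host forces each result to render before the next heading is printed.
Write-Host '== Active hosts entries (expected: none) =='
Get-ActiveHostsEntries | Out-Host
Write-Host '== User proxy / PAC settings =='
Get-UserProxySettings | Out-Host
Write-Host '== WinHTTP (system-wide) proxy =='
& netsh winhttp show proxy | Out-Host
Write-Host '== DNS servers =='
Get-DnsServers | Out-Host
Write-Host '== Image File Execution Options Debugger entries =='
Get-IfeoDebuggers | Out-Host
Write-Host '== Security Essentials service =='
Get-MseServiceState | Out-Host
```

    Anything this prints that you did not configure yourself (a hosts entry for a vendor domain, a PAC URL you do not recognise, a Debugger value under a security product's exe name, MsMpSvc stopped or set to Disabled) is a lead to follow up with the offline scanning the later replies recommend, not something to clean by hand before the scan, since the scanner's log of what it found is useful evidence.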


  2. Posts : 2,963
    Windows 7 Professional SP1 64-bit
       #2

    First, disconnect the infected computer from the internet. On the computer you are currently using to write to us, download the installer for MalwareBytes. Also, follow this link to download an updater for Malwarebytes so that you can update it without an internet connection. Copy those files to a USB flash drive (or comparable removable storage device). Copy the files onto the infected computer and install them. You may have to do this in safe mode. If so, you can run Malwarebytes in safe mode, but it is best to try to run it in normal mode. Do a full scan with MalwareBytes. It should remove any malware, after which you should restart your computer. MSE should be running at that point, and if it is, run a full scan to make sure that MalwareBytes did not miss anything. If not, I, or one of our other experts, will post further instructions. Please write back to let us know the results.
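    The weak point in the "carry the tools over on a USB drive" step is that the files pass through an infected host before they run, and malware on that host can write to removable media. The script below is an added example for this thread, not code from the poster: on the clean machine it writes a SHA-256 manifest of the tool folder, and on the infected machine it re-hashes every file against that manifest before anything is executed. The folder name and the E: drive letter are assumptions. It uses .NET hashing rather than Get-FileHash so that it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the original post. SHA-256 manifest for a toolkit
# carried on removable media: build it on the clean machine, verify it on the
# infected machine before running any installer. PowerShell 2.0 compatible.

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function New-ToolkitManifest {
    # Writes "<sha256>  <filename>" per file (same layout as sha256sum).
    # Returns the number of files recorded.
    param([string]$Folder, [string]$ManifestPath)
    $manifestName = Split-Path -Path $ManifestPath -Leaf
    $lines = Get-ChildItem -Path $Folder |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne $manifestName } |
        ForEach-Object { '{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.Name }
    Set-Content -Path $ManifestPath -Value $lines -Encoding ASCII
    @($lines).Count
}

function Test-ToolkitManifest {
    # Returns $true only if every file in the manifest is present and matches.
    param([string]$Folder, [string]$ManifestPath)
    $ok = $true
    foreach ($line in Get-Content -Path $ManifestPath) {
        if ($line -notmatch '^([0-9a-f]{64})  (.+)$') { continue }
        $expected = $matches[1]
        $name     = $matches[2]
        $file     = Join-Path $Folder $name
        if (-not (Test-Path -Path $file)) {
            Write-Warning "MISSING  $name"; $ok = $false; continue
        }
        if ((Get-Sha256Hex $file) -ne $expected) {
            Write-Warning "MISMATCH $name"; $ok = $false
        } else {
            Write-Host "ok       $name"
        }
    }
    $ok
}

# On the clean machine, after copying the installer and updater to the stick
# (E:\tools is an assumed path):
#   New-ToolkitManifest -Folder 'E:\tools' -ManifestPath 'E:\tools\manifest.sha256'
#
# On the infected machine, before launching anything from the stick:
#   if (-not (Test-ToolkitManifest -Folder 'E:\tools' -ManifestPath 'E:\tools\manifest.sha256')) {
#       throw 'Toolkit on the USB drive does not match the manifest; do not run it.'
#   }
```

    Two caveats. The manifest travels on the same stick, so something that rewrites the installer can rewrite the manifest too; keep a copy of the manifest (or just its hashes) on the clean machine and compare the values printed on the infected one against it, and compare the installer's hash against the vendor's published hash or digital signature where one is available. And a verified installer only proves the file was not altered in transit; whether the scanner can run at all on a machine whose security tools are being blocked is what the later replies about scanning from outside the Windows boot environment address.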


  3. Posts : 75
    Win 7 Pro
    Thread Starter
       #3

    Hi, I did not get back to this computer for a couple of days. When I turned it on, there was no sign of the virus like before.

    I ran Malwarebytes, and then MSE, which was now available and working normally, and both indicated no virus.

    I don't know how to explain it. I've never seen a computer get so messed up and then restore itself to normal like that before.


  4. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #4

    Hi Tom,

    I would still treat this with some suspicion. I recommend scanning from outside the Windows boot environment, using a stand-alone scanner. Firstly, you mentioned rootkit, so run this:

    Anti-rootkit utility TDSSKiller

    and then follow it up with this:

    Windows Defender Offline

    If it doesn't work for you, let me know and I'll suggest an alternative.

    Regards,
    Golden


  5. Posts : 75
    Win 7 Pro
    Thread Starter
       #5

    Hi Golden,

    I ran TDSS. It found four items it labelled as Medium threats, and recommended Skipping them, but I quarantined them anyway.

    They were:

    C:\Windows\system32\epmntdrv.sys
    C:\Windows\system32\EuGdiDrv.sys
    a SiSoftware\Sandra Lite file (that's a PC benchmarking application which I downloaded but have never used)
    and Adobe\Switchboard\Switchboard.exe (I use Lightroom and Photoshop, and Flash, but I don't know what this Adobe thing is.)

    I got the mssstool64 thing working. I'm loading it onto a USB drive on the same computer that is/was potentially infected. It seems to be working but slowly.

    Before that I also ran something called the Microsoft Emergency Response tool or Microsoft Safety Scanner. I forgot to mention that above.
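    A "Medium" rating from a rootkit scanner generally means it could not vouch for the file (typically an unsigned or unknown driver), not that it identified malware, and the scanner's own advice to skip the items points the same way. The evidence that settles it is the file's signature status and signer, its hash (to compare against what the vendor publishes), and whether a kernel-driver service actually loads it. The script below is an added example for this thread, not code from the poster or from TDSSKiller; it produces that report for the two explicit paths the poster listed. The SiSoftware and Adobe items are given in the post as folders rather than exact paths, so they are left out rather than guessed. Because the poster already quarantined the files, the script also reports a path that is no longer present.

```powershell
# Added example, not from the original post. Triage for files a rootkit
# scanner flagged: existence, SHA-256, Authenticode status and signer, and
# any kernel-driver service that references the file. Run elevated.

$flagged = @(
    'C:\Windows\system32\epmntdrv.sys',
    'C:\Windows\system32\EuGdiDrv.sys'
)

# Every registered kernel driver with the image path it loads.
$drivers = Get-WmiObject -Class Win32_SystemDriver

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) {
            # Already quarantined/removed; nothing on disk to examine.
            New-Object PSObject -Property @{ Path = $path; Present = $false }
            continue
        }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $leaf = [System.IO.Path]::GetFileName($path)

        # Get-FileHash exists from PowerShell 4.0; older hosts skip the hash.
        if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        } else {
            $hash = '(Get-FileHash unavailable on this PowerShell version)'
        }

        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        else                        { $signer = '(none)' }

        # Driver services whose image path ends in this file name.
        $svc = $drivers | Where-Object { $_.PathName -and $_.PathName -like "*\$leaf" }
        if ($svc) {
            $driverInfo = ($svc | ForEach-Object {
                '{0} [{1}/{2}]' -f $_.Name, $_.State, $_.StartMode }) -join '; '
        } else {
            $driverInfo = '(no driver service references this file)'
        }

        New-Object PSObject -Property @{
            Path      = $path
            Present   = $true
            Sha256    = $hash
            SigStatus = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer    = $signer
            Driver    = $driverInfo
        }
    }
}

Get-FlaggedFileReport -Paths $flagged |
    Format-List Path, Present, Sha256, SigStatus, Signer, Driver
```

    How to read it: a driver that is Running with a Valid signature from a vendor you installed, and a hash that matches that vendor's download, is what the scanner's "skip" recommendation anticipates. HashMismatch (the file was changed after signing) or a running driver with no signature at all deserves more attention; on 64-bit Windows 7 the kernel refuses to load an unsigned driver unless signature enforcement has been turned off or defeated, so an unsigned driver that is nevertheless Running is itself a finding on x64. One caveat for the NotSigned case: Windows-supplied drivers are often signed through a catalog (.cat) file rather than an embedded signature, and older PowerShell versions only see embedded signatures, so NotSigned for a file that ships with Windows is not conclusive on its own.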


  6. bej
    Posts : 326
    Windows 7 Home Pro SP1 64bit
       #6

    I also have got several "You Have A Virus" warnings after clicking on an entry from Google search.

    I never click anything within the warning to close these messages.

    Right-clicking on the taskbar, then running Task Manager, then Applications, highlighting the browser or website, then End Task works in the great majority of cases.

    I have, however, had to power down as you did, to get rid of the message in a couple of hard core cases.

    I immediately ran a virus check, and so far, have come up clean after all incidents.
    Last edited by bej; 19 Jul 2012 at 09:43.


 
