Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

How to fix Google Redirects

- - - - -

  • Please log in to reply
239 replies to this topic

#1
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Note: Your installed Security/Protection software may warn that anything advised to be downloaded in this tutorial is a potential threat.

This is not the case and will be what is known as a False Positive detection and not a cause for concern and or may be due to the malware present for example.

How to fix Google Redirects, aka Win32/Olmarik, Rootkit.Win32.TDSS.u, Win32/Alureon.F, Backdoor.Tidserv!.inf

This infection hijacks your browsers to divert search engines to malware sites. Another symptom is getting the error message "DCOM server protocol launcher server terminated". It is important that you do not try fix this infection manually, or to let your anti-virus program do it, as it can result in an unbootable machine if removed badly. This guide is designed to remove the infection easily and effectively, with no side-effects.


Lets get onto removing the infection now.



Step 1 : Safety precautions


Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference.


Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Step 2 : The fix



Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image


The infection should hopefully be removed after these steps. If this is not the case, please go to the Virus Removal forum here and follow the steps in this thread here


If this guide fixes your machine, then please read my guide on how to prevent malware and about safe computing here


Regards

GeeksToGo Team

Edited by Dakeyras, 19 August 2012 - 07:33 AM.
Added False Positive detection information.

  • 5

Advertisements


#2
jobywonkanobi

jobywonkanobi

    New Member

  • Member
  • Pip
  • 5 posts
three questions: 1.im also getting the error message plug and play terminated then my computer restarts will this also fix this? 2. I run on vista is this a problem? and 3. Do you know where this infection originated from and if so is there any way to prevent it from reinfecting my computer?
  • 0

#3
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
1) I don't know, its possible
2) No
3) Impossible to say, peer-to-peer programs are usually responsible.
  • 0

#4
KarstenH

KarstenH

    Member

  • Member
  • PipPipPip
  • 382 posts
[bleep] man, I like that info, thanks Rorschach112
  • 0

#5
jobywonkanobi

jobywonkanobi

    New Member

  • Member
  • Pip
  • 5 posts
i tried running erundt it wouldn't work and the system restore gets an error but when i try to continue it just says creating restore point but won't finish

EDIT: disregard previous comment i ran tdsskiller so far no redirects and no restarts thanks rorshach112

Edited by jobywonkanobi, 07 February 2010 - 03:15 AM.

  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Glad to hear it went ok, you can skip the ERUNT and SysRestorePoint steps, they aren't essential
  • 0

#7
tenney56

tenney56

    New Member

  • Member
  • Pip
  • 1 posts
:)
Have been searching for several days to stop this increasing bad redirect and at least got my machine running again. Have been running the machine for 5 years now and in like 15 maybe 20 or more years now never had a virus or trojan.

Well tonite after a lot of cleaning I noticed in my history file a site I had not
gone to..... oridianpcc.com which i went to with the command line that was in
the history file and low and behold It redirected what I was trying to go to a few minutes before. Hint Clear you history file and you will have only a few items to look at.

I then googled the redirect and oridianpcc and found geeks to go and it appears on
the first try the malware is gone :) ;)

How can oridianpcc stay on line with it obivious a increasing part of world knows of their malware contribution.

My lessons learned are : Be very carefull of peer to peer
Look at everything carefully when something goes wrong
Do not curse Google or Microsoft :)
Do not waste time loading "free to download" I did that more
than a few times and wasted time and a few dollars.
Thank the person above that people who support users on Geekstogo for their efforts and time.

Thank you again :) :) :)
  • 1

#8
Bourne Again

Bourne Again

    New Member

  • Member
  • Pip
  • 1 posts
Used this guide after AVG 9.0 Free started detecting "Vundo.KA" but could not heal (said it did but still in there after reboot: csrss.exe, svchost.exe, explorer.exe, iexplore.exe, memory_001a0000, memory_00270000). :)

Was having Google search redirects to random websites but not anymore, tdsskiller found rootkit in atapi.sys (which kept me from re-installing Windows XP before I found this website). Now, AVG scans clean- problem fixed! :)

Thanks for solving a big headache- apparently whatever I had was something fairly new... Possibly caught it off Facebook (app)? Not sure, but I had been trying to fix for weeks before AVG finally caught it while Spybot, Ad-Aware, SuperAntiSpyware, MAM, SpywareBlaster, and others did not catch.

KUDOS, Geekstogo :)
  • 0

#9
Coach Al

Coach Al

    New Member

  • Member
  • Pip
  • 1 posts
Thanks so much I have been trying for weeks to get this situation handled I now have no more restarts and no redirects. You are the best.:) Is there any way to make your solution the top result in all search engines. I did not do the registry and restore portion. Is it possible I will have some other problem?
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
For the search engine thing, I will ask the main admin here as I have no idea about that sort of thing.


The ERUNT and SysRestorePoint steps aren't essential, they are just a backup of your system settings in case something goes wrong, which is always a possibility with malware removal. I would do those steps now, its always good to have proper backups at hand.
  • 0

Advertisements


#11
jsta6

jsta6

    New Member

  • Member
  • Pip
  • 1 posts
I had vundo.ka and alureon.ct and I was getting the redirects when searching for sites on yahoo / google.
When I ran the TDSSKiller, it didn't find anything???
but I am not getting the redirects anymore???
is that normal?
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No

Something else may have removed it, possibly your anti-virus program


If you aren't having any issues, then I would keep an eye on it for a day or two, and if you need to go and post in the Virus Removal forum
  • 0

#13
admin

admin

    Founder Geek

  • Administrator
  • 24,540 posts

Is there any way to make your solution the top result in all search engines.

There's not a lot we can do, but it is a fairly democratic process. There are a number of metrics that Google uses. Among the most important is inbound links. Not a lot of people have websites of their own, but they more frequently have pages on a social network. So if you've found this post helpful you could post a link on your Facebook / Twitter page, or bookmark sharing sites like Digg, Rededit, etc.
  • 1

#14
The Topper

The Topper

    New Member

  • Member
  • Pip
  • 1 posts
Thank you. As of right now my computer is finally running normal again. This was very quick and very easy. No more redirects or other annoying things. I hope it stays this way, but as of right now, everything is good.
  • 0

#15
Voland

Voland

    Member

  • Member
  • PipPip
  • 66 posts
I would like to know why this isn't detectable by hardly anything. Also if I know a website that is intentionally distributing some or all of these specific nasties how do I report that site? Or add it to a database so that browsers will auto block it?
  • 0




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.