239 replies to this topic

[Dawnrstevens1983]

Ok so I recently got a virus of some sort that only on Firefox redirected all of my Google searches to a site the address was www.mysearchpoint.com, I fallowed your instructions minus the OTC cause I used HijackThis to find my report on this. I already have Avast, Spybot, and Malwarebytes which did NOT pic up the virus. It did find other Trojans and Malware though. It attached itself to my host files which I had a friend who is a computer tech. find for me and he had to remove the host files completely for me. I also downloaded the Kaspersky virus removal tool and it also found other Trojans and viruses but did not get rid of this redirecting host file virus. This is the report that HijackThis gave me hope it helps you guys.....

[Essexboy]

Please start your own topic in the malware forum if you wish to be assisted

[Dawnrstevens1983]

I have fixed my issues I just wanted to make you guys aware of the virus since none of the virus or malware removers are picking it up at all..I was just hoping to put the work out for all the people that report these things to the virus data base if you need me to I can post one with what I had gotten back from HijackThis program???

[Essexboy]

Hijackthis will not show this particular malware as it does not look deep enough, plus no automated tool will clear the host file as there are too many variables - it does need to be done manually

[Dawnrstevens1983]

yes i had a friend talk me through it he's a puter tech. if you like I can still go put OTC findings up I did run it before fixing... and will post for you???

[brookecat]

Thank you!!! I had Rootkit.Win32.TDSS.tdl4 and, after following your steps, everything is so far so good!

Thank you again!

Brooke

[Richardatf]

Hello, I am following this thread in an attempt to fix google redirects. Here is my OTM results page.
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Owner\My Documents\Downloads\cmd.bat deleted successfully.
C:\Documents and Settings\Owner\My Documents\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Bundle

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: Documents and Settings

User: LocalService
->Temp folder emptied: 2041306 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 1977560 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 51407940 bytes
->Temporary Internet Files folder emptied: 15961913 bytes
->FireFox cache emptied: 89880531 bytes
->Flash cache emptied: 5042 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7373425 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 10506 bytes

Total Files Cleaned = 161.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.17.2 log created on 03242011_223245

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\~DF63B1.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\startupCache\startupCache.4.little moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\k4irpqgh.default\XUL.mfl moved successfully.
File C:\WINDOWS\temp\ZLT05587.TMP not found!

Registry entries deleted on Reboot...


I hope I am doing this right, I will continue following these instructions, and will check back on this site tomorrow. Thank you so much in advance for your help

[m8dman]

This didn't fix the problem. Started a thread in the malware forum.

[DianaM]

Great and easy to follow guide to fix my google redirects! Quick question- is it necessary to remove OTM or should I keep it? I still have to remove Click GiftLoad so I'm off to open a thread in another forum here..
Many thanks
Diana

[ibergGTG]

I wanted to add my thanks for posting these instructions. It appears to have worked. The only difference for me was that I had to run everything in SAFE mode because I could not get OTM.exe to run in regular Windows XP. After the fact it occurred to me to try running it in Win98 compatibility mode and that got it to appear on the screen correctly but by then I had done everything in SAFE mode.

Thanks again.

[Blottedisk]

Great and easy to follow guide to fix my google redirects! Quick question- is it necessary to remove OTM or should I keep it? I still have to remove Click GiftLoad so I'm off to open a thread in another forum here..
Many thanks
Diana

Hi Diana,

You can remove OTM.exe. If the helper needs to run this tool in your machine, he will have you download an updated version (it's a small download -- 500 KB).

Regarding Click.Giftload, this infection comes often bundled with the TDSS rootkit/backdoor, so I would suggest you to ask for help in this matter as soon as possible.

[john_]

sorry, double post please delete this one

Edited by john_, 01 April 2011 - 01:40 PM.

[john_]

If I'm allowed, by submitting the suspicious URLs to virustotal.com, the suspicious URLs will be automatically forwarded to security companies.

Many thanks for these instructions, I never heard before of OTM, I think is time to check it out .

[cluelessmare]

Thank you Rohrshach112!!!! I am a complete idiot when it comes to anything but turning on my computer. I ended up with that stupid Redirect virus and followed your instructions easily to get rid of it. You are a lifesaver!!!!!

[Carl Tyler]

Sweet Jesus on a roller coaster. Eleven pages dedicated to just this topic.

People who program this kind of malicious software should be hunted down and shot like the animals they are (that goes for ALL people who program viruses, malware, spyware, etc.)

Well, here's my story.

I stupidly tried loading something someone I trusted sent to me (WinRAR update program) and my antivirus (SUPERAntiSpyware) warned me against loading it - but since he loaded it, I figured that my spyware program was just buggy.

That was March 9, 2011.

Google searches would work once or twice, and then redirect me to sites like "Ask to Friends." The same went for AltaVista.

DOGPILE was a search engine that it did not effect.

I tried what has been recommended here and nothing worked.

I also ran Malwarebytes, Ad Aware, CWShredder, Spybot Search and Destroy, Spyware Blaster, Spyware Terminator and none of them worked.

I had previously purchased Spotmau Powersuite 2010 (last year) and had loaded that on my system back then.

I looked through some of the things that it did (today), and under "TuneUp Kit" was "Customization."

The first choice there was "IE Repair" and figured I'd give that a try.

I chose "Solution 2: Deep Repair" and ran that.

It worked, and took all of 10 seconds.

What a maroon - I had the answer to the problem all along and didn't realize it.

I would start a new thread on this - but it says I can't (sorry).