There is a new google redirect virus out- HELP!!!

OK, I admit it. I let my guard down on one of my XP boxes. Don't know, I keep the updates up to date, OS and AV (run AVG). But now, I get a redirect when I'm searching for stuff.

First time goes ok. I can view any of the results just fine.

Second and subsequent attempts to look at any results get redirect. There is a variety of sights, most of them look like advertising, but they sure aren't my desired results; about half the time, the redirect fails. There is also an icon of a blue, hand written number "2" on the redirect page.

AVG finds nothing.
Malwarebytes finds nothing.
ZoneAlarm hasn't yelled at me in a few weeks.
I can't find anything new and interesting in my registry.
I can account for every non-cache file created or modified in the past week.

It is consistant with all Google searches in Firefox, IE7 (can't go to 8, in case I have to work from home), and Opera10. In Opera, I got it to do the same thing with a yahoo search, but was unable to recreate that with the other browsers.

Anyone seen anything that fits this profile?

Bah. I need to do some research, and it's my desktop that is unwell. Doing real work on a netbook is possible but not fun

Not specific to this situation but it is usually good practice to dump your browser cache, cookies, flash cookies and any other junk files first thing. If you don't have a cleaner program get one. CCleaner usually does a good job and its free. Get the trash out and you get rid of a lot of problems if the situation isn't caused by anything too malevolent.

If that doesn't help you will need to undertake sterner steps.

Do a system restore back to a date before you had the problem.

http://support.microsoft.com/kb/306084

Has the hosts file been modified and do you see any redirects of common website names to IP address?

c:\windows\system32\drivers\etc\hosts

This is just a text file and can be opened with notepad.

Checked that- going home to 127 0 0 1.

Thanks guys- been doing IT for too long, and I'm running out of ideas. Unfortunately, my system backups have not been as frequent as they should be, but all the key stuff is stored in a external hdd that hasn't even been powered since this started.

Thought I'd gotten it, but not only is it redirecting still, I've got scvhost going nuts.

I'm going to bed. Probably missing the obvious at this point.

I had good results with combofix, where malware bytes was not able to fix some customer pc's

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Try Spybot Search & Destroy

Better yet, boot from ultimate boot cd for windows and then run spybot/avg .... from the boot cd

You also might be interested in autopatcher, makes it easier to manage the updates

IR, System Restore is a Windows function. It should be automatically turned on and working. Go to Windows Help and type in 'system restore wizard' This restore will not over-write your personal data, only system settings. I have had good luck knocking out viruses this way as a first step.

Thanks Garly.

I"ve had like 6 hours of sleep in the past two days, and was up until dawn on Saturday with someone else's computer problems. Amazing what doesn't process right when you need to defrag your head.

OK, I'm to the point I'm thinking I got a rootkit or something else deep, deep down. What every it is survived window restore points back to February.

I guess I'm on my netbook until this weekend. Hadn't planned on spending a day rebuilding a PC. Waste of a good day off.

A clean re-installation of your OS would likely clear it but it seems like a lot of trouble for a virus that is just screwing with your DNS or Host file.

Sounds like you really just need a good anti-virus program. There is even the chance you purged the bug when you cleared your cache/s and all you need to do is repair the damage.

If and when you get the system clean you might consider installing something like Spybot Search & destroy and allow it to lock your host file and system settings.

combofix can fix a number of rootkits.

First run Security Task Manager.
Quarantine anything that looks suspicious (to you, not STM).

Then run CCleaner.
Best temp file and cache cleaner out there.
Also cleans up dead registry files and lets you access the startup menu.

Then run Spybot S&D.
I've had pretty good luck killing re-directors with this.

Lastly install and use Super Anti-Spyware.
This is the free version.

I <3 Linux. Good luck w/the rebuild!