Norton Security Suite Won't Detect/Fix Google Redirect Virus

Note to admin: PLEASE DO NOT MERGE THIS POST WITH ANOTHER THREAD

I believe my computer has what I think is a redirect virus (the first click on Google search results often gets redirected, with both Chrome and IE). Any assistance on how to go about removing it would be appreciated.

I'm running the Norton Security Suite (Version 5.2.0.13) with updated definitions and Norton will not detect any problems. I've read that I should not run other tools without expert advice/direction, so I'm looking for advice before proceeding with other solutions.

I'm running Windows 7 Home Premium / SP1 / 64-bit.

[Edit: Clarified the subject]

I see your other post stating you are running Microsoft... Microsoft what?? Essentials.

Quads

Hi Brett,

Please scan your computer with Norton Power Eraser.

For more info, check the following link: https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=v48495311_EndUserProfile_en_us&lg=english&ct=united+states&product=home&version=1&pvid=f-home

Let me know once you have done the scan with that.

Regards,

Sagar

I had also run the Microsoft Windows Malicious Software Removal Tool (KB890830) x64. It also detected nothing.

Ok, I downloaded and ran Norton Power Eraser. It reported "Scan Complete, No Risks Found". The redirects are still there, often to the "happili" website.

I have had the same experiences...nothing seems to work.

This did not work for me although someone else I know was successful with this tool.

Had the same problem, w/ happili. Norton Power Eraser scrubbed the culprit and I'm happilly browsing without re-direct.

Thanks for the tip Sugar_S

c

I'll try Norton Eraser again at some point. But I just downloaded Google Chrome and the problem seems to have gone away.

I am no longer on this thread as others are helping and NPE was used.

Found malware that causes this redirect, infected my PC, ran NPE; afterwards Windows 7 would not load properly, hahahaha. Used Avenger to swap things around.

Bye

Quads

Don't use Norton Power Eraser on this redirect group, like the

Happili redirect

There is a combo of malware that causes this. The system is infected with the Smart HDD FakeAV / Fake HDD as well as ZeroAccess and Boot.Pihar, for starters.

c:\programdata\isecurity.exe
c:\programdata\VHkntEBmFPbgYo
c:\programdata\VHkntEBmFPbgYo.exe
c:\programdata\wtteGLkxtw.exe
c:\users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\{521AEED3-63C5-4CE7-9199-EC60827D72DF}.xps
c:\users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6DC81DEA-EDEF-4A5E-8E3A-1911F1E0DB8B}.xps
c:\users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F0DBED69-1AE8-40FA-BD12-2221C3DFC332}.xps
c:\users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F73BC61D-932D-4E50-8856-2FBB0CE354F0}.xps
c:\users\[user]\AppData\Roaming\Adobe\Adobe\vmvsz.dll
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\svchost.exe
c:\windows\system32\consrv.dll Do NOT Remove (subsystems) registry fixing required first.
c:\windows\system32\drivers\etc\lmhosts
c:\windows\System64
c:\programdata\Microsoft\Windows\DRM\67C2.tmp
c:\programdata\Microsoft\Windows\DRM\67E3.tmp
\Device\Harddisk0\DR0\#
\Device\Harddisk0\DR0
\Device\Harddisk0\DR0\TDLFS\ph.dll
\Device\Harddisk0\DR0\TDLFS\phx.dll
\Device\Harddisk0\DR0\TDLFS\sub.dll
\Device\Harddisk0\DR0\TDLFS\subx.dll
\Device\Harddisk0\DR0\TDLFS\phd
\Device\Harddisk0\DR0\TDLFS\phdx
\Device\Harddisk0\DR0\TDLFS\phs
\Device\Harddisk0\DR0\TDLFS\phdata
\Device\Harddisk0\DR0\TDLFS\phld
\Device\Harddisk0\DR0\TDLFS\phln
\Device\Harddisk0\DR0\TDLFS\phlx
\Device\Harddisk0\DR0\TDLFS\phm
c:\programdata\Microsoft\Windows\DRM
c:\programdata\Microsoft\Windows\DRM\blackbox.bin
c:\programdata\Microsoft\Windows\DRM\drmstore.hds
c:\programdata\Microsoft\Windows\DRM\v3ks.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.sec
c:\users\[user]\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\windows\assembly\temp\U
c:\windows\assembly\temp\U\00000001.@
c:\windows\assembly\temp\U\00000002.@
c:\windows\assembly\temp\U\00000004.@
c:\windows\assembly\temp\U\000000c0.@
c:\windows\assembly\temp\U\000000cb.@
c:\windows\assembly\temp\U\000000cf.@
c:\windows\assembly\temp\U\80000000.@
c:\windows\assembly\temp\U\80000004.@
c:\windows\assembly\temp\U\80000032.@
c:\windows\assembly\temp\U\80000064.@
c:\windows\assembly\temp\U\800000c0.@
c:\windows\assembly\temp\U\800000cb.@
c:\windows\assembly\temp\U\800000cf.@

That is why malware removal crews state things like:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

If NPE removes rootkit files belonging to ZeroAccess (especially the x64 .dll) or Pihar (boot sector), Windows doesn't load or you are screwed.

Quads
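Added example (not Quads' code, not a Symantec tool, and not part of the original thread): a read-only PowerShell inventory of the indicators in the list above, so that someone helping from logs can see what is actually present before deciding what to remove. It only reports; it deletes and modifies nothing, because (as the post warns) deleting consrv.dll or the boot-sector component blindly leaves Windows unbootable. The registry check relies on the known ZeroAccess x64 behaviour of rewriting the Win32 subsystem string so that csrss loads "consrv:" instead of "winsrv:"; that string is why the DLL must not be removed before the value is repaired. Assumptions: Windows is on C:, the script runs from an elevated prompt, and the PowerShell is the 2.0 that ships with Windows 7. The TDLFS entries are not checked (they sit in a hidden rootkit file system that Test-Path cannot see), and the DRM store and Temporary Internet Files entries are left out because those names are not specific enough to flag; a hit on any remaining path is a flag for a human, not a verdict, since some (an lmhosts file, for instance) can also exist on a clean system.

```powershell
# Added example: read-only check for the indicators listed in the post above.
# Reports only; never deletes or modifies anything. PowerShell 2.0 compatible.
# Assumes Windows on C: and an elevated prompt.
# Not checked: \Device\Harddisk0\DR0\TDLFS\* (hidden rootkit FS, not visible to Test-Path).

$ErrorActionPreference = 'SilentlyContinue'

# Fixed locations taken from the list above.
$fixedPaths = @(
    'C:\ProgramData\isecurity.exe',
    'C:\ProgramData\VHkntEBmFPbgYo',
    'C:\ProgramData\VHkntEBmFPbgYo.exe',
    'C:\ProgramData\wtteGLkxtw.exe',
    'C:\Windows\assembly\GAC_32\Desktop.ini',
    'C:\Windows\assembly\GAC_64\Desktop.ini',
    'C:\Windows\assembly\temp\@',
    'C:\Windows\assembly\temp\cfg.ini',
    'C:\Windows\assembly\temp\U',
    'C:\Windows\svchost.exe',
    'C:\Windows\System32\consrv.dll',
    'C:\Windows\System64',
    'C:\Windows\System32\drivers\etc\lmhosts'
)

# Per-profile locations; the [user] placeholder is expanded for every profile.
$perUserPaths = @(
    'AppData\Roaming\Adobe\Adobe\vmvsz.dll',
    'AppData\Local\Temp\1.tmp\F_IN_BOX.dll'
)

$hits = @()

foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { $hits += $p }
}

# PowerShell 2.0 has no -Directory switch, so filter on PSIsContainer.
foreach ($userDir in (Get-ChildItem 'C:\Users' | Where-Object { $_.PSIsContainer })) {
    foreach ($rel in $perUserPaths) {
        $p = Join-Path $userDir.FullName $rel
        if (Test-Path -LiteralPath $p) { $hits += $p }
    }
}

# The numbered *.@ files under assembly\temp\U are the x64 ZeroAccess module
# store; list whatever is there rather than hard-coding the names from the post.
$uDir = 'C:\Windows\assembly\temp\U'
if (Test-Path -LiteralPath $uDir) {
    Get-ChildItem -LiteralPath $uDir -Force |
        Where-Object { $_.Name -like '*.@' } |
        ForEach-Object { $hits += $_.FullName }
}

# consrv.dll is only loaded because the infection rewrites the subsystem string
# (normally "ServerDll=winsrv:ConServerDllInitialization,2") to point at "consrv:".
# Deleting the DLL while that string still references it is what breaks the boot,
# so only read the value here and leave the repair to someone working from logs.
$subsysKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windowsValue = (Get-ItemProperty -Path $subsysKey).Windows
$subsysHijacked = ($windowsValue -match 'consrv:')

"--- Indicator files present ---"
if ($hits.Count -eq 0) { "none of the listed paths found" } else { $hits }

"--- SubSystems\Windows value ---"
$windowsValue
if ($subsysHijacked) {
    "WARNING: subsystem string references consrv: - do NOT delete consrv.dll before this value is repaired"
} else {
    "subsystem string does not reference consrv:"
}
```

Paste the output into the help thread rather than acting on it; the point of the script is to replace "what did NPE remove?? Can't remember" with a record of what was on the box before anything was touched.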

Quads,

I was following the instructions from Sagar (Symantec Employee).

It appears running Norton Power Eraser (NPE) corrects the problem for some situations; for others, things go very wrong as you have described above.

For me, NPE did not appear to cause any problems; it also did not find/remove the virus.

Any suggestions on where I should go from here would be greatly appreciated (I will follow your directions exactly).

Thank you,

Brett

Another user has jumped in and told users to use Norton Power Eraser (or other more dangerous programs) without logging or knowing what is causing the problem, so as to know that it won't cause Windows problems.

I have had to pull PCs out of the fire after using these tools, and Symantec Tech Support can't fix it. I have fixed these problems, as have other malware removal guys (and girls). I have warned and warned about the problems of just running NPE, FixZeroAccess, FixTDSS etc.

Two examples:

http://community.norton.com/t5/Norton-360/I-need-help-getting-my-Sony-Vaio-to-reboot-after-running-power/m-p/676583#M68273

http://community.norton.com/t5/Norton-360/Need-help-getting-computer-to-boot-after-using-Power-Eraser/m-p/672775#M67928

For that reason I am now not going to attempt it with logs and scripting; let the Symantec Employee do so.

Quads

Good to know that your issue is fixed.

Happy browsing!!!

This message is for Cannibal713 :-)

Brett, I am checking for other alternative solutions for helping you.

Regards,

Sagar

Ok, the Google re-directs seem to have stopped.

The following are the things that I did:

1) Ran Norton Security Suite with latest definitions (I don't believe this fixed anything)

2) Ran Norton Power Eraser (download instructions found in post above) - This may have fixed the issue for IE but not for Chrome (only tested Chrome at this point and the problem was still there).

3) Deleted Java cache (click the Windows icon, type "Java" in the search box, click on the "Java (32-bit)" application under Control Panel, click "Settings" under the Temporary Internet Files section, click "Delete Files", click OK). At this point, IE no longer had re-direct issues, but Chrome still did.

4) Uninstalled and re-installed Chrome. Chrome now seems to be ok also.

I'll wait for a few days to see if it comes back before I mark this issue/thread as solved.

A few comments:

*The symptoms of this virus (i.e. happili redirects) seem to be caused by a number of different viruses, and the different viruses require different solutions. What worked for me may or may not work for you.

*The Jedi Virus Slayer known as Quads has wisely advised users to use extreme caution in running programs such as NPE, ComboFix, TDSSKiller, etc., because depending on the type of infection you have, you may "brick" your computer (i.e. it won't boot) and that is a challenge to fix.

*Best approach may be to get help from individuals who will instruct you on how to do specific scans of your system that generate logs which, when properly interpreted, will point to the appropriate actions to take.

*In my experience, looking for quick solutions for this Virus/Malware/Trojan/Rootkit (not sure of the right name) via Google searches did not yield very useful results (results were often confusing, conflicting, less than satisfying).

*A good place to start is places like this forum or other forums such as Bleeping Computer; once you place a post, you may want to wait for several replies on recommendations to try before you try anything (you may get conflicting advice).

Some wise words in there Brett! :smileywink:

Dave.

Brett, you got that right.

It is a lot easier to remove fully running malware on an intact Windows (the user states Norton or Malwarebytes can't remove or detect xxxxx)

than when a user uses advanced tools like NPE, rootkit removal tools, ComboFix, OTL, FRST... especially when asked, what did NPE remove?? Can't remember.

People like myself infect our systems with these tougher malware groups, sometimes letting it do what it wants for like 1 hour, then I work out ways to remove the infection without bricking Windows. Everything from Ramnit / Virut through to TDL2, 3, 4, ZeroAccess, Pihar and its variants.

Here is an example of someone who thought he was smart or got the wrong advice, but he basically ripped his system apart:

http://www.bleepingcomputer.com/forums/topic451274.html

Quads

And here is one after the use of TDSSKiller (like NPE and other tools).

http://www.bleepingcomputer.com/forums/topic451265.html   Trying to fix the screw up.

The partition information is broken.

Quads