7889 Views 14 Replies Latest reply: Sep 30, 2011 9:51 AM by Hayton
kimn Newcomer 1 posts since
Aug 28, 2011

Aug 28, 2011 5:46 PM

SiteAdvisor Source of Google Redirect Virus?

For the last 3 or 4 weeks, I have had a problem when I use Google search in Internet Explorer.  When I clicked on a link from a search results page, I was invariably taken to a different (but related) website.  So, for example, if I would try to go to a Wikipedia page in the search results, I would find myself directed to a newspaper website article about the same topic.  I tried to solve this problem by using Malwarebytes, with no success.  Then I disabled SiteAdvisor, which worked for a bit.  Then the problem came back.  Finally, I uninstalled McAfee entirely from my computer.  The Google redirect problem was immediately solved.  Now my Google searches work perfectly and are not hijacked.  I reinstalled McAfee, but left out the SiteAdvisor and things are working great so far.  I'm no expert, but it appears that a Google redirect virus has somehow infected McAfee, particularly the SiteAdvisor component.  Has this happened to anyone else?

  • laomao Newcomer 21 posts since
    Sep 21, 2011
    1. Sep 21, 2011 7:55 PM (in response to kimn)
    Re: SiteAdvisor Source of Google Redirect Virus?

    Hi,

    I got this same Google redirect virus today. I tried to use my McAfee Total Protection to scan the hard disk and found 4 files were affected. McAfee auto-removed those files. But the virus was there. I used Malwarebytes to scan and found the virus in regedit /HOME_CLASSES_ROOT/.fsharproj. After Malwarebytes removed the virus, everything ran fine. But after reboot, the virus came back again. Does anyone know how to remove this virus? Thanks.

  • Hayton Volunteer Moderator 4,602 posts since
    Sep 27, 2010
    2. Sep 22, 2011 5:30 AM (in response to laomao)
    Re: SiteAdvisor Source of Google Redirect Virus?

    Can you make a note of the names and locations of the files which are being detected and quarantined by McAfee, and also of the name of any virus, trojan, PUP or other malware that is being detected by McAfee or Malwarebytes, and post them here?


    Volunteer Moderator  Leeds, UK
    No PM's please
  • NotBuyingIt Apprentice 86 posts since
    Jun 8, 2010
    3. Sep 22, 2011 8:52 AM (in response to Hayton)
    Re: SiteAdvisor Source of Google Redirect Virus?

    @Hayton, I wonder if these incidents are related or purely coincidental

     

    https://community.mcafee.com/message/207632#207632

  • laomao Newcomer 21 posts since
    Sep 21, 2011
    4. Sep 22, 2011 12:16 PM (in response to Hayton)
    Re: SiteAdvisor Source of Google Redirect Virus?

    Hi Hayton,

    I have figured out the virus file -- explorerwin32.dll. Those files detected and quarantined by McAfee were not related to this Google redirect virus. Although I tried to use McAfee and Norton to scan my whole system, both could not detect this virus. I used Malwarebytes to scan my system and it could report the virus in regedit,

    HKEY_CLASSES_ROOT\.fsharproj

    HKEY_LOCAL_MACHINE\SOFTWARE\Class\.fsharproj

    Malwarebytes could remove these settings from the registry, but after every reboot these settings would come back automatically, until I installed UnHackMe and used it to scan my PC. It did find this virus file -- explorerwin32.dll. After I removed it, my browser worked fine.

  • Hayton Volunteer Moderator 4,602 posts since
    Sep 27, 2010
    5. Sep 22, 2011 3:30 PM (in response to laomao)
    Re: SiteAdvisor Source of Google Redirect Virus?

    The only other place I've seen explorerwin32.dll mentioned is on baidu.com, in a post from 2008. That post mentioned a virus called Novarg B - which is also known as MyDoom. That's a known virus and McAfee will detect it.

     

    The .fsharproj entries in your registry would seem to be from a Trojan infection. If the registry entries reappear you may have a rootkit infection, and in that case you will need to ask for assistance from one of the specialist forums.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • laomao Newcomer 21 posts since
    Sep 21, 2011
    6. Sep 22, 2011 5:33 PM (in response to Hayton)
    Re: SiteAdvisor Source of Google Redirect Virus?

    Hi Hayton,

    Although I fixed the Google redirect issue after I removed explorerwin32.dll, I got another issue in Google search when using Firefox. When I opened google.com in Firefox (3.6.22), moved the mouse to the search frame and clicked it, the background color of the search frame changed from white to light blue. After that, the words which I filled in (I think they may be light blue too) were not displayed. But I could see them after I highlighted them. I clicked the search button, and google.com gave feedback based on what I filled in.

    I opened IE8 on the same PC, and it had the same issue. But the words which I filled in were displayed in black, so I could see them. I opened another PC of mine, and it did not have such an issue when I searched for something through google.com; the frame background color was white.

    Do you know whether this was still caused by some virus because I did not fully remove them? Thank you.

  • Hayton Volunteer Moderator 4,602 posts since
    Sep 27, 2010
    7. Sep 22, 2011 10:30 PM (in response to laomao)
    Re: SiteAdvisor Source of Google Redirect Virus?

    I don't know what caused the colour in the search frame to change to light blue. If it were only Firefox I would have said check the browser settings, but it happens in IE as well? Strange. Check to see whether you have any new add-ons or Browser Helper Objects. Resetting the browser options to default settings is possible in IE, and perhaps possible in Firefox. I've never had to do it, so I don't know if it will cure the problem.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • laomao Newcomer 21 posts since
    Sep 21, 2011
    8. Sep 26, 2011 12:56 PM (in response to Hayton)
    Re: SiteAdvisor Source of Google Redirect Virus?

    Thank you for your reply, Hayton.

    Yesterday my McAfee suddenly reported it detected one virus file -- DirectxTrayTray.dll. It was under \All Users\Application Data\. I did scan this suspected file with McAfee and Norton when I found the explorerwin32.dll under \username\Local Setting\Application Data\Microsoft\Internet Explorer. Both anti-virus software did not report anything.

    Now the browser search frame issue was gone. Thanks.

  • Hayton Volunteer Moderator 4,602 posts since
    Sep 27, 2010
    9. Sep 26, 2011 1:23 PM (in response to laomao)
    Re: SiteAdvisor Source of Google Redirect Virus?

    Now I have the name of that dll I know what this is. It's a Trojan, recently detected by McAfee.

     

    See http://home.mcafee.com/virusinfo/virusprofile.aspx?key=591601#none for the details.

     

    Possibly the McAfee scan did not completely remove it. The removal instructions are as follows -

    Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

    1. Disable System Restore.

    2. Update to current engine and DAT files for detection and removal.

    3. Run a complete system scan.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

    Message was edited by: Hayton on 26/09/11 19:23:22 IST

    Volunteer Moderator  Leeds, UK
    No PM's please