Malware Fighting Fun – IE-AV

Have spent a full day this week tracking down and getting rid of some crap one of my users got while watching videos online.  I wanted to document where I found help for this as it may help others and I don’t want to forget what I did.

The problem was that every time my user (let’s call him John) went to the internet... he could get a site, but if he tried to click on a second link, he was directed to a bogus website that told him he needed to install the ie-av program. John had Norton, so I ran that and it found nothing out of the ordinary, so I then did a quick install of Ad-Aware and Spybot. They found lots of things, but didn’t really help my problem much. So it was off to Google and a search for IE-AV, which led me to a great site where there was ample information and instructions. NOTE: I found the comments at the end of this blog most helpful in getting this off John’s PC.

It turns out that all I really needed to do was uninstall the .dll files that had been dumped in the WINDOWS\System32 directory. Now, an interesting if not disturbing side note is that, when I went into the \WINDOWS directory and the \System32 directory, it popped up IE and the same annoying site. For me, I had three files (g2tool.dll, gtool~1.dll and Gtool.dll) that I needed to delete, and I did have to go into Safe Mode to delete one of them. A reboot and all was good.

I still want to rebuild that computer, as I am not at all convinced it is “clean”, but for now, John is happy and thinks I do great work... today a Hero... tomorrow? Who knows?
