BleepingComputer.com: Google Redirect

Hi,

I have a problem with a Google Redirect on my Windows XP machine.

I am running an updated version of Norton 360 and it can find no infected files or spyware.

After reading a whole host of posts, there appear to be many scans that I can apply; could anyone give me advice as to which one is appropriate, how I can clear this from my system and what further protection should I proceed with in the future to prevent this from happening?

In advance, thank you...

JJ

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal

Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.

Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to this Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  
• If an update is found, the program will automatically update itself. Press the OK button and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

• Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  
• Click on the Scan button.
  
• When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked and then click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  
• Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

Thanks v much for that. The program wouldnt run until I changed its name.exe but the scan did return two infected items.

JJ


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/02/2011 09:14:11
mbam-log-2011-02-16 (09-14-11).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 249568
Time elapsed: 58 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.84,93.188.161.224) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DBE12373-F17F-44E9-9BB9-C8517CCCBD59}\NameServer (Trojan.DNSChanger) -> Bad: (93.188.162.84,93.188.161.224) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version.
The database shows 5363. Last I checked it was 5772.

Please update it through the program's interface <- preferable method. If malware is blocking you from updating, then manually download the database definitions from one of the following locations (they may not be the most current) and just double-click on mbam-rules.exe to install:

• download link 1 <- under Download Locations, choose the MajorGeeks link
  
• download link 2

Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply for Budapest to review.

Hi,

The update would run - the error I received was "PROGRAM_ERROR_UPDATING(12007, 0, WINHTTPSENDREQUEST)".

However, my wired internet connection is now not functioning. I sourced an update on another system and ran a quick scan. Below are the results...

Thanks,

JJ



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5750

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/02/2011 20:47:00
mbam-log-2011-02-17 (20-47-00).txt

Scan type: Quick scan
Objects scanned: 149533
Time elapsed: 1 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi folks,

Just wondering if anyone had time to check out the latest scan from my previous post?

As I mentioned, my wired internet connection is not working but was prior to the original scan.

Any ideas?

Thanks,

JJ

There are Trojan infections (DNSChanger) which can alter DNS settings and redirect your browser to their DNS Server or other unwanted sites. Your first scan indicates such an infection was found and the second looks clean.

Reset your router with a strong logon/password (if using one). Many users seldom change the default username/password on the router and are prone to this type of infection. If you're not sure how to do this, refer to the owner's manual for your particular router model. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference. Consult these links to find out the default username and password for your router and write down that information so it is available when doing the reset:

• Route Passwords
  
• Default Password List

These are generic instructions for how to reset a router,:

• Unplug or turn off your DSL/cable modem.
  
• Locate the router's reset button.
  
• Press, and hold, the Reset button down for 30 seconds.
  
• Wait for the Power, WLAN and Internet light to turn on (On the router).
  
• Plug in or turn on your modem (if it is separate from the router).
  
• Open your web browser to see if you have an Internet connection.
  
• If you don't have an Internet connection you may need to restart your computer.

Please Reset Internet Explorer or use Microsoft's Fix it to automatically reset registry keys and the browser back to the way it was when initially installed. If you check the Delete personal settings checkbox in Advanced settings, it will reset the home page(s), search providers and Accelerators to their default values. It will also delete temporary Internet files, history, cookies, web form information (passwords) and InPrivate Filtering data.

-- Note: Microsoft Fix it does not work in Windows 7. Instead, you can use the Internet Explorer troubleshooters to achieve this automatically.itially installed. Then clear your browser history.


Reset the IP address:

• Go to > Run... and in the open box, type: cmd
  
• Click OK or press Enter. A dos Window will appear.
  
• At the command prompt C:\>_, type: ipconfig /release
  
• Press Enter.
  
• When the prompt comes back, type: ipconfig /renew
  
• Press Enter.
  
• Close the command box and and see if that fixes the connection. No reboot needed.

-- XP users can refer to XP ipconfig Tutorial: Step 4
-- Vista users can refer to Vista ipconfig Tutorial: Step 4


If that did not resolve the problem:

• Go to > Run... and in the open box, type: cmd
  
• Click OK or press Enter. A dos Window will appear.
  
• At the command prompt C:\>_, type: ipconfig /flushdns
  
• Press Enter.
  
• You will get a confirmation that the flush was successful.
  
• Close the command box.

If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.

• Go to > Control Panel, and choose Network Connections.
  
• Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and and choose Properties.
  
• Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  
• Under the General tab, write down any settings in case you should need to change them back.
  
• Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  
• Select the button that says "Obtain DNS servers automatically".
  
• If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  
• Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.

-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.


Also check your Proxy settings in Internet Explorer to make sure malware did not alter them. To do that, please refer to Steps 4-7 under the section Automated Removal Instructions for System Tool using Malwarebytes' Anti-Malware in this guide.

Alternatively, you can press the WINKEY + R keys on your keyboard or click > Run..., and in the Open dialog box, type: inetcpl.cpl
Click OK or press Enter. Click the Connections tab and continue following the instructions in the above guide.

If using FireFox, refer to these instructions to check and configure Proxy Settings under the Connection Settings Dialog.

This post has been edited by quietman7: 23 February 2011 - 12:52 PM

Thanks for that but unfort it hasn't resolved the problem.

When I typed: ipconfig /renew at the command prompt in cmd.exe I got the following error:

"An error occurred while renewing interface Local Area Connection : The RPC server is unavailable"

This is what the ipconfig returned...

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix:
IP Address: 0.0.0.0
Subnet Mask: 0.0.0.0
Default Gateway:

I have tested the cable, the modem and went through all the other steps you gave but still no joy...

JJ

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants so more advanced tools are needed to investigate. Before that can be done you will need you to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".

• If you cannot complete a step, then skip it and continue with the next.
  
• In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the Malware Response Team.

Thanks again for your help.

The new post is as follows...

http://www.bleepingcomputer.com/forums/topic382196.html/page__p__2151719#entry2151719

JJ

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.