google search links getting re-directed



#1 coldfire0101

Posted 22 November 2009 - 05:43 AM

Help, I've been infected by something that re-directs my Google search links. I've tried all sorts of progs to get rid of it but nothing seems to find and kill it. I've used Malwarebytes Anti-Malware, Spybot, AVG 9, Avast, SUPERAntiSpyware.

System OS is Win7.

I've attached the DDS report, but when I try to run RootRepel it gives me an error.

Thanks in advance for any help.

Edited by coldfire0101, 22 November 2009 - 05:43 AM.




#2 thcbytes


Posted 28 November 2009 - 10:34 AM

Hello,
Do you still desire help? Please outline your current problems and inform me of what you have done since your last post.
Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 coldfire0101


Posted 29 November 2009 - 02:52 PM

Hello, and yes, I most certainly do still need help with this problem. What's happening is when I do a Google search and click on the links, they get redirected to different sites for various things. I can open the link in a new tab and it opens to the correct page, or click the link and go back a couple of times for the correct page to open.

Since the last post all I've done is run more AV tests/anti-spyware tests but have had no luck finding the problem.

#4 thcbytes


Posted 29 November 2009 - 05:36 PM

Hello,

64 bit Windows 7!! This could prove to be a bit tricky.

Let's begin....

:( P2P Warning :(

Your log indicates that you have uTorrent installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


==========

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Spybot

It will interfere with our fix.

Additional instructions can be found here if needed.

==========

Please download OTS by OldTimer and save it to your Desktop
  • Double click OTS.exe and mouse click Run
    • If you are running on Vista/W7 then right-click the program and choose Run as Administrator
  • Please check Scan All Users, Include MD5, "Extras" & Reg - Drivers32
  • Next press Run Scan
    • Please be patient as this scan will take some time to complete
    • Do not run any other programs while OTS is scanning
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click Format and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit)
  • The log will be located in the OTS folder and named OTS.txt.
==========

Download Sophos Anti-rootkit & save it to your desktop.
Be sure to read the Sophos Anti-Rootkit User Manual. A copy of this manual, sarman.pdf, can also be found inside the program folder after installation.
  • Double-click sarsfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click "Start scan".
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will be done when you restart your computer. Click "Restart Now".
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.

===========

With your next post please provide:

* OTS.txt
* Sarscan.log

Kind regards,
~t

#5 coldfire0101


Posted 30 November 2009 - 09:26 AM

It's the 32-bit Win 7 I'm running. The Sophos scanner did pick up various temp files and 1 non-removable hidden registry entry; unfortunately I'm still having the Google redirects. Please find the requested logs attached.


#6 thcbytes


Posted 30 November 2009 - 06:24 PM

Thanks for the clarification.

I see you have run Combofix unsupervised.....this is ill-advised!! Particularly on a Windows 7 machine, in that it is incompatible with this OS!!!!! :)

:( This is a complex and powerful tool that should not be used except under the supervision and direction of a malware expert. It can and will render your computer unbootable permanently!! Also realize that in most circumstances a single run of Combofix is ineffective. Specialized scripts will be written specifically directing this program to clean-up based on your logs!! :(

I would like to see your most recent CF logs. You will find them @ C:\ComboFix.txt & C:\Qoobox\ComboFix-quarantined-files.txt


==========

:) P2P Warning :)

Your log indicates that you have uTorrent installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

===========

Do you have your Windows 7 install disc? We are probably going to need it!

==========

Show hidden files in Windows 7. Follow the instructions here.

==========

Step 1

Read the following instructions carefully. If you encounter problems, stop and tell me about it. Don't forget to right-click and run as Admin to make the downloads run.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi*
    *sptd*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

==========

Step 2

Do this.....carefully!!!!!!!!

1. Go to the c:\windows\system32\drivers

2. Locate the file - atapi.sys

3. Drag and move the file to Desktop

4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder

5a. If a fresh copy is regenerated, reboot the machine

5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to its original location. <--- If you fail to perform this step you will render your computer unbootable!!!

==========

Step 3

Still getting redirected??

If so then please do this...

1. Download the file TDSSKiller.zip and extract it to your desktop.
2. Click start->run->copy-paste "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v into the textbox and press enter.
3. report.txt should be generated into same location with TDSSKiller.exe. Post contents of that report, please.

==========

Step 4

If the prior steps solve the redirection problem then repeat Step 1.

==========

With your next post please provide:

* Prior Combofix logs
* Answer to question
* SystemLook.txt
* Drag & drop success?
* TDSSkiller success?
* Report.txt

Kind regards,
~t

#7 coldfire0101


Posted 01 December 2009 - 03:52 PM

Hi. I don't have any logs from Combofix as it never actually ran properly. I had been talking to my work's IT man about my comp problem just before posting here and he suggested running Combofix (he never told me it wasn't compatible with Win 7).
I do have my Win 7 install disk if it's needed.
Had no success with drag and drop; got a pop-up box saying "you need permission to perform this action". When I looked at the file permissions I only have read/execute and read access to it.
Also no, TDSSKiller did not appear to find anything.
Logs attached.


Edit

Since running the test you asked for I have been getting explorer.exe crashing when I right-click on certain file types, and a little investigation pinned it down to imgshl32.dll, which relates to the version of DAEMON Tools Pro I had installed, so I tried to uninstall it via Control Panel and noticed it was no longer listed in there. Well, I eventually managed to get it uninstalled and the Google re-directs seem to have stopped, and I am noticing that various programs, especially my browser, are showing an increase in speed.


Edited by coldfire0101, 01 December 2009 - 06:31 PM.


#8 thcbytes


Posted 01 December 2009 - 08:57 PM

Good. :(

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please copy and paste the ESET log. Are you experiencing any more troubles?

Kind regards,
~ t

#9 coldfire0101


Posted 02 December 2009 - 02:38 PM

I've had no more problems with Google being re-directed since last post. I have run the ESET scanner and it did pick up 4 threats, which it has deleted. Here's the log for it.

Attached Files

  • Attached File  eset.txt   312bytes   4 downloads


#10 thcbytes


Posted 02 December 2009 - 03:11 PM

Hurray! :(

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Will you please re-run ESET and make sure it comes up clean.

Thanks,
~ t

Edited by thcbytes, 02 December 2009 - 03:12 PM.


#11 coldfire0101


Posted 03 December 2009 - 03:34 PM

Here's my GooredFix log. ESET has found nothing with the latest scan.


Edited by coldfire0101, 03 December 2009 - 03:34 PM.


#12 thcbytes


Posted 03 December 2009 - 08:28 PM

Still running smooth?

#13 coldfire0101


Posted 04 December 2009 - 02:29 PM

Thanks for all your help, thcbytes. My machine is running really smooth at the moment; internet speeds seem to be a lot faster.

#14 thcbytes


Posted 04 December 2009 - 04:32 PM

You're welcome. :(
One more log please.....

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#15 coldfire0101


Posted 05 December 2009 - 08:58 AM

Here you go, OTL logs for you.
