Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Problem


  • Please log in to reply
7 replies to this topic

#1 Moose_Hunter_35

Moose_Hunter_35

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:53 PM

Posted 31 January 2010 - 06:39 PM

I am having a problem with being redirected when I select a link after a google search. It happens on a pretty regular basis to a different site every time. I am running an updated version of McAfee and Malwarebytes. Windows XP operating system. I ran Malwarebytes earlier today and it found one infected object, "Trojan.Hiloti". I removed the infected object and I am still having the redirect problem. I am not sure what else to do now. I would appreciate any help with this problem. Thanks!

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:53 PM

Posted 31 January 2010 - 10:44 PM

Hello.

Let's get a rootkit scan and see.

Download and Run GMER

We will use GMER to scan for rootkits.This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Moose_Hunter_35

Moose_Hunter_35
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:53 PM

Posted 01 February 2010 - 09:10 PM

I ran GMER as requested. It did not prompt me to do anything. I save the log. It is pasted below.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-01 19:56:36
Windows 6.0.6001 Service Pack 1
Running: kcsfj668.exe; Driver: C:\Users\Jacob\AppData\Local\Temp\fglcypog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C8D779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C8D7738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C8D774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C8D77DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C8D781F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C8D7710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C8D7724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C8D77B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C8D7847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C8D7833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C8D778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C8D7776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C8D780B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C8D77F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C8D77C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C8D7762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- User IAT/EAT - GMER 1.0.15 ----

IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0124E660
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0124E140
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0124D2A0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0124EBE0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateThread] 0124C260
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 0124BBD0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 0124BF90
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0124D100
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0124D7C0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0124D550
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0124D740
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0124DC20
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0124D930
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetFileType] 0124D450
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0124D690
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0124D240
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!WriteFile] 0124D0C0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetACP] 0124E680
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 0124C110
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0124E3A0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0124E2C0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0124E280
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0124C940
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 0124BA30
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0124D340
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 0124B9A0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 0124BC80
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 0124A730
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!ReadFile] 0124CC90
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetVersion] 0124E650
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [USER32.dll!LoadIconW] 0124E920
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [USER32.dll!LoadCursorW] 0124E8C0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0124EB10
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0124EBB0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [USER32.dll!LoadStringW] 0124E9E0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0124E5D0
IAT c:\ProgramData\SingleClick Systems\Advanced Networking Service\hnm_svc.exe[836] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0124E580

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:53 PM

Posted 01 February 2010 - 09:30 PM

Hello.

Was that scan ran in Normal mode or Safe Mode? Normal mode I assume?

Where is the redirects happening? Internet Explorer? FireFox? Or Both? What/where are you getting redirect to in general?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Moose_Hunter_35

Moose_Hunter_35
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:53 PM

Posted 01 February 2010 - 10:11 PM

It was run in normal mode. I am using firefox. The redirects have been to different sites every time. I tried a search earlier today and I was not redirected.

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:53 PM

Posted 02 February 2010 - 04:41 PM

See if it occurs in Internet Explorer too. I believe the re-directs are not happening any longer?

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Moose_Hunter_35

Moose_Hunter_35
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:53 PM

Posted 02 February 2010 - 09:29 PM

I ran Malwarebyes and nothing was found. I tried IE and Firefox Google searches today and there was no problem with redirects. I don't know what happened. I guess I'm just happy it's not doing it. You probably don't need it, but the Malwarebytes lot is below...am I okay?

Malwarebytes' Anti-Malware 1.44
Database version: 3681
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2/2/2010 8:26:20 PM
mbam-log-2010-02-02 (20-26-20).txt

Scan type: Quick Scan
Objects scanned: 102469
Time elapsed: 7 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:53 PM

Posted 03 February 2010 - 03:47 PM

Hello.

Those logs all look fine. If there's not redirect then that's good but let's get an online scan to see if it picks up anything.

Note, that this scan may take a while to complete.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users