Google search redirection


  • This topic is locked
13 replies to this topic

#1 Louistar

Louistar

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 11 February 2010 - 03:21 PM

Hello everyone,

It seems as though my Google search results links are being hijacked, but I'm not being redirected to another site, the links are being redirected to the proper link result, but with JavaScript enabled, there seems to be some sort of a redirection happening. For one thing, when I click a link in the results page, the browser makes 2 clicking noises (in IE8): One click for the actual click, and one for the redirect.

The other evidence that suggests that the links are redirected is the fact that when I right-click the link, the status bar (and the link properties) show a different link than what is supposed to be there.

I'll provide an example here:

If I do a search from Google's home page for "Bleeping Computer", the first result is bleepingcomputer.com. If I hover over the result link, it displays as normal: "http://www.bleepingcomputer.com". But if I right-click the link, the status bar changes to:

"http://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CAkQFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2F&rct=j&q=bleeping+computer&ei=-mF0S9PqIMjM8QbGzYWsCg&usg=AFQjCNGktzYSNr7HJczoQggy3UuHlF7qBA&sig2=NXa8mFc5MDHUMWS_hlZPiw"

The same also displays if I choose "properties" from the right-click menu.

Again, I emphasize that this only happens with JavaScript enabled, and seems to be occurring in IE, FF, and Opera. Chrome doesn't indicate this.

What's interesting is that this alternate version of the link appears immediately when I do a search for something that triggers a "did you mean..." result.

Is this something built into Google? Or should I be concerned that the links I'm clicking on in Google are being tracked by malware on my system?

Thanks for any help.
Louis

Edited by Orange Blossom, 11 February 2010 - 09:22 PM.
Move to AII. ~ OB
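
The check the question above asks for, as an added example that is not part of the original thread: it compares the URL a results page displays with the href the browser will actually load, and separates a Google `/url?...&url=` click-tracking wrapper that leads to the displayed destination from a link that leads somewhere else. The function names, the pattern for Google host names, and the `example.net` / `redirector.example` hosts are assumptions made for illustration; the long wrapper URL is the one quoted in the post.

```javascript
// Added example (not from the thread). Classifies a search-result link by
// comparing the URL the page displays with the href the browser will load.

// Assumption: Google's own hosts look like google.com, google.de, google.co.uk.
const GOOGLE_HOST = /^(?:www\.)?google\.(?:com|[a-z]{2}|com?\.[a-z]{2})$/;

function parseHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:" ? u : null;
  } catch {
    return null; // not an absolute URL
  }
}

// Returns the destination carried in a google.<tld>/url?...&url=<dest> wrapper,
// or null when href is not such a wrapper.
function unwrapGoogleRedirect(href) {
  const u = parseHttpUrl(href);
  if (!u || !GOOGLE_HOST.test(u.hostname) || u.pathname !== "/url") return null;
  const dest = u.searchParams.get("url"); // searchParams percent-decodes the value
  return dest ? parseHttpUrl(dest) : null;
}

const sameTarget = (a, b) => a.hostname === b.hostname && a.pathname === b.pathname;

function classifyLink(displayed, href) {
  const shown = parseHttpUrl(displayed);
  const actual = parseHttpUrl(href);
  if (!shown || !actual) return "unparseable";
  if (sameTarget(shown, actual)) return "direct";
  const dest = unwrapGoogleRedirect(href);
  if (dest) return sameTarget(shown, dest) ? "google-click-tracking" : "wrapper-mismatch";
  return "foreign-redirect"; // href goes to a host that is neither the target nor Google
}

// The wrapper URL quoted in the post above.
const TRACKED = "http://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CAkQFjAA&url=http%3A%2F%2Fwww.bleepingcomputer.com%2F&rct=j&q=bleeping+computer&ei=-mF0S9PqIMjM8QbGzYWsCg&usg=AFQjCNGktzYSNr7HJczoQggy3UuHlF7qBA&sig2=NXa8mFc5MDHUMWS_hlZPiw";

// Constructed test hrefs; example.net and redirector.example are placeholders.
const SHOWN = "http://www.bleepingcomputer.com";
const CASES = [
  "http://www.bleepingcomputer.com/",
  TRACKED,
  "http://www.google.com/url?sa=t&url=http%3A%2F%2Fexample.net%2F",
  "http://www.google.com.redirector.example/url?url=http%3A%2F%2Fwww.bleepingcomputer.com%2F",
];

for (const href of CASES) {
  console.log(classifyLink(SHOWN, href).padEnd(22), href.slice(0, 60));
}
```

A `wrapper-mismatch` or `foreign-redirect` result is the case that warrants a malware scan; `google-click-tracking` is the behaviour described in the post.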




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:52 PM

Posted 11 February 2010 - 10:41 PM

Hello and welcome. Let's run these tools and get some logs. Keep me updated on how the PC runs after these, thanks.
If you have Spybot installed temporarily disable it.

Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

After download, install and update, disconnect from the internet and scan.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 copotay

copotay

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 17 February 2010 - 08:44 AM

My Google, IE8, searches are doing the same thing, double click and redirect with that funny looking url, but only on my home computer, not my office computer. I had a browser redirector virus, zooclicker, that the experts here were very helpful with. My computer was clean after the assistant here checked over several logs. I still get redirected to the correct page but it's going through a javascript type action before hitting the right page. For the life of me I cannot remember if it was doing this before the hijacker but I was not paying that close attention to my browser while clicking on links prior to the hijacker.

It only does it on Google, so I began searching this string and it looks like it is something called AJAX that Google is embedding in their searching, but I think currently, from what I have been reading, it's randomly using it for different users, it will not do it to every IP. And it affects all browsers because it is coming from Google directly. Here are a couple of links that kinda explain it, I sure wish there was a way to turn it off because it does slow down your surfing waiting for the redirect:

http://smackdown.blogsblogsblogs.com/2009/...-tracking-urls/

BoopME, this appears to be what it is unless you think this is something that is on our computers or just something from Google that we have to live with?

tks

UPDATE: I have been researching everything I could to figure this out but have come up with the same answer that it is Google tracking. I have deleted all cookies, temp files, etc. and it will still not go away. However it only happens when you search from the main Google page. So I have a workaround that I am using and put this as my home page. It does not redirect and will give the exact link you click on. It's just the main page that has the redirect so I just put in a generic Google result page, for instance this http://www.google.com/search?hl=en&q=google and anything searched from this page will not redirect. Until somebody or someone figures something else out this is the only way I can see to fix this. Btw BoopME, I ran both of your suggestions and came up with clean log files. Again the weird part is that I have a laptop with IE7 on the same IP and it is not doing it on the laptop just like it is not doing it from a work computer which has a different IP. It must be something that Google sent to my system that I cannot find unless it is recognizing my MAC address. There were also several suggestions about people with Gmail accounts, which I have, that if you log out and clear your Google history, that Google automatically keeps online with their servers when you register an account with them and you have to turn off manually, it would remove the redirect, but that did not work either.

Edited by copotay, 17 February 2010 - 10:35 PM.


#4 Louistar

Louistar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 18 February 2010 - 05:10 PM

Okay, I've done what was recommended in the post by Boopme. What's interesting is that it hasn't changed the behaviour of the Google search links, as I described, but it did find a number of infections, which is obviously good.

And the user copotay seems to be correct that this is something implemented by Google. It seems that it's only affecting certain people, because I know others who don't see the redirection happening.

Anyhow, here are my log files below:

From Gooredfix:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 16:23 on 18/02/2010 (Louis)
Firefox version 3.5.7 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
inspector@mozilla.org [23:10 26/07/2006]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:10 26/07/2006]
{9d613b03-9b7c-4fa0-b2f8-32f7cc24873f} [16:18 13/03/2007]
{9d613b03-9b7c-4fa0-b2f8-32f7cc24873f}(2) [21:57 11/08/2006]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [15:08 20/04/2008]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [23:35 28/01/2010]

C:\Documents and Settings\Louis\Application Data\Mozilla\Firefox\Profiles\4oap7273.default\extensions\
firebug@software.joehewitt.com [08:07 20/01/2010]
yslow@yahoo-inc.com [19:41 27/01/2010]
{3c6e1eed-a07e-4c80-9cf3-66ea0bf40b37} [21:45 04/11/2009]
{53A03D43-5363-4669-8190-99061B2DEBA5} [08:13 11/12/2009]
{c151d79e-e61b-4a90-a887-5a46d38fba99} [08:57 28/10/2009]
{c45c406e-ab73-11d8-be73-000a95be3b12} [20:10 26/07/2009]
{cc265d3d-3f6f-0170-a78b-bbbaef7a868c} [13:33 29/08/2007]
{e3f6c2cc-d8db-498c-af6c-499fb211db97} [07:47 07/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [14:21 20/04/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:32 26/09/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:35 28/01/2010]

-=E.O.F=-

Log file from Malware Bytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3758
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/18/2010 4:56:23 PM
mbam-log-2010-02-18 (16-56-23).txt

Scan type: Quick Scan
Objects scanned: 169669
Time elapsed: 22 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\acm.acmfactory (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\acm.acmfactory.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\t1w.ourmimefilter (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{43382522-a846-46f4-ac57-1f71ae6e1086} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72a836d1-bc00-43c0-a941-17960e4fb842} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{127df9b4-d75d-44a6-af78-8c3a8ceb03db} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0eb00690-8fa1-11d3-96c7-829e3ea50c29} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{df901432-1b9f-4f5b-9e56-301c553f9095} (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ACM.dll (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave (Adware.WhenU) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Louis\Local Settings\temp\e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

Thanks for any further help.

Louis
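
The MBAM log above flags the Winlogon `Userinit` value because a second program, `sdra64.exe`, was appended to it. The following added example (not part of the original thread, and not MBAM's own logic) audits that comma-separated value against the log's "Good" entry; the function names are illustrative and the `C:\WINDOWS` system root is an assumption taken from the paths in the log.

```javascript
// Added example (not from the thread). Audits the data of the Winlogon
// "Userinit" registry value, a comma-separated list of programs run at logon.

// Assumption: Windows is installed in C:\WINDOWS, as in the log above.
const EXPECTED = "c:\\windows\\system32\\userinit.exe";

function normalizeEntry(entry) {
  const e = entry.trim().replace(/^"|"$/g, "").replace(/\//g, "\\").toLowerCase();
  // A bare "userinit.exe" is what MBAM's log lists as the good value.
  return e === "userinit.exe" ? EXPECTED : e;
}

function auditUserinit(data) {
  // Empty items (for example after the trailing comma) are dropped.
  const entries = data.split(",").map(normalizeEntry).filter((e) => e !== "");
  const unexpected = entries.filter((e) => e !== EXPECTED);
  const hasUserinit = entries.includes(EXPECTED);
  return { entries, unexpected, hasUserinit, clean: hasUserinit && unexpected.length === 0 };
}

// Values taken from the MBAM log above, plus the default with its trailing comma.
const USERINIT_SAMPLES = {
  hijacked: "C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,",
  relative: "system32\\sdra64.exe",
  restored: "C:\\WINDOWS\\system32\\userinit.exe,",
};

for (const [name, data] of Object.entries(USERINIT_SAMPLES)) {
  const r = auditUserinit(data);
  const verdict = r.clean
    ? "clean"
    : `investigate: ${r.unexpected.join(", ") || "userinit.exe missing"}`;
  console.log(`${name}: ${verdict}`);
}
```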

#5 Louistar

Louistar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 18 February 2010 - 05:29 PM

One good thing that came out of this is that it seems that, after clearing out those infections found by Malware Bytes, my Google Chrome is now working properly. I was usually only able to load web pages in Chrome when I disabled Chrome's sandbox, which is not recommended because apparently the sandbox is for testing purposes only and will leave the browser open to attacks when disabled.

It could be that Chrome was not loading pages because of detecting malware or else conflicting with something, which seems to be corrected. Although this has happened before and it crapped out again after a few days, so we'll have to see.

Louis

#6 copotay

copotay

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 18 February 2010 - 06:46 PM

Louis, I have tried several more scanners on mine, yet I have found nothing. The only thing that I can see is as I said Google must have my MAC address for my desktop or there is something very hidden on my system maybe put there by Google that the scanners are not finding. I will add that the desktop with the problem is running IE8 and the other two are running IE7.

Edited by copotay, 18 February 2010 - 07:09 PM.


#7 Louistar

Louistar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 18 February 2010 - 07:17 PM

I have a standalone version of IE7 (called IETester) and it does not seem to be happening on that. And if I remember correctly, my wife's work computer uses IE7 and she does not see the problem either.

I wonder if it's something built in to IE8 to force people to use Bing! :)

#8 copotay

copotay

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 18 February 2010 - 07:36 PM

If that's the case I am just about ready to uninstall IE8 anyway if I could be sure that's what it is, they still have not fixed the scroll page problem that makes the pages hang and become jotty when scrolling down or up the page on various websites like Lowes.com while your mouse is over the pictures with information next to the picture that has like a quickview. It's horrible navigating pages like that, you have to move your mouse over into the blank area to scroll smoothly.

Edited by copotay, 18 February 2010 - 07:57 PM.


#9 Louistar

Louistar
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:52 PM

Posted 19 February 2010 - 01:22 AM

Well, IE8 is much better than IE7. I have never noticed the scrolling problem you're talking about specifically in IE8. I've noticed that any version of IE is slow in loading late-loading JavaScript code, and that causes problems and delays, which is why I'm switching to Chrome now. But I would not uninstall IE8 if I were you, because you won't find much better results in IE7 other than the redirect issue we're discussing here.

Anyways, I still have the same redirect issue happening but I've now officially moved over to Chrome, so for now I don't care. Maybe I'll call Google's local offices here and find out if they know anything. :)

Louis

#10 copotay

copotay

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 19 February 2010 - 09:07 AM

Tks for the info, what's weird is some people have the problem and some don't with the scrolling issue, I just happen to be one, of course. I emailed Google with a complaint regarding the redirection, they have not responded yet, and I don't think they will. I have asked them to be removed from any type of testing, but it hasn't happened yet.

#11 copotay

copotay

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 20 February 2010 - 11:39 AM

To try something else I installed Firefox and it's doing it with that also.

Edited by copotay, 20 February 2010 - 11:39 AM.


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:52 PM

Posted 20 February 2010 - 08:25 PM

copotay
You will need to Download and Run DDS which will create a Pseudo HJT Report as part of its log.
If for some reason you cannot perform a step, move on to the next.
Please follow this guide. Go and do steps 6 thru 8, Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help. Then go here, Virus, Trojan, Spyware, and Malware Removal Logs, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#13 copotay

copotay

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:04:52 PM

Posted 21 February 2010 - 11:35 AM

Tks boopme, I just finished everything and posted here: http://www.bleepingcomputer.com/forums/t/297469/google-redirect-but-still-google/

This Google thing drives me crazy the way it slows down the browser to redirect. I know I could use another search engine but I want to make sure there is not something on my system that may not even be malware but a script or something that Google secretly put on my computer.

Also when I ran Defogger it did not make me restart and gave me this log, it looks like it did not find any CD emulation to turn off, do I still need to run it and press enable after the assistance is finished?

efogger_disable by jpshortstuff (29.01.10.1)
Log created at 08:00 on 21/02/2010 (TED)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-



Tks for the help

Edited by copotay, 21 February 2010 - 11:42 AM.


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:52 PM

Posted 21 February 2010 - 03:08 PM

Hi, OK, don't worry about it now. I will add this to your Log post so they have the info...

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.