Google re-directs when clicking on search results.


11 replies to this topic

#1 mrZoSo

Posted 01 July 2010 - 09:20 PM

I would say maybe 1 out of 8 searches I do on Google, I get redirected to a page that is similar to what I clicked on in the search results. Thought it might have to do with Google Analytics but no. Did some research at Google's forums and it seems to be related to possible malware. I use Avast and Spybot normally. Upon reading the Google forums I installed a couple of other malware progs to try and resolve the issue. Came here and saw other people having similar issues.

Did a full scan with Spybot, it found nothing.
Did a full scan with Malwarebytes Anti-Malware, it found nothing.
Scanned with PC Tools Spyware Doctor(recommended by Google), it found nothing.
Scanned with Ad-Aware(recommended by Google), it found nothing.

I'm running Windows 7 x64
Any help with this would be greatly appreciated.

I ran defogger and dds. Log files are attached.
Tried running (as Admin too) RKUnhookerLE but it just won't run.
Tried running GMER, get an error window:
CODE
C:\Windows\system32\config\system: The system can not find file specified.

I click OK and only 4 check boxes are available:
System
Registry
Files
ADS
All others are greyed out.

EDIT: Forgot to mention, this happens with FF and Chrome, I don't use IE.

TIA

Attached Files


Edited by mrZoSo, 01 July 2010 - 11:47 PM.




#2 kahdah


Posted 06 July 2010 - 06:49 AM

Hello mrZoSo

Welcome to BleepingComputer
==========================
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 mrZoSo


Posted 07 July 2010 - 04:39 PM

Here's the log file from GooredFix:

CODE
GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:34 on 07/07/2010 (Port)
Firefox version 3.6.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [22:24 08/03/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [04:17 14/05/2010]

C:\Users\Port\Application Data\Mozilla\Firefox\Profiles\othyrw01.default\extensions\
optimizegoogle@optimizegoogle.com [04:38 02/07/2010]
{1392b8d2-5c05-419f-a8f6-b9f15a596612} [07:45 06/07/2010]
{35106bca-6c78-48c7-ac28-56df30b51d2a} [16:28 23/04/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [06:27 01/05/2010]
{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [21:05 13/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-



#4 kahdah


Posted 07 July 2010 - 05:43 PM

Please download TFC by Old Timer.
    Double-click TFC.exe to run the program.
    (If using Vista please Right Click and Choose "Run as Administrator")
    Click the Start button.
    Please reboot when prompted.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 mrZoSo


Posted 08 July 2010 - 07:24 AM

Results from the scan:

CODE
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, July 8, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, July 08, 2010 01:02:10
Records in database: 4245561
Scan settings
scan using the following database     extended
Scan archives     yes
Scan e-mail databases     yes
Scan area     My Computer
C:\
D:\
E:\
F:\
Scan statistics
Objects scanned     249749
Threats found     2
Infected objects found     5
Suspicious objects found     0
Scan duration     05:10:04

File name     Threat     Threats count
C:\Users\Port\AppData\Local\CrossLoop\winvnc.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.gc    1    
C:\Users\Port\Desktop\7-5-2010 Flash Drive Backup\CCH09-10 Stuff\09 Tools\FINDTIN.exe    Infected: HackTool.Win32.Kiser.oz    1    
C:\Users\Port\Desktop\7-5-2010 Flash Drive Backup\CCH09-10 Stuff\09 Tools\OCPSetup2009.exe    Infected: HackTool.Win32.Kiser.oz    1    
C:\Users\Port\Desktop\7-5-2010 Flash Drive Backup\CCH09-10 Stuff\Tools\09 Tools\FINDTIN.exe    Infected: HackTool.Win32.Kiser.oz    1    
C:\Users\Port\Desktop\7-5-2010 Flash Drive Backup\CCH09-10 Stuff\Tools\09 Tools\OCPSetup2009.exe    Infected: HackTool.Win32.Kiser.oz    1


These 5 "infected" objects are false positives. These are tools we use at my work. Also I've only recently put them on my system, and the problem has existed for a couple weeks prior to this.
Also report says 2 threats found but gives no information about them.

That has to be one of the slowest online scanners I've ever used, heh.
It completely failed using FF; it never finished downloading the database updates, even after letting it run for over 4 hours, lol.

Oh yeah, re-directs still occur.

Edited by mrZoSo, 08 July 2010 - 07:26 AM.


#6 kahdah


Posted 08 July 2010 - 07:31 AM

Yeah I figured the redirects would still occur.
Just wanted to see if anything else was at play.
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the lines below:

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


#7 mrZoSo


Posted 08 July 2010 - 07:59 AM

Results from OTL scan:

Attached Files



#8 kahdah


Posted 08 July 2010 - 08:21 AM

Download Bootkit remover to your desktop
This is a rar file; if you do not have a programme to open it, download and install Peazip.

Extract Remover.exe to your desktop
Right click Remover.exe and select Run as Administrator
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Open a notepad and press Control+V

Post the resultant log here please
=======================

Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse then once you have done that click on the open button then submit)

C:\ProgramData\7F1837F89D.sys

This will produce a report after the scan is complete, please copy and paste those results in your next post.


#9 mrZoSo


Posted 08 July 2010 - 08:31 AM

Results:
CODE
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: bb4f1627d8b9beda49ac0d010229f3ff

     Size  Device Name          MBR Status
--------------------------------------------
  1397 GB  \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)


Press any key to quit...


CODE
Jotti's malware scan
Filename:     7F1837F89D.sys
Status:
Scan finished. 0 out of 19 scanners reported malware.
Scan taken on:      Thu 8 Jul 2010 15:27:48 (CET)

Additional info
File size:     88 bytes
Filetype:     X11 SNF font data, LSB first
MD5:     dac7b64e9c2163e2d6d817f77a0c221f
SHA1:     4033b9bb87dccf6c47abb4280c54b1061a123754

Scanners
[ArcaVir]                   2010-07-08 Found nothing
[G DATA]                    2010-07-08 Found nothing
[Avast! antivirus]          2010-07-08 Found nothing
[Ikarus]                    2010-07-08 Found nothing
[Grisoft AVG Anti-Virus]    2010-07-08 Found nothing
[Kaspersky Anti-Virus]      2010-07-08 Found nothing
[Avira AntiVir]             2010-07-08 Found nothing
[ESET NOD32]                2010-07-08 Found nothing
[Softwin BitDefender]       2010-07-08 Found nothing
[Panda Antivirus]           2010-07-07 Found nothing
[ClamAV]                    2010-07-08 Found nothing
[Quick Heal]                2010-07-07 Found nothing
[CPsecure]                  2010-07-08 Found nothing
[Sophos]                    2010-07-08 Found nothing
[Dr.Web]                    2010-07-08 Found nothing
[VirusBlokAda VBA32]        2010-07-08 Found nothing
[Frisk F-Prot Antivirus]    2010-07-07 Found nothing
[VirusBuster]               2010-07-08 Found nothing
[F-Secure Anti-Virus]       2010-07-08 Found nothing


#10 kahdah


Posted 09 July 2010 - 06:56 AM

There is no sign of malware. Are you positive it is not Google Analytics?
Is that a plug-in or something for Chrome\Firefox?
If it is not a plug-in for IE, then try using IE; if it doesn't happen there, then we know what the problem is.


#11 mrZoSo


Posted 09 July 2010 - 04:51 PM

No plugins. Tried IE and get the same results.
Here's info on Google Analytics
I'm thinking Google is doing it and not letting people know, or lying about it? Or maybe something is happening on their end and they don't know about it?
I even loaded a fresh Win7 in a VM and it does the same thing.
I took a couple screen shots:

I'm hovering over the highlighted (red) link; the URL at the bottom is showing correctly, and when I click it, it goes to the proper page.




Again, hovering over the link, but notice the URL, this is when 9 out of 10 times I'll get a redirect.



#12 kahdah


Posted 10 July 2010 - 08:26 AM

QUOTE
I even loaded a fresh Win7 in a VM and it does the same thing.
I took a couple screen shots:
If this is the case then it is not malware that is doing it.
A fresh install will not do this.

I would suspect google there would be no other explanation for it especially on a fresh install.

Are you connected through a router?
If so try to bypass it to see if it still does it plugged straight into the modem.





