
google redirection?


8 replies to this topic

#1 rubenaf

rubenaf

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 04 November 2010 - 09:56 AM

Hi,

About two weeks ago I opened a suspicious .exe file that hadn't beeped with McAfee nor Malwarebytes. I instantly saw how it installed a few things and new processes started running. Malwarebytes detected and cleaned serauth1.dll, serauth2.dll, csrss.exe, rootkits (Orr.exe, Orq.exe, Ors.exe), among others... quite a messy thing, so I guess this shared computer hadn't been checked in a while.

After removing all those items it seems to be clean, but for one thing: when in Firefox I perform a google search and click on one of the hits, sometimes it redirects me to a google search blank page (http://google.com, then to http://www.google.co.uk). I have observed that there is an intermediate redirection address "http://www.eghgoritanno.com". For example I've just performed a search for bleeping computer, clicked on it and I have been redirected to the blank page through "http://www.goingonearth.com/search.php?q=bleeping%2Bcomputer&n=1288880437".
A few times I was redirected to pages other than the one I was searching for, but that occurred very, very rarely. Also, this redirection does not happen all the time: e.g. if I click on a hit and open it in a new tab, it redirects me. I try again, it happens again. And so on. But then I try a different hit and it goes to the right website. Or I open let's say 5 webs on new tabs and they are all redirected, but then the 6th is not, and if I try again with the first one it opens the right website.

Unfortunately I don't have the suspected .exe file, I deleted it straight away.

Any hints on this?
Thanks a lot in advance,
R.

Edited by rubenaf, 04 November 2010 - 10:49 AM.




#2 rubenaf

  • Topic Starter

Posted 15 November 2010 - 10:02 AM

Hi,

I just wanted to recover this post, as I haven't received any answers yet and the redirection problem through hxxp:// eghgoritanno.com persists. Sometimes I'm redirected to the google.co.uk blank page, sometimes to consumer pages, and sometimes everything seems to work just fine.

Thanks,
R.

Edited by quietman7, 23 November 2010 - 02:03 PM.


#3 rubenaf


Posted 17 November 2010 - 01:26 PM

I'm getting there... I'd like to apologize as I said I couldn't find anything related to this redirect. I have just realized that it wouldn't allow me to perform any searches for "goingonearth" within firefox. Fortunately, it seems that the IE works and I've found a lot of information, mainly related to no actual removal tools?
I've seen a website where they offer a removal tool and I was wondering whether it's safe or it's just another step in the infection: http://www.spydiagnostic.com/threats-09/eghgoritanno-com-removal-instructions.html

Thanks in advance,
R.

#4 rubenaf


Posted 23 November 2010 - 01:46 PM

Hi, I would just like to report news, as it is apparently fixed.

How I saw it> I set up firefox to tell me when I was going to be redirected, and observed I was being redirected through the address www.eghgoritanno.com\...
Only in Firefox (but not in IE) > when I looked for "eghgoritanno" or "goingonearth" on the google quick search, I was ALWAYS redirected to the same microsoft website, or to the google blank page.

Where it was redirecting me> most of the time to a google search blank page. After some time (weeks I've been studying it for, unable to fix it) to other websites including bing and just once to a porn one.

Fix? > Today I ran the updated Malwarebytes, which detected something. I deleted it, but the redirection problem persisted. I have just run a registry cleaner (ccleaner), then applied the recommended fixes.
I have not been redirected anymore, and I can find hits for eghgoritanno and goingonearth in Firefox.

There was nothing extremely suspicious for me among the errors the cleaner found (interestingly it found only 120 errors, while Registry Mechanic had found nearly a thousand)... but it seems to be fixed? I'll let you know. If someone is particularly interested in the elements that were deleted I can recover my registry from a backup and run the cleaner again to post them.

Best,
R.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,596 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:23 PM

Posted 23 November 2010 - 02:08 PM

Sorry for the delayed response but staff members are all volunteers who assist other members as well as you when time permits. Unfortunately, this means sometimes a topic thread will get overlooked when requests for assistance get backed up.

The link you provided in the previous post for SpyDiagnostic gives me a 404 Not Found error. Regardless, they are promoting Stopzilla, a program I do not recommend.

I'm glad to hear you resolved your problem but be aware that Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

1. Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

2. Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

3. Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

4. Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

5. The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
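
Points 3 and 4 above, and the offer in post #4 to restore a backup and re-run the cleaner, both depend on knowing exactly which entries a cleaner deleted. As an added example (not part of the original thread), this Python script diffs two registry exports taken before and after a cleaner run; the sample exports and their key names are constructed placeholders.

```python
# Added example (not from the thread): diff registry exports taken before/after a cleaner run.
def split_value(line):
    """Split '"name"=data' or '@=data' into (name, data)."""
    if line.startswith("@="):
        return "@", line[2:]
    i = 1
    while i < len(line) and line[i] != '"':   # find the closing quote of the name
        i += 2 if line[i] == "\\" else 1      # step over escaped characters
    return line[1:i], line[i + 2:]            # skip the '"=' separator

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]               # hex data wraps with a trailing backslash
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            current.update([split_value(line)])
    return keys

def diff_exports(before, after):
    """Report keys and values present in `before` but missing or altered in `after`."""
    b, a = parse_reg(before), parse_reg(after)
    report = {"removed_keys": sorted(set(b) - set(a)), "removed_values": [], "changed_values": []}
    for key in sorted(set(b) & set(a)):
        for name, data in sorted(b[key].items()):
            if name not in a[key]:
                report["removed_values"].append((key, name, data))
            elif a[key][name] != data:
                report["changed_values"].append((key, name, data, a[key][name]))
    return report

# Constructed sample exports; the key names are placeholders, not from the thread.
BEFORE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleApp]
"Blob"=hex:01,02,03,\
  04,05
[HKEY_CURRENT_USER\Software\ExampleApp\Stale]
"Leftover"=dword:00000001
[HKEY_CURRENT_USER\Software\Classes\.example]
@="ExampleApp.Document"
'''
AFTER = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\ExampleApp]
"Blob"=hex:01,02,03,04,05
[HKEY_CURRENT_USER\Software\Classes\.example]
'''
```

Files written by the Registry Editor's export are UTF-16, so read them with `open(path, encoding="utf-16").read()` before passing the text to `diff_exports`.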


#6 rubenaf


Posted 23 November 2010 - 07:12 PM

Hi,
I am aware of the risks and have manipulated the registry myself on some occasions, backing up and looking carefully at what I'm doing. I confess my ignorance at points 4 and 5 though... information very much appreciated!
Thanks for getting back to me, and thanks for the hard work you do through these posts.

Best,
R.

#7 quietman7


Posted 23 November 2010 - 10:05 PM

You're welcome and thank you for the kind words.

#8 rubenaf


Posted 24 November 2010 - 06:27 PM

Hi, I've been told the redirect is still in the shared computer, oh my.
I have found the same removal instructions on several websites. Apparently they have been published around 18-19th Nov:
http://www.2-viruses.com/remove-goingonearth-com
http://spywareremove.com/removeGoingonearthcom.html
http://blog.teesupport.com/how-to-guide-remove-goingonearth-com-g-o-i-n-g-o-n-e-a-r-t-h-removal-guide/

I was just wondering whether they are genuine? If they are, I hope they help others. If they are not, I'm sorry, I'm feeling like a spammer... but I feel guilty about that computer because it was my fault the virus got there.

Best,
R.

#9 quietman7


Posted 24 November 2010 - 06:58 PM

While all three sites provide basic removal instructions they are in business to make money.

2-viruses.com promotes the use of Spyware Doctor and spywareremove.com promotes SpyHunter's Malware Scanner.
Tee Support is an online tech support service where you pay for help per incident or can purchase a yearly subscription.

Further, 2-viruses recommends the use of other tools to include ComboFix.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.



