OK, new information on the Google (and others) redirect issue. Since Noobie up there probably made the moderators think I was being helped, I'm probably not going to get any real help. I've been trying my damnedest to figure this one out and I think I'm on to something.
First let me describe the computer I'm working with. This was originally posted in the Windows 7 forum because I didn't understand the issue as I do now, and I'm new to Bleeping Computer.
Windows 7 Home Premium 64-bit OS
AMD Sempron LE-1300 2.3GHz
That should be sufficient. Now the issue:
"Google Redirect": it's really just about any search engine, but that's what people seem to be calling it. When I use the address bar to go to Google (i.e. typing in http://www.google.com) all of my search results have an r3.google prefix. If I refresh the search results (F5), the r3.google prefix goes away and I can use the search results as normal. Also, if I use Google Toolbar to perform my search, the results are legitimate (i.e. no redirect issue with toolbar search). Epoclick and other sites are the most common along with "Security Tools" downloads. These also appear as pop-ups.
Things I've tried:
Running every virus scan I can think of. No luck, it is not visible from normal mode or safe mode. I tried modifying security settings in IE and Firefox (issue appears in both browsers), no results. I set the pop-up blocker settings to their maximum so I need to ctrl+alt+click to open a pop-up; this got rid of the pop-ups (but of course not the redirect issue). Refreshing the search results page worked too; the redirect issue is gone until I use the address bar again to go to Google (or other search engine). This last led me to a new idea... Watch for process memory commit when I type a search engine into the address bar. The moment I hit "enter" to go to Google, a process lit up!
Csrss.exe is running without a user name; it will not let me go to properties (right click process name --> Properties) and it will not let me go to the file path (right click process name --> Open File Location). I find this to be very peculiar behavior. I've done some searches (after refreshing the Google search result page) to see what this process is intended to do. Well, according to Process Library it is a trojan that steals passwords and things. So I tried to end the process and I got the "access is denied, operation could not be completed" message. But I know I'm on the right path. I'm going to be updating here to let people know what I find. I'm not a Bleeping Computer expert, but I know how to troubleshoot, I think I can kill it.
P.S. Due to the nature of this business computer, I am not authorized to provide detailed reports from HijackThis or other similar tools. If you feel like helping me, it will have to be a more manual assistance. Thanks for your understanding.
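
An added example, not part of the original post: a genuine csrss.exe is a core Windows process that runs under the SYSTEM account from the System32 directory, and tools without administrative rights cannot read its owner or path. The script below checks every running csrss.exe against those two properties from an elevated Windows PowerShell prompt; the function name `Get-CsrssVerdict` and the verdict strings are made up for illustration.

```powershell
# Added example: check each running csrss.exe for the image path and owner
# that a genuine instance has. Uses Get-WmiObject so it also works on the
# Windows PowerShell 2.0 that ships with Windows 7.

$expectedPath   = Join-Path $env:SystemRoot 'System32\csrss.exe'
$localSystemSid = 'S-1-5-18'   # well-known SID of the SYSTEM account

# Hypothetical helper: classify one instance from its path and owner SID.
function Get-CsrssVerdict {
    param([string]$Path, [string]$OwnerSid)

    # Without elevation WMI returns no path or owner for system processes,
    # so an empty value means "cannot tell", not "malicious".
    if ([string]::IsNullOrEmpty($Path) -or [string]::IsNullOrEmpty($OwnerSid)) {
        return 'Unknown: re-run from an elevated prompt'
    }
    # -eq on strings is case-insensitive, which suits Windows paths.
    if ($Path -eq $expectedPath -and $OwnerSid -eq $localSystemSid) {
        return 'Expected'
    }
    return 'Investigate: unexpected path or owner'
}

Get-WmiObject Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $sid = $_.GetOwnerSid().Sid   # stays empty when access is denied
    New-Object PSObject -Property @{
        ProcessId = $_.ProcessId
        SessionId = $_.SessionId
        Path      = $_.ExecutablePath
        OwnerSid  = $sid
        Verdict   = Get-CsrssVerdict -Path $_.ExecutablePath -OwnerSid $sid
    }
} | Format-Table ProcessId, SessionId, Path, OwnerSid, Verdict -AutoSize
```

One csrss.exe per session (session 0 plus each logged-on session) is normal, so several "Expected" rows are not a finding by themselves.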