
Googleads redirect


17 replies to this topic

#1 abobick

abobick

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 24 May 2011 - 12:48 AM

Hovering over Google links will show a link to googleads.doubleclick (or elsewhere) sometimes. Not always. When that is happening Google Instant is also disabled and the main Google search window will not prompt with completions. Also, it sometimes prevents the Google background image from loading. Ran mbm and Hitman Pro. I assume I should use ComboFix?

Thx - Aaron

Edited by Budapest, 24 May 2011 - 12:49 AM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest




#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:47 AM

Posted 24 May 2011 - 12:49 AM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 abobick


Posted 24 May 2011 - 12:52 AM

I tried the TDSS removal tool from Symantec - didn't find it. Should I try something else? (BTW: Win 7)

#4 Budapest


Posted 24 May 2011 - 12:55 AM

Download and run this file:

http://download.bleepingcomputer.com/grinler/iExplore.exe

Post the log that is generated.

#5 abobick


Posted 24 May 2011 - 01:00 AM

TDSSKiller didn't find anything. iExplore result:

********

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/24/2011 at 1:58:27.
Operating System: Windows 7 Professional


Processes terminated by Rkill or while it was running:

C:\Users\Aaron Bobick\AppData\Roaming\Dropbox\bin\Dropbox.exe


Rkill completed on 05/24/2011 at 1:59:06.

************

I use Dropbox all the time...

#6 Budapest


Posted 24 May 2011 - 01:14 AM

Do you use a router?

If so you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

#7 abobick


Posted 24 May 2011 - 09:43 AM

I haven't yet but I doubt it's a router problem. It also happens at work on a moderately secure network - though still outside our main firewall so I don't have to worry (or at least worry less) about infecting others here. The redirect is happening in the browser *before* the link is requested - if I hover with the mouse it shows the googleads page that will be accessed if I click. The next time I see that I'll look at the source document - I am pretty sure that it will have been modified to have the new targets in there.

Also, another symptom which is getting at some of the specifics of the hack: If I go to "www.Google.com" and then do a search I get a page where Google Instant isn't working, the background image doesn't load (or loads part way - starts to fade in and then stops!) - and sometimes I get the Google redirecting on the mouse hover. But if I then click on the top left hand corner of the page where it says "Web" - which is the URL command "http://www.google.com/webhp?hl=en&tab=ww" - it *never* has this problem of Google Instant not working and of the background image not loading. Somehow when I go straight to "google.com" I am getting different behavior than I should.

I'll keep diagnosing later. Thanks for your ongoing help. BTW: I have pretty strong background in CS (a few degrees from a trade school in Cambridge, Mass) so if you have some suggestions that require digging in I am willing to try most things. And the critical data on this laptop is backed up.

#8 Budapest


Posted 24 May 2011 - 04:10 PM

What browser are you using? Does this redirect occur on other browsers?

#9 abobick


Posted 24 May 2011 - 04:29 PM

Firefox 4.0.1

Doesn't seem to happen in IE8 but haven't tried hard.

Also, in Firefox 4 now the google.com behavior of no instant google and no background image is still there but the redirects seem to not be happening now. But since it didn't always happen it's hard to know.

I was going to delete all the google.com cookies and see if that helps in FF4.

#10 Budapest


Posted 24 May 2011 - 04:38 PM

Please download GooredFix and save it to your Desktop.
Double-click GooredFix.exe to run it.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

#11 abobick


Posted 24 May 2011 - 04:43 PM

Does not happen in IE8. Ignore what I said about maybe not being redirected anymore in FF. Using normal www.google.com in FF4 I saw the following when hovering with my mouse over a search result link:

http://google.ad.sgdoubleclick.net/pagead/nclk?sa=L&ai=1&fadurl=googleads.g.doubleclick.net&u=https%3A%2F%2Faddons.mozilla.org%2Fen-US%2Ffirefox%2Fextensions%2F&aclck=http%3A%2F%2Fgreatsearchonline.com%2Findex.php%3Fsearch%3Dfirefox%2Bextensions%2B4.0

When I check the source of the page I cannot find any reference to doubleclick.

I have not yet deleted any cookies or cleared the cache.
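
As an added example (not part of the original thread): a small Node.js triage helper that takes the hover link quoted in the post above, checks whether its host really sits under the expected ad domain, and lists the destinations nested in its query string. The `EXPECTED_DOMAINS` list and the function names are assumptions made for illustration.

```javascript
// Added triage helper (not from the thread). HOVER_URL is the link quoted in the post above.
const HOVER_URL =
  "http://google.ad.sgdoubleclick.net/pagead/nclk?sa=L&ai=1" +
  "&fadurl=googleads.g.doubleclick.net" +
  "&u=https%3A%2F%2Faddons.mozilla.org%2Fen-US%2Ffirefox%2Fextensions%2F" +
  "&aclck=http%3A%2F%2Fgreatsearchonline.com%2Findex.php%3Fsearch%3Dfirefox%2Bextensions%2B4.0";

// Assumption: domains an analyst expects a Google ad click-tracker to live under.
const EXPECTED_DOMAINS = ["doubleclick.net", "google.com"];

// True only if host is the domain itself or a subdomain of it (label-boundary match).
function isUnder(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function triageLink(raw) {
  const url = new URL(raw);
  const host = url.hostname.toLowerCase();
  const trusted = EXPECTED_DOMAINS.some((d) => isUnder(host, d));
  // Lookalike: an expected brand label appears in the host, but not as a parent domain.
  const lookalike =
    !trusted && EXPECTED_DOMAINS.some((d) => host.includes(d.split(".")[0]));

  // Collect every query parameter whose decoded value is itself an http(s) URL.
  const nested = [];
  for (const [param, value] of url.searchParams) {
    let inner;
    try {
      inner = new URL(value); // searchParams has already percent-decoded the value
    } catch {
      continue; // not an absolute URL (e.g. sa=L, or the bare host name in fadurl)
    }
    if (inner.protocol === "http:" || inner.protocol === "https:") {
      nested.push({ param, host: inner.hostname, url: inner.href });
    }
  }
  return { host, trusted, lookalike, nested };
}

const report = triageLink(HOVER_URL);
console.log(JSON.stringify(report, null, 2));
```

For the quoted link, the host fails the `doubleclick.net` parent-domain check while still containing the name, and the `aclck` parameter carries a second destination on `greatsearchonline.com`.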

#12 abobick


Posted 24 May 2011 - 04:53 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:53 on 24/05/2011 (Aaron Bobick)
Firefox version 4.0.1 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:17 05/04/2011]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [19:46 28/04/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [15:33 17/09/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [20:56 18/11/2010]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [02:28 28/01/2011]
{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [04:12 05/04/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-

#13 Budapest


Posted 24 May 2011 - 05:04 PM

Has running GooredFix made any difference?

#14 abobick


Posted 24 May 2011 - 05:51 PM

Still have different behavior for google.com than google.com/webhp. The latter seems to be doing the right thing. The former fails in loading background images and search completions.

Should I kill the google cookies?

#15 Budapest


Posted 24 May 2011 - 06:04 PM

Yeah you can try that.