TechSpot

Followed 8 steps, still have Google redirect

By ARCHSTANTON1138
Dec 24, 2009
  1. Just like apparently tons of other people, I have the pesky Google/Yahoo redirect thing going on. Its affected both Internet Explorer and Firefox. Here are my logs from Malwarebytes, SuperAnti-Spyware, and Hijack This. Thank you for your help.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot. I'll help with the problem.

    Malware was found in 2 saved Favorites. If these are still on the system, please delete them:
    Browser Hijacker.Favorites
    C:\DOCUMENTS AND SETTINGS\HELEN COOK\DESKTOP\COMPTR.ICONS.RARELY USED\ONLINE SECURITY GUIDE.URL
    C:\DOCUMENTS AND SETTINGS\HELEN COOK\DESKTOP\COMPTR.ICONS.RARELY USED\SECURITY TROUBLESHOOTING.URL


    Download the Norton Removal Tool HERE- like many others you have a few 'left over' entries. Save it to your desktop> don't run it yet.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab


    Close all Windows except HijackThis. Click on "Fix Checked."


    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Double click on the Norton Removal Tool set up and run. Follow any onscreen prompts.

    Since you question a Google Redirect, I'd like you to describe what's happening:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

    Visit this Adobe Reader site often and update to current version (v9.xx) Uninstall any earlier updates (v7) as they are vulnerabilities.
     
  3. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Thank you very much for your response. As far as the Google redirect goes, it has affected both the Google and Yahoo search engines. When I search for something, the links come up as normal, but when I click on one of the links, Im redirected to usually advertising rather than the website I'm trying to access. I have noticed in the redirect process, the phrase "admarketplace" is often in the url I am being redirected to. I am thinking this might be the company involved in the creating of the virus. I will do these actions you have suggested, then I will send back a HijackThis report once I am done.

    EDIT: I just tried locating and removing the 2 files you said contained malware, when I look in the specified folder, those 2 files are not there. I did a search of the system, and they could not be found through that either.
     
  4. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Ok, Ive done all of the actions you recommended minus the deletion of the 2 files in the COMPTR.ICONS.RARELY USED folder, as when I opened this folder, they were not listed. I have attached my newest HijackThis log, as it appears that Im still having problems with being redirected when clicking on links from Google and Yahoo, but now I am not being redirected to advertisements, I am being redirected to completely blank pages with no address in the url bar.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have multiple processes loaded, starting on boot and running in the background. NONE of them need to start on boot. They are legitimate entries so the removal is Optional. To cut down on the internet activity as well as to free up some resources, I suggest you have HIJT remove them, then take each off of startup.

    NOTE: The Optional removals are in green, some with descriptions.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

    C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe>> Simple Star PhotoShow_Deluxe photo editing and organizing software;
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE>> monitor the status of the printer.
    O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe>> create labels after a music CD is burned using LightScribe discs.
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start>> Easy Access Buttons control panel on Compaq laptops. Only required if you use the extra keys
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe>> Default settings software
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe">> This program will alert you if another program attempts to change your browser's default search engine to something other than Yahoo.
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe

    Close all Windows except HijackThis and click on "Fix Checked."

    If you agree with the optional removals in the log, taker them off of Startup:
    Start> Run> type in msconfig> enter> Selective Startup> Startup tab> find each of the entries in the processes you have HJT remove> UNCHECK> when through click on Apply> OK

    Start> Run> type in 'services.msc'> look for the following Service:
    YahooAUService
    Change Startup type to Manual> Close Services.

    Please note: the first time you reboot after changing the Startup using msconfig you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Please submit this file to Virus scan for identification:

    Please go to http://virusscan.jotti.org/en to upload these suspicious files for analysis.
    • Browse to the following location and Copy the following files and paste in the Submit box:
      File: getPlus_Helper.dll
      File: Get1noarp


      [b[Location: [/b]O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp[/b]
    • Click on Submit.
    • Wait for the scan. Paste the results in your next reply.

    Rscan with HJT and paste new log in next reply.

    Edit: Almost forgot: Go to Control Panel> Internet Options> Security tab> Restricted zone> Sites> type each of the following in> then click on ADD> click on Apply> OK when both have been added:
    *.SearchAWeb.com
    *.adMarketplace.com


    Include the *: it is a Wold Card.
     
  6. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Pardon me if I sound completely stupid here, but if i click on fix on the green items that you suggested, does that mean that those programs will be completely deleted off of my computer?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No. It just removes the process. The more you have running, the slower the load, the slower the surf and the slower the shutdown. The fewer processes you have starting up, the faster the load, the faster the surf (because you don't have all the programs running in the background) and the faster the shutdown.

    To keep them from starting, you would need to use the msconfig utility to uncheck them on the Startup menu and/or change the Startup Type of the Service..

    But they are still available to you- unless you uninstall them in Add/Remove Programs.

    And "Optional" is just that- I suggest, you decide.
     
  8. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Ok.....thats all i needed to know. I will do these actions now. I'll attach another HijackThis log once I am through. Thank you very much for all of your help so far.
     
  9. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Ok, Ive attached a new HJT log, but I was not able to scan those 2 files that you wanted me to with http://virusscan.jotti.org/en, because I could not locate them. I tried to find them manually first, and when that was unsuccessful, I did a system search that also yielded nothing. From what it looks like they were attached to Adobe, is it possible they were deleted when I uninstalled the old version of Adobe reader?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No problem- the path I gave you could have been wrong. The HJT log looks good. Are you still being redirected?

    I'd like you to run an online Virus scan to make sure we haven't k\missed anything:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the log in your next reply. If it's clean and the redirect have stopped, I'll have you remove the cleaning tools and old restore points.
     
  11. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Actually, yeah, I am still getting redirected. I'll run this scan, and post the log. Here's another thing, I'm using Firefox, when I edit things in Internet Options, does it affect all browsers, or just Internet Explorer? Or do I need to do something different to block websites on Firefox?
     
     
  12. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Here's the log from the virus scan. It found 6 threats, most of them coming from one program, which makes sense, since it was downloaded only a short time ago, and my redirect problem has only been for the last couple weeks. How should I proceed? Should I just uninstall the program, or do I need to do something a little more in depth than that?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It appears that the FL\FL.Studio.8.0.0.XXL.Producer.Edition is a pirated program. Any further help will depend on whether you uninstall this programs and any related entries.

    We do not support piracy.
     
  14. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    I apologize, I have uninstalled and deleted this program. I am still having the redirection problem though. What should my next step be?
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with new Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Then rescan with HijackThis.

    Attach Combofix report and Eset Log in next reply.

    Paste new HJT log into the reply.
     
  16. ARCHSTANTON1138

    ARCHSTANTON1138 TS Rookie Topic Starter

    Sorry it took so long, here are the three requested reports. The Combo-Fix and ESET logs are attached, I have also had to attach the HJT log as well because it exceeded the number of characters allowed in a response.
     

    Attached Files:

  17. kritius

    kritius TS Guru Posts: 2,087

    Bobbye asked that I look at this.

    DDS by sUBs
    Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

    Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    • Double click on dds to run it.
    • When done, DDS.txt will open.
    • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
    • When done, Attach.txt will open.
    • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.