Google randomly redirecting...logs attached

Discussion in 'Virus and Malware Removal' started by mcIrishgurl, Mar 14, 2011.

  1. mcIrishgurl TechSpot Enthusiast Posts: 134

    After deleting the DDS logs and trying to download from your link again, my McAfee would pop up saying it removed a trojan...I tried again and McAfee popped up with the same notification. So I shut down and restarted again, and now when I click on your DDS link, I get this.....Firefox can't find the file at http://download.bleepingcomputer.com/sUBs/dds.scr. So what do we do now?.... :( Should I try from IE instead of Firefox, or is there something wrong with that DDS link? Ughhhhhhhhhhhh....

    ****When I clicked the "see more about" on the McAfee pop up it said this about the trojan Artemis!E789EA23B49C and its location was in my local something and cache...it wouldn't let me copy/paste or I would have put it here for you to see. The detections are currently quarantined in McAfee. Should I just delete them, or I have an option to send to McAfee to report, which would you suggest?****
  2. mcIrishgurl TechSpot Enthusiast Posts: 134

    Hi Bobbye...was just checking in....not sure if you read my last 2 posts yet about trying that DDS download again...
  3. Bobbye Helper on the Fringe Posts: 16,406   +16

    Please STOP! Don't run anything else until I get this thread cleaned up! It is very time consuming to delete the logs. They are of no use to me in the format with that registry section as part.

    I can fix the McAfee problem by changing the file extension. Please tell me- has McAfee protested both times you ran DDS??

    Please consider also: every time you make a new reply, I get an email feedback. I would appreciate it if you used the Edit feature when you just have a sentence or 2 to add.
  4. mcIrishgurl TechSpot Enthusiast Posts: 134

    Sorry for any confusion I gave you....but I didn't actually RUN and execute DDS all those times. Only when you specifically asked me to, and when I TRIED to download, as it gives a link to save first before installing on the PC, THEN I would get a pop up from McAfee stating that it removed a trojan and I would just X out the box asking to save so it wouldn't actually transfer files to my PC. And yes, McAfee did protest each time I tried. You might want to note that I ran it in IE to give those first logs, then was using Firefox when you asked me to try again, which is when McAfee gave me alert pop ups. Sorry for the confusion and any extra emails I created for you. Certainly not my intent to frustrate anyone like this darn thing does me.
  5. Bobbye Helper on the Fringe Posts: 16,406   +16

    Okay, I think we have all those logs out now. We are going to skip trying to run it again- I don't know what caused that other Registry program to insert itself!

    McAfee can be a real pain! It's the file extension making McAfee holler at you, but you hadn't mentioned it or I would have had you rename it. I want you to run an Eset online virus scan and the Combofix. The security program needs to be disabled when you run each. If you have any problem with either, let me know.
    ===========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==========================================
    Download Combofix to your desktop from HERE or HERE
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If we have a problem with Combofix, I'll have you rename it, but hopefully it will go well.
  6. mcIrishgurl TechSpot Enthusiast Posts: 134

    eset log and combofix

    Here's the ESET log....when trying to download ComboFix a window popped up stating that my OS was incompatible and I needed XP or Windows 7. My OS is Windows XP Home, so not sure why it popped up with that. Then an abort message box popped up and said interference detected, perform a rootkit scan. I just closed both boxes and didn't do anything further until you advise.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=fd63c632005a6c469dc163ae646a705c
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-19 07:27:43
    # local_time=2011-03-19 02:27:43 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 23095592 23095592 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16777189 100 75 2012447 13511990 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=92658
    # found=0
    # cleaned=0
    # scan_time=4273
     
  7. Bobbye Helper on the Fringe Posts: 16,406   +16

    Are you sure the version of Windows XP you have is a legitimate one?

    See if you can run this:
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Paste Report.txt back here
  8. mcIrishgurl TechSpot Enthusiast Posts: 134

    Yes I have the original mfg disk for Windows XP Home that came with my PC.....it is a legitimate registered disc. I clicked on your link for the SDFix, however, when it takes me to the webpage, I don't see where there is the link to do the actual download....it shows this....Download SDFix and save it to your Desktop. The SDFix is in blue. When I click on it, it takes me to here....Firefox can't find the server at downloads.andymanchesta.com. I tried it with both IE and Firefox, no luck.
  9. Bobbye Helper on the Fringe Posts: 16,406   +16

    Sorry- guess they pulled the program and no longer host the site. It's an older program that I don't use much.

    I checked back over the parts of logs I have and we need to check for a bootkit> maybe that's what's causing the problem:

    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Windows XP has a built-in tool to extract files)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    ================================
    Results should be one of the following:
    • OK (DOS/Win32 Boot code found)
      - MBR boot code is clean.
    • Unknown boot code
      - MBR boot code is modified. This practically corresponds to either
      an active bootkit infection, or a custom boot manager installed (such
      as GRUB).
    • Controlled by rootkit!
      - a bootkit with self-hiding capabilities is detected.
    ==============================================
    When I see which it is in the log, I will write what is needed to try and fix what is found- if needed.
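The three verdicts above come down to comparing the code area of the first sector against something known-good. The following is an added example, not eSage Lab's Bootkit Remover code: it parses a raw 512-byte MBR (Python `struct`/`hashlib`), reports the boot-sector MD5 the tool also prints, and gives an OK/Unknown verdict against a baseline hash captured from a clean machine. The sample sectors and baseline hash are constructed here; a "Controlled by rootkit!" bootkit that hides itself can feed a clean copy to reads made from the live OS, so a trustworthy baseline and check are read offline (boot CD) rather than from the infected system.

```python
"""Baseline check of a raw MBR: added example, not the Bootkit Remover's own code."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # code area; 4-byte disk signature follows at 0x1B8
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE      # 0x55 0xAA marks a valid boot sector

def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return hashes plus the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {"sector_md5": hashlib.md5(sector).hexdigest(),
            "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def verdict(sector: bytes, baseline_boot_code_md5: str) -> str:
    """Mirror the tool's OK / Unknown boot code wording using a baseline hash."""
    if parse_mbr(sector)["boot_code_md5"] == baseline_boot_code_md5:
        return "OK (boot code matches baseline)"
    return "Unknown boot code (differs from baseline: bootkit or custom boot manager)"

# Constructed stand-in for standard boot code (not real Windows boot code).
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"

def build_sample_mbr(boot_code: bytes, tamper: bool = False) -> bytes:
    """Constructed sample sector with one bootable NTFS (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    if tamper:
        code = b"\xe9\x00\x01" + code[3:]        # alter the first bytes of the code area
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 77_000_000)
    sector = code + b"\x12\x34\x56\x78" + b"\x00\x00" + entry + b"\x00" * 48 + b"\x55\xaa"
    assert len(sector) == MBR_SIZE
    return sector

# Baseline as it would have been captured from a clean system (constructed here).
BASELINE_BOOT_CODE_MD5 = hashlib.md5(CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()

if __name__ == "__main__":
    for label, sec in (("clean", build_sample_mbr(CLEAN_CODE)),
                       ("modified", build_sample_mbr(CLEAN_CODE, tamper=True))):
        info = parse_mbr(sec)
        print(f"{label}: MD5 {info['sector_md5']} -> {verdict(sec, BASELINE_BOOT_CODE_MD5)}")
```

On a real disk the 512 bytes would come from reading `\\.\PhysicalDrive0` (or the drive image) at offset 0, as administrator.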
  10. mcIrishgurl TechSpot Enthusiast Posts: 134

    Bootkit log

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
  11. mcIrishgurl TechSpot Enthusiast Posts: 134

    Just checking in with you Bobbye to see what's next :)
  12. Bobbye Helper on the Fringe Posts: 16,406   +16

    That log was okay.

    Please give me an update on the system.
  13. mcIrishgurl TechSpot Enthusiast Posts: 134

    Well, we really didn't get to do much together yet if you look back on the previous posts, because of the problems with certain links that didn't work that you asked me to download some things from....but my redirecting issue certainly still exists.... :( So I'm just kinda waiting for further instructions from you.... :)
  14. Bobbye Helper on the Fringe Posts: 16,406   +16

    With the exception of the SDFix link, as the program has apparently been pulled, the other links I gave you were okay. I don't have a clue where the added registry program in DDS came from.

    The Bootcode is fine. The online virus scan was clean.

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    mcirish.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    3. Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    *************************************
    Once you've gotten one of them to run, immediately run

    mcirish.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.
  15. mcIrishgurl TechSpot Enthusiast Posts: 134

    Not sure if the Rkill ran completely because of what the log said, but here it is....then following will be the exeHelper log....trying to do ComboFix now and will post again shortly....

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/21/2011 at 20:11:17.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Documents and Settings\Dawn\My Documents\rkill.scr
    C:\WINDOWS\system32\grpconv.exe


    Rkill completed on 03/21/2011 at 20:11:53.



    exeHelper by Raktor
    Build 20100414
    Run at 20:13:33 on 03/21/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
  16. mcIrishgurl TechSpot Enthusiast Posts: 134

    Hi Bobbye....tried running that ComboFix again like you said after the Rkill and exeHelper, but it still wouldn't execute (not in safe mode or with renaming).....as it did with the other earlier attempt, got a pop up window error-win32 only saying incompatible OS. ComboFix will work for workstations with Windows 2000 and XP up. Then another pop up window opens titled abort, which says interference detected please perform a rootkit scan. Not sure why it won't work, as you had helped me last May or June with a similar redirecting issue and had me run the ComboFix and it ran fine then. I have the same OS now as then, Windows XP Home.

    I said in the previous post, not sure if that Rkill ran completely....but I'm thinking you will know by reading the log....
  17. Bobbye Helper on the Fringe Posts: 16,406   +16

    At this point, I have to recommend you do a reformat/reinstall.

    It appears that you have some 'non-standard' entries in the OS. Example:
    RKill stopped: C:\WINDOWS\system32\grpconv.exe
    This doesn't even belong on the OS you have.

    I think this-and possibly other entries like it-are the reasons the scans aren't working and tell you they won't work on the OS.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
  18. mcIrishgurl TechSpot Enthusiast Posts: 134

    Bobbye.....which do you recommend that I perform of the two options that the link discusses, repair/reinstall or fresh install?
  19. Bobbye Helper on the Fringe Posts: 16,406   +16

    I think the fresh install would be more to your benefit. Be sure to backup whatever you want to save first.

    I hope it will install only what is appropriate for the OS you have. I don't know where the file in question has come from. I'm sorry we couldn't work this through, but the messages were consistent about the 'not for this OS' when you tried to run the scans.
  20. mcIrishgurl TechSpot Enthusiast Posts: 134

    Ok...finally back Bobbye....I did a fresh reinstall and it seems no redirection at this time....is there anything I need to do further or you wish to check to ensure it's all ok, especially since that mysterious \WINDOWS\system32\grpconv.exe appeared prior to the reinstall?

    Also which do you recommend to keep on the PC, superspyware blaster or Malwarebytes?