TechSpot

Google redirect... again

By yinato
Nov 15, 2009
  1. I need help fixing my computer again. The same thing happened to me 6 months ago and I was able to get the problem fixed using this site. I followed the 8 step guide and I've attached the logs. I hope you can help me again.
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Again?

    When/Where were you helped before?

    You are running two Antivirus programs:
    Norton and AVG9

    I personally don't like either of them, but you need to decide on one or the other, and then uninstall the one you don't want
    After uninstalling them you need to run the Removal Tools as well (as both those Antiviruses will not uninstall properly without it)
    AVG Remover: http://www.avg.com/filedir/util/support/avgremover_en.exe
    Norton Removal Tool: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

    Note: my preference is free Avira Antivirus: http://www.free-av.com/
    If you decide to download and install this one, you will need to do a full scan as well (to pick up the things Norton and AVG missed)

    Plus you are best to update Malwarebytes again, and run another quick scan

    After that restart, and provide the new HJT and Malwarebytes log
    And how it's now performing as well

    Edit:
    Also startup HJT straight away and tick these 4: Then select Fix
     
  3. yinato

    yinato TS Rookie Topic Starter Posts: 38

    I don't know exactly when, but I do know that the first time it happened, I came to this website. Anyway, I've uninstalled Norton and have run the removal tool. Here are the logs. Also, thanks for the quick response.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    DOH! I forgot to say run IE Reset

    Try IE Reset Fixit Tool:
    Or manually from here http://www.techspot.com/vb/post682762-2.html
    Then restart Internet Explorer and run through the basic settings


    -------------


    ComboFix Instructions

    Please download ComboFix from HERE or HERE to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:


    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    7. Double click on combo-Fix.exe & follow the prompts.
    8. When finished, it will produce a report for you.
    9. Please attach the Combo-Fix log along with a new HijackThis log for further review. (Note You should Restart first)
    **Note: Do not mouse click combo-fix's window while it's running. That may cause it to stall**

    If you still cannot get this to run, try booting into Safe Mode, and run it there.

    To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

    If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.
    This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


    -------------


    Also why are you not running SP3 ?
     
  5. yinato

    yinato TS Rookie Topic Starter Posts: 38

    IE fixit tool isn't working, and what's SP3? And do I have to run the IE fixit tool before proceeding with combofix?
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes run the "Manual" IE Fix before anything else ;)

    SP3 = Service Pack 3
    Which is an automatic required update by MS for all users to stay safe and have Windows working optimally
    You can read more about SP3 here: http://support.microsoft.com/kb/936929
     
  7. yinato

    yinato TS Rookie Topic Starter Posts: 38

    I can't seem to run it manually. Is it because I'm using IE 6?
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes
    Yes it is ;) lol :D

    IE6 is very old, it's so old that it's outdated now, meaning really we all updated a long time ago :D

    As Windows and IE are not up to date, it's no wonder you are infected
    Not only that, but if you were given support, then the support member definitely would have stated to update (otherwise it wasn't really good)

    We have to do it manually :(

    Please start up HijackThis and do a scan only
    Place a check (tick) next to the following and then select Fix (making sure that IE6 and all other programs are closed first)
    I think I got them all ;)
     
  9. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Thanks, btw, I DID try to upgrade it previously, but then I got the hal.dll error. Give me a few minutes
     
  10. yinato

    yinato TS Rookie Topic Starter Posts: 38

    ok done, so now I just run combofix?
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes :)

    And definitely Restart if Combofix does not do it for you automatically
    After Restart your computer is going to work a heck of a lot better too by the way :)
    The HJT scan and log must be done after Restart

    BUT, we are not finished yet
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I must sign off
    So here are some steps you need to do anyway ;)

    ------------------

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    ------------------

    Uninstall Combofix
    Start > Run > Combofix /Uninstall > ok
    Note: Combofix will look as though it's going to scan again (it won't). It will just uninstall

    ------------------

    You may want to update to a more secure Hosts file
    There's lots of important info on that here: http://www.mvps.org/winhelp2002/hosts.htm
    As it's difficult to see the actual download, here it is: http://www.mvps.org/winhelp2002/hosts.zip
    Important! Windows Vista requires special instructions: http://www.mvps.org/winhelp2002/hostsvista.htm

    Simply download the hosts.zip file, extract, then run mvps.bat, then restart

    ------------------

    Clear system restore points

    • Clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.

    ------------------

    Update Java by clicking here: http://java.com/en/download/installed.jsp?detect=jre&try=1
    Then download and run JavaRa
    This will remove all your old Java stuff (that is not required)

    ------------------

    Restart
    Report how everything is running well :)

    ------------------

    If all seems well, I'd suggest updating to SP3 (but it may be best to uninstall AVG and run the removal tool first > then restart > then update :))
    SP3: http://www.microsoft.com/windows/products/windowsxp/sp3/default.mspx

    ------------------

    Also update to Internet Explorer 8: http://go.microsoft.com/fwlink/?LinkID=142198
     
  13. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Here are the Combofix and HJT logs. I have to go to a lecture for the next few hours. Also, I've done everything but uninstall Combofix and upgrade to IE8
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Seems you have installed AVG8 then AVG9 in the last month
    Is AVG9 the free version?
    If so, as stated above you may want to uninstall it then run the removal tool > then restart. Before updating to SP3

    Also you missed a couple of removals in HJT: (just start HJT and fix those 2)
    You have a file running here: c:\windows\system32\33D654663A.sys
    That does not come up with anything known, I suspect it may be Malware
    Please locate the file and rename it to: 33D654663A.sysOLD

    Then Restart
     
  15. yinato

    yinato TS Rookie Topic Starter Posts: 38

    I installed avg 3 days ago :p thanks for all your help, I'll do it when I get home.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    As stated earlier, I prefer free Avira :)
     
  17. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Okay, I just got back and I've already done everything except for removing AVG
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I suggested removing AVG before updating to SP3

    But presently how does it seem to be running?
     
  19. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Okay, I've removed AVG and reset my computer. I haven't tried searching on Google, as I don't have an antivirus right now (downloading Avira as I type), but my computer is running quickly. Also, I can't seem to get SP3


    ----------------------------

    Just finished downloading Avira, but I keep getting a "Cannot find server" page when I try to download SP3
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That may help
    If not then you may need to provide another HJT log
     
  21. yinato

    yinato TS Rookie Topic Starter Posts: 38

    I'm currently running a virus scan with avira just to make sure that AVG didn't miss anything. I also already downloaded the host files earlier
     
  22. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Okay, I've done everything but upgrade to IE 8 and download SP3, I've attached the HJT log. Do I need to include the Avira virus scan log as well?

    ----
    btw, I want to upgrade to IE 8 at the very end if possible, since the last time I upgraded my IE browser, I had the hal.dll error
     
  23. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Wow... I just tried to use the Google search engine to see if the problem was fixed, and it isn't, but I did find out when this problem last occurred by typing yinato and combofix... it turns out this exact event happened on November 13 last year :dead: ... and I got the virus this year on the 14th
     
  24. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    There is no Malware in your log
    But Symantec (Norton) still persists, plus a couple of others not required

    Start up HJT and run a scan only, place a tick next to the following and then select FIX:
    The following could also be the culprit, but again, they are not Malware as such
    I don't believe they need to be running, or even installed
    You might want to check Add/Remove programs to uninstall it, and/or FIX them in HJT as well:
    So you did do an updated Avira full scan?
    If not then definitely do it, if so (as you already stated) I expect that Avira found something ? to remove, and it did

    Restart

    What is happening now? You stated you are still being redirected?
    Which page exactly is being re-directed? All does look fine at the moment
     
  25. yinato

    yinato TS Rookie Topic Starter Posts: 38

    Here's the log that I got from Avira and a HJT log I just got. I updated Avira as well. Also, I'm still being redirected while using Google. I'm going to reboot my computer now and repost a new log.
    ---------------------------
    I've noticed that Symantec keeps popping up even though I use HJT. I've fixed it 4 times.
     
Topic Status:
Not open for further replies.
