TechSpot

Google Redirect Nightmare

By jcml
Mar 29, 2009
  1. I have had this problem for 1 week and have spent many hours running anti-spyware/virus/malware programs to no avail. I use Firefox on Windows XP. When I click a search result from Google it almost always gets redirected. Also, Firefox frequently dies during searches, and updates to anti-virus programs often freeze. The overall performance of my computer has slowed. I have carefully followed your 8-Step instructions. I sincerely appreciate any help you can provide.

    Jeff Howard
     


  2. Spyder_1386

    Spyder_1386 TS Rookie Posts: 498

    hi jcml

    This Google redirect problem seems to be one of the most frequent posts on here. I'm not sure as to whether a solution has been found yet (this is not one of my strongest troubleshooting areas - err, actually I'm not sure if I do have any strong troubleshooting areas .... but that's for another day) .... Try searching through the forum for related posts and hopefully you'll find something useful.

    Spyder_1386 :)
     
  3. jcml

    jcml TS Rookie Topic Starter

    I have looked through the numerous posts regarding this problem and they all required a deep repair that is well beyond my expertise. That is why I sent the requested logs. Hope someone can help me.
     
  4. touch

    touch TS Rookie Posts: 978

    You have Cssdll32.dll Trojan/Backdoor on your computer, that's probably why you always get redirected.

    There are also remnants from Norton, I'll therefore suggest you run their own Removal Tool (SymNRT); save it to your Desktop.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    Go to your desktop and double click on the removal tool and then click Setup.
    Once open Click Next
    Accept the license agreement and click Next
    Type in the letters/numbers that you see into the text box then click Next.
    Then click Next and the tool will start running.
    Once finished restart the PC and run the tool again to ensure everything has been removed.

    Delete the Norton removal tool from your Desktop.

    Reboot.

    Please download Combofix from:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When finished, it will produce a logfile located at C:\combofix.txt.

    Attach the contents of that log in your next reply
     
  5. jcml

    jcml TS Rookie Topic Starter

    Thanks for your response. I successfully removed the Norton remnants. However, I downloaded Combofix and it will not run. It starts the little Combofix green starting line then promptly dies. I wouldn't be surprised if this virus interferes with it, since it also prevents update downloads for Malware programs. Any suggestions at this point? Thanks!
     
  6. touch

    touch TS Rookie Posts: 978

    See if combofix can run from safe mode ->

    Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

    Select the option for Safe Mode using the arrow keys.
    Then press enter on your keyboard to boot into Safe Mode.
     
  7. jcml

    jcml TS Rookie Topic Starter

    Good idea, but still a no go. This is a dastardly virus. I hope you like a challenge! I have full and utter confidence in you.
     
  8. touch

    touch TS Rookie Posts: 978

    Thank you, and I can't live without challenges :D

    Please download http://oldtimer.geekstogo.com/OTViewIt.exe
    by OldTimer to your desktop.

    Double click on the OTViewIt.exe icon on your desktop.
    Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.

    Click on the Run Scan button.
    Two reports that are located in the same location as OTViewIt will open.
    OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized


    Attach the logs into your next reply.
     
  9. jcml

    jcml TS Rookie Topic Starter

    OTViewIt logs

    OK, here you go.
     
  10. touch

    touch TS Rookie Posts: 978

    A quick question - have you edited the hosts file?

    C:\WINDOWS\System32\drivers\etc\Hosts


    Please download http://jpshortstuff.247fixes.com/FileLook.exe
    by jpshortstuff and save to your Desktop.
    Double-click FileLook.exe to run it.
    Ensure that BBCode Output is checked. Copy and paste everything in the quote box below into the empty textfield under FileLook by...


    Click the FileLook button to start the scan.
    When finished, Notepad will open with the results of the scan in a text file named fl_log.txt which will automatically be saved to the root of your system drive. (Typically C:\fl_log.txt)

    Attach that log
     
  11. jcml

    jcml TS Rookie Topic Starter

    FileLook Log

    No, I have not edited the host file, at least not on purpose (frankly, I wouldn't know how!) Here's the FileLook log. I have to hit the sack, gotta work tomorrow, but look forward to continuing this adventure. Will you be around tomorrow evening? Thanks a million. -Jeff


    FileLook.exe v2.0 by jpshortstuff
    Log created at 01:05 on 01/04/2009
    ==================================
    FileLook - "sued.dat"

    Filename: sued.dat
    Path: C:\WINDOWS\
    MD5: D40BB69179718ED9D0561E2DB6EAC0D0
    Created: 01:34:20 on 29/03/2009
    Modified: 01:47:26 on 29/03/2009
    Size: 36 bytes
    Attributes: Hidden Read-Only
    -------------------------

    ==============================

    =EOF=
     
  12. touch

    touch TS Rookie Posts: 978

    It should be safe to delete - C:\WINDOWS\sued.dat file

    Please open C:\WINDOWS\System32\drivers\etc\Hosts file using Notepad, and check if you have this line in bold:

    127.0.0.1 localhost
    # Start of entries inserted by Spybot - Search & Destroy ?

    Download http://eric.71.mespages.googlepages.com/LopSD.exe
    by Eric_71 and save it to your desktop.
    Lop S&D will only run on Windows XP and Windows Vista

    Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
    Double-click LopSD.exe
    Choose the language by typing the corresponding letter and press Enter
    Click OK at the informative window
    Type 1 to choose Option 1 then press Enter
    Wait until the scan has finished.

    A report will be generated, attach the contents of it in your next reply.
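
The hosts-file check requested in this thread can also be done mechanically. The following is an added example, not part of the thread and not code from any tool named in it: it parses hosts-file text and reports entries that point a search domain at a non-loopback address. The watch list and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: search domains whose override would explain redirected results.
WATCHED = ("google.com", "yahoo.com", "live.com")

# Constructed sample, not the poster's file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\r\n"
    "127.0.0.1       localhost\r\n"
    "# Start of entries inserted by Spybot - Search & Destroy\r\n"
    "127.0.0.1       ads.example.net\r\n"
    "203.0.113.7     www.google.com google.com  # constructed redirect entry\r\n"
    "203.0.113.7     intranet.example.org\r\n"
)

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every active (non-comment) entry."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower() for h in fields[1:]]

def audit_hosts(text):
    """Return (line_no, reason, address, hostname) for entries worth a closer look."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed-address", address, " ".join(names)))
            continue
        # Loopback and 0.0.0.0 mappings only block a name (what immunizers add).
        blocks_only = ip.is_loopback or ip.is_unspecified
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in WATCHED)
            if watched and not blocks_only:
                findings.append((line_no, "search-domain-override", address, name))
            elif name == "localhost" and not ip.is_loopback:
                findings.append((line_no, "localhost-remapped", address, name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine, pass the contents of C:\WINDOWS\System32\drivers\etc\Hosts to `audit_hosts`; an empty result means only that the hosts file is not the redirect mechanism.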
     
  13. jcml

    jcml TS Rookie Topic Starter

    I opened C:\WINDOWS\System32\drivers\etc\Hosts file using Notepad, but [ # Start of entries inserted by Spybot - Search & Destroy ?] was not in bold. The LopSD log is attached. Was I supposed to delete [C:\WINDOWS\sued.dat] file?
     
  14. touch

    touch TS Rookie Posts: 978

    Yes, please delete - C:\WINDOWS\sued.dat

    Run Lop S&D again, using this option -

    Type 2 to choose Option 2 (Fix + Hosts), then press Enter
    Wait until the scan has finished.
    A report will be generated, attach the contents of it in your next reply.


    Right-click on combofix and rename it to mike.exe

    If you can run mike/combofix exe now, please do, and attach the log, along with the Lop S&D log.

    It is possible you'll have to run combofix from safe mode
     
  15. jcml

    jcml TS Rookie Topic Starter

    Renamed ComboFix, still won't run, even in safe mode.
     
  16. touch

    touch TS Rookie Posts: 978

    Hmm :confused:

    1. Start->Run-> Devmgmt.msc ->ok
    On the toolbar, click on View -> "Show hidden devices"

    2. Scroll down and locate Non-plug and Play Drivers
    Click the + sign to expand

    3. Search for “gaopdxcounter”
    More exploits: clbdriver.sys, oUltraf, seneka.sys,

    Right click on it, and select “Disable”

    4. Restart your computer

    5. Confirm 'gaopdxcounter' is disabled. Repeat Step 2-3.
    Cancel to exit.

    Let me know if you found any of them?

    Also, post a fresh hijackthis log using this command ->

    Start-run, type/copy: hijackthis /ihatewhitelists

    It will create a hijackthis log, longer than normal
     
  17. jcml

    jcml TS Rookie Topic Starter

    No luck finding any of those funky files under Non-plug and Play Drivers. Here's the hijack log. Am I driving you nuts yet?
     
  18. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Wow, one of the longest logs I've seen, stacks of things starting with Windows (26.1 KB HJT log!)
    I think, so support can answer you properly, we are best cleaning it up to some respectful measure.

    Please run IE Reset on your System

    Then run WinsockFix

    Then run Startup Control Panel and remove any not required startups: (should be most!) Note I have 1 only and that's my Antivirus

    Restart (probably already done once above already)

    Then download and run SDFix (I'm sorry, but I must refer you to this tutorial on its use, scroll down to "SDFix Instructions")

    Download, and run the "RunThis.bat" in Safe Mode, as advised
    Then attach the log and (after the SDFix scan) a new HJT log
    Oh by the way, it says that it may take 20mins to scan! (Mine took over an hour to complete!)
     
  19. jcml

    jcml TS Rookie Topic Starter

    I use Firefox almost exclusively. Should I still Reset IE?
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    YES


    Edit:

    Oh and your Java is out of control :D

    Update Java
    Run JavaRa
    This will remove all your old Java stuff (that is not required)
    It will also help you check for new Java updates


    Restart again

    Combofix Instructions

    • Download Combofix to your desktop.
    • Rename ComboFix to ComboF
    • Double click ComboF & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
    Make sure to Attach the log to a new reply
     
  21. jcml

    jcml TS Rookie Topic Starter

    Combofix will not run, even when renamed, even in safe mode.
     
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It will after SDFix is run ;)

    Edit:

    In case you come back and say it still doesn't work

    Try this ;)

    Un-install Combofix
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK
    • When shown the disclaimer, Select "2"
    Note #1: One space after ComboFix in that uninstall command
    Note #2: Substitute Combofix for ComboF if renamed, or try both


    Run CCleaner
    Then Restart


    Re-Download Combofix Instructions

    • Download Combofix to your desktop.
    • Rename ComboFix to ComboF
    • Double click ComboF & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    And hopefully we get a log this time :confused:
     
  23. jcml

    jcml TS Rookie Topic Starter

    I proceeded as directed, but...
    Can't get SDFix to run.
    Uninstalled / reinstalled / renamed ComboFix, still won't run.
    This virus is incredibly stubborn and evil.
    Any other ideas?
     
  24. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes :)

    You could remove the Hard drive and mount it in another computer and scan it as a secondary drive.

    Or you can use the UBCD boot CD and scan it with that
     
Topic Status:
Not open for further replies.
