Google redirect

By Karina M
Nov 24, 2008
Topic Status:
Not open for further replies.
  1. Hi,

    Links from google are being redirected to ad sites and various other sites aren't loading at all. I haven't noticed any other symptoms.

    I've run SuperAntiSpyware and HiJack this and attached logs, but I can't get MalwareBytes to run (or uninstall for that matter).

    Any help with this would be hugely appreciated!

    Edit: Have uninstalled MalwareBytes and reinstalled it but it still won't run
    Edit: Managed to get MalwareBytes to run - had to rename the exe file for it. I ran a quickscan and I've attached the log for it. Currently running a full scan. Will attach the log when it has finished. I really hope someone can help with this.
  2. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I see some norton entries and some mcafee entries - I would guess you uninstalled Norton and installed Mcafee? If so you need to run the Norton Removal Tool

    =========================================

    Disable the real time monitoring for your antivirus product - this can normally be done by right clicking it in the system tray and checking or unchecking a box.

    =========================================

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  3. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    That's strange - I uninstalled Norton and used the removal tool about 18 months ago! Ah well, ran it again.

    Ran combofix and HJT again, have attached logs, along with completed log for mbam full scan.

    Google is no longer redirecting either. Hooray! Am I fixed?
  4. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    There is still quite a bit on there, run this program then we can remove the rest manually.

    PrevX CSI: http://www.prevx.com/freescan.asp

    afterwards - click tools and settings -> save scan results -> attach here
  5. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Okay, ran PrevX CSI and it came up clean, didn't find anything. Have attached new combofix log and log for PrevX.

    Edit: Have just realised you didn't ask for a new combofix log. Think my brain is scrambled!
  6. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
  7. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Ok, did as instructed and have attached both logs. Thank you for all of this help by the way - it's really appreciated.
  8. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\windows\system32\iwsnec.dll
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.

    ==============================================

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  9. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    I'm running the Kaspersky online scanner. I can't find the other file you specified though - it doesn't seem to be there.
  10. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    We will get to that after kaspersky scan then. We may have to change the file's attributes for you to be able to see it
  11. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Finally finished the Kaspersky scan! Have attached the log.

    Edit: It's back again! Same symptoms as before. Running mbam again, will post the log when it's done.
    Edit: Found out that my husband was trying to download something he shouldn't have. That's why it's back.
    Edit: Mbam log attached, PrevX also popped up with a virus warning so I've attached the log for that too.
  12. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Update the scanning tools: MBAM & SAS.

    Please observe MBAM log file for the following: "Delete on reboot". A restart of the computer is necessary.

    Scan with MBAM twice. First scan in the quick mode. Check the log. Restart the computer. The final MBAM scan specifying complete mode so as to root-out files/folders related to the infection.

    Scan with other tools that have proven value to you.

    Note to B.D. - pardon my intrusion. I spotted the need to update MBAM.
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Please run Combofix again, it is the exact same files

    attach the log here

    that just set us back a few steps - but once we are all done, you should be asked before the malware is installed. We will get the security to a point where if you are infected again, it will be because you said okay to something.
  14. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Ok, attached combofix log. Nobody will be going near the computer till we've got it sorted now!

    Edit: IE Stopped working properly - Images not loading. Ran mbam and combofix again but it hasn't helped. Have attached the logs.
  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Please update, and run a full scan with MBAM again attaching the fresh log here.

    I would also like to try another free tool from my favorite antivirus company
    Avira AntiRootkit Tool

    After the anti-rootkit scan please click View Report - Save that report to attach here

    I would also like to see a fresh hijackthis log.

    So in your reply I want:
    1) MBAM log
    2) Avira AR log
    3) fresh hijackthis ran after
  16. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Okay, all 3 scans run. I didn't take any action after the rootkit scan except to save the log.
  17. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Good work. It's adding known bad sites to your trusted zone. I suggest you install a free tool called Spyware Blaster when we get you clean to prevent this in the future. You may also consider using an alternative browser to IE, as most malware from surfing is targeted towards the most popular browser.

    ==============================================

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O15 - Trusted Zone: *.antimalwareguard.com
      O15 - Trusted Zone: *.antispyexpert.com
      O15 - Trusted Zone: *.avsystemcare.com
      O15 - Trusted Zone: *.gomyhit.com
      O15 - Trusted Zone: *.onerateld.com
      O15 - Trusted Zone: *.safetydownload.com
      O15 - Trusted Zone: *.spyguardpro.com
      O15 - Trusted Zone: *.storageguardsoft.com
      O15 - Trusted Zone: *.trustedantivirus.com
      O15 - Trusted Zone: *.virusremover2008.com
      O15 - Trusted Zone: *.virusschlacht.com
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    =======================================================

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    ========================================================

    Was Avira Root Kit Detection able to fix the 3 registry entries it found? It doesn't look like it, but was curious.

    =========================================================
    Open Notepad (from accessories)

    copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below into Notepad.

    Code:
    @echo off
    rem Clear the read-only, system and hidden attributes so the two DLLs become visible in Explorer
    ATTRIB -R -S -H c:\windows\system32\iwsnec.dll
    ATTRIB -R -S -H c:\windows\system32\kbmccn.dll
    rem Delete this script (%~f0 is its own full path) and close the command window in one step
    del "%~f0" & exit

    Save it to your desktop as File name: unhidedll.cmd
    Save as type: All Files

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

    ==========================================================

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file c:\windows\system32\iwsnec.dll
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.

    Do the same for c:\windows\system32\kbmccn.dll

    ===========================================================

    After you do this, we have just a few more things to remove, then can clean up and secure the system.
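    The O15 entries above live in the per-user Internet Explorer ZoneMap in the registry. As an added example that is not part of the thread or of any of the tools it uses, this PowerShell (3 or later, run on the affected machine) walks that key and prints every mapped domain in HijackThis-style form so trusted-zone additions can be reviewed before deciding what to remove:

```powershell
# Added example (not from the thread): enumerate the current user's IE ZoneMap and
# print each domain-to-zone mapping in the same shape HijackThis reports O15 lines.
# Assumes the HKCU hive of the logged-on user; zone 2 is "Trusted sites".
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Intranet'; 2 = 'Trusted Zone'; 3 = 'Internet'; 4 = 'Restricted Zone' }

function Get-IeZoneMapEntries {
    param(
        [string]$Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    )
    if (-not (Test-Path -Path $Base)) { return }
    $baseName = (Get-Item -Path $Base).Name
    foreach ($key in Get-ChildItem -Path $Base -Recurse) {
        # Relative key path is 'domain' or 'domain\hostprefix', e.g. 'example.com\*'
        $parts = $key.Name.Substring($baseName.Length + 1) -split '\\'
        $pattern = if ($parts.Count -gt 1) { "$($parts[1]).$($parts[0])" } else { $parts[0] }
        # Each value is named after a scheme (http, https, or '' for any) and holds the zone id
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Pattern = $pattern
                Scheme  = if ($scheme) { $scheme } else { '*' }
                ZoneId  = $zone
                Zone    = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Zone $zone" }
            }
        }
    }
}

# Trusted-zone (2) mappings get IE's relaxed security settings, so they sort to the top.
Get-IeZoneMapEntries |
    Sort-Object ZoneId, Pattern |
    ForEach-Object { 'O15 - {0}: {1} ({2})' -f $_.Zone, $_.Pattern, $_.Scheme }
```

Any Trusted Zone line for a domain the user never added deliberately is a candidate for the HijackThis "Fix Checked" step or the DelO15Domains.inf cleanup above.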
  18. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Did everything except upload files to virustotal - they still aren't showing up, sorry.

    I don't think ARKD did clean anything up. If it did, it certainly didn't tell me about it!
  19. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    When you scan with the ARKD, after the scan does it give you the option to quarantine, in the left panel?
  20. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    Just rescanning now. If it does, I assume I should quarantine them?
  21. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    yes you should. I am just curious as I would like to recommend the program more often.

    If it does, post a fresh hijackthis log - i wanna see if it clears those appinetdll's.

    If not - just let me know
  22. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    It didn't give me the option to quarantine. I'll attach the log just in case you want to see it.
  23. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Sorry for running you around a bit. We will move forward, so you understand what we are up against.

    The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded. As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also. This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability. The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.

    ================================================

    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
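    To see for yourself what the AppInit_DLLs mechanism described above is loading, here is an added PowerShell example (not from the thread, and not part of ComboFix or any other tool mentioned). It reads the AppInit_DLLs value from both the native and the WOW64 copy of the key, resolves each entry the way the loader does (bare names resolve in System32), and reports whether the file is still on disk even when it is hidden, plus its attributes and SHA-256 hash. It assumes PowerShell 4 or later for Get-FileHash:

```powershell
# Added example (not from the thread): report every DLL listed in AppInit_DLLs.
# Assumes PowerShell 4+ (Get-FileHash) running with rights to read HKLM.
function Get-AppInitDlls {
    param(
        # 64-bit Windows keeps a second copy of this key under Wow6432Node for 32-bit processes
        [string[]]$Keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
        )
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $raw = [string]$props.AppInit_DLLs
        # On Vista and later, LoadAppInit_DLLs (DWORD) must be non-zero for the list to be honoured;
        # on XP the value does not exist and the list is always active.
        $enabled = if ($null -ne $props.LoadAppInit_DLLs) { [bool]$props.LoadAppInit_DLLs } else { $true }
        # The value is a space- or comma-separated list; a bare file name resolves in System32.
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = if ([System.IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:SystemRoot "System32\$entry" }
            # -Force makes Get-Item return hidden and system files, which Explorer would not show
            $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key        = $key
                Enabled    = $enabled
                Entry      = $entry
                Path       = $path
                Exists     = [bool]$file
                Attributes = if ($file) { $file.Attributes.ToString() } else { $null }
                Sha256     = if ($file) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

# A DLL that exists with Hidden/System attributes but is invisible in Explorer is the
# situation the thread describes; the hash can be looked up on VirusTotal without uploading.
Get-AppInitDlls | Format-List
```

An empty result with Enabled set to True means nothing is registered through this mechanism, which is what a clean machine should show.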
  24. Karina M

    Karina M Newcomer, in training Topic Starter Posts: 22

    You're not running me around. Believe me, I'm very grateful for the help!

    Logs requested are attached.
  25. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Almost there

    OTMoveit3 by OldTimer
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      
      
    • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.