Google Redirect


wolfbane01

Hi there. It would seem that my laptop has been plagued with the Google Redirect virus and I was hoping someone could help me out with it.

Whenever I do a search in google I get a list of related sites as normal. However, whenever I click on any of the links I am redirected to random sites.

Any help would be great!
 
Welcome to TechSpot, wolfbane. I'll try and help you with the malware.

Question: Why did you run the Eset online scan now?

You need to update the Adobe Reader. You have v6; the current version is v9.xx, and this is a vulnerability for you. Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.

You need to get the Tracking Cookies handled:
Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Your logs are okay. About the redirects:
1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
2. Does a different site load?
3. Does any site load?
4. Are the sites the same/different?
5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
 
Eh, I thought the eset would help.

Anyways, I've reset my cookies and updated the Adobe.

1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
A different site loads, usually some sort of search website

2. Does a different site load?
Yes

3. Does any site load?
Yes, just not the one I want

4. Are the sites the same/different?
They are usually different

5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
Yes I'm sure
 
You have clean logs! You need to uninstall Adobe v6. There is one process running I want to make sure you know about:

C:\WINDOWS\system32\rpcnet.exe >> This is laptop tracking software: Remote Procedure Call from Absolute Software Corp., belonging to Computrace Plus.

Please check this site and make sure it's something you downloaded and want running:
http://www.absolute.com/products/computrace-complete.

Thank you for answering my questions. "Google Redirect" has become the catchall phrase for whenever someone can't get the site they want. I'll have you run Combofix and see if there's anything showing up there:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please attach the Combofix report in your next reply.
 
First off, yes, that is tracking software that I downloaded myself.

Secondly, I followed the instructions for downloading and running Combofix. I started it up and it was going fine until it started to scan. Suddenly I got this popup window that says: 'Combofix has detected the presence of rootkit activity and must reboot' or something like that. I hit OK and then I'm looking at the Blue Screen with the error of BAD_POOL_CALL. I was able to restart my laptop OK, but I'm not sure if you want me to try running Combofix again?
 
Instead of trying to run Combofix again, please do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Paste the log in your next reply.

Please change all of your passwords and monitor any financial activity that you have on the internet. When that or a similar message comes up with Combofix, the malware infection becomes a more serious matter.
 
Alright, here are the three logs you requested. I've also backed up all my important data.
 

Attachments: userinit.txt, explorer.txt, svchost.txt
Nice job with the logs! And a sigh of relief! And it's better that you were backed up, just in case!

I'd like you to uninstall the copy of Combofix first. Then I'd like you to check the Event Viewer to see if there is any Error corresponding to the BSOD Bad Pool Call message:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Start> Run> type in eventvwr

Do this on each of the System and Application logs:
1. Click to open the log.
2. Look for the Error.
3. Right click on the Error > Properties.
4. Click on the Copy button, top right, below the down arrow.
5. Paste here (Ctrl V).
6. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with the same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded. Check the computer clock.
Depending on what I see, I may refer you to the Windows OS forum.
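The Event Viewer triage the helper asks for above (Errors only, inside a date window, one copy per recurring Error with the same Source, ID and Description, and the hex Data block left out) as an added Python example; this is not part of the original thread and not a TechSpot tool. The SAMPLE text is constructed in the layout Windows XP produces when you click Copy in an event's Properties, with the User, Category and Computer lines omitted for brevity and one filler Warning record made up for the example.

```python
"""Triage pasted Windows XP Event Viewer text the way the thread asks: Errors
only, inside the dates around the BSOD, hex 'Data:' block dropped, one copy per
recurring Error. Added example; SAMPLE is constructed (not from a real machine)."""
import re
from datetime import datetime
# Header fields Event Viewer emits before the Description block.
FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time"
                      r"|User|Computer):\s*(.*)$")

SAMPLE = """Event Type: Error
Event Source: Ftdisk
Event ID: 49
Date: 12/31/2009
Time: 11:41:04 AM
Description:
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 56 00 ......V.

Event Type: Error
Event Source: Ftdisk
Event ID: 45
Date: 12/31/2009
Time: 11:41:04 AM
Description:
The system could not successfully load the crash dump driver.

Event Type: Error
Event Source: Ftdisk
Event ID: 49
Date: 1/2/2010
Time: 9:03:10 AM
Description:
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

Event Type: Warning
Event Source: Print
Event ID: 20
Date: 1/1/2010
Time: 2:00:00 PM
Description:
Constructed filler Warning; the helper said Warnings can be ignored.

Event Type: Error
Event Source: Application Hang
Event ID: 1002
Date: 12/20/2009
Time: 6:08:48 PM
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""
# The poster's window: 12/31 through 1/2 (assumed bounds for the example).
START, END = datetime(2009, 12, 31), datetime(2010, 1, 2, 23, 59, 59)

def parse_events(text):
    """One dict per record (a record starts at 'Event Type:'); the Description runs
    from 'Description:' to the 'For more information' footer or the hex 'Data:' block."""
    events, cur, in_desc = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Event Type:"):
            cur, in_desc = {"Description": ""}, False
            events.append(cur)
        if cur is None:
            continue                      # stray text before the first record
        m = FIELD_RE.match(line)
        if m and not in_desc:
            cur[m.group(1)] = m.group(2).strip()
        elif line == "Description:":
            in_desc = True
        elif in_desc and line.startswith(("For more information", "Data:")):
            in_desc = False               # footer and hex dump are not wanted
        elif in_desc and line:
            cur["Description"] = (cur["Description"] + " " + line).strip()
    return events

def errors_between(events, start, end):
    """Error records only (Warnings/Information ignored), time-stamped within [start, end]."""
    kept = []
    for e in events:
        when = datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %I:%M:%S %p")
        if e.get("Event Type") == "Error" and start <= when <= end:
            kept.append(dict(e, When=when))
    return kept

def dedupe(events):
    """One copy per (Source, Event ID, Description), counting how often it recurred."""
    seen = {}
    for e in events:
        key = (e.get("Event Source"), e.get("Event ID"), e["Description"])
        seen.setdefault(key, dict(e, Count=0))["Count"] += 1
    return list(seen.values())

def summarize(text, start, end):
    """What to paste back to the helper: 'Source ID xCount: Description' per distinct Error."""
    return [f"{e['Event Source']} {e['Event ID']} x{e['Count']}: {e['Description']}"
            for e in dedupe(errors_between(parse_events(text), start, end))]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE, START, END)))
```

Run it on the text you copied out of eventvwr instead of SAMPLE; the Warning and the out-of-window Application Hang record drop out, and the two Ftdisk 49 records collapse into one line with a repeat count, which is exactly the one-copy-per-recurring-Error form requested above.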
 
Okies, Combofix has been uninstalled. Here are the errors. I couldn't remember when I tried running Combofix, sometime between 12/31 and 1/2, so I just listed the errors during that time period:

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 1/1/2010
Time: 6:08:48 PM
User: N/A
Computer: EMILY
Description:
Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 38 re.exe 8
0020: 2e 30 2e 36 30 30 31 2e .0.6001.
0028: 31 38 37 30 32 20 69 6e 18702 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000
Event Type: Error
Event Source: Ftdisk
Event Category: None
Event ID: 49
Date: 12/31/2009
Time: 11:41:04 AM
User: N/A
Computer: EMILY
Description:
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 56 00 ......V.
0008: 00 00 00 00 31 00 04 c0 ....1..À
0010: 03 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
Event Type: Error
Event Source: Ftdisk
Event Category: None
Event ID: 45
Date: 12/31/2009
Time: 11:41:04 AM
User: N/A
Computer: EMILY
Description:
The system could not sucessfully load the crash dump driver.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 56 00 ......V.
0008: 00 00 00 00 2d 00 04 c0 ....-..À
0010: 0a 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
 
Ok... let's see if this works. I've tried to post the results twice now but I keep getting the message that I need to wait for authorization from a mod...

Anyway, I uninstalled Combofix with no problem. I couldn't remember the exact date that I got the BSOD so I posted the errors I found over a few days.
 

Attachments: errors.txt
Nice job! I'm going to have to check and see if they changed the allowed number of characters. Sorry about that.

See Cause and Resolution for Event 8 from Microsoft:
1. Make sure your DNS is set up properly.
2. Make sure the account you are requesting with has the authority to request certificates through the Certification Authority.

Event Type:Error, Event Source:crypt32, Event ID:8
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

The following 2 Events go together: either the pagefile.sys needs to be increased to hold the Memory.dump file, or you can prevent the Memory.dump file.

Instructions for both HERE
Event Type:Error, Event Source Ftdisk, Event ID:49
Description:Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

Event Type:Error, Event Source:Ftdisk, Event ID:45
Description:The system could not successfully load the crash dump driver.
 
Ok, I've followed the directions to fix the errors. I've also noticed that Google is no longer redirecting. I think it happened after I tried running combofix, but how do I tell if I'm still infected?
 
Sorry- I got behind and am trying to catch up. Since you handled the Errors and you noticed a difference after you ran Combofix, I'd like you to run it again and attach the report.

Then run the Eset online scanner to be sure we didn't miss anything. Attach that log. If clean, I'll have you remove the cleaning tools and old restore points.
 
Don't worry about it. I've been rather busy myself.

Combofix actually ran all the way through this time, so I attached that log as well as the ESET.
 

Attachments: combofix.txt, log.txt
Combofix is still finding malware. Please rescan with HijackThis and leave a new log. I think the Shockwave Updater has been busy and we need to fix that.

Eset log is clean.
 