TechSpot

Google Redirect

By wolfbane01
Dec 28, 2009
  1. Hi there. It would seem that my laptop has been plagued with the Google Redirect virus and I was hoping someone could help me out with it.

    Whenever I do a search in google I get a list of related sites as normal. However, whenever I click on any of the links I am redirected to random sites.

    Any help would be great!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, wolfbane. I'll try and help you with the malware.

    Question: Why did you run the Eset online scan now?

    You need to update the Adobe Reader. You have v6; the current version is v9.xx, and this is a vulnerability for you. Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.

    You need to get the Tracking Cookies handled:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    Your logs are okay. About the redirects:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
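The five questions above separate a real search hijack from a DNS outage, but once the answers point to a hijack the next thing to look at is where a redirect can be planted without touching the browser's own code. The following script is an added example (not from the thread or from TechSpot) that audits the two classic spots on a Windows client: the hosts file and Internet Explorer's proxy/PAC settings. The registry path and the value names ProxyEnable, ProxyServer and AutoConfigURL are the real IE ones; WATCHED_DOMAINS, SAMPLE_HOSTS and SAMPLE_PROXY are constructed for the demo and are assumptions, not data from the poster's machine.

```python
"""Redirect triage for a Windows client: hosts file and IE proxy settings.

Added example; not part of the TechSpot thread. WATCHED_DOMAINS and the
sample data are constructed for the demo. The registry path and value
names for Internet Explorer's proxy settings are the real ones.
"""
import os

# Assumption: a home laptop has no legitimate reason to pin these names.
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "microsoft.com",
                   "windowsupdate.com", "eset.com")

IE_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def audit_hosts(text):
    """A stock Windows hosts file maps only 'localhost'; report everything else.

    Entries for watched domains are 'high'; other additions are 'review'
    (the owner may have added a NAS or a test host on purpose).
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        hit = any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)
        findings.append({"address": addr, "host": name,
                         "severity": "high" if hit else "review"})
    return findings


def audit_ie_proxy(values):
    """Flag IE settings that reroute every request without touching DNS.

    `values` maps value names under HKCU\\...\\Internet Settings to their data.
    A PAC script (AutoConfigURL) can send only search traffic to a proxy,
    which looks exactly like the 'links go to the wrong site' symptom.
    """
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append("ProxyEnable=1, ProxyServer=%s" % values["ProxyServer"])
    if values.get("AutoConfigURL"):
        findings.append("AutoConfigURL=%s" % values["AutoConfigURL"])
    return findings


def read_live_state():
    """Collect the real hosts file and IE proxy values; Windows only."""
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                              "system32", "drivers", "etc", "hosts")
    with open(hosts_path, "r", errors="replace") as f:
        hosts_text = f.read()
    import winreg  # only present on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_SETTINGS_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return hosts_text, values


# Constructed sample input (not from the thread): two redirect-style entries
# plus one benign addition; 203.0.113.0/24 is the documentation range.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
203.0.113.7     www.google.com google.com
203.0.113.7     update.microsoft.com
10.0.0.5        fileserver   # NAS the owner added
"""
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8118",
                "AutoConfigURL": "http://203.0.113.7/proxy.pac"}

if __name__ == "__main__":
    if os.name == "nt":
        hosts_text, proxy_values = read_live_state()
    else:
        hosts_text, proxy_values = SAMPLE_HOSTS, SAMPLE_PROXY
    for f in audit_hosts(hosts_text):
        print("hosts  [%s] %s -> %s" % (f["severity"], f["host"], f["address"]))
    for f in audit_ie_proxy(proxy_values):
        print("proxy  [high] %s" % f)
```

On a non-Windows machine the script runs against the constructed sample; on Windows it reads the live hosts file and the current user's IE proxy values. A clean hosts file and no proxy/PAC entries do not rule out a hijack (a DNS-changer or a browser add-on would not show up here), but a hit in either place explains the symptom on its own.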
     
  3. wolfbane01

    wolfbane01 TS Rookie Topic Starter

    Eh, I thought the eset would help.

    Anyways, I've reset my cookies and updated the Adobe.

    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    A different site loads, usually some sort of search website

    2. Does a different site load?
    Yes

    3. Does any site load?
    Yes, just not the one I want

    4. Are the sites the same/different?
    They are usually different

    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
    Yes I'm sure
     
  4. Bobbye

    You have clean logs! You need to uninstall Adobe v6. There is one process running I want to make sure you know about:

    C:\WINDOWS\system32\rpcnet.exe>> This is laptop tracking software: Remote Procedure Call from Absolute Software Corp., belonging to Computrace Plus.

    Please check this site and make sure it's something you downloaded and want running:
    http://www.absolute.com/products/computrace-complete.

    Thank you for answering my questions. "Google Redirect" has become the catchall phrase for whenever someone can't get the site they want. I'll have you run Combofix and see if there's anything showing up there:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Please attach the Combofix report in your next reply.
     
  5. wolfbane01

    First off, yes, that is tracking software that I downloaded myself.

    Secondly, I followed the instructions for downloading and running Combofix. I started it up and it was going fine until it started to scan. Suddenly I get this popup window that says: 'Combofix has detected the presence of rootkit activity and must reboot' or something like that. I hit OK and then I'm looking at the Blue Screen with the error BAD_POOL_CALL. I was able to restart my laptop OK, but I'm not sure if you want me to try running Combofix again?
     
  6. Bobbye

    Instead of trying to run Combofix again, please do the following:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Paste the log in your next reply.

    Please change all of your passwords and monitor any financial activity that you have on the internet. When that or a similar message comes up with Combofix, the malware infection becomes a more serious matter.
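Uploading userinit.exe, explorer.exe and svchost.exe to a multi-engine scanner answers "is this a known bad file"; it does not answer "has this file changed". The script below is an added example (not code from the thread or from TechSpot) of the complementary check a practitioner would run: hash the three binaries and compare them to a baseline, and validate the Winlogon Userinit and Shell values, which are the usual way a tampered userinit.exe or an extra loader gets started at every logon. The Winlogon registry path and value names are real; the baseline in demo() is built from constructed stand-in files, and any real comparison needs a baseline taken from a known-good machine at the same service pack and hotfix level. Hashes read on a live system that a kernel-mode rootkit controls may not reflect what is on disk, so an offline scan is the authoritative check when Combofix reports rootkit activity.

```python
"""Integrity checks for the binaries a helper would upload for scanning.

Added example, not code from the thread or from TechSpot. Hash comparison
needs a baseline taken from a known-good machine at the same service pack
and hotfix level; the baseline here is generated inside demo() from
constructed files. The Winlogon registry path and value names are real.
"""
import hashlib
import os
import tempfile

# Paths relative to %SystemRoot%, as named in the thread.
SYSTEM_BINARIES = ("system32\\userinit.exe", "explorer.exe", "system32\\svchost.exe")
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_system_binaries(system_root):
    """Hash each entry of SYSTEM_BINARIES under system_root (native separators)."""
    return {rel: sha256_file(os.path.join(system_root, *rel.split("\\")))
            for rel in SYSTEM_BINARIES}


def compare_to_baseline(current, baseline):
    """Names whose hash differs from, or is missing in, the baseline."""
    return sorted(name for name, digest in current.items()
                  if baseline.get(name) != digest)


def audit_userinit(value, system_root="C:\\WINDOWS"):
    """Check the Winlogon 'Userinit' value, which runs at every logon.

    Stock XP data is 'C:\\WINDOWS\\system32\\userinit.exe,' (note the trailing
    comma). Malware appends its own loader after the comma, or replaces the
    path, so anything other than the single real path is reported.
    """
    expected = (system_root + "\\system32\\userinit.exe").lower()
    programs = [p.strip().lower() for p in value.split(",") if p.strip()]
    issues = []
    if expected not in programs:
        issues.append("real userinit.exe missing: %r" % value)
    issues.extend("extra program: %s" % p for p in programs if p != expected)
    return issues


def audit_shell(value):
    """Winlogon 'Shell' should be exactly Explorer.exe on a workstation."""
    return [] if value.strip().lower() == "explorer.exe" else ["Shell=%r" % value]


def read_winlogon():
    """Read the live Userinit and Shell values; Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return {n: winreg.QueryValueEx(key, n)[0] for n in ("Userinit", "Shell")}


def demo():
    """Constructed demo: fake binaries, baseline, then a 16-byte patch to one."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SYSTEM_BINARIES:
            path = os.path.join(root, *rel.split("\\"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"MZ constructed stand-in for " + rel.encode())
        baseline = hash_system_binaries(root)
        with open(os.path.join(root, "system32", "userinit.exe"), "ab") as f:
            f.write(b"\x90" * 16)  # simulated in-place patch
        return compare_to_baseline(hash_system_binaries(root), baseline)


if __name__ == "__main__":
    print("changed since baseline:", demo())
    if os.name == "nt":
        live = read_winlogon()
        print("Userinit issues:", audit_userinit(live["Userinit"], os.environ["SystemRoot"]))
        print("Shell issues:", audit_shell(live["Shell"]))
```

The second Userinit value in the test below (a loader under Documents and Settings) is a constructed illustration of the pattern, not a sample from the poster's machine. For the live check, hash_system_binaries(os.environ["SystemRoot"]) gives the current digests; what to compare them against has to come from a clean reference install.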
     
  7. wolfbane01

    Alright, here are the three logs you requested. I've also backed up all my important data.
     

  8. Bobbye

    Nice job with the logs! And a sigh of relief! And it's better that you were backed up, in case!

    I'd like you to uninstall the copy of Combofix first. Then I'd like you to check the Event Viewer to see if there is any Error corresponding to the BSOD Bad Pool Call message:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Start> Run> type in eventvwr

    Do this on each the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow>
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    Errors are time coded. Check the computer clock.
    Depending on what I see, I may refer you to the Windows OS forum.
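The Event Viewer procedure above produces one text block per event, and the notes amount to a filter: Errors only, drop the hex data under the Description, and post one copy per recurring Error. The script below is an added example (not code from the thread or from TechSpot) that applies exactly those rules to the plain-text format the Copy button produces, which is the layout of the events pasted later in this thread. SAMPLE_DUMP is constructed for the demo: it reuses the Ftdisk 49 and crypt32 8 descriptions that appear in the thread and adds a made-up Warning and a duplicate Error to exercise the filter.

```python
"""Parse Event Viewer text dumps and apply the helper's posting rules.

Added example; not code from the thread. It reads the plain-text format
the Event Viewer 'Copy' button produces, keeps Errors only, drops the hex
Data block and the help URL, and keeps one copy per
(Source, ID, Description). SAMPLE_DUMP is constructed.
"""
import re

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID"
                      r"|Date|Time|User|Computer):\s*(.*)$")


def parse_event_dump(text):
    """Return a list of dicts, one per 'Event Type:' block."""
    events, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "Event Type":
                current = {"Description": ""}
                events.append(current)
            if current is not None:
                current[key] = val
            in_desc = False
            continue
        if current is None:
            continue
        if line == "Description:":
            in_desc = True
        elif line == "Data:" or line.startswith("For more information"):
            in_desc = False  # the hex dump and the help URL add nothing
        elif in_desc and line:
            current["Description"] = (current["Description"] + " " + line).strip()
    return events


def triage(events):
    """Errors only, and one copy per (Source, ID, Description)."""
    seen, kept = set(), []
    for ev in events:
        if ev.get("Event Type") != "Error":
            continue
        key = (ev.get("Event Source"), ev.get("Event ID"), ev["Description"])
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def format_for_post(events):
    """Compact header plus description, the form the helper uses in her replies."""
    return "\n\n".join(
        "Event Type:%s, Event Source:%s, Event ID:%s\nDescription: %s"
        % (ev.get("Event Type"), ev.get("Event Source"), ev.get("Event ID"),
           ev["Description"]) for ev in events)


# Constructed sample dump: a real-looking Error, a Warning to discard, the same
# Error two days later, and a second distinct Error.
SAMPLE_DUMP = """\
Event Type: Error
Event Source: Ftdisk
Event Category: None
Event ID: 49
Date: 12/31/2009
Time: 11:41:04 AM
User: N/A
Computer: EMILY
Description:
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 56 00 ......V.
0008: 00 00 00 00 31 00 04 c0 ....1..

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 36
Date: 12/31/2009
Time: 11:42:00 AM
User: N/A
Computer: EMILY
Description:
(constructed) Time service warning that the helper says to ignore.

Event Type: Error
Event Source: Ftdisk
Event Category: None
Event ID: 49
Date: 1/2/2010
Time: 9:15:10 AM
User: N/A
Computer: EMILY
Description:
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

Event Type: Error
Event Source: crypt32
Event Category: None
Event ID: 8
Date: 1/1/2010
Time: 6:10:00 PM
User: N/A
Computer: EMILY
Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.
"""

if __name__ == "__main__":
    print(format_for_post(triage(parse_event_dump(SAMPLE_DUMP))))
```

Paste a saved Event Viewer dump into SAMPLE_DUMP's place (or read it from a file) and the output is the deduplicated Error list in the compact form used in post 11, without the hex Data lines that make a forum post hit the character limit.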
     
  9. wolfbane01

    Okies, Combofix has been uninstalled. Here are the errors. I couldn't remember when I tried running Combofix, sometime between 12/31 and 1/2, so I just listed the errors during that time period:

    Event Type: Error
    Event Source: Application Hang
    Event Category: (101)
    Event ID: 1002
    Date: 1/1/2010
    Time: 6:08:48 PM
    User: N/A
    Computer: EMILY
    Description:
    Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 41 70 70 6c 69 63 61 74 Applicat
    0008: 69 6f 6e 20 48 61 6e 67 ion Hang
    0010: 20 20 69 65 78 70 6c 6f iexplo
    0018: 72 65 2e 65 78 65 20 38 re.exe 8
    0020: 2e 30 2e 36 30 30 31 2e .0.6001.
    0028: 31 38 37 30 32 20 69 6e 18702 in
    0030: 20 68 75 6e 67 61 70 70 hungapp
    0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
    0040: 20 61 74 20 6f 66 66 73 at offs
    0048: 65 74 20 30 30 30 30 30 et 00000
    0050: 30 30 30 000




    Event Type: Error
    Event Source: Ftdisk
    Event Category: None
    Event ID: 49
    Date: 12/31/2009
    Time: 11:41:04 AM
    User: N/A
    Computer: EMILY
    Description:
    Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 01 00 56 00 ......V.
    0008: 00 00 00 00 31 00 04 c0 ....1..À
    0010: 03 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........




    Event Type: Error
    Event Source: Ftdisk
    Event Category: None
    Event ID: 45
    Date: 12/31/2009
    Time: 11:41:04 AM
    User: N/A
    Computer: EMILY
    Description:
    The system could not sucessfully load the crash dump driver.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 01 00 56 00 ......V.
    0008: 00 00 00 00 2d 00 04 c0 ....-..À
    0010: 0a 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........
     
  10. wolfbane01

    Ok... let's see if this works. I've tried to post the results twice now but I keep getting the message that I need to wait for authorization from a mod...

    Anyway, I uninstalled Combofix with no problem. I couldn't remember the exact date that I got the BSOD so I posted the errors I found over a few days.
     

  11. Bobbye

    Nice job! I'm going to have to check and see if they changed the allowed number of characters. Sorry about that.

    See Cause and Resolution for Event 8 from Microsoft:
    1. Make sure your DNS is set up properly.
    2. Make sure the account you are requesting with has the authority to request certificates through the Certification Authority.

    Event Type:Error, Event Source:crypt32, Event ID:8
    Description:
    Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

    The following 2 Events go together: either the pagefile.sys needs to be increased to hold the Memory.dump file, or you can prevent the Memory.dump file.

    Instructions for both HERE
    Event Type:Error, Event Source Ftdisk, Event ID:49
    Description:Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

    Event Type:Error, Event Source:Ftdisk, Event ID:45
    Description:The system could not successfully load the crash dump driver.
     
  12. wolfbane01

    Ok, I've followed the directions to fix the errors. I've also noticed that Google is no longer redirecting. I think it happened after I tried running combofix, but how do I tell if I'm still infected?
     
  13. Bobbye

    Sorry- I got behind and am trying to catch up. Since you handled the Errors and you noticed a difference after you ran Combofix, I'd like you to run it again and attach the report.

    Then run the Eset online scanner to be sure we didn't miss anything. Attach that log. If clean, I'll have you remove the cleaning tools and old restore points.
     
  14. wolfbane01

    Don't worry about it. I've been rather busy myself.

    Combofix actually ran all the way through this time, so I attached that log as well as the ESET.
     

  15. Bobbye

    Combofix is still finding malware. Please rescan with HijackThis and leave a new log. I think the Shockwave Updater has been busy and we need to fix that.

    Eset log is clean.
     
  16. wolfbane01

    Ok, here is the Hijackthis scan.
     

Topic Status:
Not open for further replies.
