Google redirect

By prybar3
Feb 7, 2010
Topic Status:
Not open for further replies.
  1. When I do a Google search, I get redirected to search sites such as info.com, informationgetter.com, on one web.com, address.com, etc. I did the 8 Steps to no avail. I'm fresh to forums, so I hope I've done this right.


    Just like the Colts, I took a wrong turn and missed step #3. However, I corrected my direction and am posting the current set of logs. Very sorry.

  2. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Per your instructions, please find attached the ComboFix log and a new HijackThis log. Thanks in advance.

  4. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::

    MBR::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  5. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Broni, please dumb this down for me. Where do I get the "KillAll" and the "MBR" codes from?
  6. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Please find the attached logs as requested. Thanks.

  7. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Please, say again...
  8. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Please see post #6. Sorry for the confusion.
  9. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    How is the redirection issue, and what browser is getting redirected?

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
  10. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Redirection issue same as before. I just did a search for "2010 Saturn"; Google presented me with search results; I clicked on "2010 Saturn", www.kbb.com. That took me to http://hotjobs.yahoo.com (Crazy, isn't it?). I am using IE 8 version 8.0.6001.18702. Please find the mbr log you requested.

    Attached Files: mbr.log (195 bytes)
  11. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Which browser is getting redirected?


    Looks good :)


    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =====================================================================

    Download Kenco.exe to your desktop.
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).
  12. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Please find the Kenco log attached.

  13. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
  14. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Please find attached the RootRepeal report.

  15. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Looks good too...

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  16. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    The OTL.txt is 42714 characters, too long to post here. Is adding it as an attachment OK?

    Attached Files: OTL.Txt (83.4 KB)
  17. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    The OTL "Extras.txt" is 19686 characters long. Is adding it as an attachment OK?

  18. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    1. Please download The Avenger to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:

    • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply
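    The Avenger step above swaps the in-use atapi.sys for the untouched copy under ServicePackFiles\i386, and the earlier OTL scan hashed the same family of storage drivers. The script below, an added example that is not from this thread or from any of the tools mentioned in it, automates that comparison: it MD5-hashes each listed driver in the live drivers directory and in the ServicePackFiles reference directory and reports which ones differ (a patched driver) and which could not be compared. The directory layout, driver bytes and the shortened driver list are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Subset of the driver names from the OTL /md5start ... /md5stop list in this thread.
DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys"]


def md5_of(path):
    """Return the hex MD5 of a file, or None if the file does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_patched_drivers(live_dir, reference_dir, names=DRIVERS):
    """Compare each driver in the live drivers directory (system32/drivers) with the
    ServicePackFiles/i386 copy. Returns (patched, missing): names whose hashes differ,
    and names absent on either side so they are not mistaken for a clean match."""
    patched, missing = [], []
    for name in names:
        live = md5_of(os.path.join(live_dir, name))
        ref = md5_of(os.path.join(reference_dir, name))
        if live is None or ref is None:
            missing.append(name)
        elif live != ref:
            patched.append(name)
    return patched, missing


def demo():
    """Constructed sample tree (hypothetical contents, not real driver images)."""
    root = tempfile.mkdtemp()
    live, ref = os.path.join(root, "drivers"), os.path.join(root, "i386")
    os.makedirs(live)
    os.makedirs(ref)
    clean = b"MZ constructed clean atapi image"
    for d in (live, ref):                       # AGP440.sys identical on both sides
        with open(os.path.join(d, "AGP440.sys"), "wb") as f:
            f.write(b"MZ constructed agp440 image")
    with open(os.path.join(ref, "atapi.sys"), "wb") as f:
        f.write(clean)
    with open(os.path.join(live, "atapi.sys"), "wb") as f:
        f.write(clean + b" modified")           # simulates an altered in-place driver
    return find_patched_drivers(live, ref)


if __name__ == "__main__":
    print(demo())
```

On a real machine the two directories would be C:\WINDOWS\system32\drivers and C:\WINDOWS\ServicePackFiles\i386; a mismatch only says the files differ, so confirm against the vendor's known-good hash before replacing anything.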
  19. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\WINDOWS\ServicePackFiles\i386\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
  20. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Check for redirection, please.
  21. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Checked several searches. About 7 out of 10 are redirected. Where do we go from here? Once again, thanks for all the trouble.
  22. Broni

    Broni Malware Annihilator Posts: 45,217   +243

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      [2010/01/28 18:09:25 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  23. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Please find the OTL log attached.

    Attached Files: OTL.Txt (71.5 KB)
  24. Broni

    Broni Malware Annihilator Posts: 45,217   +243

  25. prybar3

    prybar3 Newcomer, in training Topic Starter Posts: 21

    Broni, I just ran 15 Google searches and got directed to the correct page each and every time. Looks like the problem is solved. I know it's been a tough fight (at least for me) and I want to say I really appreciate the way you stayed with it. My first time on a "forum" and it's been a good experience. Thank you so very, very much. Just one last thing: I have lost connection to the network printer somehow during this process. I'll work on that later, however, since it's 2:30 am here. Thanks again.