TechSpot

Google redirecting links help please

By ara002
Oct 31, 2009
  1. Google and yahoo on both internet explorer and firefox are redirecting my links. No virus scan or spyware scans detect anything. Occasionally, AVG will say they detect a threat but they cannot heal them or remove them. Please help me.
     
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

  3. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    Completed 8 steps, here are the attachments...

    The three logs are attached. Please help! thanks
     
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    How is your computer running after the 8 steps?

    Some suspicious things in the hijackthis log, but depending on the redirecting, they may be okay:
    "R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local"
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)"
    "O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)"


    You need IE8 for this scan. Use Windows Update to get IE8 and any other Windows Updates that might be there:
    ESET Online Scanner

    Run the scan and report any findings
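The two rules Tmagic650 applies to the HijackThis log above (an `R1` ProxyOverride entry worth questioning, and `O2` BHO registrations that point at a missing file) can be turned into a small triage script. The following is an added example, not code from the thread or from the HijackThis project: it parses HijackThis-style log lines and flags the same things, and it additionally flags `R1` ProxyServer/AutoConfigURL values and `O17` NameServer entries, which are assumptions extending the thread's two rules to other settings that can produce browser redirects. The sample log is constructed (the two flagged entries from the thread, plus a benign BHO, a proxy line and a DNS line using documentation addresses).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log. The ProxyOverride and "(no file)" BHO lines mirror the
# thread; the remaining lines are illustrative and use placeholder values.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R1 - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-INTERFACE-GUID}: NameServer = 192.0.2.10,192.0.2.11
"""


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "R1", "O2", "O17"
    line: str     # the raw log line that was flagged
    reason: str   # why a reviewer should look at it


# "<section> - <rest>", where section is a letter followed by one or two digits
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# O2 payload: "BHO: <name> - {CLSID} - <path or '(no file)'>"
BHO_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# R1 payload: "<registry key>,<value name> = <data>"
R1_LINE = re.compile(r"^(?P<key>HK\w+\\.*?),(?P<value>\w+) = (?P<data>.*)$")


def triage_hjt(text: str) -> list[Finding]:
    """Return the log lines a reviewer should question, with a reason for each."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # not a HijackThis entry (blank line, header, etc.)
        section, rest = m.group("section"), m.group("rest")

        if section == "R1":
            r = R1_LINE.match(rest)
            if r and r.group("value") == "ProxyOverride":
                findings.append(Finding(section, line,
                    f"ProxyOverride is {r.group('data')!r}; confirm it was set deliberately"))
            elif r and r.group("value") in ("ProxyServer", "AutoConfigURL"):
                findings.append(Finding(section, line,
                    f"{r.group('value')} is {r.group('data')!r}; an unexpected proxy "
                    "can route every browser request through a third party"))

        elif section == "O2":
            b = BHO_LINE.match(rest)
            if b and b.group("path") == "(no file)":
                findings.append(Finding(section, line,
                    "BHO registration points at a missing file (orphaned entry, safe to remove)"))

        elif section == "O17" and "NameServer" in rest:
            findings.append(Finding(section, line,
                "Explicit DNS servers configured; compare against the ones your ISP/DHCP issues"))

    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that are not flagged are simply not reported; the script is a first-pass filter to decide which lines deserve a closer look, not a verdict on whether the machine is clean.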
     
  5. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    still redirects

    After I completed the 8 steps, it still redirects. What should I do about those files you mentioned? Here is the ESET scanner log attached. And after this it still is redirecting.
     
  6. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    eset scanner log

    I forgot to attach this in the last reply.
     
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    Go ahead and delete the hijackthis lines I posted... I know the (no file) entries are not going to affect the redirect, but the .local line might affect the redirect. If you still suffer with the redirect, we will have to take a more aggressive cleaning approach
     
  8. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    still redirecting
     
  9. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    So a more aggressive cleaning approach is headed your way ;)
     
  10. kritius

    kritius TS Guru Posts: 2,087

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  11. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    Here is the combo fix log

    Here it is. Thanks for all your help.
     

     
  12. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    Are you running good now?
     
  13. kritius

    kritius TS Guru Posts: 2,087

    Go to Start, then Run, and type cmd

    cd\
    c:\mbr.exe -t
    c:\mbr.log

    A log file (c:\mbr.log) will open. Post the contents of it to your reply
     
  14. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    seems to be working

    Everything seems to be back to normal and the redirecting appears to have stopped. Should I still post that log? Also, is it necessary to keep this Superantispyware? I had Ad-Aware already and have always used Lavasoft. Just want to know if that's OK to use in you guys' opinion? Also, should I continue to use AVG or is there something better out there for free you can recommend? My last question is regarding firewalls (I don't really know anything about them). Should I use one of the free ones offered online or does the Windows firewall work well enough by itself? Thank you guys so much for your help. I really appreciate this.
     
  15. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    Ad-Aware is outdated and obsolete now... delete Superantispyware and try Advanced SystemCare Free, CCleaner and switch to free Avast or Avira for your antivirus software. Keep up with the Windows Updates and run your antispyware/antimalware software often, to control those nasty cookies
     
  16. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    OK thank you for the advice. My only other question is about the redirecting problem I had. Was that a big deal? It seems as if it is not an uncommon problem based on all the forums and discussions I stumbled upon online. Could anything have been compromised on my computer or could have been viewed by anyone else?
     
  17. kritius

    kritius TS Guru Posts: 2,087

    post the log I asked for
     
  18. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
    kernel: MBR read successfully
    user & kernel MBR OK
     
  19. kritius

    kritius TS Guru Posts: 2,087

    Good, no more modified hooks present.

    Post a fresh HijackThis log.
     
  20. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    Here is the new hjt log. Also, can someone address my question from a couple posts above regarding whether or not the redirecting was serious or not and if it compromised anything on my computer. Thanks!
     
  21. kritius

    kritius TS Guru Posts: 2,087

    Your HJT log is clean.

    It was a pretty serious infection, one of the most annoying doing the rounds at the minute. It takes one of the disk controllers for your system, in your case iastor.sys, and infects it so that it takes control on boot and was causing redirects.

    Nothing is ever guaranteed when it comes to infections, what I can say is that the steps I have asked you to run have removed the infection, confirmed that it is no longer present and now we will see if anything else is remaining.

    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply.
    Upgrading Java:
    • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 16.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Make sure the C:\Program Files\JAVA folder is removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")
     
  22. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    Here is the Kaspersky online log.
     


  23. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    A rootkit virus... nasty indeed
     
  24. ara002

    ara002 TS Rookie Topic Starter Posts: 26

    so what can be done about that? is it taken care of?
     
  25. Tmagic650

    Tmagic650 TS Ambassador Posts: 21,065   +169

    You may have to run Combofix, but you have to do it very carefully, following the instructions to the letter
     