Google results links are redirected

Status
Not open for further replies.

gregm

Hi,
I am working on a PC that has had a few problems. I have removed a bunch of malware but can't solve the last nagging problem.
When I do a google search, the results are successfully displayed. If I then click on one of the results, instead of going to that page, IE goes to searchmeup4.com. Sometimes it just goes to the main search page for searchmeup4.com, other times it bounces on to another page that is related to the original search topic, but not the results page that I clicked on.

I have done the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" and found a few extra infections that were then removed but the problem remains.

I have attached the required logs.

I'd love to get this sorted.

Regards,
Greg
 
Wow that CA Internet Security Suite, has 13 startup entries in your HJT log, that would really slow down Windows
And you got infected anyway! Before starting any work on this infected computer of yours, are you going to keep CA Internet Security Suite?
Because if so, then I might leave it for the next support member to help you, as I'd think > Why?

I prefer Free Avira Antivirus myself
 
Thanks Ronell, but these online scans are not to be fully trusted
Not only that, but it implies that the member can just start removing bad stuff. Whereas by doing this without guidance their computer may not even start again!

Also have a read here: Special governing rules for the Virus & Malware removal board
Whilst we appreciate anyone supplying support, they must be able to read the logs themselves (and not just upload it to get auto-scanned)
 
Kimsland,
We will (unfortunately?) be staying with CA for the time being at least. This computer belongs to a client of mine who has 6 computers, all running CA and they have a multi-licence for CA.
To date I have had my suspicions about the value of CA but am yet to be able to state a good enough case to cause them to change their protection. Being a fairly large commercial entity, they are happy to pay for a professional level product and not just rely on a free product (which usually does not encourage use by commercial entities anyway).
Having said that, I will certainly look at Avira for the possible use of some other not-so-commercial clients.

Greg
 
If you even get 1 Malware stated then CA couldn't be all that good

Kimsland,
I'm not actually defending CA in this, but I don't necessarily agree with you. The 8-step process uses multiple products to resolve malware problems. This in itself implies that a single product probably can't do everything. I don't believe that there is an AV product that can detect and block every threat. Obviously some are better than others, and most are only as good as the latest update.
But no matter what product you use, if a brand new threat appears it could potentially still get thru, before the latest update has been written to block it. If this occurs and a rootkit or stealth virus infects the system, then the protection can be compromised and let in any number of other malware.
I think this is probably what has happened to this system. There were a couple of little things with CA the other day that didn't seem quite right. I tried to tidy CA up and couldn't do it. So I had to use their on-line support and ended up having to uninstall/reinstall CA. It was then that CA picked up more infections.
I'm not convinced that this cannot happen to any number of anti-malware products out there. I've seen similar things with systems protected with several different products.
Still, if the overheads are high and the product proves to be not as secure as some, then I can probably swing the client to a different product. But I would really need to be sure of the new product first, otherwise if they got another infection I would be in a very awkward position!

(...just getting off the soap box ...)

Talk with you soon and hopefully make some further progress with the problem at hand.

Regards,
Greg
 
I agree

Anyway, I still believe the online scan is a good idea at this point
It's irrespective if it finds anything that all users should then change their AV product, of which they shouldn't
But it will be interesting anyway ;)
 
The on-line scan is underway. It took a while to get started because it timed-out a few times. I've got it going now and will post back when I have any results.
By the way, I did a Trend Micro on-line scan yesterday and it turned up nothing.

Greg
 
Before replying back (I thought I'd better check the log :cool: )

Start HJT Scan Only
Close all Internet browsers, and stop or close any active programs
Select all the O1 entries, then select FIX
O1 - Hosts: 89.149.210.109 www.google.com
O1 - Hosts: 89.149.210.109 www.google.de
O1 - Hosts: 89.149.210.109 www.google.fr
O1 - Hosts: 89.149.210.109 www.google.co.uk
O1 - Hosts: 89.149.210.109 www.google.com.br
O1 - Hosts: 89.149.210.109 www.google.it
O1 - Hosts: 89.149.210.109 www.google.es
O1 - Hosts: 89.149.210.109 www.google.co.jp
O1 - Hosts: 89.149.210.109 www.google.com.mx
O1 - Hosts: 89.149.210.109 www.google.ca
O1 - Hosts: 89.149.210.109 www.google.com.au
O1 - Hosts: 89.149.210.109 www.google.nl
O1 - Hosts: 89.149.210.109 www.google.co.za
O1 - Hosts: 89.149.210.109 www.google.be
O1 - Hosts: 89.149.210.109 www.google.gr
O1 - Hosts: 89.149.210.109 www.google.at
O1 - Hosts: 89.149.210.109 www.google.se
O1 - Hosts: 89.149.210.109 www.google.ch
O1 - Hosts: 89.149.210.109 www.google.pt
O1 - Hosts: 89.149.210.109 www.google.dk
O1 - Hosts: 89.149.210.109 www.google.fi
O1 - Hosts: 89.149.210.109 www.google.ie
O1 - Hosts: 89.149.210.109 www.google.no
O1 - Hosts: 89.149.210.109 search.yahoo.com
O1 - Hosts: 89.149.210.109 us.search.yahoo.com
O1 - Hosts: 89.149.210.109 uk.search.yahoo.com
Close HJT

Combofix:
  • Download Combofix to your desktop.
  • Disable your Antivirus (as Combofix will remove any found malware)
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here
Also restart again, and provide a fresh HJT Scan log

3 logs required (if you include the online scan, but maybe don't bother if you ran one yesterday ;))
Therefore 2 log attachments required
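
The O1 entries listed in the post above show a hosts-file hijack: many search hostnames pinned to one non-loopback address. The following check is an added example, not part of the original post or of HijackThis; the `WATCHED` brand list and the sample lines are assumptions constructed for illustration. It accepts either HJT `O1 - Hosts:` lines or raw hosts-file lines.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in HijackThis "O1" format; the IP and search names mirror the thread.
SAMPLE_LOG = """\
O1 - Hosts: 89.149.210.109 www.google.com
O1 - Hosts: 89.149.210.109 www.google.co.uk
O1 - Hosts: 89.149.210.109 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.5 intranet.example.local
O1 - Hosts: 0.0.0.0 ads.example.net
"""

# Assumption: brand labels whose hosts-file overrides are treated as suspicious.
WATCHED = ("google", "yahoo", "bing")

# Optional HJT prefix, then "<ip> <hostname>" as in a raw hosts file.
LINE_RE = re.compile(r"^(?:O1 - Hosts:\s*)?(\S+)\s+(\S+)")

def parse_entries(text):
    """Yield (ip, hostname) from HJT O1 lines or raw hosts-file lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop hosts-file comments
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                          # not an address: skip the line
        yield ip, m.group(2).lower()

def find_hijacks(text):
    """Return {ip: [hostnames]} for watched names pinned to a non-loopback address."""
    hits = defaultdict(list)
    for ip, host in parse_entries(text):
        # 127.0.0.1 / 0.0.0.0 entries are typical blocking sinks, not redirects.
        if ip.is_loopback or ip.is_unspecified:
            continue
        if any(brand in host.split(".") for brand in WATCHED):
            hits[str(ip)].append(host)
    return dict(hits)

if __name__ == "__main__":
    for ip, hosts in find_hijacks(SAMPLE_LOG).items():
        print(f"{ip}: {len(hosts)} search hostnames overridden -> {hosts}")
```

Any hit means the hosts file should be restored and the machine scanned for whatever wrote the entries, since the file is only the symptom.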
 
Hmmm...interesting.

I did do the eset on-line scan and it picked up just 1 infection: win32/Qhost trojan, which it cleaned automatically.

I ran HJT again and there were no O1 entries at all this time - not sure what changed but I've attached the new log.

Ran combofix and it wanted to install the recovery console, so I let it. It didn't seem to find anything I don't think, but again, the log is attached.

I've checked google again and YIPPEE!! the problem appears to be gone now!

So I guess that all might now be good at this end, but if you have any further advice I'd be pleased to hear it.

Thx heaps for your assistance.

Regards,
Greg

PS. While I was collecting the attachments just now, CA has just detected another infection and cleaned it. Could there still be something going on behind the scenes?
 
Un-install Combofix
  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command



Uninstall SUPERAntispyware
Start > Control Panel > Add/Remove Programs > SUPERAntispyware > Uninstall



Update Java and remove older Java versions
Run JavaRa
This will remove all your old Java stuff (that is not required)
It will also help you check for new Java Runtime updates
Or just go here and auto check: http://java.com/en/download/installed.jsp?detect=jre&try=1



Download and run TFC http://oldtimer.geekstogo.com/TFC.exe
Your computer may need to Restart



Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK


Restart, and let me know how it's performing
 
Ok, I've done all that. In the midst of it CA realtime scanning detected another infected file. It was infected with 'Win32/SillyDI.PRR' which is one that has popped up a lot over the last few days. It was in a 'system restore' folder and I have now cleared the system restore cache again, so it is probably ok. The thing that concerns me is that the last time I cleared the system restore cache was yesterday after I thought it was pretty clean again. So where does that leave me?
BTW the original problem (google redirection) has not reappeared at all.
 
Sometimes Users forget to press "Apply" after removing the tick on "Turn off System Restore on all drives"
The other option is that you have somehow been infected again, but unsure how it passed by CA in the first place (?)
Who knows, but I believe it's ok still (well now it is)

Also thanks for the update
 
Ok. Thanks for your help. I guess this thread can be closed.
I really appreciate you seeing me thru this.
Best regards,
Greg
 