Google search links being redirected

By yavmagic
Mar 2, 2009
Topic Status:
Not open for further replies.
  1. The links from Google searches are being redirected in both Explorer and Opera.
    I went through the 8 steps in Malware removal and saved the log files. The Antispyware only found 1 Adware and removed it but did not save a log.
    I am attaching the Malware and HijackThis logs for review.

    I did remove some items found in the HijackThis scan before sending this log.
    I've attached an additional text file with the removed items listed.

    I was not certain enough about the remaining items that the scan found to remove without recommendations.

    I appreciate your help with this problem.
    Thanks
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You do have entries that need to be removed. However, I would like you to update then run Malwarebytes again, run a new scan with Superantispyware, then rescan with HijackThis.

    Don't do any removals yet. Attach all three new logs.

    Some should not have been removed.
  3. yavmagic

    yavmagic Newcomer, in training Topic Starter

    New Log Files

    Hi Bobby,

    Some of the items from the HijackThis were actually not removed but changed dll files to default settings. I've attached a text file listing the files I allowed it to change, not remove.

    The update said I have the latest version of Malwarebytes.
    I also have the latest versions of the other two software.

    I ran the following scans again:
    Malwarebytes (it found no additional threats from the ones removed earlier)
    SuperAntiSpyware (found 7 instead of 2 earlier)
    HijackThis
    I've attached the logs from all three scans.

    I quarantined the Adware threats found with the spyware but it wants me to reboot to complete the process. I'd rather wait until I have cleaned everything off to reboot if it's ok. I know some of these nasties can reappear on reboot if not fully removed. I'll wait until I hear from you to do anything.

    Thanks for the help.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I tried doing this yesterday but had a computer problem. This reply isn't as clear as I'd like, but do what you can. When through, rescan with HijackThis, attach new log.
    Mbam clean.
    For Tracking Cookies in SAS:
    Reset Cookies:
    Special Cookie handling:
    Reboot when told.

    Update Java:
    Update Adobe:
    Uninstall many previous versions of the Adobe Reader.

    To stop the Java QuickStarter:
    Start> Run> services.msc> right click on the Java QuickStart> Properties> Change the Startup type to Disabled.

    The above will handle some of the text files you mentioned. You do not need the Java or Adobe 02BHO Toolbars. But it looks like you shut down more than the Spybot teatimer. To do this:
    SPYBOT TEATIMER
    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    NOTE: if you have set up a homepage to open with blank screen, okay to leave this entry. If not, it is malware.
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    To stop the automatic Java update checker, do this:
    Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> answer YES when asked to confirm.
    NOTE: the first time you do a boot into Normal Mode, you will get a nag message that can be ignored and closed after checking 'don't show this message again.' Stay in Selective Startup.

    C:\Program Files\NSNetMon\netmon.exe
    netmon.exe is a process which is registered as a mass-mailing worm. "This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment." The worm has its own SMTP mailing engine which means it gathers E-mails from your local computer and re-distributes itself. "In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data." This process is a security risk and should be removed from your system.

    Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Rescan with HijackThis and attach new log.
  5. yavmagic

    yavmagic Newcomer, in training Topic Starter

    New Hijackthis log - still getting redirects

    Hello,

    No problem, I know how computer problems can eat up time.
    I appreciate the help.

    I did everything on the list and I'm still getting the redirects.
    The redirect always starts with a 20x.xxx.xx.xx/x/?= (with the "x" being different numbers) and ends with a long string of gibberish. I don't ever go to any site, I get a failure to connect message or the browser window shuts down.
    I noticed this is happening in Google, Yahoo and MSN searches. I've been working around it by copying the URL from the search list and pasting it in a blank window.

    The log will show the blankpage startup since I like my browser to open with a blank page. I can remove this if necessary.

    I don't think the netmon.exe is the virus one.
    We've been using this for years to monitor our internet connection and network speed. It came highly recommended by our satellite dish installer. I uninstalled it anyways.

    Thanks again.
  6. yavmagic

    yavmagic Newcomer, in training Topic Starter

    Correction...The search links are working properly

    Hello again,

    I just tried the search again and the links seem to be working properly all of a sudden. I'm not sure what did the trick but it seems to have worked.

    Is there anything else I need to do or undo?

    Thanks again for all your help.

    Yvonne
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Yvonne, I am sorry for the delay. Sometimes a simple reboot will solve a problem. You might have just done that.

    The blank page is okay if you set it. No need to change. Follow the updates I suggested in reply #4. I would also suggest updating and running Malwarebytes once more to make sure all the Antivirus XP 2008 entries were removed.

    Follow with new HijackThis scan, attach both logs. If clean, we'll remove the cleaning programs and old System Restore points.