TechSpot

Google search results redirected

By rbuxton1
Nov 11, 2008
Topic Status:
Not open for further replies.
  1. I am experiencing a problem with Google search results being intermittently redirected to various other search pages. I have tried running Ad-Aware and SpybotSD, but the problem is still there. I am attaching a HIJT log. I will appreciate any help I can get. View attachment 37566
  2. rf6647

    rf6647 TS Maniac Posts: 931

    Follow the 8-step malware removal guide

    Post 3 logs. This gives us a common view of your complaint.

    Google redirection covers a wide spectrum of infections or just a simple reset of IE settings.

    MBAM will know how to classify this HJT finding
    O20 - Winlogon Notify: c009432E - C:\WINDOWS\SYSTEM32\c009432E.mat

    Failure to access sites for tools from the guide, may require access via this site:
    download dot com
  3. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    Hi,
    Thank you for your time and your interest in my problem. Since posting, and prior to receiving your reply, I had started on the 8 step procedure. When I ran MalWareBytes Anti-Malware, it detected and removed several Trojans. This apparently solved the Google redirection. However, when I ran MBAM again, it kept finding Trojans (eg. Files Infected:
    C:\System Volume Information\_restore{A34FB7E6-F555-47EF-8E2F-102C4B8C02A7}\RP719\A0069168.sys (Trojan.Downloader) -> Quarantined and deleted successfully.) I turned off System Restore, ran MBAM again, and turned System Restore back on. This time I got a clean run.
    Thank you in advance for any advice you can give.
    Rhon
  4. rf6647

    rf6647 TS Maniac Posts: 931

    I am still troubled by
    O20 - Winlogon Notify: c009432E - C:\WINDOWS\

    It appears to have been touched by one of the tools. Do you have any knowledge of this finding?

    If any of the MBAM / SAS logs contain any of the following
    TDSS*, brastk*, karna* , MS Juan , MS Track System

    then I recommend ComboFix - instructions courtesy of Blind Dragon
  5. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    Thanks for your concern.
    I appended the MBAM logs together and searched for the text strings you mentioned. I couldn't find any of them.
    I have at some point run the ComboFix program and saved the log.
    The log contains a reference to the item that's troubling you.

    - - - - ORPHANS REMOVED - - - -

    Notify-c009432E - (no file)

    I am attaching the log for your information.
    I will appreciate any further help that you can give.
    Rhon
  6. rf6647

    rf6647 TS Maniac Posts: 931

    Unfortunately I don't "speak" combofix. Another specialist volunteered to review the log. He is on the other side of the world. His day is just beginning.

    ComboFix precedes the HJT log. It is unusual that ComboFix removed orphan file but left the Registry with a changed value. Normally ComboFix cleans things up left hanging from the other tools.

    Thanks for your patience with me. Since you feel things are better, I wish you happy computing. The follow-on from the specialist should confirm your feelings. I'm just trying to be thorough.
  7. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    I appreciate your care and your patience with me. I would not like to think that something bad is lurking in my system. For the time being I am using my laptop for financial transactions. I will look forward to hearing from your colleague.
    Thanks again.
    Rhon
  8. momok

    momok TS Rookie Posts: 2,272

    These are the following Combofix/CFScript instructions.

    1. Open notepad and copy/paste the text in the quote box below into it:

    2. Save this as "CFScript.txt" on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

    Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
  9. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    Hi Momok,
    When ComboFix started up, it tried to download a newer version but was unable to do so. Here are the logs from that run.
    Thanks for your help.

    Rhon
  10. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    Momok,
    I have run Combofix again with your script. This time with the latest version and with SAV turned off. I am attaching the logs from this second run.
    Thanks,
    Rhon

  11. momok

    momok TS Rookie Posts: 2,272

    Please fix these in HJT and post a fresh log thereafter.

    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
    O20 - Winlogon Notify: c009432E - C:\WINDOWS\

    Thanks
     
  12. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    Momok,
    I ran HJT and checked the items that you recommended. After the fix, I continued with a scan from within HJT which showed the items gone. Then I rebooted my system and again ran HJT. This time the Items appear to be back. I am sending both logs.
    Should I run HJT with System Restore turned off?
    Thanks,
    Rhon

  13. rf6647

    rf6647 TS Maniac Posts: 931

    Here is a random idea.

    Theory: An existing application, brought back an optional setting. employing an icon
    Action: Visit taskbar notification section; hover over icons; make note of void in the line up or new icon
    Action: visit 'customize notifications'
    taskbar > right click unused section > properties > customize > review list

    The Trick: match icons to applications. no other info available at this level

    Working the problem in this backwards fashion takes a lot of guess work.
  14. momok

    momok TS Rookie Posts: 2,272

    Hi,
    The problem in HJT bewilders me. Could you post a MBAM and SAS log for review?
  15. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    Hi momok,
    Since my last post, I tried fixing the four items you suggested with HJT and System Restore turned off. They were gone when I rescanned with HJT, but they came back when I rebooted (as you probably expected). I found two references to the O20 Winlogon Notify item on my system. One was a file
    C:\Qoobox\Quaranteen\Registry-Backups\Notify-c009432E
    This directory was apparently created by Combofix.
    The other reference was the Winlogon Notify registry entry. I deleted the entry with Regedit and the item no longer shows up in HJT logs.
    I thought about removing all references to Shockwave from the registry, but I don't really understand the relationship between it and Adobe Flash. I don't understand why objects keep returning after being 'fixed' by HJT. Maybe you can make a recommendation. In the meantime I will run MBAM and AVG as you suggested.
    Thanks for your continued help.
    Rhon
  16. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    momok,
    I ran MBAM and SAS as you suggested and am attaching the logs. Also attaching another HJT log.
    Thanks for continuing with this.
    Rhon
  17. momok

    momok TS Rookie Posts: 2,272

    Fix these in HJT:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

    Apart from that problem seems to be gone =)
  18. rbuxton1

    rbuxton1 TS Rookie Topic Starter

    Google redirection problem

    momok,
    I have fixed the items you recommended.
    Thanks for all your help.
    Rhon
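
Added example, not part of the original thread and not code from HijackThis or ComboFix: a small Python triage helper for the situation in posts 12 to 17, where entries fixed in HJT showed up again in a later log. It parses the O16 and O20 line shapes quoted above, reports which fixed entries are present again, and labels an O20 target as an orphan or a non-DLL file. The sample logs are constructed from the lines quoted in posts 11 and 17, and the ".dll" check is a heuristic assumption.

```python
import re

# Line shapes as quoted in this thread:
#   O20 - Winlogon Notify: <name> - <target path>
#   O16 - DPF: {CLSID} (<optional label>) - <source URL>
O20_RE = re.compile(r"^\s*O20 - Winlogon Notify: (\S+) - (.*)$")
O16_RE = re.compile(r"^\s*O16 - DPF: (\{[0-9A-Fa-f-]{36}\})")

def parse_entries(log_text):
    """Map a stable key (section + name/CLSID) to the detail HJT printed."""
    entries = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            entries["O20:" + m.group(1).lower()] = m.group(2).strip()
            continue
        m = O16_RE.match(line)
        if m:
            entries["O16:" + m.group(1).upper()] = line.strip()
    return entries

def classify_o20(target):
    """Heuristic (assumption): notify packages are DLLs, so flag anything else."""
    t = target.strip().lower()
    if not t or t.endswith("\\") or t == "(no file)":
        return "orphan"             # registry entry left behind, file gone
    if not t.endswith(".dll"):
        return "unusual-extension"  # e.g. the .mat target in the first log
    return "dll"

def reappeared(fixed_log, later_log):
    """Keys that were selected for fixing and are present in a later log."""
    fixed, later = parse_entries(fixed_log), parse_entries(later_log)
    return sorted(k for k in fixed if k in later)

# Constructed sample input: the items listed in post 11 ...
FIXED = r"""
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: c009432E - C:\WINDOWS\
"""
# ... and the items still listed in post 17 (also constructed).
LATER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
"""

if __name__ == "__main__":
    for key in reappeared(FIXED, LATER):
        print("still present after fix:", key)
```
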