TechSpot

IE google search results being redirected?

By liambower
Dec 20, 2009
  1. Hi

    I'm having a problem with Internet Explorer: every time I do a Google search, the links that Google brings up all link to different sites with random advertisements. The problem is only in Internet Explorer; Firefox works fine, but I'd still want any malware to be removed.

    I've tried running a virus scan using avast! but this returned no results.
    I've tried running SUPERAntiSpyware and SpywareBlaster but both didn't find anything.
    I've read on various forums etc. that using HijackThis can identify it, but I've got no idea what I'm doing with it. I've attached my HijackThis log file.

    Any help will be much appreciated.
    Thanks
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot Liam. If you would like us to review the system for malware, please follow the steps HERE.

    When you have finished, attach all 3 logs in your next reply.

    Since you question a Google Redirect, I'd like you to describe what's happening:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
     
  3. liambower

    liambower TS Rookie Topic Starter

    I have followed all of the steps on that list.
    I have attached my three log files.

    In answer to your questions:
    1. When I type in Google (including the Google toolbar) it will do a search as normal. It will display a list of results as normal.
    2. When you click on one of the links it does not load the intended site. It is redirected to another site with ads relating to what I was searching.
    3. A site will always load but it is never the site I was looking for.
    4. The sites are always different.
    5. Yes, I am sure. It is displaying a webpage but not the correct one.

    Thanks for taking time to help.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry to have to make you run through a 'redirect' list, but it helps me.

    The logs are clean- doesn't mean there is no malware- just that these programs haven't picked it up. There is one entry in the HJT log I'd like you to remove. The entry is for the Realtek HD Audio Data Rerouter. This executable comes with Realtek soundcard driver. It is a legitimate file but shouldn't be running from a temp folder.

    Please reopen HijackThis to 'do system scan only' and check this entry:

    C:\DOCUME~1\Laim\LOCALS~1\Temp\RtkBtMnt.exe

    Close all Windows except HijackThis and check "Fix Checked."

    Let's dig a bit deeper:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please include Combofix report and Eset log in your next reply.
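
The check applied above to the RtkBtMnt.exe entry (a program launching from a temp folder), as an added Python example that is not part of the original thread: it scans HijackThis-style log text for executable paths that sit under a temp directory. The sample log is constructed; only the RtkBtMnt.exe path comes from the thread, and the other names are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Folder names that mark a temp location. "tempor~1" is the 8.3 short form of
# "Temporary Internet Files"; the thread's path uses short names in this way.
TEMP_DIR_NAMES = {"temp", "tmp", "temporary internet files", "tempor~1"}

# A drive-rooted path ending in an executable extension, quoted or bare.
PATH_RE = re.compile(
    r'(?<![A-Za-z])[A-Za-z]:\\[^"<>|\r\n]*?\.(?:exe|dll|scr|bat|com)\b', re.I
)

def temp_executables(log_text):
    """Return (line_number, path) for each executable path under a temp folder."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for path in PATH_RE.findall(line):
            # Look only at the folders between the drive root and the file
            # name, so a file that is merely *named* temp.exe is not flagged.
            folders = [p.lower() for p in PureWindowsPath(path).parts[1:-1]]
            if any(f in TEMP_DIR_NAMES for f in folders):
                hits.append((lineno, path))
    return hits

# Constructed sample in HijackThis layout (process list plus O4 autorun lines).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Example\app.exe
C:\DOCUME~1\Laim\LOCALS~1\Temp\RtkBtMnt.exe
O4 - HKLM\..\Run: [app] C:\PROGRA~1\Example\app.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Laim\Local Settings\Temp\upd.exe" /s
"""

if __name__ == "__main__":
    for lineno, path in temp_executables(SAMPLE_LOG):
        print(f"line {lineno}: runs from a temp folder: {path}")
```

A hit is a prompt to look closer rather than a verdict: installers legitimately unpack to temp folders, but a program that is still running or set to auto-start from there deserves a second look.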
     
  5. liambower

    liambower TS Rookie Topic Starter

    I have removed the entry from the HijackThis log.

    I ran the ComboFix program and it said it had found evidence of a rootkit on my computer. I think it has removed it and Google is now functioning properly.

    I have still attached the logs for you to see if there is anything else that could have been causing problems on my computer.

    I would like to thank you, you have been a great help to me.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There are 2 copies of the Combofix report, but no log for the Eset scan. If you ran it, please include the log in your next reply. If you didn't run it, please do so now.
     
  7. liambower

    liambower TS Rookie Topic Starter

    Sorry about that, I did run the scanner but it found 0 threats.

    I have attached the log file.

    Thanks for the help
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You are running IE8. Did you recently install this version? Did the problem begin after you installed IE8? Is IE8 set as the default browser or is it Firefox?
     
  9. liambower

    liambower TS Rookie Topic Starter

    I've had Internet Explorer 8 for a while. I can't remember the exact time I updated it; it was quite a while ago. It was all working fine for a while after it was updated. Internet Explorer was set as the default browser.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Liam, you should check this: On 12/06/2009, you went through BitTorrent for a download (Bad!) Other related entries are ubi.com, U3- It appears to be a game site. You downloaded something to your documents & settings> looks like an application. Please do a date search in your computer as follows:

    Start> Search> All Files & Folders> Navigate to lower section of Search> Leave the 'Look in' set to Local Hard Drive> Click on the right arrow point to "When was it Modified"> Enter date 12/06/2009> Search.

    When you locate whatever you got, please delete or uninstall it.

    Bit Torrent is a P2P or 'file sharing' program. P2P Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall XXXXXXX for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
     
  11. liambower

    liambower TS Rookie Topic Starter

    Hi, I'm not entirely sure what I should be looking for (or what date; I'm in the UK, so I wasn't sure if you mean the 12th of June 2009 or December 6th 2009?).

    Regarding the BitTorrent P2P program, I have previously uninstalled it as it was part of that list of steps that you gave me to run through (however, there may be some traces of it, folder directories etc.?).

    You mentioned some other entries relating to Ubi.com; these were automatically put here after installing a game. And the U3 is another trusted program that I have installed.

    Sorry for any inconvenience with this, you're a great help.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Date is December 6, 2009.
    There's also a transaction using uTorrent on the same date:
    2009-12-06 13:51 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\BitTorrent
    2009-12-06 13:51 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\BitTorrent

    Combofix made the following 2 deletions:
    c:\documents and settings\HelpAssistant\Application Data\inst.exe
    c:\documents and settings\Laim\Application Data\inst.exe


    Because of the great amount of activity on Dec. 6, 2009, which included HelpAssistant & Application, I'm trying to pin down the source where you got the malware.
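
The date correlation described above, as an added Python example that is not part of the original thread: it parses listing lines in the layout quoted in the post and groups them by day and by user profile, so a burst of activity such as the one on 2009-12-06 stands out. Only the first sample line comes from the thread; the other lines, and the assumption that a file's size appears as plain digits, are constructed.

```python
import re
from collections import defaultdict

# One listing line as quoted in the post: date, time, size (dashes for a
# directory), 8 attribute flags, path. Digits for a file size are an assumption.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>-+|\d+)\s+(?P<attrs>[a-z-]{8}) (?P<path>[A-Za-z]:\\.+)$"
)
# The profile folder directly below "Documents and Settings" (Windows XP layout).
PROFILE_RE = re.compile(r"\\documents and settings\\([^\\]+)\\", re.I)

def activity_by_date(listing):
    """Map date -> {profile: [(time, path), ...]} for every parsable line."""
    days = defaultdict(lambda: defaultdict(list))
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, other report sections
        owner = PROFILE_RE.search(m["path"])
        profile = owner.group(1) if owner else "(system)"
        days[m["date"]][profile].append((m["time"], m["path"]))
    return days

def busiest_day(days):
    """Return the date with the most created or modified entries."""
    return max(days, key=lambda d: sum(len(v) for v in days[d].values()))

# First line is from the thread; the remaining lines are constructed.
SAMPLE = r"""
2009-12-06 13:51 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\BitTorrent
2009-12-06 13:52 -------- d-----w- c:\documents and settings\Laim\Application Data\ExampleGame
2009-12-06 13:55 40960 ----a-w- c:\windows\system32\example.dll
2009-11-30 09:10 -------- d-----w- c:\program files\ExampleTool
"""

if __name__ == "__main__":
    days = activity_by_date(SAMPLE)
    day = busiest_day(days)
    print(day, "profiles touched:", sorted(days[day]))
```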
     
  13. Spatzile

    Spatzile TS Rookie

    Same Problem

    Hi
    I am having the same problem, would you be able to fix mine?
    Attached I have my Logfile from Hijackthis, Malwarebytes' Anti-Malware and SUPERAntiSpyware.
    Thanks
    :)
     

  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Spatzile, please start your own thread. Copy your symptoms and put the logs on it.


    This thread is for the use of member liambower only. If you have a malware problem, please follow the steps in the Preliminary Virus and Malware Removal thread first.

    Start a new thread to post your problem and attach your logs.
     
Topic Status:
Not open for further replies.

