TechSpot

Need help with a persistent Google redirect!

By crfloyd
May 26, 2010
  1. I am experiencing a very annoying Google redirect that I cannot seem to get rid of. I have attached the requested logs. Please help in any way you can!
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Which browser is getting redirected?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" .
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    My primary browser is Firefox, but I have also had Google redirected within Internet Explorer. Attached is my ComboFix log. Thank you for the help!
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\apikndssĀ¤.exe
    c:\windows\System32\apikndss.exe
    c:\windows\System32\apikndss(.exe
    c:\users\Floyds\AppData\Local\Temp\geurge.exe
    c:\users\Floyds\AppData\Local\Temp\k8p14819.exe
    c:\users\Floyds\AppData\Local\Temp\md22uhi.dll
    c:\windows\system32\net.net
    c:\windows\system32\msfdjgqe.dll
    c:\windows\system32\drivers\zhfwhvvrqafuy1.sys
    
    
    Folder::
    c:\users\Floyds\AppData\Roaming\.#
    c:\programdata\61606625
    
    
    RenV::
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\Logitech\GamePanel Software\lgdevagt .exe
    c:\program files\Logitech\GamePanel Software\G-series Software\lgdcore .exe
    c:\program files\Logitech\GamePanel Software\LCD Manager\lcdmon .exe
    c:\program files\Realtek\Audio\HDA\rthdvcpl .exe
    
    
    Driver::
    lyvmuqg
    zhfwhvvrqafuy1
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\61606625]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apikndss]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apikndss(]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bazisazive]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezLife]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87sdhfush87fsufhuie3fddf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\net]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rinfri]
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  5. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    Here are the logs. Thanks again!
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    How is the redirection issue?
     
  7. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    I am still being redirected. The first time I search something and click a Google link, it goes to the proper page. The second time, I get taken to a random page. :(
     
  8. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Which browser is getting redirected?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ===========================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    It wouldn't let me copy and paste the text here as I exceeded the character limit, so I have attached them instead. Thanks again!
     

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    You didn't say...
     
  11. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {79a2801f-ad64-47ee-badd-5648dcc8d214} - No CLSID value found.
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2010/03/12 20:30:20 | 000,000,000 | ---D | C] -- C:\Users\Floyds\AppData\Local\ESET
      [2010/03/12 20:20:10 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
      [2010/03/12 20:20:10 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
      [2010/04/27 10:12:37 | 000,811,520 | ---- | C] () -- C:\Windows\System32\qlkytf
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  12. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    I apologize. I use Firefox as my primary browser, and that is the one being redirected. I will also add that a couple of times, an entire new tab has been opened randomly with a random site. I will now run the scan you have advised.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    While you're doing that, can you take a look to see if IE is redirected as well?
     
  14. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    I opened up IE and ran a few searches. It did fine for about 8-10 searches and then it started to redirect again. I will also add that I have a program called Hitman that starts up upon reboot and it usually tells me that IE is using a proxy server every time.
     
  15. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    This is the log from the fix:


    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79a2801f-ad64-47ee-badd-5648dcc8d214}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79a2801f-ad64-47ee-badd-5648dcc8d214}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\Users\Floyds\AppData\Local\ESET\ESET NOD32 Antivirus\Quarantine folder moved successfully.
    C:\Users\Floyds\AppData\Local\ESET\ESET NOD32 Antivirus folder moved successfully.
    C:\Users\Floyds\AppData\Local\ESET folder moved successfully.
    C:\ProgramData\ESET\ESET NOD32 Antivirus\Stats folder moved successfully.
    C:\ProgramData\ESET\ESET NOD32 Antivirus folder moved successfully.
    C:\ProgramData\ESET folder moved successfully.
    C:\Program Files\ESET folder moved successfully.
    C:\Windows\System32\qlkytf moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Floyds
    ->Temp folder emptied: 2864 bytes
    ->Temporary Internet Files folder emptied: 1826815 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 93693653 bytes
    ->Flash cache emptied: 2387 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: 38285 bytes

    Total Files Cleaned = 91.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.5.0 log created on 05272010_205253

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
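The thread's OTL scan (the /md5start list), the OTL fix, crfloyd's note that Hitman keeps reporting "IE is using a proxy server", and the fix log above all touch the same handful of persistence and redirect points: the hosts file, the WinINET proxy settings, Browser Helper Objects, ShellExecuteHooks, Winlogon values and the msconfig startupreg leftovers. The following PowerShell triage script is an added example, not part of the TechSpot thread and not code from ComboFix or OTL. It is read-only and only reports what it finds; the registry paths are the standard Windows locations seen in the fix log, the file list is taken from the OTL /md5start list, and the `Add-Finding` helper and the `$findings` list are names chosen here for illustration. Run it from an elevated PowerShell prompt (Windows PowerShell 4 or later for `Get-FileHash`).

```powershell
# Added example (not from the TechSpot thread, ComboFix or OTL): read-only triage of the
# persistence and redirect points the thread's fixes touched. Nothing is changed; it only reports.

$findings = New-Object System.Collections.Generic.List[string]

# Helper name chosen for this example: collects one line per observation.
function Add-Finding([string]$Area, [string]$Detail) {
    $findings.Add("[$Area] $Detail")
}

# 1. Hosts file: anything that is not a comment, blank, or a localhost mapping deserves a look
#    (the OTL fix above reset this file with [resethosts]).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -and -not $line.StartsWith('#') -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost') {
            Add-Finding 'hosts' $line
        }
    }
}

# 2. WinINET proxy settings: a silently enabled proxy or PAC URL redirects every IE request
#    (the "IE is using a proxy server" alert crfloyd mentioned).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1) { Add-Finding 'proxy' "ProxyEnable=1 ProxyServer=$($p.ProxyServer)" }
if ($p.AutoConfigURL)     { Add-Finding 'proxy' "AutoConfigURL=$($p.AutoConfigURL)" }

# 3. Browser Helper Objects: resolve each CLSID to its DLL, or flag a dangling entry like the
#    {79a2801f-...} one with "No CLSID value found" in the thread.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { Add-Finding 'BHO' "$clsid -> $($srv.'(default)')" }
    else      { Add-Finding 'BHO' "$clsid -> no CLSID registration (dangling entry)" }
}

# 4. ShellExecuteHooks and Winlogon values, both cleaned by the OTL fix above.
$seh = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' -ErrorAction SilentlyContinue
if ($seh) {
    $seh.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object { Add-Finding 'ShellExecuteHooks' $_.Name }
}
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
foreach ($name in 'Shell', 'Userinit', 'VMApplet') {
    if ($wl.$name) { Add-Finding 'Winlogon' "$name=$($wl.$name)" }
}

# 5. msconfig "startupreg" leftovers: disabled-but-remembered autoruns of the kind the CFScript removed.
$startupreg = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
Get-ChildItem $startupreg -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = (Get-ItemProperty -Path $_.PSPath).command
    Add-Finding 'startupreg' "$($_.PSChildName): $cmd"
}

# 6. MD5 of a few core binaries from the OTL /md5start list. Compare against a known-good copy of
#    the same Windows build; no reference hashes are embedded because they differ per build.
foreach ($f in 'System32\userinit.exe', 'explorer.exe', 'System32\drivers\atapi.sys') {
    $full = Join-Path $env:SystemRoot $f
    if (Test-Path $full) {
        $h = (Get-FileHash -Path $full -Algorithm MD5).Hash
        Add-Finding 'md5' "$f $h"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Every section is a plain read (Get-Content, Get-ItemProperty, Get-FileHash), so the script can be run before and after a cleanup to confirm that a dangling BHO, an unexpected proxy or a rewritten hosts entry is actually gone rather than relying on the symptom alone.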
     
  16. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    I still need this:
    Still redirecting?

    I don't see any indication of the above in your OTL log.
     
  17. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    This is the log from the second scan
     

    Attached Files:

    • OTL.Txt (108.5 KB)
  18. Broni

    Broni Malware Annihilator Posts: 52,899   +344

  19. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    Just opened up a new browser and it redirected my first Google search link that I clicked. :(
     
  20. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    OK, go ahead with those next steps.
     
  21. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    I am still being redirected after disconnecting for 1 min from the internet and rebooting. After a few minutes of my computer sitting idle, I had the following popup onto my screen (note: I use Firefox as my primary browser)



    I will now download a new GMER and post the log as you suggested.
     
  22. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    Here is the GMER log.
     

    Attached Files:

  23. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    GMER log looks fine.

    Please, download fresh Combofix file, run it and give me new log.
     
  24. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    New ComboFix log.
     

    Attached Files:

  25. crfloyd

    crfloyd TS Rookie Topic Starter Posts: 30

    FYI: While running ComboFix, I had a popup come up about 50-60 times telling me "Find String (QGREP) Utility has stopped working." Each time, I pressed "Close Program" and ComboFix would continue.

    Here is a pic of the popup:

     
Topic Status:
Not open for further replies.
