TechSpot

Redirected on google searches, help please

By petr77
Nov 7, 2008
Topic Status:
Not open for further replies.
  1. Hello. Can anyone help me, please? Every time I search for something on Google I get redirected to another site. I've tried Malwarebytes and Spybot, and one says there is a trojan dns.changer and the other zlob.dns changer. Both programs say that they removed the viruses but I'm still being redirected. And when I rescan they appear again.

    Can someone help me please
    Thanks
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  3. petr77

    petr77 Newcomer, in training Topic Starter

    Here's the logs, thanks

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Nice job. Thank you.
    Mbam removed the Trojan.DNSChanger IP 85.255.112.25 > UkrTeleGroup in the Ukraine

    SAS: Have SAS remove Tracking Cookies. See images. Click on any image to enlarge:
    http://superantispyware.en.softonic.com/images

    ad.yieldmanager.com basic removal and prevention:
    Reset Cookies:
    Your version of Java is now outdated
    Your Adobe Reader is out of date.
    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
    (I left description of some of the processes)
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Reboot into Normal Mode. You will get a nag message that you can just close after checking 'don't show this message again'. Stay in Selective Startup.

    Please advise system status and run HijackThis again. Attach log.
  5. petr77

    petr77 Newcomer, in training Topic Starter

    Hello, I haven't done what you said yet, just wanted to let you know this. Mbam says that it removed the trojan but I still get redirected on Google.
    I have scanned with Spybot and it removes the trojan and then my Google search works fine until I restart my PC, and then the trojan comes back and I then have the problem with Google again. Here's the log of what it removed.

    Thanks
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    After you have finished following what I set up for you, please run HijackThis again, as requested, and attach the log. Until you do that, no more progress can be made.

    Is there some particular reason why you decided to run Spybot before you followed what I set up?
  7. petr77

    petr77 Newcomer, in training Topic Starter

    I had run Spybot and a few other antivirus tools when I first found out that there was something wrong, so I thought I would send you the log because it might help. I have done the things that you said apart from one because it was my wireless connection. I have found out that other computers on the same wireless network as me also have the same problem, just thought I would let you know.
    Thanks
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This should be removed. The router is not configured correctly.
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    Here is a support site that may help with this:
    http://kbserver.netgear.com/kb_web_files/N101741.asp

    Otherwise the log is fine. Let me know system status after this is handled. We will remove the cleaning tools and old restore points.
  9. petr77

    petr77 Newcomer, in training Topic Starter

    Got rid of that thing you said. Still having the Google redirecting problem until I use Spybot to get rid of the trojan or if I use Mbam, but it will come back when restarted. I'll attach the HijackThis log; I don't know if you need it. Is it something affecting my wireless internet, due to it affecting all computers on the network?
    Thanks
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your original Mbam logs show the Trojan.DNSChanger entries were quarantined and deleted.

    Spybot shows Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #2 (Undefined) (Registry change, fixed)

    The Netgear entry is now displaying correctly:
    O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

    Clear your existing System Restore points and establish a new clean restore point:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
    This will remove all restore points except the new one you just created.

    We have fixed the redirect problem, or at least it appeared so. Can you please describe just what is happening regarding the wireless connection? This Netgear product appears to be a USB drive. Do you have a router? Do you have a network set up between computers?

    Frankly, I'm not sure what isn't working. And I do not understand the reports of the recurring malware. I may have you run ComboFix and ask momok to assist. He is better experienced with that program.
  11. momok

    momok Newcomer, in training Posts: 2,272

    I think running Combofix is a good idea. It can pick up some things HJT misses.
     
  12. petr77

    petr77 Newcomer, in training Topic Starter

    Spybot gets rid of the DNS changer but when I restart my computer it is coming back. I am on a USB device which is connected to the main router, which isn't on this computer. All the computers that are connecting to the main router are getting this Google redirect problem. I read somewhere about someone who had the same problem, and the trojan changes the DNS, so he went back into his DNS settings and cleared the settings which were put there by the trojan, then he connected back on to his real DNS settings and he then had no problems. Don't really understand much though.

    Are the 6 trojan.dns.changers that Mbam is picking up the same as the zlob.dns.changer that Spybot is picking up?
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please attach the log when done.

    momok, I could use your help with the ComboFix log. Thanks.
  14. petr77

    petr77 Newcomer, in training Topic Starter

    Here's the ComboFix log

    thanks
  15. momok

    momok Newcomer, in training Posts: 2,272

    Please boot into safe mode.

    Unhide all system files and delete the following:
    c:\windows\system32\ROC090.bac
    c:\windows\system32\ROC093.bac
    c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

    What other contents does C:\Temp have? let us know the results
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Is it possible to scan this drive?
  17. petr77

    petr77 Newcomer, in training Topic Starter

    Problem has gone now; DNS settings were changed, so normal ones have now replaced them. Antiviruses are saying that the PC is clean. So seems OK.

    May I ask what these files do?

    c:\windows\system32\ROC090.bac
    c:\windows\system32\ROC093.bac
    c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

    Within c:\temp there is nothing apart from the above.

    I have deleted system restore points.

    Shall I now uninstall those antivirus programs? Which do you recommend that I keep?

    Thanks
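
An added example, not part of the original thread: the posts above describe a DNS changer rewriting the DNS settings (post 4 names 85.255.112.25), so one way to see what a machine is really using is to read the DNS servers per adapter from `ipconfig /all`. The sample output, the function names and the single-address suspect list are constructed for illustration.

```python
import re

# Constructed sample of XP-style `ipconfig /all` output (not taken from the thread's logs).
SAMPLE = """\
Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : NETGEAR WG111v3
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.112.25
                                            192.168.1.1

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.0.7
        DNS Servers . . . . . . . . . . . : 10.0.0.1
"""

SUSPECT_DNS = {"85.255.112.25"}  # the resolver address named in post 4
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")   # "Key . . . : value"
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_adapters(text):
    """Return {section name: {field: [values]}}, folding continuation lines."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a section
            current, last_key = adapters.setdefault(line.rstrip(": "), {}), None
        elif current is not None:
            m = FIELD.match(line)
            if m:
                last_key = m.group(1)
                current[last_key] = [m.group(2)] if m.group(2) else []
            elif last_key and IPV4.match(line.strip()):
                current[last_key].append(line.strip())  # extra DNS server line
    return adapters

def audit_dns(text, suspect=SUSPECT_DNS):
    """List (adapter, server, dhcp_enabled) for every suspect DNS server in use."""
    findings = []
    for name, fields in parse_adapters(text).items():
        dhcp = "".join(fields.get("Dhcp Enabled", [])).lower() == "yes"
        for server in fields.get("DNS Servers", []):
            if server in suspect:
                findings.append((name, server, dhcp))
    return findings

if __name__ == "__main__":
    for finding in audit_dns(SAMPLE):
        print(finding)
```

When the flagged adapter has DHCP enabled, the DNS list may come from the router's lease rather than the adapter itself, so the router's DNS fields need checking as well as the local TCP/IP settings.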
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    momok instructed you on handling these files in Post #15.
    Please follow his instructions.

    Are you indicating you want to change from the installed functioning AVG v8? That can be done if you want. You can try Avast. The procedure is as follows:



    You can now remove the cleaning tools:
    * Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
    * Click the CleanUp! button.
    * It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    Let us know if you need more help.
  19. petr77

    petr77 Newcomer, in training Topic Starter

    everything is sorted now thanks for your help
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Thank you for the update.
  21. anthstav

    anthstav Newcomer, in training

    Bobbye,

    I am having extreme trouble with this Copy-Book Google virus; it keeps directing me to copy-book.com

    What can I do? Any help would be much appreciated.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

  23. anthstav

    anthstav Newcomer, in training

    OK, thank you Bobbye, I will do it shortly... your help will be much appreciated!