Redirected on google searches, help please

petr77
Hello. Can anyone help me please. Every time I search for something on Google I get redirected to another site. I've tried Malwarebytes and Spybot and one says there is a trojan dns.changer and the other zlob.dns changer. Both programs say that they removed the viruses but I'm still being redirected. And when I rescan they appear again.

Can someone help me please.
Thanks

Here are the logs, thanks.

Attachments
  • mbam-log-2008-11-09 (10-20-19).txt
  • hijackthis.log

Nice job. Thank you.
Mbam removed the Trojan.DNSChanger IP 85.255.112.25> UkrTeleGroup in the Ukraine

SAS: Have SAS remove Tracking Cookies. See images. Click on any image to enlarge:
http://superantispyware.en.softonic.com/images

ad.yieldmanager.com basic removal and prevention:
ad.yieldmanrger usually puts itself in the Trusted Zone so we will remove it from there and put it in the Restricted Zone:
Open Internet Options (through Tools or Control Panel)> Security tab> Trusted sites> Sites button> A window will open with the trusted sites...allowing you to add or remove entries> Remove the Ad.yieldmanager entry from the list> OK
Then click on Restricted Sites> Sites button and type in *.ad.yieldmanager> Add> OK> Apply> OK
Reset Cookies:
Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 6.0 Update 10): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.
Your Adobe Reader is out of date.
Vulnerabilities can be exploited. Click here to download the latest version v9:
https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the ‘Get it Free’ button.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
(I left description of some of the processes)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16 (Dell printer software - reports back on printer and cartridge usage)
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
(This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install (Setup for nvidia video chipset. nwiz.exe /install runs when you do the nview initial setup.)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
(Initializes the clock and memory settings on nVidia based graphics cards. Enable if you overclock your card)
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Generic\Seticon.exe (Installed by a 6-in-1 (4 Media Card slots, a floppy drive and a USB connection) device. Constantly updates the icons for the four Media Card slots that it has and is a resource hog)
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe (a Printer Communication System belonging to Printer Communication System)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> type in 'msconfig' without quotes> Enter> Selective Startup> Startup tab> UNCHECK the following:
Any Dell entries
Adobe Reader (may show as AcroIEHelper)
nVidia processes- unless you are using the dual monitors
SetIcon
Control Panel> Display> Settings tab> Advanced button> GeForce or nVidia graphics card tab> Review the settings you have here. You are loading for dual monitors. Click on Desktop Manager on the left and UNCHECK 'nVidia Desktop Manager' and the manager Wizard UNLESS you are using dual monitors> Apply> OK
Control Panel> Add/Remove Programs> UNINSTALL the following if present:
All Java EXCEPT v6u10
All Adobe Reader EXCEPT v9 (if you updated Adobe. If you choose FoxIt instead, remove ALL Adobe Reader entries)
SetIcon.
Start> Run> services.msc> right click on DLCFComs> Properties> change Startup type to Manual> Apply> OK

Reboot into Normal Mode. You will get a nag message that you can just close after checking 'don't show this message again'. Stay in Selective Startup.

Please advise system status and run HijackThis again. Attach log.
 
Hello, I haven't done what you said yet, just wanted to let you know this. Mbam says that it removed the trojan but I still get redirected on Google.
I have scanned with Spybot and it removes the trojan and then my Google search works fine until I restart my PC and then the trojan comes back and I then have the problem with Google again. Here's the log of what it removed.

Thanks
 
After you have finished following what I set up for you, please run HijackThis again, as requested, and attach the log. Until you do that, no more progress can be made.

Is there some particular reason why you decided to run Spybot before you followed what I set up?
 
I had run Spybot and a few other antivirus tools when I first found out that there was something wrong, so I thought I would send you the log because it might help. I have done the things that you said apart from one, because it was my wireless connection. I have found out that other computers on the same wireless network as me also have the same problem, just thought I would let you know.
Thanks
 
This should be removed. The router is not configured correctly.
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
If the entry was correct, it would show as:
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

Here is a support site that may help with this:
http://kbserver.netgear.com/kb_web_files/N101741.asp

Otherwise the log is fine. Let me know system status after this is handled. We will remove the cleaning tools and old restore points.
 
Got rid of that thing you said. Still having the Google redirecting problem until I use Spybot to get rid of the trojan, or if I use Mbam, but it will come back when restarted. I'll attach the HijackThis log; I don't know if you need it. Is it something affecting my wireless internet, due to it affecting all computers on the network?
Thanks
 
Your original Mbam logs show the Trojan.DNSChanger entries were quarantined and deleted.

Spybot shows Zlob.DNSChanger: [SBI $041D1396] TCP/IP Settings #2 (Undefined) (Registry change, fixed)

The Netgear entry is now displaying correctly:
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

We have fixed the redirect problem- at least it appeared so. Can you please describe just what is happening regarding the wireless connection? This Netgear product appears to be a USB device. Do you have a router? Do you have a network set up between computers?

Frankly, I'm not sure what isn't working. And I do not understand the reports of the recurring malware. I may have you run ComboFix and ask momok to assist. He is better experienced with that program.
 
Spybot gets rid of the DNS changer but when I restart my computer it is coming back. I am on a USB device which is connected to the main router, which isn't on this computer. All the computers that are connecting to the main router are getting this Google redirect problem. I read somewhere about someone who had the same problem and the trojan changed the DNS, so he went back into his DNS settings and cleared the settings which were there, which were put there by the trojan, then he connected back on to his real DNS settings and he then had no problems. Don't really understand much though.

Are the 6 trojan.dns.changers that Mbam is picking up the same as the zlob.dns.changer that Spybot is picking up?
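The DNS hijack this post describes can be checked for rather than only cleaned after the fact. The script below is an added example, not code from the thread or from any tool mentioned in it: it parses `ipconfig /all` output (a constructed sample here, including the continuation-line form that lists a second resolver without a key) and flags any resolver that is neither a LAN address nor on the owner's allowlist. The allowlist, adapter name and private addresses are assumptions; the rogue 85.255.112.25 is the address Mbam reported earlier in the thread.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output, not a log from this thread.
# Rogue resolver is the address Mbam reported above; the rest is made up.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : NETGEAR WG111v3 (constructed)
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 85.255.112.25
                                            192.168.0.1
"""

# Resolvers the owner expects (assumption; an ISP's resolvers belong here too).
TRUSTED_DNS = {"192.168.0.1"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*: *(\S*)$")
CONT_RE = re.compile(r"^\s{30,}(\S+)$")  # extra resolver on a key-less line

def parse_dns_servers(text):
    """Return {adapter: [resolver, ...]}, following multi-line DNS lists."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
            continue
        m = DNS_RE.match(line)
        if m and adapter:
            in_dns = True
            if m.group(1):
                servers[adapter].append(m.group(1))
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False  # any other key ends the DNS Servers block
    return servers

def flag_rogue_dns(servers, trusted=TRUSTED_DNS):
    """(adapter, ip) pairs for resolvers neither trusted nor on the LAN."""
    return [(adapter, ip) for adapter, ips in servers.items() for ip in ips
            if ip not in trusted and not ipaddress.ip_address(ip).is_private]
```

Because every machine behind the router was redirected, the same comparison belongs on the router's own WAN DNS settings: a cleaned PC that still asks a poisoned router for DNS resolves through the attacker again after reboot.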
 
Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please attach the log when done.

momok, I could use your help with the ComboFix log. Thanks.
 
Please boot into safe mode.

Unhide all system files and delete the following:
c:\windows\system32\ROC090.bac
c:\windows\system32\ROC093.bac
c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

What other contents does C:\Temp have? Let us know the results.
 
Problem has gone now; DNS settings were changed so normal ones have now replaced them. Antiviruses are saying that the PC is clean. So it seems OK.

May I ask what do these files do?

c:\windows\system32\ROC090.bac
c:\windows\system32\ROC093.bac
c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}

Within c:\temp there is nothing apart from the above.

I have deleted the system restore points.

Shall I now uninstall those antivirus programs? Which do you recommend that I keep?

Thanks
 
may I ask what do these files do?
c:\windows\system32\ROC090.bac
c:\windows\system32\ROC093.bac
c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
momok instructed you on handling these files in Post #15.
Please follow his instructions.

shall I now uninstall those antivirus programs? Which do you recommend that I keep?
Are you indicating you want to change from the installed functioning AVG v8? That can be done if you want. You can try Avast. The procedure is as follows:

Download the new AV program and save to your desktop- don't run (install) yet.
For Avast: The free version: http://www.avast.com/eng/download-avast-home.html

Boot into Safe Mode: Take the system offline by clicking on File> Work Offline:
Use msconfig> Selective Startup> Startup tab> UNCHECK all AVG entries> Apply> OK
Use Add/Remove Programs in Control Panel to uninstall AVG.

Once done, double click on the new AV setup you saved to the desktop and run it. Once installed> Reboot. You will be asked if you want to go back online- answer Yes. You will also get the nag message again. Check and close it. Update the new AV and run a scan.


You can now remove the cleaning tools:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Let us know if you need more help.
 
Bobbye,

I am having extreme trouble with this Copy-Book Google virus, it keeps directing me to copy-book.com

What can I do? Any help would be much appreciated.
 