TechSpot

Redirects when doing searches problem. 8 steps done and attached

By Evoni
Feb 6, 2010
  1. For over a week now, I've had intermittent redirects when I do a search using Yahoo or Google. I'll click a link and it will take me to a different site than the one the search engine mentioned. If I go back and click it again it at that time goes to the correct URL.

    I have the paid version of McAfee on my computer.
    I usually use the Mozilla Firefox browser.
    As far as I know I don't have any file sharing programs on my computer now or in the past.

    All 8 steps have been completed and the logs are attached. I appreciate any help.
     


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have 2 threads going, both started 1 day ago. As far as I can tell, they are for the same machine. If that is correct, the problem will be handled on this thread since it includes the logs.

    This can be ignored:
     
  3. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    That's correct, they are both for the same machine and I did edit the original message before starting the second thread to say this:

    "Sorry, just noticed I didn't do your 8 steps first, I'll go ahead with that. If you want to delete this message please do so and I'll post a new one after I have completed the 8 steps."

    Unfortunately I should have just added the 3 logs to the original thread instead. Sorry about that.
     
  4. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    This problem is still going on even after the 8 steps, any ideas on what I should do next?

    Thanks!
     
  5. pepsi1

    pepsi1 TS Rookie

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please reopen HijackThis to 'do system scan only.' Check the following entries if present: Note: Optional Removals are in green:

    C:\Program Files\Viewpoint\Common\ViewpointService.exe>> See Optional 1
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [Tvuhi] rundll32.exe "C:\WINDOWS\ayawicoz.dll",Startup
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe>> See Option 2
    O4 - Startup: PowerReg SchedulerV2.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe>> See Option 1


    Optional 1: Foistware
    Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. I will give full removal instructions if needed.
    Option 2: ProxyWay anonymous proxy surfing software
    This appears to be a legitimate download. But I wondered if the redirects could be related to it. Did you have the problem before you installed this software? If you did, leave it. If it is new and the redirects started after the install, it should be removed. (http://www.proxyway.com/www/downloads/)

    Close all Windows except HijackThis and click on "Fix Checked."
    Full Viewpoint removal will be given separately.

    If the redirects have continued, please run this:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

      1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please follow with Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Attach the Combofix report and the Eset log to your next reply.

    Reminder: need to update Adobe Reader from v7 to v9.xx.
     
  7. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    I need to go on to the step of combofix as it is still not fixed, but when I rename it and try to download it given the link you gave, McAfee gives me a warning about the Artemis something virus. Is this normal and should I go ahead and download it?

    Also it looks like I will have to disable McAfee first in order to download Combofix from Bleeping.com. I notice you have that as your step after I download the program, and disable the internet connection.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Follow the instructions please. Be sure to do this:

    Important! Save the renamed download to your desktop.

    We find that usually when McAfee gives a warning it's because the user is attempting to run Combofix from the site itself instead of saving it first.
     
  9. pepsi1

    pepsi1 TS Rookie

    Naive question:

    I've been following about three of these threads to fix redirect problems, including this one.
    My question is if you know when this started occurring (week, few days) why can't you just do a "system restore" to a date prior to the infection? Is the restore function not available?
     
  10. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    I was not attempting to run Combofix instead of saving it. As I mentioned I renamed it and started to download it to my desktop when the virus alert message came on and at that time the download even though at almost 99 percent failed, likely due to McAfee. I will try to download it again.
     
  11. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    Same problem, I attempt to rename combofix to Combo-fix and save to desktop, the download starts, gets to about 99 percent, McAfee pops up a message about the Artemis virus, asks me if I trust the site I'm downloading combofix from and I say allow. However, the download fails with this message.

    Cannot copy combofix [1] access denied make sure disk is no full or write protected and that file is not currently in use.

    Ideas?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    To pepsi1 re:
    1. Most people cannot tell exactly when a malware problem began.
    2. Malware can damage or corrupt files- system restore won't fix them.
    3. Most commonly, there is multiple malware. One problem might be resolved- such as the redirect- but that does not mean the malware has all been found and removed.
    4. Doing a System Restore could actually reinfect a system with malware that might have been removed by the AV scan.
    5. In the case of a DNS Changer malware infection, the IP will have been changed; a flush and probable router reset will have to be done.

    Choose any one reason.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Evoni, the more this goes on with Combofix, the more I suspect a Virut infection. I'd like you to do a scan as follows:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Give me these results and we'll go from there.
     
  14. pepsi1

    pepsi1 TS Rookie

    Thanks for the explanation.....I assumed it was more of a problem than could be handled with one action like restore, but I did not see the extent of damage.


    Evoni:

    I tried those two download sites for Combofix and the downloads were inoperable exe files, three out of four times. I put a folder on the desktop (Combofix), changed the download file name to Combo-Fix(.exe). My downloads said they completed but they did not....rectangular icon instead of the red lion's head. Try to download multiple times until you get the right icon--ForoSpyware.com worked 2 out of 5 times. Each time the download screwed up I deleted the file and slightly changed the folder name so it would be a fresh install to get it to work correctly.


    * BleepingComputer.com
    * ForoSpyware.com

    The fourth time on ForoSpyware a complete exe file loaded
     
  15. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    Pepsi1, thanks for the help but I'm going to wait for instructions from Bobbye.

    Bobbye, do you want me to try what Pepsi1 suggested?

    I sent to VirSCAN.org and you can't do a copy paste there, or even type in your files, only a browse. Just mentioning that because if it's not just me that is getting that result you might want to edit your cut/paste instructions to reflect that.

    This is the scan for system32/userinit.exe

    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/11 13:50:11 (PST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/659b60da7f1a1cc9310b1e0be69d6c06.html


    Other 2 scans to follow in another message.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you ever run the Eset online scan? If not, please do that now and leave the log on the next reply:

    Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.

    * Tick the box next to YES, I accept the Terms of Use.
    * Click Start
    * When asked, allow the Active X control to install
    * Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    * Click Start
    * Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    * Click Scan
    * Wait for the scan to finish
    * Re-enable your Antivirus software.
    * A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.


    Am I correct in saying that you can't get Combofix to download at all?

    I downloaded from both of the sites, Bleeping Computer and Forospy. Both sites paused toward the end: BC at 98%, Foro at 99%. I did nothing except wait and each d/l continued to completion. Name of file in each case was Combofix.exe.

    Just in case there are partial downloads messing you up, do the following:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]

    Then try again.
     
  17. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    Bobbye, I posted a total of 3 messages yesterday with the 3 logs you requested be scanned by VirScan.org. Only one seems to have been allowed to post by the moderator. Also, I'm not sure why my replies are not being posted immediately as they did previously. Any idea why we have to wait for a moderator to release them?

    I had a message that Combofix failed. I will follow your latest instructions on trying to download Combofix but if you recall you had me rename the file to Combo-Fix(.exe) before downloading it. Do you now not want me to change the name of Combofix before downloading it?

    Here is the logfile I got from using Eset for the first time per your instructions. It says that 2 files are infected.

    C:\WINDOWS\ayawicoz.dll a variant of Win32/Cimag.BO trojan
    Operating memory a variant of Win32/Cimag.BO trojan


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=650b330009093647b64b41685dc4720a
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-02-12 07:06:56
    # local_time=2010-02-12 11:06:56 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=5121 16776613 100 96 7265463 18831533 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=109665
    # found=2
    # cleaned=0
    # scan_time=3206
    C:\WINDOWS\ayawicoz.dll a variant of Win32/Cimag.BO trojan 00000000000000000000000000000000 I
    ${Memory} a variant of Win32/Cimag.BO trojan 00000000000000000000000000000000 I
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      C:\WINDOWS\ayawicoz.dll
      :Services
      
      :Reg
      
      :Files  
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Let me see the log after. I'm not sure this will handle the process in memory.
     
  19. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    Bobby, whenever I try to click on any links posted here, before it takes me to the link if it even does that, I'm getting a screen popping up saying Bookmark & Share and on the right the name Juliofrano and then a long list of links. Do you know why that is happening with links posted here? Doesn't happen elsewhere. Looks like it's coming from www.addthis.com/bookmark

    Here's the latest log per your instructions from otmovit by old timer.

    All processes killed
    ========== PROCESSES ==========
    No active process named C:\WINDOWS\ayawicoz.dll was found!
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Diana
    ->Temp folder emptied: 8672096 bytes
    ->Temporary Internet Files folder emptied: 37961019 bytes
    ->Java cache emptied: 13930 bytes
    ->FireFox cache emptied: 104513472 bytes
    ->Apple Safari cache emptied: 1295472 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 2899935 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: evoni
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 4358033 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 564766 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23944570 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 996657 bytes
    RecycleBin emptied: 31342 bytes

    Total Files Cleaned = 177.00 mb


    OTM by OldTimer - Version 3.1.8.0 log created on 02132010_112215

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Evoni, I just posted about a site problem. I think work is being done and it should only be temporary. I'm being logged out after every post and have to log back in to open each log. Be patient. It will be resolved soon. I don't think it's your system since I am also having a problem.

    I should have put that entry in File instead of Process- sorry:

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\WINDOWS\ayawicoz.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  21. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    Bobby, in the previous message I had also posted the scan file you requested, but for the sake of following directions, I went ahead to your link in your last message reinstalled otmovit by old timer and ran the scan again. Both times it wanted to reboot my computer but it hung each time when it closed down and just left the Windows blue screen. Both times I did a reset and when it rebooted up I pasted the log here for you. The 2nd scan is below, and you might want to compare it to the first one I did as there seems to be less files cleaned this 2nd time.

    One thing that was different this last time when the computer rebooted I got this message:

    ERROR LOADING
    C/windows/ayawizoz.dll
    THE SPECIFIED MODULE COULD NOT BE FOUND

    The only thing I still haven't done is run Combofix. Did you want me to try doing that but without trying to rename it this time?

    OTMovit by Old Timer scan:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    DllUnregisterServer procedure not found in C:\WINDOWS\ayawicoz.dll
    C:\WINDOWS\ayawicoz.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Diana
    ->Temp folder emptied: 419714 bytes
    ->Temporary Internet Files folder emptied: 5568254 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 25811699 bytes
    ->Apple Safari cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->FireFox cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: evoni
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 30.00 mb


    OTM by OldTimer - Version 3.1.8.0 log created on 02132010_161154

    Files moved on Reboot...
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What is your status now? I closed down last night after the board problems.
     
  23. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    Just did a few searches and intermittent redirects are still happening.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you started the thread, you said 'intermittent' and now again. This does not sound like a typical Google redirect. Please answer the following for me:

    Since you question a Google Redirect, I'd like you to describe what's happening:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

    Usually, the redirect would be consistent and persistent if caused by malware.
     
  25. Evoni

    Evoni TS Rookie Topic Starter Posts: 26

    I actually use both google and yahoo search engines and it happens on both. The main browser I use is Mozilla Firefox but I also have IE and use it when directed to by you.

    Example of a search on yahoo.
    I type in say Mandalay Bay and click on the link to take me to the hotel/Casino's site and I get a totally different URL and site.

    Other times I type in a subject for example persian cats and I click on it and it will take me to the correct url and subject.

    Search and clicking on a selection that the search brings up, always takes me to a site, sometimes the correct one but frequently the one not listed. If I go back one page and then click on the same selection the second time it will take me to the correct URL.

    "5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?"

    I'm not seeing the above type of message for either Google or Yahoo searches. Normally I only get that message from either search engine when my internet connection goes out and that has not happened during this problem.

    What I've been suspecting is that this malware is taking me to sites so they get clicks on them and thus increases those sites' click revenue. It's clever because it then lets me afterwards go to the correct site, obviously hoping I will tolerate the temporary misdirect and not try to remove it from my system.

    Another example, I just did a search on Mandalay Bay again and it took me to the correct site this time. I did a search on Yahoo for poker using Mozilla and I saw pokerstars.com that McAfee has their little check mark on as being a secure site, so I click on it but it doesn't take me to the url I see listed on the search instead it takes me to here:

    http://www.getgamingtoday.com/index1.htm?7Spoker

    The incorrect URL that it takes me to is not always the same, it seems to have a group of them it defaults to, hence my suspicions on revenue and clicks and the purpose of this malware.

    For the record I never download programs unless from trusted sites and even then I seldom download and install programs. This problem originally occurred a couple weeks ago when I was using Photo Bucket, and it asked if I wanted to download its bulk uploader and I agreed (and regret it), at that time McAfee started issuing virus warnings but it was too late. My screen saver at the time disappeared and the icons changed, but Malwarebytes seemed to clear those problems up. However a few hours later I noticed the redirect problem with searches and that to this hour remains.
     
Topic Status:
Not open for further replies.
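
Added example (not part of the thread and not any poster's tooling): a Python sketch that cross-references the three log types posted above, matching HijackThis autorun entries against ESET detections and against files OTM reports as moved. An autorun entry whose target has been moved is flagged as stale, since a startup entry pointing at a missing DLL is the condition that produces a load error at boot like the one reported in post 21. All function and field names are this example's own.

```python
import re

# Log lines quoted from posts 6, 17 and 21 of this thread (the helper's
# ">> See Option" annotations are stripped from the HijackThis entries).
HIJACKTHIS = r'''
O4 - HKLM\..\Run: [Tvuhi] rundll32.exe "C:\WINDOWS\ayawicoz.dll",Startup
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
'''.strip().splitlines()

ESET = r'''
# scanned=109665
# found=2
C:\WINDOWS\ayawicoz.dll a variant of Win32/Cimag.BO trojan 00000000000000000000000000000000 I
${Memory} a variant of Win32/Cimag.BO trojan 00000000000000000000000000000000 I
'''.strip().splitlines()

OTM = r'''
DllUnregisterServer procedure not found in C:\WINDOWS\ayawicoz.dll
C:\WINDOWS\ayawicoz.dll moved successfully.
'''.strip().splitlines()

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
SVC_RE = re.compile(r'^O23 - Service: (.+?) - .+? - (.+)$')
ESET_RE = re.compile(r'^(?P<object>.+?)\s+(?P<threat>(?:a variant of\s+)?\S+/\S+\s+\w+)'
                     r'\s+[0-9A-Fa-f]{32}\s+\S+$')
MOVED_RE = re.compile(r'^(.+) moved successfully\.$')

def autoruns(lines):
    """Extract Run-key (O4) and service (O23) entries from HijackThis lines."""
    out = []
    for line in map(str.strip, lines):
        if m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            out.append({"where": f"{hive} Run", "name": name, "command": cmd})
        elif m := SVC_RE.match(line):
            out.append({"where": "service", "name": m.group(1), "command": m.group(2)})
    return out

def target_file(cmd):
    """Return (path, loaded_via_rundll32) for an autorun command line."""
    m = re.match(r'(?i)(?:\S*\\)?rundll32(?:\.exe)?\s+"?([^",]+)', cmd)
    if m:  # the file of interest is the DLL argument, not rundll32 itself
        return m.group(1).strip(), True
    m = re.match(r'(?i)"([^"]+)"|(.+?\.exe)\b', cmd)
    return ((m.group(1) or m.group(2)) if m else cmd), False

def eset_detections(lines):
    """Map lower-cased object path -> threat name; '#' lines are scan metadata."""
    found = {}
    for line in map(str.strip, lines):
        if not line.startswith("#") and (m := ESET_RE.match(line)):
            found[m["object"].lower()] = m["threat"]
    return found

def moved_files(lines):
    """Lower-cased paths that the OTM log reports as moved."""
    return {m.group(1).lower() for l in lines if (m := MOVED_RE.match(l.strip()))}

def triage(hjt, eset, otm=()):
    """Join the three logs on the file each autorun entry launches."""
    detections, moved = eset_detections(eset), moved_files(otm)
    report = []
    for entry in autoruns(hjt):
        path, via_rundll32 = target_file(entry["command"])
        key = path.lower()
        report.append({**entry, "target": path, "via_rundll32": via_rundll32,
                       "threat": detections.get(key),  # None if not detected
                       "stale": key in moved})         # target gone, entry remains
    return report

if __name__ == "__main__":
    for row in triage(HIJACKTHIS, ESET, OTM):
        notes = [row["threat"] or "no detection"]
        if row["via_rundll32"]:
            notes.append("DLL loaded through rundll32")
        if row["stale"]:
            notes.append("target moved; autorun entry should be removed too")
        print(f'{row["where"]:10} {row["name"]:26} {row["target"]}: {"; ".join(notes)}')
```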
