TechSpot

When clicking a link on Google I get redirected to a different site?

Solved
By emily1988
Jul 5, 2010
  1. When I search for something on Google (IE7), often when I click a link it takes me to a totally different site, usually an advertising site or some rubbish. So I have to click the link several times or type the website in my browser in order to get to it!

    I have no idea what's happening. I ran my Norton 360 comprehensive scan and it didn't find anything wrong...

    Help would be very much appreciated, thanks...

    I'm running on Windows 7 also.
     
  2. Broni

    Broni Malware Annihilator Posts: 48,055   +272

  3. emily1988

    emily1988 TS Rookie Topic Starter

    OK, here are my logs... GMER didn't find anything, so no point including that as it's blank.
     


  4. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    You have 64-bit Windows, so I'm surprised GMER even ran....

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    =====================================================================

    Download OTL to your Desktop.

    * Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  5. emily1988

    emily1988 TS Rookie Topic Starter

    Here are the logs... had to add as attachments as the text was too long...
     


  6. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Which browser is getting redirected?


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV:[b]64bit:[/b] - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\RtsUCcid.sys -- (USBCCID)
      DRV:[b]64bit:[/b] - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\Rts516xIR.sys -- (RtsUIR)
      O2:[b]64bit:[/b] - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3:[b]64bit:[/b] - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
      O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4:[b]64bit:[/b] - HKLM..\Run: [PLFSetL] C:\Windows\PLFSetL.exe File not found
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O18:[b]64bit:[/b] - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
      O18:[b]64bit:[/b] - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\msdaipp - No CLSID value found
      O18:[b]64bit:[/b] - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll File not found
      O18:[b]64bit:[/b] - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
      O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
      O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
      O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      [2010/07/05 17:35:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At1.job
      [2010/07/04 23:44:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At3.job
      [2010/06/26 11:51:00 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At2.job
      [2010/06/11 11:37:02 | 000,000,348 | ---- | M] () -- C:\Windows\tasks\At4.job
      @Alternate Data Stream - 95 bytes -> C:\ProgramData\Temp:02A78DF6
      @Alternate Data Stream - 138 bytes -> C:\ProgramData\Temp:178093AE
      @Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:9D6EAEC3
      @Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:3C6E4889
      @Alternate Data Stream - 132 bytes -> C:\ProgramData\Temp:4D066AD2
      @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:E1F04E8D
      @Alternate Data Stream - 129 bytes -> C:\ProgramData\Temp:1D32EC29
      @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:53DF4438
      @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:36EEEDAC
      @Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:10CFA7D4
      @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:AED4FFF5
      @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:ABE89FFE
      @Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:A5264343
      @Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:7FD199E4
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  7. emily1988

    emily1988 TS Rookie Topic Starter

    Internet Explorer 7 is getting redirected!

    Here are the results after the fix and from the new scan :)

    Thank you for your time and help by the way, it's very much appreciated!! :grinthumb
     


  8. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  9. emily1988

    emily1988 TS Rookie Topic Starter

    ok this is what i got...

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Press any key to quit...
     
  10. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    It's clean.

    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).
     
  11. emily1988

    emily1988 TS Rookie Topic Starter

    Well that was fast compared to the others :)

    Here's the results...

    Kenco by jpshortstuff (31.12.09.1)
    Log created at 02:14 on 06/07/2010 (Emily)

    ========== Task Unlocker ==========

    ========== KencoScan ==========
    C:\Windows\system32\shacct.dll -> Error setting security information [5]!

    ========== C:\Windows\Tasks ==========
    GoogleUpdateTaskMachineCore.job -> [21:40 05/02/2010] 892 bytes
    GoogleUpdateTaskMachineUA.job -> [21:40 05/02/2010] 896 bytes

    -=E.O.F=-
     
     
  12. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Nothing here....

    1. Close IE.
    Go Start>All Programs>Accessories>System Tools, and click on Internet Explorer (no add-ons). Same problem?


    2. Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      ws2_32.dll
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  13. emily1988

    emily1988 TS Rookie Topic Starter

    No problems with IE no add ons..

    results are as follows...

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 02:25 on 06/07/2010 by Emily (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "ws2_32.dll"
    C:\Windows\System32\ws2_32.dll --a--- 206336 bytes [23:12 13/07/2009] [01:16 14/07/2009] DAAE8A9B8C0ACC7F858454132553C30D
    C:\Windows\SysWOW64\ws2_32.dll --a--- 206336 bytes [23:12 13/07/2009] [01:16 14/07/2009] DAAE8A9B8C0ACC7F858454132553C30D
    C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7600.16385_none_4eaca269e8070c6b\ws2_32.dll --a--- 296448 bytes [23:21 13/07/2009] [01:41 14/07/2009] 7083F463788CB34FCC42F565D56F89E8
    C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7600.16385_none_f28e06e62fa99b35\ws2_32.dll --a--- 206336 bytes [23:12 13/07/2009] [01:16 14/07/2009] DAAE8A9B8C0ACC7F858454132553C30D

    -=End Of File=-
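
The cross-check that the SystemLook log above allows, as an added example that is not part of the original thread: it parses the filefind lines and reports, for each live copy of the file, which WinSxS component-store architecture holds a copy with the same name, size and MD5. The function names are hypothetical, and the sample input is the four filefind lines from the log embedded as a constant.

```python
import ntpath
import re

# Sample input: the four filefind lines from the SystemLook log in this thread.
SAMPLE_LOG = r"""
Searching for "ws2_32.dll"
C:\Windows\System32\ws2_32.dll --a--- 206336 bytes [23:12 13/07/2009] [01:16 14/07/2009] DAAE8A9B8C0ACC7F858454132553C30D
C:\Windows\SysWOW64\ws2_32.dll --a--- 206336 bytes [23:12 13/07/2009] [01:16 14/07/2009] DAAE8A9B8C0ACC7F858454132553C30D
C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7600.16385_none_4eaca269e8070c6b\ws2_32.dll --a--- 296448 bytes [23:21 13/07/2009] [01:41 14/07/2009] 7083F463788CB34FCC42F565D56F89E8
C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-ws232_31bf3856ad364e35_6.1.7600.16385_none_f28e06e62fa99b35\ws2_32.dll --a--- 206336 bytes [23:12 13/07/2009] [01:16 14/07/2009] DAAE8A9B8C0ACC7F858454132553C30D
"""

# path, attribute flags, size, created, modified, MD5 (layout as seen in the log)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
STORE_RE = re.compile(r"\\winsxs\\(amd64|x86|wow64)_", re.IGNORECASE)


def parse_filefind(text):
    """Return one dict per file line; headers and separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def store_arch(path):
    """Architecture prefix of a WinSxS path, or None for a live (in-use) copy."""
    m = STORE_RE.search(path)
    return m.group(1).lower() if m else None


def _key(e):
    return (ntpath.basename(e["path"]).lower(), e["size"], e["md5"])


def cross_check(entries):
    """Map each live copy to the store architectures with identical name, size
    and MD5. An empty list means no component-store copy backs that file."""
    store = {}
    for e in entries:
        arch = store_arch(e["path"])
        if arch:
            store.setdefault(_key(e), set()).add(arch)
    return {e["path"]: sorted(store.get(_key(e), ()))
            for e in entries if store_arch(e["path"]) is None}


if __name__ == "__main__":
    for path, archs in cross_check(parse_filefind(SAMPLE_LOG)).items():
        print(path, "->", ", ".join(archs) or "NO MATCH IN COMPONENT STORE")
```

For this log both live paths map to the x86 store copy. A System32 path matching the x86 copy is consistent with WOW64 file system redirection when the scanner is a 32-bit process, which is an assumption about the tool here.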
     
  14. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Aha...

    In IE, go Tools>Internet settings>Advanced tab and click on "Reset" button.
    Restart IE and check for redirections.
     
  15. emily1988

    emily1988 TS Rookie Topic Starter

    :approve: Ahhh finally... No more redirections to useless sites!!

    Thank you very much indeed :wave:
     
  16. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Very good :)

    One more step...

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  17. emily1988

    emily1988 TS Rookie Topic Starter

    Here's the log... I believe it's empty :)
     


  18. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Good :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    =====================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  19. emily1988

    emily1988 TS Rookie Topic Starter

    Thank you very much :approve: everything seems to be doing fine now, no more redirections.

    Thanks so much for your time and help, couldn't have done it without you :D
     
  20. Broni

    Broni Malware Annihilator Posts: 48,055   +272

    Yes!!
    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.

