Followed 8 steps, still have Google redirect

Status
Not open for further replies.
A

ARCHSTANTON1138

Posts: 10   +0
Just like apparently tons of other people, I have the pesky Google/Yahoo redirect thing going on. Its affected both Internet Explorer and Firefox. Here are my logs from Malwarebytes, SuperAnti-Spyware, and Hijack This. Thank you for your help.
 
Welcome to TechSpot. I'll help with the problem.

Malware was found in 2 saved Favorites. If these are still on the system, please delete them:
Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\HELEN COOK\DESKTOP\COMPTR.ICONS.RARELY USED\ONLINE SECURITY GUIDE.URL
C:\DOCUMENTS AND SETTINGS\HELEN COOK\DESKTOP\COMPTR.ICONS.RARELY USED\SECURITY TROUBLESHOOTING.URL

Download the Norton Removal Tool HERE- like many others you have a few 'left over' entries. Save it to your desktop> don't run it yet.

Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

Close all Windows except HijackThis. Click on "Fix Checked."


Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double click on the Norton Removal Tool set up and run. Follow any onscreen prompts.

Since you question a Google Redirect, I'd like you to describe what's happening:
1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
2. Does a different site load?
3. Does any site load?
4. Are the sites the same/different?
5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

Visit this Adobe Reader site often and update to current version (v9.xx) Uninstall any earlier updates (v7) as they are vulnerabilities.
 
Thank you very much for your response. As far as the Google redirect goes, it has affected both the Google and Yahoo search engines. When I search for something, the links come up as normal, but when I click on one of the links, Im redirected to usually advertising rather than the website I'm trying to access. I have noticed in the redirect process, the phrase "admarketplace" is often in the url I am being redirected to. I am thinking this might be the company involved in the creating of the virus. I will do these actions you have suggested, then I will send back a HijackThis report once I am done.

EDIT: I just tried locating and removing the 2 files you said contained malware, when I look in the specified folder, those 2 files are not there. I did a search of the system, and they could not be found through that either.
 
Ok, Ive done all of the actions you recommended minus the deletion of the 2 files in the COMPTR.ICONS.RARELY USED folder, as when I opened this folder, they were not listed. I have attached my newest HijackThis log, as it appears that Im still having problems with being redirected when clicking on links from Google and Yahoo, but now I am not being redirected to advertisements, I am being redirected to completely blank pages with no address in the url bar.
 
You have multiple processes loaded, starting on boot and running in the background. NONE of them need to start on boot. They are legitimate entries so the removal is Optional. To cut down on the internet activity as well as to free up some resources, I suggest you have HIJT remove them, then take each off of startup.

NOTE: The Optional removals are in green, some with descriptions.

Please reopen HijackThis to 'do system scan only.' Check each of the following if present:

C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe>> Simple Star PhotoShow_Deluxe photo editing and organizing software;
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE>> monitor the status of the printer.
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe>> create labels after a music CD is burned using LightScribe discs.
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start>> Easy Access Buttons control panel on Compaq laptops. Only required if you use the extra keys
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe>> Default settings software
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe">> This program will alert you if another program attempts to change your browser's default search engine to something other than Yahoo.
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe

Close all Windows except HijackThis and click on "Fix Checked."

If you agree with the optional removals in the log, taker them off of Startup:
Start> Run> type in msconfig> enter> Selective Startup> Startup tab> find each of the entries in the processes you have HJT remove> UNCHECK> when through click on Apply> OK

Start> Run> type in 'services.msc'> look for the following Service:
YahooAUService
Change Startup type to Manual> Close Services.

Please note: the first time you reboot after changing the Startup using msconfig you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

Please submit this file to Virus scan for identification:

Please go to http://virusscan.jotti.org/en to upload these suspicious files for analysis.
  • Browse to the following location and Copy the following files and paste in the Submit box:
    File: getPlus_Helper.dll
    File: Get1noarp

    [b[Location: [/b]O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp[/b]
  • Click on Submit.
  • Wait for the scan. Paste the results in your next reply.

Rscan with HJT and paste new log in next reply.

Edit: Almost forgot: Go to Control Panel> Internet Options> Security tab> Restricted zone> Sites> type each of the following in> then click on ADD> click on Apply> OK when both have been added:
*.SearchAWeb.com
*.adMarketplace.com

Include the *: it is a Wold Card.
 
Pardon me if I sound completely stupid here, but if i click on fix on the green items that you suggested, does that mean that those programs will be completely deleted off of my computer?
 
No. It just removes the process. The more you have running, the slower the load, the slower the surf and the slower the shutdown. The fewer processes you have starting up, the faster the load, the faster the surf (because you don't have all the programs running in the background) and the faster the shutdown.

To keep them from starting, you would need to use the msconfig utility to uncheck them on the Startup menu and/or change the Startup Type of the Service..

But they are still available to you- unless you uninstall them in Add/Remove Programs.

And "Optional" is just that- I suggest, you decide.
 
Ok.....thats all i needed to know. I will do these actions now. I'll attach another HijackThis log once I am through. Thank you very much for all of your help so far.
 
Ok, Ive attached a new HJT log, but I was not able to scan those 2 files that you wanted me to with http://virusscan.jotti.org/en, because I could not locate them. I tried to find them manually first, and when that was unsuccessful, I did a system search that also yielded nothing. From what it looks like they were attached to Adobe, is it possible they were deleted when I uninstalled the old version of Adobe reader?
 
No problem- the path I gave you could have been wrong. The HJT log looks good. Are you still being redirected?

I'd like you to run an online Virus scan to make sure we haven't k\missed anything:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please leave the log in your next reply. If it's clean and the redirect have stopped, I'll have you remove the cleaning tools and old restore points.
 
Actually, yeah, I am still getting redirected. I'll run this scan, and post the log. Here's another thing, I'm using Firefox, when I edit things in Internet Options, does it affect all browsers, or just Internet Explorer? Or do I need to do something different to block websites on Firefox?
 
Here's the log from the virus scan. It found 6 threats, most of them coming from one program, which makes sense, since it was downloaded only a short time ago, and my redirect problem has only been for the last couple weeks. How should I proceed? Should I just uninstall the program, or do I need to do something a little more in depth than that?
 
It appears that the FL\FL.Studio.8.0.0.XXL.Producer.Edition is a pirated program. Any further help will depend on whether you uninstall this programs and any related entries.

We do not support piracy.
 
I apologize, I have uninstalled and deleted this program. I am still having the redirection problem though. What should my next step be?
 
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Follow with new Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Then rescan with HijackThis.

Attach Combofix report and Eset Log in next reply.

Paste new HJT log into the reply.
 
Sorry it took so long, here are the three requested reports. The Combo-Fix and ESET logs are attached, I have also had to attach the HJT log as well because it exceeded the number of characters allowed in a response.
 

Attachments

  • ComboFix.txt
    16.1 KB · Views: 2
  • log.txt
    2.7 KB · Views: 1
  • hijackthis 3.txt
    11.4 KB · Views: 0
Bobbye asked that I look at this.

DDS by sUBs
Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

  • Double click on dds to run it.
  • When done, DDS.txt will open.
  • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  • When done, Attach.txt will open.
  • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.
 
Status
Not open for further replies.

Similar threads

A
Google and Mozilla patch their internet tools against a critical security flaw
Replies
0
Views
230
Alfonso Maruccia
A
midian182
Google is changing the Play Store for foldable phones and large-screen devices
Replies
0
Views
356
midian182
midian182
yRaz
My current switch from Microsoft to Linux, de-googling my life and what it takes.
Replies
2
Views
2K
yRaz
yRaz

Latest posts

Back