Google Redirect Nightmare

Status
Not open for further replies.

jcml

I have had this problem for 1 week and have spent many hours running anti-spyware/virus/malware programs to no avail. I use Firefox on Windows XP. When I click a search result from Google it almost always gets redirected. Also, Firefox frequently dies during searches, and updates to anti-virus programs often freeze. The overall performance of my computer has slowed. I have carefully followed your 8-Step instructions. I sincerely appreciate any help you can provide.

Jeff Howard
 

Attachments

  • hijackthis.log
    9.5 KB · Views: 6
Hi jcml

This google redirect problem seems to be one of the most frequent posts on here. I'm not sure as to whether a solution has been found yet (this is not one of my strongest troubleshooting areas - err, actually I'm not sure if I do have any strong troubleshooting areas .... but that's for another day) .... Try searching through the forum for related posts and hopefully you'll find something useful.

Spyder_1386 :)
 
I have looked through the numerous posts regarding this problem and they all required a deep repair that is well beyond my expertise. That is why I sent the requested logs. Hope someone can help me.
 
You have Cssdll32.dll Trojan/Backdoor on your computer, that's probably why you always get redirected.

There are also remnants from Norton, I'll therefore suggest you run their own Removal Tool (SymNRT); save it to your Desktop.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open Click Next
Accept the license agreement and click Next
Type in the letters/numbers that you see into the text box then click Next.
Then click Next and the tool will start running.
Once finished restart the PC and run the tool again to ensure everything has been removed.

Delete the Norton removal tool from your Desktop.

Reboot.

Please download Combofix from:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Attach the contents of that log in your next reply
 
Thanks for your response. I successfully removed the Norton remnants. However, I downloaded Combofix and it will not run. It starts the little Combofix green starting line then promptly dies. I wouldn't be surprised if this virus interferes with it, since it also prevents update downloads for Malware programs. Any suggestions at this point? Thanks!
 
See if combofix can run from safe mode ->

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.
 
Good idea, but still a no go. This is a dastardly virus. I hope you like a challenge! I have full and utter confidence in you.
 
Thank you, and I can't live without challenges :D

Please download http://oldtimer.geekstogo.com/OTViewIt.exe
by OldTimer to your desktop.

Double click on the OTViewIt.exe icon on your desktop.
Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.

Click on the Run Scan button.
Two reports that are located in the same location as OTViewIt will open.
OTViewIt.txt <-- Will be opened
Extra.txt <-- Will be minimized


Attach the logs into your next reply.
 
A quick question - have you edited the hosts file ?

C:\WINDOWS\System32\drivers\etc\Hosts


Please download http://jpshortstuff.247fixes.com/FileLook.exe
by jpshortstuff and save to your Desktop.
Double-click FileLook.exe to run it.
Ensure that BBCode Output is checked. Copy and paste everything in the quote box below into the empty textfield under FileLook by...


C:\WINDOWS\sued.dat

Click the FileLook button to start the scan.
When finished, Notepad will open with the results of the scan in a text file named fl_log.txt which will automatically be saved to the root of your system drive. (Typically C:\fl_log.txt)

Attach that log
 
FileLook Log

No, I have not edited the host file, at least not on purpose (frankly, I wouldn't know how!) Here's the FileLook log. I have to hit the sack, gotta work tomorrow, but look forward to continuing this adventure. Will you be around tomorrow evening? Thanks a million. -Jeff


FileLook.exe v2.0 by jpshortstuff
Log created at 01:05 on 01/04/2009
==================================
FileLook - "sued.dat"

Filename: sued.dat
Path: C:\WINDOWS\
MD5: D40BB69179718ED9D0561E2DB6EAC0D0
Created: 01:34:20 on 29/03/2009
Modified: 01:47:26 on 29/03/2009
Size: 36 bytes
Attributes: Hidden Read-Only
-------------------------

==============================

=EOF=
 
It should be safe to delete - C:\WINDOWS\sued.dat file

Please open C:\WINDOWS\System32\drivers\etc\Hosts file using Notepad, and check if you have this line in bold:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy ?

Download http://eric.71.mespages.googlepages.com/LopSD.exe
by Eric_71 and save it to your desktop.
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
Double-click LopSD.exe
Choose the language by typing the corresponding letter and press Enter
Click OK at the informative window
Type 1 to choose Option 1 then press Enter
Wait until the scan has finished.

A report will be generated, attach the contents of it in your next reply.
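
The hosts-file check requested above, as an added example that is not part of the original thread: a Python sketch that reports whether the `127.0.0.1 localhost` line and the Spybot marker are present and lists entries that pin a hostname to a non-loopback address. The sample file contents, the hostnames in it and the function name `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the thread's logs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.ad-tracker.example
# End of entries inserted by Spybot - Search & Destroy
203.0.113.45    www.google.com google.com
203.0.113.45    update.av-vendor.example   # constructed: AV update host
"""

SPYBOT_MARKER = "# Start of entries inserted by Spybot - Search & Destroy"


def audit_hosts(text):
    """Return (has_localhost, has_spybot_block, suspicious_entries)."""
    has_localhost = False
    has_spybot = False
    suspicious = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(SPYBOT_MARKER):
            has_spybot = True
        # Drop trailing comments, then split into address and hostnames.
        entry = line.split("#", 1)[0].split()
        if len(entry) < 2:
            continue
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append((lineno, addr, names, "unparseable address"))
            continue
        if ip.is_loopback and "localhost" in (n.lower() for n in names):
            has_localhost = True
        # Loopback and 0.0.0.0 entries are block-list style; anything else
        # overrides DNS for that name and deserves a manual look.
        if not ip.is_loopback and not ip.is_unspecified:
            suspicious.append((lineno, addr, names, "pinned to non-loopback address"))
    return has_localhost, has_spybot, suspicious


if __name__ == "__main__":
    ok, spybot, hits = audit_hosts(SAMPLE_HOSTS)
    print("localhost line present:", ok, "| Spybot block present:", spybot)
    for lineno, addr, names, why in hits:
        print(f"line {lineno}: {addr} -> {', '.join(names)} ({why})")
```

To check a real machine, pass the text of `C:\WINDOWS\System32\drivers\etc\Hosts` to `audit_hosts` instead of the sample.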
 
I opened C:\WINDOWS\System32\drivers\etc\Hosts file using Notepad, but [ # Start of entries inserted by Spybot - Search & Destroy ?] was not in bold. The LopSD log is attached. Was I supposed to delete [C:\WINDOWS\sued.dat] file ?
 
Yes, please delete -C:\WINDOWS\sued.dat

Run Lop S&D again, using this option -

Type 2 to choose Option 2 (Fix + Hosts), then press Enter
Wait until the scan has finished.
A report will be generated, attach the contents of it in your next reply.


Right-click on combofix and rename it to mike.exe

If you can run mike/combofix exe now, please do, and attach the log, along with Lop S&D log .

It is possible you'll have to run combofix from safe mode
 
Hmm :confused:

1. Start -> Run -> Devmgmt.msc -> OK
On the toolbar, click on View -> "Show hidden devices"

2. Scroll down and locate Non-plug and Play Drivers
Click the + sign to expand

3. Search for “gaopdxcounter”
More exploits: clbdriver.sys, oUltraf, seneka.sys,

Right click on it, and select “Disable”

4. Restart your computer

5. Confirm 'gaopdxcounter' is disabled. Repeat Step 2-3.
Cancel to exit.

Let me know if you found any of them ?

Also, post a fresh hijackthis log using this command ->

Start-run, type/copy: hijackthis /ihatewhitelists

It will create a hijackthis log, longer than normal
 
No luck finding any of those funky files under Non-plug and Play Drivers. Here's the hijack log. Am I driving you nuts yet?
 
Wow one of the longest logs I've seen, stacks of things starting with Windows (26.1 KB HJT log !)
I think so support can answer you properly we are best cleaning it up to some respectful measure.

Please run IE Reset on your System

Then run WinsockFix

Then run Startup Control Panel and remove any not required startups: (should be most!) Note I have 1 only and that's my Antivirus

Restart (probably already done once above already)

Then download and run SDFix (I'm sorry, but I must refer you to this tutorial on its use, scroll down to "SDFix Instructions")

Download, and run the "RunThis.bat" in Safe Mode, as advised
Then attach the log and (after the SDFix scan) a new HJT log
Oh by the way, it says that it may take 20mins to scan! (Mine took over an hour to complete!)
 
YES


Edit:

Oh and your Java is out of control :D

Update Java
Run JavaRa
This will remove all your old Java stuff (that is not required)
It will also help you check for new Java updates


Restart again

Combofix Instructions

  • Download Combofix to your desktop.
  • Rename ComboFix to ComboF
  • Double click ComboF & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
Make sure to Attach the log to a new reply
 
It will after SDFix is run ;)

Edit:

In case you come back and say it still doesn't work

Try this ;)

Un-install Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
Note #1: One space after ComboFix in that uninstall command
Note #2: Substitute Combofix for ComboF if renamed, or try both


Run CCleaner
Then Restart


Re-Download Combofix Instructions

  • Download Combofix to your desktop.
  • Rename ComboFix to ComboF
  • Double click ComboF & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

And hopefully we get a log this time :confused:
 
I proceeded as directed, but...
Can't get SDFix to run.
Uninstalled / reinstalled / renamed ComboFix, still won't run.
This virus is incredibly stubborn and evil.
Any other ideas?
 
Yes :)

You could remove the Hard drive and mount it in another computer and scan it as a secondary drive.

Or you can use the UBCD boot CD and scan it with that
 