Google redirect

Status
Not open for further replies.

Shankly

I seem to have a google redirect problem. When clicking on google search results in both IE8 and Firefox 3.5 I get redirected to ad related sites. Hitting the back button and trying the same link a second or third time will give the correct web page. Also, Internet Explorer is generally running slower and prone to crashes.

I followed the 8 step guide and I am attaching the logs. Any help is appreciated. Thanks.
 
Welcome to TechSpot, Shankly. I'll try to help you sort through the problems.

Starting with a question as to your use of the following:
You are loading processes from Pinnacle Studios: It appears that this is related to the USB drive. I have typed in what I found related to this:
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
Does the following:
USB2Check copies its file(s) to your hard disk. Its typical file name is PCLECoInst.dll. Then it creates a new startup key with name USB2Check and value PCLECoInst.dll. You can also find it in your processes list with name PCLECoInst.dll or USB2Check.

USB2 is not required to start on boot.

O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"

There is no information on this or why it needs to run.

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe:
Part of Pinnacle Systems InstantCD/DVD and InstantCopy CD/DVD copying software that verifies drive settings. Once loaded it doesn't use any resources so you can leave it enabled.
The driver would need to start up.

I note the following processes starting up from the F Drive: Is this the drive for the USB?
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\Palm\HOTSYNC.EXE


I don't see any of this as malware- just trying to make sense of the startups.

Please do a full system scan with the Norton AC. Keep the log and attach to next reply. That will help me to better decide what to have you do next.
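The startup review in the post above can be done mechanically. This is an added example, not part of the original post or of HijackThis: it parses the three O4 lines quoted there, resolves the DLL that `RUNDLL32.EXE` actually loads, and reports Run entries whose target file is missing. The function names (`parse_o4`, `autoruns`, `stale_entries`) and the file listing in the demo are assumptions made for illustration.

```python
import ntpath
import re

# O4 (autorun) lines copied from the HijackThis log quoted in the post above;
# the trailing colon after PSDrvCheck.exe is the poster's punctuation and is omitted.
SAMPLE = r'''
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
'''

O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

def parse_o4(line):
    """Return one Run-key entry as a dict, or None if the line is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # Quoted path, else the first token (unquoted paths with spaces are ambiguous).
    first = re.match(r'"([^"]+)"|(\S+)', cmd)
    exe = first.group(1) or first.group(2)
    target, export = exe, None
    if ntpath.basename(exe).lower() in ("rundll32", "rundll32.exe"):
        # The code that really runs is the DLL argument, not rundll32 itself.
        arg = re.match(r'\s*"?([^",]+)"?,\s*(\S+)', cmd[first.end():])
        if arg:
            target, export = arg.group(1), arg.group(2)
    return {"hive": m.group("hive"), "name": m.group("name"),
            "target": ntpath.normpath(target),  # collapses the doubled backslash
            "export": export}

def autoruns(log_text):
    """All O4 Run-key entries found in a HijackThis log, in log order."""
    return [e for e in map(parse_o4, log_text.splitlines()) if e]

def stale_entries(entries, exists):
    """Names of entries whose target file is gone, e.g. left behind by an uninstall.
    `exists` is a path predicate; on the machine itself pass os.path.exists."""
    return [e["name"] for e in entries if not exists(e["target"])]

if __name__ == "__main__":
    # Constructed file listing for the demo: only the DLL is still on disk.
    on_disk = {r"c:\windows\system32\pclecoinst.dll"}
    entries = autoruns(SAMPLE)
    for e in entries:
        print(e["name"], "->", e["target"], e["export"] or "")
    print("stale:", stale_entries(entries, lambda p: p.lower() in on_disk))
```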
 
Thanks Bobbye for the help.

I don't know what's going on with the Pinnacle processes. I don't use Pinnacle for video editing anymore, so I uninstalled it long before this problem showed up. These appear to be left behind from the uninstall.

The F: drive is not a USB drive. It's a HDD partition reserved for programs and the My Documents folder. It's on the same physical drive as the C: drive, which is a smaller partition I use only for the OS (Windows XP SP3).

I ran a full system scan using NIS 2009 which came up clean. I don't see any option to export the results to a log file.

One other thing which may be relevant is around the same time as the google redirect showed up, I also got the fake antivirus message from Antivirus Pro 2010. Norton did remove that after a few attempts, and I have not seen it since.

Thanks again for the help.
 
Are you still getting the redirect?

Sorry, I've gotten you off track with the Pinnacle program. Looks like it's set up as a shared file. So it needs to be removed on the system it was originally installed on. If it doesn't appear in Add/Remove Programs, remove the remnants using Windows Explorer:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Using Windows Explorer: (right click on Start> Explore) navigate to the C drive> Documents & Settings for your account> Programs> look for and do a right click> if found:

USBTip
PSDrvCheck


IF the program folder isn't there:
Using Windows Explorer> navigate to the C drive> Windows> System 32> do a right click> delete the following if found:

PCLECoInst.dll
----------------------------------
I'm not seeing anything in these logs related to a redirect. If you are still getting redirected:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach Combofix report to next reply.

Rescan with HJT and paste new log in next reply.
 
Looks like combo-fix worked! No longer getting redirected and IE is running faster without freezing.

Log files attached as requested. Please let me know if there is anything else I need to do.

I was also able to clean up the pinnacle files left over using your instructions.

Thanks so much for your help!
 

Sorry, didn't mean to sidetrack you with the Pinnacle program. I just wasn't sure what it was.

I'd like you to run this online scan:
Open Kaspersky Online Scanner in Internet Explorer HERE.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Attach the log in next reply. If it's clean and the problems have been resolved, I'll have you remove the cleaning tools.
 
Hi Bobbye:

I tried to follow your instructions, but the web version of Kaspersky is offline. I was going to install the free trial but it prompted me to uninstall Norton Internet Security which is a paid subscription, so I didn't go that route. Anyway, I did online scans using Bitdefender and Trend Micro Housecall. Both came up clean.

Everything is still working well in IE, so I assume we're done?

Thanks for the help.
 
Looks like Kaspersky is offline now- there's a message that it's unavailable- sorry about that. I wonder if they are ready to issue v5.

I'm going to ask someone to check the Combofix deletions to see if any further removal needs to be done. If not, I'll have you remove the cleaning tools and set a new restore point.
 
Thank you for posting back! I am so sorry- you fell between the cracks! My "consult" on the Combofix deletions didn't work out.

I do need the online scan. Still keep seeing notices about Kaspersky being unavailable, so let's try this:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Are you still having the redirects or pop-up ads? If no and the Eset scan is clean, I'll have you remove the cleaning tools. I am really sorry you've had to wait so long. I do my best to work with oldest first, but I'm going to have to find a way that works better- thank you for your patience.
 
I figured I might have dropped off the radar. But that's OK as everything has been running smoothly. I haven't had any problems with redirect or anything else.

However, when I ran Eset it did find the following: Olmarik.OF virus. The log is attached. So I guess we are not quite done yet. Thanks.
 
Hey, no problem! Qoobox is Combofix's quarantine folder. That entry was:
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p

When you uninstall Combofix, that will be gone:


Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

And remove the additional cleaning tools:
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.


You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Here are some pointers to help you stay safe:

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get All updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP1
  • Visit this site: Adobe Reader often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use

5. Use an AntiVirus Software (only one)

6. Use a good, bi-directional firewall (one software firewall)
  • See Understanding and Using Firewalls including links to download a firewall.

7. Consider these programs for Extra Security
  • Spywareblaster:
  • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad
  • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.
Again my apology for the delays.
 