Google search redirect

Status
Not open for further replies.

gabblop

HI,

I'm having a problem with my browser. When I'm searching for something and click on a link, I get to random sites. I have Kaspersky Internet Security, scanned about 3 times and no virus detected. I've installed Safari, but I get the same problem. I also read the other threads about this subject but I don't understand. Please, help me!
 
Welcome to TechSpot, gabblop. I'll help with the malware problem.

We have set up a thread with steps for Preliminary Virus and Malware Removal instructions. You will find it HERE.

Please follow the steps and when finished, leave the 3 logs in your next reply and we will review them for malware entries. The logs will show us what the malware is so that the appropriate follow up programs, if needed, can be done.

Malwarebytes and SUPERAntiSpyware each have a line for you to check so that the programs will delete or quarantine the malware entries they find. Each will produce a log. HijackThis also produces a log. Most of the entries in this log will be legitimate. After it is reviewed, if any entries need to be removed, we will instruct you as to what they are and how to do it.
 
Ok here I attached the logs.
 

Attachments

  • mbam log.txt
    1.6 KB · Views: 3
  • SUPERAntiSpyware Scan Log.txt
    998 bytes · Views: 2
  • hijackthis log.txt
    7.4 KB · Views: 1
You have a DNS Changer malware infection along with a possible Rootkit.
It appears that at some point, you or someone else who uses the computer may have attempted to download the MVPS Hosts here: http://mvps.org/winhelp2002/hosts.htm. But it wasn't done correctly and now the hosts files have been hijacked.

Please reopen HijackThis to 'do system scan only.' Check each of the following entries, if present. (It is possible that you won't see all of these entries now, but you should check all of the O1 - Hosts entries.) NOTE: Do not click on 'Fix Checked' until you have checked all of the entries:

O1 - Hosts: copyright (c) 1993-1999 microsoft corp.
O1 - Hosts: this is a sample hosts file used by microsoft tcp/ip for windows.
O1 - Hosts: this file contains the mappings of ip addresses to host names. each
O1 - Hosts: entry should be kept on an individual line. the ip address should
O1 - Hosts: be placed in the first column followed by the corresponding host name.
O1 - Hosts: the ip address and the host name should be separated by at least one
O1 - Hosts: space.
O1 - Hosts: additionally, comments (such as these) may be inserted on individual
O1 - Hosts: lines or following the machine name denoted by a '
O1 - Hosts: for example:
O1 - Hosts: 102.54.94.97 rhino.acme.com
O1 - Hosts: 38.25.63.10 x.acme.com
O1 - Hosts: localhost name resolution is handled within dns itself.
O1 - Hosts: ::1 localhost
O1 - Hosts: 78.46.17.80 l2authd.lineage2.com
O1 - Hosts: 78.46.17.80 l2patcher.lineage2.com
O1 - Hosts: 78.46.17.80 nprotect.lineage2.com


Close all Windows except HJT and click on "Fix Checked."

Print out the following directions so that you can follow each step: DNS Changer

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Rescan with HijackThis after completing the above. Leave the new Mbam log and new HijackThis log in your next reply.
I will have you reset the Hosts files correctly when we're finished.
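
The O1 review described in the post above can be scripted. This is an added example, not part of the original thread or of HijackThis: it parses `O1 - Hosts:` lines from a log and groups hostnames that the hosts file points at a routable address. The sample lines are copied from the entries quoted above plus one constructed non-hosts line; the function names and the allowlist of stock example names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: O1 lines quoted in the post, plus one constructed non-O1 line.
SAMPLE_LOG = """\
O1 - Hosts: this is a sample hosts file used by microsoft tcp/ip for windows.
O1 - Hosts: 102.54.94.97 rhino.acme.com
O1 - Hosts: 38.25.63.10 x.acme.com
O1 - Hosts: ::1 localhost
O1 - Hosts: 78.46.17.80 l2authd.lineage2.com
O1 - Hosts: 78.46.17.80 l2patcher.lineage2.com
O1 - Hosts: 78.46.17.80 nprotect.lineage2.com
O2 - BHO: (constructed non-hosts entry, ignored by the parser)
"""

O1_LINE = re.compile(r"^O1 - Hosts:\s*(.*)$")
# Assumption: names from the example block of the stock Windows hosts file.
STOCK_EXAMPLES = {"rhino.acme.com", "x.acme.com"}

def parse_o1(log_text):
    """Split O1 entries into (ip, hostname) mappings and free-text residue."""
    mappings, residue = [], []
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if not m:
            continue
        fields = m.group(1).split("#")[0].split()  # drop trailing comments
        try:
            ip = ipaddress.ip_address(fields[0]) if len(fields) >= 2 else None
        except ValueError:
            ip = None  # first token is not an address: comment text, not a mapping
        if ip is None:
            residue.append(m.group(1))
        else:
            mappings.extend((ip, host.lower()) for host in fields[1:])
    return mappings, residue

def suspicious_redirects(log_text):
    """Group hostnames that the hosts file sends to a routable address."""
    flagged = defaultdict(list)
    for ip, host in parse_o1(log_text)[0]:
        if ip.is_loopback or ip.is_unspecified or host in STOCK_EXAMPLES:
            continue  # 127.0.0.1, ::1 and 0.0.0.0 are default or block-list entries
        flagged[str(ip)].append(host)
    return dict(flagged)
```

Several unrelated names sharing one routable address, as in the last three sample lines, is the pattern worth a closer look; entries pointing at loopback are what a block-list hosts file such as MVPS produces.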
 
HI,

I deleted all the 01 hosts and did the "ipdconfig /flushdns" but FAILED! I attached here a screenshot! Help!
 

Attachments

  • flush dns failed (Jpeg).JPG
    30.8 KB · Views: 2
Try doing this first:

  • [1]. Click Start> Run> type services.msc> OK.
    [2]. Double click DNS Client.
    [3]. Set Startup Type to Automatic.
Reboot
 
Yes, the DNS flush worked now. Here are the logs.
 

Attachments

  • hijackthis(2).txt
    6.5 KB · Views: 1
  • mbam-log(2).txt
    1 KB · Views: 1
Okay- did you also do the router reset? That's important.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Follow with Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave the Combofix report and Eset log in next reply.

Is your internet connection working okay?
 
Yes, I restarted my router and all that but when I want to install combofix after renaming it, I get an error saying I can't rename as Combo-Fix(.exe). Here I attached the pop up error.
 

Attachments

  • Combofix error.JPG
    9.9 KB · Views: 3
Don't worry about the renaming. If it becomes a problem it can be done later. Just find and post:
C:\ComboFix.txt

It should be on your desktop.

There is a reason for the renaming, but I understand what you see. I've taken that out of my directions for Combofix as it can be done later if necessary.
 
Yes, my internet connection is ok but I had to setup my router again. Here are the 2 logs.
 

Attachments

  • combofix log.txt
    30.1 KB · Views: 1
  • log.txt
    740 bytes · Views: 1
P2P or 'file sharing' Warning:

You are running multiple file sharing programs:
GreedyTorrent
Azureus
uTorrent


As long as these are running, it is useless to try and clean malware.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall GreedyTorrent, Azureus and uTorrent for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
 
Ok, thanks a lot for the information. I removed all the 3 programs! I also want to thank you one more time because I have no more Google redirect. THANKS, you just saved my life :D!
 
Would you like me to remove any left over entries from the P2P programs? Just run Combofix after you uninstalled them----- One more scan with HijackThis---- And one more online AV scan. I'll set up any files that need to be removed and if the AV scan is clean, I'll have you remove the cleaning tools.

Sometimes, a problem will be resolved but there is still malware- I'd like to check and make sure we got it all. We're almost there.
 
Ok here are the 3 logs.
 

Attachments

  • ComboFix log.txt
    27.6 KB · Views: 1
  • ESET log.txt
    1.4 KB · Views: 1
  • hijackthis.log
    5.8 KB · Views: 1
Can't find much and that's a good thing!

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\All Users\Application Data\Azureus
c:\documents and settings\Gabriel Tapuc\Application Data\Azureus	
c:\documents and settings\Gabriel Tapuc\Application Data\uTorrent

Folder::
c:\program files\Cheat Engine
Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . No need to leave this log.
====================
If the original malware problems have been resolved:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Please let me know if I can be of help in the future. Please take the information I left about P2P/File Sharing programs seriously.
 
Hi, I followed all the steps and created a system restore but after that, u say "Go back and follow the path to > System Tools." But whats its the and system tools is a program files folder, not a program. So what i have to click???
 
Sorry- that extra letter shouldn't have been in there. I have corrected it so you just use the same path you did originally:

Go to Start > All Programs > Accessories > System Tools
 
Umm... what system tools do u mean... IT IS A FOLDER!!! I attached a pic here to show u what I mean. It is not a program!!! You said "Go to Start > All Programs > Accessories > System Tools" but after system tools... I click what? Help?
 

Attachments

  • System tools folder.JPG
    55.6 KB · Views: 1
You need to get up to speed on using programs and folders. If you see an arrow point to the right of the name, it means there are multiple contents. Place the cursor over the name and the contents will display to the right. When they do, click on the one you want.

Ergo: System Tools ► System Restore.

At no point in the directions does it refer to System Restore as a program. Apparently you don't know how to open either folders OR programs!

For your information, a program can display the same way if it has multiple features.
 
You still don't answer my question: When I'm at accessories>system tools, I click what??? System restore has only 2 choices: 1. Restore my computer to an earlier time and 2. Create a restore point. At the left, there is a link named "System Restore Settings". So I have nowhere to find any partition drive window. Can you please put a print screen so I can easily understand?
 
I added a line to this section which should make it easier:
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup> let the files compress
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

The full path is: All Programs> Accessories> System Tools> Disc Cleanup> Let files compress> Choose More Options tab> In system Restore section choose Cleanup
I hope this helps. It seemed better to add that step as it is a bit misleading.
 
Sorry it wasn't clear. That should have been in there. Yes, you are clean and finished! Here are some tips that should help you keep the system clean:

Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software (only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls. Both are free and good:
Comodo or Zone Alarm
7. Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.
 