Google search results redirected

rbuxton1
I am experiencing a problem with Google search results being intermittently redirected to various other search pages. I have tried running Ad-Aware and SpybotSD, but the problem is still there. I am attaching an HJT log. I will appreciate any help I can get.
 
Follow the 8-step malware removal guide

Post 3 logs. This gives us a common view of your complaint.

Google redirection covers a wide spectrum of infections or just a simple reset of IE settings.

MBAM will know how to classify this HJT finding:
O20 - Winlogon Notify: c009432E - C:\WINDOWS\SYSTEM32\c009432E.mat

If you cannot reach the sites for the tools in the guide, you may need to get them via this site:
download dot com
 
Google redirection problem

Hi,
Thank you for your time and your interest in my problem. Since posting, and prior to receiving your reply, I had started on the 8-step procedure. When I ran Malwarebytes Anti-Malware, it detected and removed several Trojans. This apparently solved the Google redirection. However, when I ran MBAM again, it kept finding Trojans (e.g. Files Infected:
C:\System Volume Information\_restore{A34FB7E6-F555-47EF-8E2F-102C4B8C02A7}\RP719\A0069168.sys (Trojan.Downloader) -> Quarantined and deleted successfully.) I turned off System Restore, ran MBAM again, and turned System Restore back on. This time I got a clean run.
Thank you in advance for any advice you can give.
Rhon
 
I am still troubled by
O20 - Winlogon Notify: c009432E - C:\WINDOWS\

It appears to have been touched by one of the tools. Do you have any knowledge of this finding?

If any of the MBAM / SAS logs contain any of the following
TDSS*, brastk*, karna* , MS Juan , MS Track System

then I recommend ComboFix - instructions courtesy of Blind Dragon
 
Google redirection problem

Thanks for your concern.
I appended the MBAM logs together and searched for the text strings you mentioned. I couldn't find any of them.
I have at some point run the ComboFix program and saved the log.
The log contains a reference to the item that's troubling you.

- - - - ORPHANS REMOVED - - - -

Notify-c009432E - (no file)

I am attaching the log for your information.
I will appreciate any further help that you can give.
Rhon
 
Unfortunately I don't "speak" combofix. Another specialist volunteered to review the log. He is on the other side of the world. His day is just beginning.

ComboFix precedes the HJT log. It is unusual that ComboFix removed the orphan file but left the Registry with a changed value. Normally ComboFix cleans up things left hanging from the other tools.

Thanks for your patience with me. Since you feel things are better, I wish you happy computing. The follow-on from the specialist should confirm your feelings. I'm just trying to be thorough.
 
Google redirection problem

I appreciate your care and your patience with me. I would not like to think that something bad is lurking in my system. For the time being I am using my laptop for financial transactions. I will look forward to hearing from your colleague.
Thanks again.
Rhon
 
Here are the ComboFix/CFScript instructions.

  1. Open notepad and copy/paste the text in the quote box below into it:

    File::
    c:\temp\adku441.exe
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\Downloaded Program Files\erma.inf
    C:\sydp.exe

    Folder::
    c:\documents and settings\Rhon\Application Data\IUpd721
    c:\documents and settings\All Users\Application Data\{53DDDDA7-EBF3-4523-BD4F-F0B48B818C1B}
    c:\windows\system32\NPX
    c:\windows\system32\im
    c:\windows\system32\uvb
    c:\windows\system32\QI19
    c:\temp\NT32
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.
 
Google redirection problem

Hi Momok,
When ComboFix started up, it tried to download a newer version but was unable to do so. Here are the logs from that run.
Thanks for your help.

Rhon
 
Google redirection problem

Momok,
I have run Combofix again with your script. This time with the latest version and with SAV turned off. I am attaching the logs from this second run.
Thanks,
Rhon
 
Attachment: ComboFix.txt
 
Please fix these in HJT and post a fresh log thereafter.

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -
O20 - Winlogon Notify: c009432E - C:\WINDOWS\

Thanks
 
Google redirection problem

Momok,
I ran HJT and checked the items that you recommended. After the fix, I continued with a scan from within HJT which showed the items gone. Then I rebooted my system and again ran HJT. This time the Items appear to be back. I am sending both logs.
Should I run HJT with System Restore turned off?
Thanks,
Rhon
 
Attachment: hijackthis2.txt
 
Here is a random idea.

Theory: an existing application brought back an optional setting employing an icon.
Action: visit the taskbar notification area; hover over the icons; make note of a void in the line-up or of a new icon.
Action: visit 'customize notifications':
taskbar > right click unused section > properties > customize > review list

The trick: match icons to applications. No other info is available at this level.

Working the problem in this backwards fashion takes a lot of guess work.
 
Google redirection problem

Hi momok,
Since my last post, I tried fixing the four items you suggested with HJT and System Restore turned off. They were gone when I rescanned with HJT, but they came back when I rebooted (as you probably expected). I found two references to the O20 Winlogon Notify item on my system. One was a file
C:\Qoobox\Quaranteen\Registry-Backups\Notify-c009432E
This directory was apparently created by Combofix.
The other reference was the Winlogon Notify registry entry. I deleted the entry with Regedit and the item no longer shows up in HJT logs.
I thought about removing all references to Shockwave from the registry, but I don't really understand the relationship between it and Adobe Flash. I don't understand why objects keep returning after being 'fixed' by HJT. Maybe you can make a recommendation. In the meantime I will run MBAM and AVG as you suggested.
Thanks for your continued help.
Rhon
 
Google redirection problem

momok,
I ran MBAM and SAS as you suggested and am attaching the logs. Also attaching another HJT log.
Thanks for continuing with this.
Rhon
 
Fix these in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -

Apart from that, the problem seems to be gone =)
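The HJT entries the helpers flagged by hand across this thread (an O20 Winlogon Notify handler with no DLL behind it, O16 DPF entries with no download source, a blanked IE Local Page) can be triaged mechanically. The following is an added example, not code from the thread or from HijackThis itself; its sample log is constructed from lines quoted above plus one normal entry of each kind, and the CLSID {11111111-...} and the example.invalid URL are placeholders.

```python
"""Triage of HijackThis (HJT) log lines for the patterns discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in this thread plus one normal entry of each kind.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} -
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Constructed Control) - http://example.invalid/x.cab
O20 - Winlogon Notify: c009432E - C:\WINDOWS\
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

@dataclass
class Finding:
    kind: str       # HJT section: R0, O16 or O20
    line: str       # the log line as written
    reasons: list   # why it was flagged

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))?\s*-\s*(.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
R0_RE = re.compile(r"^R0 - (HK\w+\\[^,]+),([^=]+?)\s*=\s*(.*)$")

def triage_line(line):
    """Return the reasons a single HJT line looks wrong ([] if it looks normal)."""
    line = line.rstrip()
    reasons = []
    if m := O20_RE.match(line):
        name, path = m.groups()
        if path in ("", "(no file)") or path.endswith("\\"):
            reasons.append("Winlogon Notify handler with no DLL behind it (orphaned registry key)")
        elif not path.lower().endswith(".dll"):
            reasons.append(f"Winlogon Notify handler is not a .dll: {path}")
        if re.fullmatch(r"[0-9A-Fa-f]{8}", name):
            reasons.append(f"random-looking handler name: {name}")
    elif m := O16_RE.match(line):
        if not m.group(3):
            reasons.append("DPF entry with no download source (dead leftover, safe to fix)")
    elif m := R0_RE.match(line):
        if not m.group(3):
            reasons.append(f"IE {m.group(2).strip()} value has been blanked")
    return reasons

def triage_log(text):
    """Return a Finding for every flagged line of a whole HJT log."""
    return [Finding(ln.split(" ", 1)[0], ln.rstrip(), r)
            for ln in text.splitlines() if (r := triage_line(ln))]
```

Running `triage_log(SAMPLE_LOG)` flags exactly the three lines the thread told the poster to fix and leaves the stock entries alone.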
 