Inactive Need help with a persistent Google redirect!

Status
Not open for further replies.

crfloyd

Posts: 29
I am experiencing a very annoying Google redirect that I can not seem to get rid of. I have attached the requested logs. Please help in any way you can!
 

Attachments

  • Attach.txt (6.1 KB)
  • DDS.txt (16 KB)
  • GMER.log (8.9 KB)
  • mbam-log-2010-05-18 (18-30-28).txt (879 bytes)
Which browser is getting redirected?

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
My primary browser is Firefox, but I have also had Google redirected within Internet Explorer. Attached is my ComboFix log. Thank you for the help!
 

Attachments

  • ComboFix.txt (19.4 KB)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\apikndss¤.exe
c:\windows\System32\apikndss.exe
c:\windows\System32\apikndss(.exe
c:\users\Floyds\AppData\Local\Temp\geurge.exe
c:\users\Floyds\AppData\Local\Temp\k8p14819.exe
c:\users\Floyds\AppData\Local\Temp\md22uhi.dll
c:\windows\system32\net.net
c:\windows\system32\msfdjgqe.dll
c:\windows\system32\drivers\zhfwhvvrqafuy1.sys


Folder::
c:\users\Floyds\AppData\Roaming\.#
c:\programdata\61606625


RenV::
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Logitech\GamePanel Software\lgdevagt .exe
c:\program files\Logitech\GamePanel Software\G-series Software\lgdcore .exe
c:\program files\Logitech\GamePanel Software\LCD Manager\lcdmon .exe
c:\program files\Realtek\Audio\HDA\rthdvcpl .exe


Driver::
lyvmuqg
zhfwhvvrqafuy1


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\61606625]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apikndss]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apikndss(]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bazisazive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezLife]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87sdhfush87fsufhuie3fddf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcexecwin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\net]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rinfri]


RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Here are the logs. Thanks again!
 

Attachments

  • COMBOFIX.txt (18 KB)
  • hijackthis.log (6.1 KB)
I am still being redirected. The first time I search something and click a Google link, it goes to the proper page. The second time, I get taken to a random page. :(
 
Which browser is getting redirected?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

===========================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
userinit.exe
explorer.exe
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
It wouldn't let me copy and paste the text here as I exceeded the character limit so I have attached them instead. Thanks again!
 

Attachments

  • OTL.Txt (124 KB)
  • Extras.Txt (48.4 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {79a2801f-ad64-47ee-badd-5648dcc8d214} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    [2010/03/12 20:30:20 | 000,000,000 | ---D | C] -- C:\Users\Floyds\AppData\Local\ESET
    [2010/03/12 20:20:10 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
    [2010/03/12 20:20:10 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2010/04/27 10:12:37 | 000,811,520 | ---- | C] () -- C:\Windows\System32\qlkytf
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
I apologize, I use Firefox as my primary browser and that is the one being redirected. I will also add that a couple of times, an entire new tab has been opened randomly with a random site. I will now run the scan you have advised.
 
I opened up IE and ran a few searches. It did fine for about 8-10 searches and then it started to redirect again. I will also add that I have a program called Hitman that starts up upon reboot and it usually tells me that IE is using a proxy server every time.
 
This is the log from the fix:


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79a2801f-ad64-47ee-badd-5648dcc8d214}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79a2801f-ad64-47ee-badd-5648dcc8d214}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
C:\Users\Floyds\AppData\Local\ESET\ESET NOD32 Antivirus\Quarantine folder moved successfully.
C:\Users\Floyds\AppData\Local\ESET\ESET NOD32 Antivirus folder moved successfully.
C:\Users\Floyds\AppData\Local\ESET folder moved successfully.
C:\ProgramData\ESET\ESET NOD32 Antivirus\Stats folder moved successfully.
C:\ProgramData\ESET\ESET NOD32 Antivirus folder moved successfully.
C:\ProgramData\ESET folder moved successfully.
C:\Program Files\ESET folder moved successfully.
C:\Windows\System32\qlkytf moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Floyds
->Temp folder emptied: 2864 bytes
->Temporary Internet Files folder emptied: 1826815 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 93693653 bytes
->Flash cache emptied: 2387 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 38285 bytes

Total Files Cleaned = 91.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.5.0 log created on 05272010_205253

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
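Reading a fix log like the one above by eye gets error-prone once it runs to a few dozen lines, and the helper's cross-check against it ("I don't see any indication of the above in your OTL log") is exactly the kind of question that benefits from a structured view. The parser below is an added example, not part of OTL or of this thread: it turns OTL fix-log lines into records (kind, target, outcome, bytes) so an analyst can count what was deleted or moved, total the bytes cleaned, and list every target OTL reported as "not found" (which tells you the item was already gone, or the entry pointed at something that never existed, by the time the fix ran). The line patterns are inferred from the log shown above rather than from OTL documentation, and the sample input is an excerpt of that log.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class FixEvent(NamedTuple):
    kind: str      # registry_key, registry_value, folder, file, emptytemp, activex, hosts
    target: str    # registry path, file/folder path, cache name, or CLSID
    outcome: str   # deleted, moved, not_found, emptied, removal_started, reset
    nbytes: int    # only meaningful for emptytemp records


# Outcome words as OTL prints them, mapped to short tags.
_OUTCOMES = {
    "deleted successfully": "deleted",
    "moved successfully": "moved",
    "not found": "not_found",
}

# Patterns are tried in order; "folder" must precede "file" because a folder
# line also ends in "moved successfully." and would otherwise be mis-tagged.
# The registry-key pattern drops the trailing backslash OTL appends to keys.
_PATTERNS = [
    (re.compile(r"^Registry key (.+?)\\? (deleted successfully|not found)\.$"), "registry_key"),
    (re.compile(r"^Registry value (.+?) (deleted successfully|not found)\.$"), "registry_value"),
    (re.compile(r"^(.+?) folder moved successfully\.$"), "folder"),
    (re.compile(r"^(.+?) (moved successfully|not found)\.$"), "file"),
    (re.compile(r"^->(.+?) emptied: (\d+) bytes$"), "emptytemp"),
]
_ACTIVEX = re.compile(r"^Starting removal of ActiveX control (\{[0-9A-Fa-f-]+\})$")


def parse_otl_fix_log(text: str) -> List[FixEvent]:
    """Convert OTL fix-log text into FixEvent records, skipping banners."""
    events: List[FixEvent] = []
    user = ""  # the "User: ..." context that [emptytemp] lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue
        if line.startswith("User: "):
            user = line[len("User: "):]
            continue
        m = _ACTIVEX.match(line)
        if m:
            events.append(FixEvent("activex", m.group(1), "removal_started", 0))
            continue
        if line == "HOSTS file reset successfully":
            events.append(FixEvent("hosts", r"drivers\etc\hosts", "reset", 0))
            continue
        for pat, kind in _PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind == "emptytemp":
                events.append(FixEvent(kind, f"{user}:{m.group(1)}", "emptied", int(m.group(2))))
            elif kind == "folder":
                events.append(FixEvent(kind, m.group(1), "moved", 0))
            else:
                events.append(FixEvent(kind, m.group(1), _OUTCOMES[m.group(2)], 0))
            break
    return events


def summarize(events: List[FixEvent]) -> Dict[str, int]:
    """Count records per kind:outcome, e.g. {'file:moved': 2, ...}."""
    return dict(Counter(f"{e.kind}:{e.outcome}" for e in events))


def bytes_cleaned(events: List[FixEvent]) -> int:
    return sum(e.nbytes for e in events if e.kind == "emptytemp")


def not_found(events: List[FixEvent]) -> List[str]:
    """Targets the fix script named but OTL could not locate."""
    return [e.target for e in events if e.outcome == "not_found"]


# Excerpt of the fix log posted above, used as sample input.
SAMPLE_LOG = r"""All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{79a2801f-ad64-47ee-badd-5648dcc8d214}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79a2801f-ad64-47ee-badd-5648dcc8d214}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
C:\Program Files\ESET folder moved successfully.
C:\Windows\System32\qlkytf moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Floyds
->Temp folder emptied: 2864 bytes
->FireFox cache emptied: 93693653 bytes

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
"""

if __name__ == "__main__":
    ev = parse_otl_fix_log(SAMPLE_LOG)
    print(summarize(ev))
    print("bytes cleaned:", bytes_cleaned(ev))
    print("not found:", not_found(ev))
```

The "not found" list is the part worth reading first: a registry key or file that was in the fix script but is absent at run time either confirms an earlier tool already removed it or flags a stale entry, and either way it explains why a redirect can persist after a fix that reports success.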
 
I still need this:
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Still redirecting?

"...it usually tells me that IE is using a proxy server every time."
I don't see any indication of the above in your OTL log.
 
GMER log looks fine.

Please, download fresh Combofix file, run it and give me new log.
 
FYI: While running ComboFix, I had a popup come up about 50-60 times telling me "Find String (QGREP) Utility has stopped working." Each time, I pressed "Close Program" and ComboFix would continue.

Here is a pic of the popup:

[image: qgrep.jpg]
 
How is redirection now?

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :dir
    C:\32788R22FWJFW /s
    c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521} /s
    :filefind
    wuauclt.exe
    ctfmon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
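The OTL custom scan earlier in the thread (the /md5start ... /md5stop list) and the SystemLook :filefind request above ask the same two questions of a machine: where does every copy of a given system binary live, and does the copy in its proper directory still match a known-good hash? The script below is an added example, not part of this thread, OTL or SystemLook, that answers both over a directory tree: it walks the tree, hashes every file whose name is on the watch list, reports copies outside the expected directory, hash mismatches and missing files. The watch list is a subset of the names in the thread; the tree it scans, the file contents and the baseline hashes are constructed for the demo, and a real use would point it at the system directory with vendor-published hashes in place of the constructed ones.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Subset of the names in the OTL /md5start block and SystemLook :filefind request.
WATCHED_FILES = ["atapi.sys", "userinit.exe", "explorer.exe", "netlogon.dll"]


def md5_of_file(path: str) -> str:
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str, names: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Record (path, md5) for every copy of each watched name under root.
    All copies are kept on purpose: a second copy of a system binary in an
    unexpected directory is a finding in itself, which is why both tools list them."""
    wanted = {n.lower() for n in names}
    found: Dict[str, List[Tuple[str, str]]] = {n: [] for n in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                found[fn.lower()].append((path, md5_of_file(path)))
    return found


def compare_to_baseline(observed: Dict[str, List[Tuple[str, str]]],
                        baseline: Dict[str, str],
                        expected_dir: str) -> List[Tuple[str, str, str]]:
    """Turn the listing into findings (name, path, reason). baseline maps a
    file name to the known-good MD5 of the copy that belongs in expected_dir;
    copies anywhere else are reported as 'extra copy' regardless of hash."""
    findings: List[Tuple[str, str, str]] = []
    for name in sorted(observed):
        copies = observed[name]
        if not copies:
            findings.append((name, "", "missing"))
            continue
        for path, digest in copies:
            if os.path.dirname(path) != expected_dir:
                findings.append((name, path, "extra copy"))
            elif name not in baseline:
                findings.append((name, path, "no baseline"))
            elif digest != baseline[name]:
                findings.append((name, path, "hash mismatch"))
    return findings


def build_demo_tree() -> Tuple[str, str, Dict[str, str]]:
    """Constructed sample tree (not a real system): one tampered driver, one
    stray copy in a temp directory, one file missing. Returns (root, expected_dir, baseline)."""
    root = tempfile.mkdtemp(prefix="md5demo_")
    sys32 = os.path.join(root, "system32")
    tmp = os.path.join(root, "temp")
    os.makedirs(sys32)
    os.makedirs(tmp)
    clean = {
        "atapi.sys": b"constructed clean atapi driver image",
        "userinit.exe": b"constructed clean userinit image",
        "explorer.exe": b"constructed clean explorer image",
        "netlogon.dll": b"constructed clean netlogon image",
    }
    baseline = {n: hashlib.md5(b).hexdigest() for n, b in clean.items()}
    with open(os.path.join(sys32, "atapi.sys"), "wb") as f:
        f.write(b"constructed TAMPERED atapi driver image")   # hash mismatch
    with open(os.path.join(sys32, "userinit.exe"), "wb") as f:
        f.write(clean["userinit.exe"])                        # clean
    with open(os.path.join(tmp, "userinit.exe"), "wb") as f:
        f.write(b"constructed stray copy")                    # extra copy
    with open(os.path.join(sys32, "explorer.exe"), "wb") as f:
        f.write(clean["explorer.exe"])                        # clean
    # netlogon.dll is deliberately not written, so it is reported missing.
    return root, sys32, baseline


def run_demo() -> List[Tuple[str, str, str]]:
    root, sys32, baseline = build_demo_tree()
    observed = hash_tree(root, WATCHED_FILES)
    return compare_to_baseline(observed, baseline, sys32)


if __name__ == "__main__":
    for name, path, reason in run_demo():
        print(f"{reason:14s} {name:14s} {path}")
```

MD5 is used here only because that is what the OTL scan block computes; for a baseline you build yourself, a SHA-256 of the vendor copy is the better choice, and the comparison logic is unchanged.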
 