[Solved] Search links were redirected to random sites

Status
Not open for further replies.

vostro1310

Posts: 19   +0
Every time I use Google search and click the result link, the link was redirected to a random site. I have tried the 8-step preliminary removal but the problem remains. Attached are the three log files. Please help to fix this annoying problem. Thanks.
 

Attachments

  • hijackthis.log
    8.8 KB · Views: 1
  • SUPERAntiSpyware Scan Log - 02-04-2010 - 20-22-09.log
    465 bytes · Views: 2
  • mbam-log-2010-02-04 (20-01-20).txt
    1.2 KB · Views: 3
Sorry, used the beta version of HijackThis. Here is the log from the full version.
 

Attachments

  • hijackthis_020510.txt
    8.7 KB · Views: 7
Thank you for catching that! Good job!

Please describe your redirect to me using the following:
Since you question a Google Redirect, I'd like you to describe what's happening:
1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
2. Does a different site load?
3. Does any site load?
4. Are the sites the same/different? Example of domain (such as searchfinder.com)
5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

Then I'll have you run another program.
 
Thanks for replying.

Here is the symptom of my computer:
1. When I typed "ESATA" in the Google box and clicked one of the results, the new webpage started to load. But before the new page showed up, I saw a "redirect link" on the tab (I use Firefox) and the resulting page was "address.com" showing results of esata in Newark, DE area under the category of Yellow Page.
2 & 3. Yes, the search result should be www.wisegeek.com/what-is-esata.htm, but instead http://www.addresses.com/yellow-pages/category:Esata/location:Newark,DE/listings.html was the site that showed up.

The similar redirect happened on all the searches. But if I copied the web address of the results and pasted it directly to the address bar, the right site would show up.

Another observation: when I right-clicked the search result and chose to open in a new tab, it showed a blank page with the address http://xmlsearch.mygeek.com/blank.html. But if I close this tab and do the same thing again from the result page, it would go to the right site.

I just have no clue what is going on. I would really appreciate your help.
 
Question: Are you aware that your Start page is going here?
partnerpage.google.com/smallbiz.dell.com

You have these 4 entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6090117
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6090117
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6090117
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/small...n&client=dell-usuk&channel=us-smb&ibd=6090117


I can find different Dell sites with various search strings, but nothing specific for the partner. The [ibd]=6090117 doesn't bring up a specific identity.

If you have not set these:

Please reopen HJT to 'do system scan only' and check those 4 entries and include the entry below:
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

Close all windows except HijackThis and click on "Fix Checked".

Reboot the system and see if this makes a difference.

Regarding searches: make your search more specific. Even asking "What is eSATA" is more specific than just typing the one word in.

I would also like to ask if you're in the UK. I have found that some of the ISPs will direct to another search page if the search term is vague.

For your entries, I could find an assortment:

Doing a search using http://partnerpage.google.com/smallb...mb&ibd=6090117 brings up a 404- Not found error.
I used ibd=6o90117 and found 3 hits: 2 were for DELL, one for a site with the # in JP.

I found this example: http://www.google.com/ig/dell
And this using partnerpage.google.com: http://www.google.com/ig

I also use Firefox and Google search, so I typed "Esata" in the search and got 6,790,000 for "ESATA"

If I type "What is eSATA"? (no quotes) the first site is definition, second is wisegeek.

The address.com yellow pages URL you left brought up the page, but asked if "Did you mean:
* East?"
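
An added example, not part of the original thread and not code from HijackThis: a small Python parser for the `R0`/`R1` (Internet Explorer start and search page) and `O2` (Browser Helper Object) log lines quoted in the post above, which lists the entries an owner should confirm before fixing them. The function names, the `expected_hosts` allow-list and the `O4` sample line are assumptions made for illustration.

```python
import re

# Log lines quoted in the post above, plus one constructed O4 line that must be ignored.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6090117
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6090117
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6090117
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [ExampleApp] C:\Example\app.exe
"""

# "R0 - HIVE\key,value name = data" (IE start and search pages)
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\([^,]+),([^=]+?) = (.*)$")
# "O2 - BHO: name - {CLSID} - path" (Browser Helper Objects)
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def host_of(data):
    """Host part of a URL; the scheme is optional, as in the quoted log."""
    return re.sub(r"^[a-z]+://", "", data.strip(), flags=re.I).split("/", 1)[0].lower()

def parse_hjt(log_text):
    """Return one dict per R0-R3 or O2 line; every other line is skipped."""
    entries = []
    for line in map(str.strip, log_text.splitlines()):
        m = R_LINE.match(line)
        if m:
            code, hive, key, name, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key,
                            "name": name, "data": data, "host": host_of(data)})
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            entries.append({"code": "O2", "name": name, "clsid": clsid, "path": path})
    return entries

def review(entries, expected_hosts):
    """Entries the owner should confirm: pages on unexpected hosts, and every BHO."""
    return [e for e in entries
            if e["code"] == "O2" or e["host"] not in expected_hosts]

if __name__ == "__main__":
    for e in review(parse_hjt(SAMPLE_LOG), expected_hosts={"www.google.com"}):
        print(e["code"], e.get("host") or e["path"])
```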
 
Yes, I noticed the start page is not www.google.com but I thought Dell configured that way (I am using Dell laptop).

Unfortunately, my Dell died this morning when I tried to start it. It showed the MS BSOD without specific description but these codes 0x0000007E ( 0x0000001D, 0x80537008, 0xB84CF3B8, 0xB84CF0B4). I tried to boot it in Safe Mode but it hung at the step of loading Mup.sys. I don't know what I should do now.
 
What is mup.sys? Multiple UNC Provider driver

What does the mup.sys do? It determines which network client protocol to use when the target server is specified by a UNC path such as \\Server_Name.

How is it 'fixed'? Can be fixed by booting with CD and repairing, or by the 'disable mup' command

You're going to need to boot into the Recovery Console if your Dell came with a CD for the operating system. If it is one of the newer laptops, it will have a Recovery partition instead. The Dell Recovery Partition comes with the image you see when you first turn your laptop on. Usually you can boot into it using F10.

Press F10 on boot-up and follow the onscreen menus.
----------------------------------------
Possible causes of Stop 0x0000007E error in Windows XP:
  • If this issue occurs after the first restart during Windows Setup or after Setup is complete, the computer might not have sufficient hard disk space to run Windows XP.
  • The computer BIOS might be incompatible with Windows XP, or it might have to be updated.
  • The video adapter drivers might be incompatible with Windows XP.
  • A device driver or a system service might be damaged.
  • If the issue is associated with the Win32k.sys file, it might be caused by a third-party remote control
Source: http://support.microsoft.com/kb/330182 and http://support.microsoft.com/kb/308041/

Do you have a Windows XP CD-ROM so that you can boot into the recovery console and replace the corrupted file- or is it on the system itself like mine is (Dell Inspiron 9300)? If you load up to mup.sys, then the hard drive isn't dead.

Let me know. Details as needed.
 
I have the XP CD that came with my Dell. There is no F10 option on the boot screen but F12 to select boot device.

Read the 330182. Disk space is not an issue, C drive still has more than 90GB available.
Not sure if BIOS has a problem, bought it last year and worked just fine until the "2010 Antivirus" attacked. System became weird (link redirect and BSOD when ran hibernation) since, but no hardware changed.

I booted it with the CD and chose the Recovery Console; after typing in the Administrator password, it only showed the Command Prompt. What do I need to do with the Command Prompt?
 
I disabled the MUP as you instructed and rebooted it in Safe Mode. The system stopped with screen showing lots of sys file and the last one was 1394BUS.SYS.

After reading the 308041, I wonder if an in-place upgrade would be an easier solution without messing with the original system much, since I have not changed the hardware after the installation of XP.
 
1394BUS.SYS. is the driver for the adapter. Is there a reason you tried to boot into Safe Mode after disabling mup.sys?

You booted into the Recovery Console, did the above, right?
Did you remove the CD from the drive before you rebooted?
Can you boot into Normal Mode? If so, do the following:

Click on Control Panel> System> Tools> Error Checking> Check both boxes on the screen that comes up> OK> Close the nag message and Reboot. The Error Check should begin in a few seconds.

Let it complete. The system will reboot itself when through.
 
I booted into the Recovery Console and disabled the MUP.SYS, then restarted from the hard drive in normal mode. The system still showed the BSOD with the same 0x0000007E code. I then booted it in Safe Mode, but it stopped at 1394BUS.SYS. Had no success booting the system.
 
Use Safe Mode as a diagnostic:

If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

Using Safe Mode to determine a basic source of a problem. The choices:

  • [1] Safe Mode: Loads the minimum set of device drivers (serial or PS/2 mouse devices, standard keyboards, hard disks, CD-ROM drives, and standard VGA devices) and system services required to start Windows XP/2000/2003 (Event Log, Plug and Play, remote procedure calls (RPCs), and Logical Disk Manager). User specific startup programs do not run. This is helpful in determining whether problems are due to specific programs.

  • [2] Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.

At this point I would suspect a driver. Check that out like this:

Click on the Control Panel> system> Hardware tab> Device Manager> look for the error icon which is a yellow ▲ with a black !. Double click to open that driver> view the problem> attempt a driver update if indicated.

Let me know how that goes. There are 2 other options that can be utilized if needed.
 
Sorry, Bobbye. Your instruction confused me. Could you please instruct me how to boot the system up, so I could check the device manager as you mentioned. I have tried all options on the boot menu and none of them made through the booting. All options on Safe Mode hung at 1394BUS.SYS and all regular boot ended up with BLUE Screen. I don't know how to get the system up with BSOD on normal boot and system hung on Safe Mode.
 
Can you get into any mode? We need to find out what's causing the BSOD. The Event Viewer can be used if you can get into the system. Let me know and I'll give you instructions for accessing.

Can you tell me what 'system hung when in Safe Mode' means?

The different Safe Mode options were meant as a help to where to look and where you didn't need to look. Sorry, didn't mean to confuse you.
 
Thanks to CAMusing, the KB977165 was the cause of my BSOD. By following the instructions from this link, http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1, I did the following to uninstall the KB977165.

1. Boot from the Windows XP CD and start the recovery console (see this Microsoft article for help with this step)

Once you are in the Repair Screen..

2. Type this command: CHDIR $NtUninstallKB977165$\spuninst

3. Type this command: BATCH spuninst.txt

4. Type this command: systemroot

5. When complete, type this command: exit

After the above fix, I can now boot to the normal mode.
 
Bobbye, thanks for helping to resolve my BSOD.

Now I could go back to your post at #5. I removed the 5 entries from HJT and restarted the system. Google the "what is esata?" and the google showed the same results as you mentioned, definition was the first and wisegeek was the second. However, I was only able to get the right link at the first time I opened it in a new tab. It redirected me to "FindStuff" (http://www.icityfind.com/jump2/?affiliate=and2&subid=2716&terms=what is esata?) at my second try to open it in a new tab. I ran the HJT and attached is the new log.

By the way, I am located at Delaware, not UK.
 

Attachments

  • hijackthis_02162010.txt
    7.9 KB · Views: 1
So sorry! I saw the post about the update, but didn't get feedback for your current reply.

We need to root out this re-director!
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection
  • Double click on the setup file on the desktop to run
  • If you are prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If you are prompted to update, please do so
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Then please Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Got both scans finished and the log files attached.

Just curious, why the CF needs to be renamed before downloading. I did not notice initially my folder setting with the extension name hidden and saved the CF as ComboFix(.exe).exe. When I first ran it, it simply quit after I click OK to the Disclaimer window. Why could I just download it as it is and run it?

After all the scans, the google search still did not work right. All the first click would be redirected to different site, but the repeated click on the same results link would go to the right site.
 

Attachments

  • ComboFix.txt
    12.7 KB · Views: 3
  • log.txt
    795 bytes · Views: 1
After all the scans, the google search still did not work right. All the first click would be redirected to different site, but the repeated click on the same results link would go to the right site.
 
Just curious, why the CF needs to be renamed before downloading. I did not notice initially my folder setting with the extension name hidden and saved the CF as ComboFix(.exe).exe. When I first ran it, it simply quit after I click OK to the Disclaimer window. Why could I just download it as it is and run it?
Because we are told to rename the report. That will separate it from the setup file on the desktop. It will allow deleting a current report before running Combofix again.

Please download SystemLook from one of the links below and save it to your Desktop:
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
    Code:
         :filefind
         iastor.*
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Well, I'm puzzled!

I'm not a hardware person-but:
iaStor.sys is the driver for onboard Intel SATA support... It allows hard drives and other peripherals attached to an Intel motherboard via the SATA controller to work.

You have 2 legitimate entries for iaStor.sys:
C:\drivers\storage\R179638\iastor.sys > 305176 bytes> 2358C53F30CB9DCD1D3843C4E2F299B2
C:\WINDOWS\system32\drivers\iaStor.sys> 305176 bytes> 2358C53F30CB9DCD1D3843C4E2F299B2


And Combofix is having a problem with the file. I need to check and see if I can remove one of these but still leave the system with a functioning driver.

I'm sorry this has taken so long. I'll be back.
 