Another Google Redirect issue

[Snowman]

I've seen several variants of this same topic/problem. Not sure if I should be posting in someone else' thread or start a new one.

As I just mentioned, I have the same issue that some other members have very recently mentioned also. Both in FireFox and Internet Explorer, after searching Google then clicking on a link in the results page, I am on occasion (but not always) re-directed to another seemingly legit search site, or elsewhere. I have been unable to detect with AVG, SuperAntiSpyware, CCleaner or MalwareBytes any trojan, virus etc.... Looking for help to identify and rid myself (my computer) of this nagging/annoying and potentially damaging bug. Any help would be greatly appreciated. Just tell me what to do.

Background:

Running

WinXP SP3

AVG (free version)

SuperAntiSpyware

CCleaner

MalwareBytes

[Elise]

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

• The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  
• Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  
• The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  
• Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
  

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
    

  [*]Save it to your desktop.

  [*]Double click on the icon on your desktop.

  [*]Click the "Scan All Users" checkbox.

  [*]Push the button.

  [*]Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized
    

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.
  

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

• A detailed description of your problems
  
• A new OTL log (don't forget extra.txt)
  
• GMER log
  

[Snowman]

Here it is!

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-21 21:09:00

Windows 5.1.2600 Service Pack 3

Running: hn78ys1h.exe; Driver: C:\DOCUME~1\BENAND~1\LOCALS~1\Temp\uwxdqfod.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAD21B620]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xB97E9000, 0x1A05E6, 0xE8000020]

init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xAD4B1A00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

Extras.Txt

OTL.Txt

[Elise]

Hello again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  
• Double click on Combofix.exe and follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[Snowman]

As requested, here is the combofix.txt file for your review.

Thanks!

combofix.txt

[Elise]

Hi, how are things running now? I see you had some trouble with combofix (the log looked like the first run didn't complete), so its possible I miss a few things that were fixed.

[Snowman]

Was combofix supposed to get rid of the Google redirect issue? I can't say for sure if the problem is gone at this point. The redirect issue does not happen every time, so it's hard to know right now if the problem still exists or not. True, Combofix did not complete the first time. I came back to the computer and the screen was black, but the PC was still running. Nothing I could do would "wake" it up.

[Elise]

Hello there,

Lets doublecheck if combofix got rid of the redirect or not: please browse to the following folder (if it exists) and let me know what file is inside it: c:\qoobox\quarantine\c\windows\system32\drivers

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

• Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  
• Look for "JDK 6 Update 20 (JDK or JRE)".
  
• Click the "Download JRE" button to the right.
  
• Select your Platform: "Windows".
  
• Select your Language: "Multi-language".
  
• Read the License Agreement, and then check the box that says: "Accept License Agreement".
  
• Click Continue and the page will refresh.
  
• Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  
• Close any programs you may have running - especially your web browser.
  

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

• Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  
• Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  
• If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  
• When the Java Setup - Welcome window opens, click the Install > button.
  
• If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please launch MBAM, update it and run a full scan. Post me the resulting log.

[Snowman]

Lets doublecheck if combofix got rid of the redirect or not: please browse to the following folder (if it exists) and let me know what file is inside it: c:\qoobox\quarantine\c\windows\system32\drivers

Hello Elise,

I found the core folder that you spoke of above, but the tree only went this deep c:\qoobox\quarantine\c\windows

Thanks for all of your help. I have one question. I see a number of similar posts for this Google redirect issue, and although I could have missed it, I haven't really seen a definitive answer as to the name of this trojan/virus or whatever it's called, where it resides and why so many programs have trouble getting rid of it and detecting it in the first place.

Again, thanks for your help. Here is the log....

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4232

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/24/2010 5:53:29 AM

mbam-log-2010-06-24 (05-53-29).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 344835

Time elapsed: 57 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Elise]

Hello again,

I have one question. I see a number of similar posts for this Google redirect issue, and although I could have missed it, I haven't really seen a definitive answer as to the name of this trojan/virus or whatever it's called, where it resides and why so many programs have trouble getting rid of it and detecting it in the first place.

This is because there are so many different causes for a google redirect. A redirect is not a virus or malware, its merely a symptom. There are many causes for this symptom: from an infected router to hosts file hijacking to rootkits.

When diagnosing such a problem, I ask for logs that will show me the most likely cause. In your case, since combofix crashed the first time and since nothing else showed up, I strongly suspect it was a rootkit, however I have no real evidence for that.

Please let me know how things are running now; what problems do you still have left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
   
2. Click the button.
   
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. 
      
   2. Click on to download the ESET Smart Installer. Save it to your desktop.
      
   3. Double click on the icon on your desktop.
      
      
   4. Check
      
   5. Click the button.
      
   6. Accept any security warnings from your browser.
      
   7. Check
      
   8. Push the Start button.
      
   9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      
   10. When the scan completes, push
       
   11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
       Note - when ESET doesn't find any threats, no report will be created.
       
   12. Push the button.
       
   13. Push
       
       

[Elise]

Hello, are you still there?

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.