Google redirect in Firefox...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by beanball, Apr 11, 2011.

  1. beanball

    beanball Private E-2

    Hey guys and gals,

    I'm hoping someone can help me because I have a Google redirect thing going on (Firefox) that I just cannot seem to solve. And I've been around computers for a while and dealt with a number of these things so this one is getting me frustrated.

    Basically when I do a Google search it takes a lot longer to load, say 5-10 seconds. When the search comes up, I click a link and it will take me to an ad site sometimes, sometimes not. Those links take 5-10 seconds to load as well.

    Anyways I've tried so much software, SpyBot, MalWarebytes, SuperAntiSpyware, Hitman 3.5, AVG scan, etc. I've cleaned as much as is found, in safe mode.

    Usually for these types of issues I've found the culprit in my hosts file but I've checked it over and over and only the 127.0.0.1 localhost exists. No suspicious entries.

    I've uninstalled/re-installed Firefox, problem persists.

    Even from the below HijackThis log I can't see anything suspicious, can anyone else or does anyone else have any ideas for this poor soul? :(
     
    Last edited by a moderator: Apr 11, 2011
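    The hosts-file check described above (on Windows the file is C:\WINDOWS\system32\drivers\etc\hosts), written up as an added triage script; this is not code from the poster or from MajorGeeks. It parses a constructed sample hosts file and flags the two patterns redirect and rogue-AV infections leave behind: a non-loopback mapping, and a search or security-vendor domain pinned to loopback. The watched-domain list and the 192.0.2.10 sample address are assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed sample hosts file: the clean default line plus the kind of
# entries redirect malware plants (search/AV domains pointed elsewhere).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com
192.0.2.10      www.malwarebytes.org
127.0.0.1       update.avg.com
"""

# Assumed list of domain fragments that redirect/rogue-AV infections
# commonly hijack (search engines) or block (security vendors).
WATCHED = ("google.", "bing.", "malwarebytes.", "avg.", "spybot", "microsoft.")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        for host in parts[1:]:
            yield parts[0], host.lower()


def suspicious_entries(text):
    """Return (ip, host, reason) for entries a default hosts file should not
    contain: any non-loopback mapping, or a watched domain sent to loopback."""
    hits = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, host, "unparseable address"))
            continue
        if not addr.is_loopback:
            hits.append((ip, host, "non-loopback mapping"))
        elif host != "localhost" and any(w in host for w in WATCHED):
            hits.append((ip, host, "security/search site sent to loopback"))
    return hits


if __name__ == "__main__":
    for ip, host, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {host:<28} {why}")
```

To run it against a real machine, read the hosts file into a string and pass it to suspicious_entries; an empty result matches the "only 127.0.0.1 localhost" state the poster describes.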
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  3. beanball

    beanball Private E-2

    Hi Kestrel. I completed all of the steps in that link, except I can't run tdsskiller.exe. It just doesn't do anything or go anywhere. I've tried renaming it to a .com file, I've tried running it in safe mode. Just won't run.

    Attached is my gooredfix.log. Thanks for your help.
     


  4. beanball

    beanball Private E-2

    Also combofix doesn't seem to run because I had AVG installed. I uninstalled it and even ran the removal tool in the link you provided, it still gives me that error. I can't catch a break here.

    However there is a strange file on my desktop now called "catchme.txt" and in it is the following:

    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully
    File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully

    Where is this coming from? Perhaps a rootkit?
     
  5. beanball

    beanball Private E-2

    Attached the rootrepeal log too.
     


  6. beanball

    beanball Private E-2

    MGLogs attached too.
     


  7. beanball

    beanball Private E-2

    Well folks, I finally got combofix running and sure enough, I had a nasty rootkit on the volsnap.sys:

    "Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected"

    http://www.youtube.com/watch?v=bzkFvMRt9tw

    So thanks kestrel for the very detailed link, and to this site in general.

    PS Mods - you may want to add a tip to the Combofix section. If AVG users cannot run Combofix even after uninstalling it through control panel and/or running the removal tool from the link on this site, go to C:\Program Files\ and look for an AVG folder with settings left behind. Simply hard delete that folder and Combofix should then work.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If combofix ran then we can run a script with it.

    If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup

    After clicking Fix exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\All Users\Application Data\16899892
    C:\Documents and Settings\All Users\Application Data\~16899892
    C:\Documents and Settings\All Users\Application Data\~16899892r
    Folder::
    C:\Program Files\SpyNoMore
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SNM"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Could you please get this: x into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip


    Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Also try running TDSSKiller now.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
