Can't get rid of google redirect...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jenandlaw, Dec 2, 2012.

Thread Status:
Not open for further replies.
  1. jenandlaw

    jenandlaw Private E-2

    I'm getting this ridiculously-persistent Google redirect in Firefox and Chrome. I don't use IE so I'm not sure about that one. It only happens about once every four or five searches. I'll get sent to a completely different page. If I hit the back button, I'll get the page I wanted, but it seems like the original redirect happens so fast I never even see the page I wanted before it forwards me to another page.

    I believe, but I'm not certain, that it started a few weeks ago when I had to redownload drivers to get my iTunes to play cds.

    Attaching the logs as requested.
     

  2. jenandlaw

    jenandlaw Private E-2

    I have been trying to verify that it is still redirecting, and although my husband says it did it twice to him this morning, it hasn't happened to me yet. He rebooted and maybe that was all that it needed after all the scans. I'm temporarily going to say this issue is solved. If it happens again, I will bump the thread and get back in line. Thanks!
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete Potential Unwanted Programs

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this 1 detection:
    • [STARTUP][SUSP PATH] _uninst_26864385.lnk @andyandjenni : C:\Users\andyandjenni\AppData\Local\Temp\_uninst_26864385.bat -> FOUND

    Place a checkmark beside each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Delete this file.
    C:\Users\andyandjenni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_26864385.lnk

    Everything running okay still?
     
  4. jenandlaw

    jenandlaw Private E-2

    So glad you replied. It's not gone. I got a redirect today while trying to go to Youtube. Sent me to some wackadoodle Russian credit card site.

    Attached are two logs. When I right clicked on Roguekiller it started scanning right away. Then I selected the registry tab and scanned. I made sure it only had a checkmark by the line you stated, but when it deleted it said it deleted three.

    After rebooting that file you asked me to delete isn't there.
     

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Run this and attach the results.

    Using ESET's Online Scanner
     
  6. jenandlaw

    jenandlaw Private E-2

    Just to be clear, you want me to run the Junkware Removal Tool AND the Eset Online Scanner, correct?
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh yes. :)
     
  8. jenandlaw

    jenandlaw Private E-2

    Sorry for the delay. Took hours to run last night. Eset found something. Wonder why it didn't find it the first time I ran Eset Online Scanner? Oh well....

    Thanks, Kestrel.
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    ESET didn't find anything bad anyway.

    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: Right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     
  10. jenandlaw

    jenandlaw Private E-2

    See attached.
     

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This only occurs in Firefox and Chrome, right?
     
  12. jenandlaw

    jenandlaw Private E-2

    I haven't tried it in I.E. yet since I never use it. Will try tonight.

    Do I need to just buy a new laptop and burn this one?
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No!!! :)

    Let me know about IE, ok? Then we can make a plan of action from there. Getting late for me here and I'm about to splurge pretty soon. But will be about tomorrow as soon as poss!
     
  14. jenandlaw

    jenandlaw Private E-2

    Surfed a little tonight using I.E. and didn't have any redirects. Switched over to Firefox for something and immediately got the redirect to that Russian credit card company, ANNNNNNDDDD this time, AVG popped up with a "threat detected" message. See attached. Does that help?
     

  15. jenandlaw

    jenandlaw Private E-2

    FYI shortly after posting the previous message I got the blue screen. Then got it twice more. Start the computer. It starts booting up for about 2 mins then blue screen. :(
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We are going to be uninstalling your old version of FireFox and installing the new version. (Except we will be using Revo Uninstaller to uninstall) So do the below to save bookmarks:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.
    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:
    • C:\Program Files\Mozilla Firefox
    • C:\users\UserAccount\AppData\Roaming\Mozilla\Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    Any better?
     
  17. jenandlaw

    jenandlaw Private E-2

    Oh my. Things going downhill. Couldn't get past the blue screen that happens when I login. Finally got it to boot in safe mode. Ran malwarebytes because I didn't know what else to do. See attached log. Then did as you suggested in your last post. Haven't reinstalled Firefox. Don't have to have it. Tried to login without safe mode, keep getting the blue screen. See attached screenshots of what errors I'm getting.

    Just got the redirect in "safe mode with networking" when I got online to post this using Chrome.
     

  18. jenandlaw

    jenandlaw Private E-2

    more screenshots
     

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Combofix to your desktop. Please refer to these instructions prior to running. Attach log once done.
     
  20. jenandlaw

    jenandlaw Private E-2

    Since my last post, I couldn't get the computer to boot in anything but safe mode. I would get blue screens immediately. I had about decided that I was going to have to order a new hard drive and start all over. I went to try to find out what kind of hard drive I have (sata or IDE) and device manager wouldn't show me any hard drives. I googled that, and found a reference that some TDSS rootkits would do that, and to run a specific Kaspersky scan. I did, but it didn't save a log so I don't know what it did. Afterwards, I could boot normally again and haven't had the blue screen since.

    I'm sorry I did this unsupervised, but I really didn't know what to do and only getting my next step once a day is dragging this process out so badly and I need my computer so desperately. Please don't misunderstand, I'm very grateful for the help.

    Anyway, I tell you that in case it affects your instructions.
     
  21. jenandlaw

    jenandlaw Private E-2

    Forgot to attach the combofix log. Also, I followed the directions and disabled my AVG for the recommended 15 minutes, but it apparently came on in the middle of the scan and told me combo fix was a threat. I clicked "allow" even though the instructions told me not to touch my computer after starting Combofix because it wouldn't continue without me clicking.
     

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do the redirects persist? :(
     
  23. jenandlaw

    jenandlaw Private E-2

    I don't know. Was waiting for instruction. Will surf and see.
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, please do. I must get to sleep. 2.30am here. Catch you tomorrow. :)
     
  25. jenandlaw

    jenandlaw Private E-2

    Ok. Will do. Thanks again.
     
  26. jenandlaw

    jenandlaw Private E-2

    Still getting it in I.E. and Chrome. See attached AVG blocked threat. Still getting sent to .ru sites.
     

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Afraid I'm going to have to ask my colleagues to take a look, I am struggling to target the source of it all.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please uninstall Chrome and also Firefox if it is still installed. Do not reinstall either of these yet until requested. First we need to do some cleanup. You will have to use Internet Explorer to do all browsing for now.

    We may also be asking you to uninstall AVG as it may be getting in the way... in fact, let's just do this now to make sure it does not block any more fixes. So uninstall AVG too right now.

    I will post a fix in my next message after going thru your logs.
     
    Last edited: Dec 9, 2012
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay make sure that you have uninstalled Chrome, Firefox and AVG as previously requested before continuing with the below.
    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7GPEA_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKCU\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=vSuw3pyR3P9k0mIbCTxsAkADl-Q?q={searchTerms}
    IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
    FF - prefs.js..extensions.enabledAddons: %7B335C5896-FC00-4A80-8066-1256D7A9C469%7D:8.1
    FF - prefs.js..extensions.enabledAddons: %7BF53C93F1-07D5-430c-86D4-C9531B27DFAF%7D:12.0.0.2189
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
    CHR - plugin: Coupons Inc., Coupon Printer Manager  (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
    O4 - HKLM..\Run: []  File not found
    [2012/11/11 21:28:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
    [2012/11/11 21:25:15 | 000,133,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Windows\System32\drivers\26864385.sys
    @Alternate Data Stream - 250 bytes -> C:\ProgramData\TEMP:363E775E
    @Alternate Data Stream - 240 bytes -> C:\ProgramData\TEMP:40EE25BB
    @Alternate Data Stream - 239 bytes -> C:\ProgramData\TEMP:89CF6F9C
    @Alternate Data Stream - 222 bytes -> C:\ProgramData\TEMP:A02025CE
    @Alternate Data Stream - 221 bytes -> C:\ProgramData\TEMP:3B454A5C
    @Alternate Data Stream - 220 bytes -> C:\ProgramData\TEMP:FAB64002
    @Alternate Data Stream - 220 bytes -> C:\ProgramData\TEMP:090FB735
    @Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:AECF4772
    @Alternate Data Stream - 217 bytes -> C:\ProgramData\TEMP:206470A5
    @Alternate Data Stream - 214 bytes -> C:\ProgramData\TEMP:3E06C78F
    @Alternate Data Stream - 213 bytes -> C:\ProgramData\TEMP:24C072FF
    @Alternate Data Stream - 211 bytes -> C:\ProgramData\TEMP:848CC150
    @Alternate Data Stream - 211 bytes -> C:\ProgramData\TEMP:6425A235
    @Alternate Data Stream - 206 bytes -> C:\ProgramData\TEMP:5D351BC6
    @Alternate Data Stream - 202 bytes -> C:\ProgramData\TEMP:260575F1
    @Alternate Data Stream - 198 bytes -> C:\ProgramData\TEMP:3D36932D
    @Alternate Data Stream - 196 bytes -> C:\ProgramData\TEMP:C22674B6
    @Alternate Data Stream - 146 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:D1D597D0
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:D31BE97C
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:53DF59D1
    @Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:8944C195
    @Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:CB16385F
    @Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:561B1D2B
    @Alternate Data Stream - 100 bytes -> C:\ProgramData\TEMP:B2FEAB71
     
    :Files
    C:\Program Files\Mozilla Firefox
    C:\Program Files\Google
    C:\Users\andyandjenni\AppData\Roaming\mozilla
    C:\Users\andyandjenni\AppData\Local\Google\Chrome
    C:\Users\andyandjenni\AppData\Local\gel.exe
    C:\Users\andyandjenni\AppData\Local\*.exe
    C:\Users\andyandjenni\AppData\Local\Temp\3D30.tmp
    C:\Users\andyandjenni\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\28018d4e-68cf052a
    C:\Users\andyandjenni\AppData\Local\Temp\*.*
    C:\Users\andyandjenni\AppData\Local\Temp\_uninst_26864385.bat
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
    @="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
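    As an added, defender-side example (not code from this thread, nor from OTL or RogueKiller), the PowerShell script below audits the three kinds of location the fix script in this post and the RogueKiller detection in post 3 point at: IE SearchScopes URLs under HKCU, Startup-folder shortcuts whose target lives in a Temp directory, and alternate data streams on C:\ProgramData\TEMP. It is read-only and deletes nothing. The list of "known" search hosts, the function names and the report layout are my assumptions; the registry path, the Startup folder and the ProgramData path come from the thread.

```powershell
# Added example, not part of the thread. Read-only audit of the locations the OTL fix targets.
# Assumes Windows 7 or later, PowerShell 3.0+ (for Get-Item -Stream), run as the affected user.

# Assumption: hosts a search scope is allowed to point at. Anything else is reported for review.
$KnownSearchHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com', 'us.yhs.search.yahoo.com')

function Get-SuspiciousSearchScopes {
    # Registry path from the OTL lines above (HKCU\..\SearchScopes\{GUID}: "URL" = ...)
    $base = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).URL
        if (-not $url) { return }
        try { $uri = [System.Uri]$url } catch { $uri = $null }
        # Unparseable URL, loopback address (as in the 127.0.0.1:4664 entry) or an unknown host
        $flag = (-not $uri) -or $uri.IsLoopback -or ($KnownSearchHosts -notcontains $uri.Host)
        if ($flag) {
            [PSCustomObject]@{ Check = 'SearchScope'; Item = $_.PSChildName; Detail = $url }
        }
    }
}

function Get-TempStartupShortcuts {
    # Startup-folder .lnk files whose target is under AppData\Local\Temp,
    # the pattern RogueKiller flagged as [STARTUP][SUSP PATH] in post 3
    $shell   = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match '\\AppData\\Local\\Temp\\') {
            [PSCustomObject]@{ Check = 'StartupLnk'; Item = $_.Name; Detail = $target }
        }
    }
}

function Get-AlternateDataStreams {
    param([string]$Path = "$env:ProgramData\TEMP")   # path from the OTL fix above
    if (-not (Test-Path $Path)) { return @() }
    # Enumerate every named stream; the unnamed :$DATA stream is the ordinary file content
    Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [PSCustomObject]@{ Check = 'ADS'; Item = "$Path`:$($_.Stream)"; Detail = "$($_.Length) bytes" }
        }
}

# Collect and print a single report; nothing is modified or removed
$findings = @(Get-SuspiciousSearchScopes) + @(Get-TempStartupShortcuts) + @(Get-AlternateDataStreams)
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize }
```

    Run it before and after a cleanup to confirm the entries are actually gone; a search scope that points at a loopback port or a startup shortcut whose target sits in a Temp folder is worth a second look, while alternate data streams on C:\ProgramData\TEMP are often benign leftovers from security software, so the report lists them rather than judging them.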
     
  30. jenandlaw

    jenandlaw Private E-2

    Kestrel: Thanks for your help!

    Chaslang:

    OTL shut down in the middle. I don't know how far it got. I lost my desktop and toolbars and had to restart to get them back.

    Do you want me to try again?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! If it fails again, try running in safe boot mode.

    Did you uninstall Chrome, Firefox and AVG?
     
  32. jenandlaw

    jenandlaw Private E-2

    Yes, AVG and Chrome uninstalled. OTL worked fine this time. See attached.
     

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Make sure you tell me how things are working now when just using Internet Explorer now that Chrome and Firefox are uninstalled!
     
  34. jenandlaw

    jenandlaw Private E-2

    I.E. seems to be running fine. Haven't gotten a redirect in the last 20 mins. What makes me nervous about saying "all clear" is that I.E. is the one that has had the fewest redirects. Firefox the most, then Chrome, then IE. But I can give it a bit and bump this if I have any again.

    Question 1: Where is the setting to show me this thread in reverse order (in other words, newest posts on top)? Mine seems to be flopping back and forth.

    Question 2: Should I reset all my passwords and cancel my credit cards? I don't know how long I've had this and what I may have purchased online in that time period.

    Question 3: How long should I wait to reinstall Chrome and Firefox?
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click the Quick Links pull down near the top-right of the page and then Edit Options. You will see a Display Options item in the list.

    Probably not necessary but it would not hurt to reset your passwords. I don't think you had a serious infection that was stealing info.

    Reinstall them now. Also reinstall AVG and make sure every thing is still good. You just had addons Chrome and Firefox that were causing the redirects to linger.
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thank you Chaslang. Appreciate it.
     
  37. jenandlaw

    jenandlaw Private E-2

    Thank you both.

    I've got AVG and Chrome reinstalled. Don't know if I want Firefox. I'll surf a bit and bump this if anything else happens.

    Again, I can't thank you enough.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     