Google Re-Direct issue won't go away

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by everyone82, Jul 4, 2011.

  1. everyone82

    everyone82 Private E-2

    I recently had a problem with all the results of my Google searches sending me to some random site over and over again. I was told TDSSKiller would help, and it did. But now it is back and won't go away. My computer is running very slow as well. Can anyone help? Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We are going to start with TDSSKiller again. Be sure to download again from the given link to make sure you have the current version.

    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    Be sure to attach your log from TDSSKiller (See: HOW TO: Attach Items To Your Post )


    Now I suggest that you continue on with the below even if things seem okay.

    READ & RUN ME FIRST. Malware Removal Guide


    Attach your logs in this thread when finished.
     
  3. everyone82

    everyone82 Private E-2

    TDSSKiller post.
     


  4. everyone82

    everyone82 Private E-2

    Just started following the removal guide and ran the first program. After running SUPERAntiSpyware, I checked all the boxes on what was found; it brought up the little screen saying this may take a minute, then my computer just restarted itself. No idea if it removed anything. Gonna try one more time.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to finish all of the instructions and then attach all the logs.

    I don't know what you managed to do to the TDSSKiller log, but that is not a proper log file in text format. Did you load it into some word processor before saving it rather than just leaving it in plain text format?
     
  6. everyone82

    everyone82 Private E-2

    Not sure about the TDSSKiller log. I just saved it in Notepad as it was made. I'll try again and post it. As for SUPERAntiSpyware, I finally got that to work as well, removing all the harmful items found. Google redirect still there though.
     

    Attached Files: SAS.txt, TDSS.txt
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Keep going!! You still have logs from the below scans to attach:

    • Malwarebytes
    • ComboFix
    • RootRepeal
    • MGtools
    Are you running an illegal copy of Windows? That is what your SAS log shows >>> C:\WINDOWS\SYSTEM32\ANTIWPA.DLL
     
  8. everyone82

    everyone82 Private E-2

    Not sure about the version of Windows. I've had numerous problems in the past and had people try to help me with them before. I've had to reformat my hard drive before, and my disk from Dell no longer works. The serial with it won't work.
     


  9. everyone82

    everyone82 Private E-2

    MGLogs...
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would say that you know based on the fact that you did not allow Malwarebytes to fix these.
    You need to get your Windows copy properly and legally activated.


    Run MSconfig and put your PC into normal startup mode as requested in step 4 of the READ & RUN ME.


    Are you having any problem with Desktop icons missing or things from the Start menu missing, etc.? Just in case, run the below.

    Download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:61192
    O1 - Hosts: 184.95.59.211 www.google.com
    O1 - Hosts: 184.95.59.212 search.yahoo.com
    O1 - Hosts: 184.95.59.212 www.bing.com

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.


    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
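    The two HijackThis lines selected for fixing above are the whole redirect mechanism in this case: a hosts file that pins www.google.com, search.yahoo.com and www.bing.com to attacker IPs, plus a ProxyServer value that routes IE's HTTP traffic through a rogue proxy listening on 127.0.0.1. The following Python is an added example, not code from the thread or from any of the tools it names; it parses a constructed hosts file modelled on those entries and a ProxyServer string in the same format, and flags the patterns a responder would look for. The sample hosts content, the WATCHED_HOSTS list and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample, modelled on the O1 entries in the HijackThis log above.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
184.95.59.211   www.google.com
184.95.59.212   search.yahoo.com
184.95.59.212   www.bing.com
"""

# Names that should never be pinned in a hosts file on a normal workstation.
WATCHED_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "www.bing.com"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every active hosts-file mapping.

    Comments (anything after '#') and blank lines are skipped; lines whose
    first field is not an IP address are ignored rather than raising.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_hosts_entries(text, watched=WATCHED_HOSTS):
    """Return (line, ip, name) for watched names mapped to a non-loopback IP.

    Loopback mappings break a site but cannot redirect it; a routable address
    is what sends searches to an attacker-controlled server.
    """
    return [
        (lineno, str(ip), name)
        for lineno, ip, name in parse_hosts(text)
        if name in watched and not ip.is_loopback
    ]


# ProxyServer is either 'host:port' (all protocols) or a ';'-separated list
# of 'scheme=host:port' items, e.g. 'http=127.0.0.1:61192'.
_PROXY_ITEM = re.compile(r"^(?:(?P<scheme>https?|ftp|socks)=)?(?P<host>[^:;]+):(?P<port>\d+)$")


def parse_proxy_server(value):
    """Parse a ProxyServer registry string into {scheme: (host, port)}."""
    result = {}
    for item in value.split(";"):
        m = _PROXY_ITEM.match(item.strip())
        if m:
            result[m.group("scheme") or "all"] = (m.group("host"), int(m.group("port")))
    return result


def local_proxy_hijack(value):
    """True if any configured proxy points back at the local machine.

    Malware that rewrites search results commonly installs a proxy on the
    host and sets this value; legitimate local filtering proxies look the
    same, so treat a hit as something to verify, not proof of infection.
    """
    for host, _port in parse_proxy_server(value).values():
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            if host.lower() == "localhost":
                return True
    return False


if __name__ == "__main__":
    for lineno, ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} -> {ip}")
    print("local proxy:", local_proxy_hijack("http=127.0.0.1:61192"))
```

    On a live machine the same functions can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts and at the ProxyServer value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Note that the loopback proxy only affects programs that honour the WinINet proxy setting, which is why a hosts-file hijack on top of it catches browsers that keep their own proxy configuration.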
  11. everyone82

    everyone82 Private E-2

    Combo Fix Log...
     


  12. everyone82

    everyone82 Private E-2

    Also, this was submitted after ComboFix was finished:
    C:\Qoobox\Quarantine\[4]-Submit_2011-07-08_01.09.46.zip
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to finish the rest of my instructions.
     
  14. everyone82

    everyone82 Private E-2

    Not sure if the whole HostsXpert thing worked. I did what you said, but when I clicked on Restore Microsoft's Hosts File, all that came up on the right was something that said this is an example hosts file. Weird. Anyway, here is the log...
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still forgot to tell me how things are working.

    Your logs are much cleaner now. Just delete the below two files:
    C:\WINDOWS\system32\1778672549
    C:\Documents and Settings\Scott\Local Settings\temp\jna4056665429157651557.dll

    Let me know if you get them deleted. Also make sure that no more files like the jnaxxxx.dll file show up.
     
  16. everyone82

    everyone82 Private E-2

    My RRLOG...
     


  17. everyone82

    everyone82 Private E-2

    Could not delete
    C:\Documents and Settings\Scott\Local Settings\temp\jna4056665429157651557.dll

    ...says it's in use.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you are allowed to put a copy of it into a ZIP file. If you can then attach it here.
     
  19. everyone82

    everyone82 Private E-2

    I restarted the computer and then was able to delete that file. Should I still be running in normal mode even after running the programs? As for Google, it's better but still had a couple of instances where it sent me to a random site.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Normal mode should be "normal mode". ;)

    I want to make sure no new bad files appeared. Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip


    Which browser are you using when this happens?

    Do you use a router? If yes then do the below.

    Some infections are known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.
     
  21. everyone82

    everyone82 Private E-2

    new log...
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to answer my questions.
     
  23. everyone82

    everyone82 Private E-2

    I am using Firefox mostly for everything. I do however use IE when I go to my bank website to check statements and whatnot. And I did notice that the homepage is set to some weird site.

    http://search.conduit.com/?SearchSource=10&ctid=CT2786678

    As for the router thing, I have Verizon wireless and use a router. Only one computer in my house. I'm not very familiar with how to change things on it, but I want to try what you suggested. I can restart it, but I never changed any settings, and no network. Only using one computer.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the redirects also occur if you use IE instead? It is possible that they are only in Firefox and that we may need to fix Firefox.

    Just reset it to what you want. This home page occurred because you installed Conduit Search Engine (either knowingly or unknowingly with some software you installed at some point in time; it is not installed anymore).

    Let's try a quick bypass of the router to see if it is the problem. Just shut down your PC, and then remove the router from between your Verizon modem and your PC and directly connect your PC to the Verizon modem (I'm assuming you are using a wired connection and not wireless). Then reboot your Verizon modem (you can just power cycle it). Then turn on your PC. See if you get redirects this way with your router removed.
     
  25. everyone82

    everyone82 Private E-2

    Sorry for the delay in replying. Been away from the computer. I have not tried the router thing yet. Little nervous I'll screw it up. As for the redirect, it's been fine since last time. I checked IE as well and it's fine there. The image search in Google on Firefox is weird though. Will only show a few images, and if you scroll down it's just blank.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does not sound like a redirection problem nor malware.

    If you are not having redirection issues anymore then perhaps you don't need to do anything with your router and also maybe we are almost finished.
     
  27. everyone82

    everyone82 Private E-2

    Hello. Once again, really sorry about the delay in responding. Been planning a trip away for a couple of days and have not been checking e-mail. As of now I see nothing wrong. Google working. I can't say enough. You've been such a help. I greatly appreciate it.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Then let's do our final steps.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
