Google links redirecting me to saved page

April 28, 2011 at 13:48:26
Specs: Windows 7
Everytime I click on a link with google in it (even my searchbar) it redirects me to a saved page in my hard drive... file:///C:/Users/Home/AppData/Roaming/Firefox_toolbar/Firefox%20toolbar/ is the link it is redirecting me to...I know that is a saved page on my hard drive but if I delete it things get worse so I restored it.

See More: Google links redirecting me to saved page

Report •

April 28, 2011 at 15:22:01
Brent Kirk,

Try the following:

Download TDSSKiller from the following link:
Save it to the Desktop.

If you cannot download the file, the malware may be blocking the attempt. You need to download ith file to a clean computer and then transfer it to the infected one using a USB flash drive, or external media (an external drive or a CD) .

Once the file is on the Desktop, right-click on the TDSSKiller.exe icon and select: Rename.
Name it a random name with a .com extension. For example:

Now, double-click on the renamed file to launch it. If you receive a warning from Publisher: Kaspersky Lab asking if you want to run the file, click on the Run button to allow TDSSKiller to run.

When TDSSKiller starts, it displays the welcome screen.
Click on the Start Scan button.

When the scan finishes it displays a results screen stating whether or not the infection was found on your computer.

To remove the infection, click on the Continue button. If it does not say Cure on the results screen, leave it at the default action of Skip, and press the Continue button. Do not change to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

When TDSSKiller finishes cleaning the infection, a report stating whether or not it was successful is shown.

>>Please provide the report in your reply.<<

If TDSSKiller requires a reboot to finish the cleaning process, click on: Reboot Now

Next, start the computer in Safe Mode with Networking by tapping the F8 key while it boots, and selecting this option

Download one of these files: iExplore.exe or eXplorer.exe These files are renamed copies of RKill:

Save the file selected to the Desktop, and double-click on it. (For Vista/Windows 7, select: Run as Administrator)
Ignore any messages, and allow the file to run until the command window closes.

Without a reboot, download Malwarebytes’ Anti-Malware (black button with green and white icon) Save to the Desktop:

Double-click mbam-setup.exe and follow the prompts to install the program. (For Vista/Windows 7, select: Run as Administrator)

Run Malwarfebytes’ AntiMalware and update the program.
Once updated, select Perform Full Scan and click the scan button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the Remove Selected button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.

>>Please post the TDSSKiller and the Malwarebytes logs in your reply so we can see where we are at, and plan any additional removal strategy, if necessary.<<

Report •

April 29, 2011 at 12:20:30
All it said was

Duration 00:00:18

Processed: 266 Objects,

Infection: Not Found

Report •

April 29, 2011 at 14:35:30
Did you run the RKill file (iExplore.exe or eXplorer.exe) and Malwarebytes' Anti-Malware?

If so, can you post the Malwarebytes log?

Report •

Related Solutions

April 29, 2011 at 15:07:59
that has to be in safe mode to run correct?

Report •

April 29, 2011 at 15:56:26
The Other one is:

Malwarebytes' Anti-Malware

Database version: 6475

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/29/2011 12:55:38 PM
mbam-log-2011-04-29 (12-55-38).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 343433
Time elapsed: 32 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 (Trojan.Agent) -> Value: System32 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Home\AppData\Local\Xenocode\Sandbox\Gygan\\2011.03.23t02.21\Native\STUBEXE\8.0.1112\@programfiles@\internet explorer\iexplore.exe (Trojan.Meredrop) -> Quarantined and deleted successfully.
c:\Users\Home\AppData\Local\Xenocode\Sandbox\Gygan\\2011.03.23t02.21\Virtual\STUBEXE\8.0.1112\@programfiles@\gygan beta\Gygan.exe (Trojan.Meredrop) -> Quarantined and deleted successfully.
c:\Windows\imglib.dll (Spyware.NetVizor) -> Quarantined and deleted successfully.

Report •

April 29, 2011 at 20:21:16
Are you still getting redirected?

Report •

May 2, 2011 at 12:45:53
Yes I am still getting redirected. It blocks my Gmail from logging in and my youtube

Report •

May 2, 2011 at 14:38:46
Right click on Notepad and pick Run as administrator.
Click on File > Open then browse to:


In the drop down list change Text files (*.txt) to All files (*.*)

Please open the hosts file and post its contents.

Also, For Windows 7:

Go to Start > Control Panel.

Open up Network and Internet and go to the Network and Sharing Center.

Click on Change adapter settings on the left hand panel.

This will bring up a list of adapters present on your computer. Most people will have a Local Area Connection while laptop users will add a Wireless Network Connection and possibly a Bluetooth Network Connection...

Right click on Local Area Connection and click on Properties.

If prompted by UAC, click on Yes.

Highlight Internet Protocol Version 4 (TCP/IPv4) and click on: Properties.

In the Properties window, do you see a radio box with: Obtain an IP/DNS Address Automatically?

Report •

May 2, 2011 at 15:22:44
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# # source server
# # x client host

# localhost name resolution is handled within DNS itself.
# localhost
# ::1 localhost

and yes Obtain an IP/DNS Address Automatically are both selected

Report •

May 2, 2011 at 16:31:33
Well, we need to dig deeper...

Let's get some specific details about a system which could be modified by a malware infection.

Please do the following:
Download [<b.Random's System Information Tool (RSIT):

Save to the Desktop

Double click on RSIT.exe to run the program
If using Vista/ Windows 7, right click RSIT.exe and select 'Run as administrator'

Click [b]Continue at the disclaimer screen
Once the tool finishes, two logs open: Log.txt, and Info.txt (minimized). The logs are also contained in C:\rsit

>>Please provide the RSIT Log.txt and Info.txt reports in your reply.<<

Also, download GMER:

If you cannot download the file, malware may be blocking the attempt. You need to download it to a clean computer and then transfer it to the infected one using a USB flash drive, or external media (external drive or CD)..

Save the GMER file to the Desktop.

Double-click on gmer.exe

If a Windows security warning appears asking if you would like to run the program, click on the Run button to allow GMER to start.

You may get a warning about rootkit activity and GMER may ask if you want to run a full scan. If this happens, please click on the NO button.

Now, configure GMER.
Please uncheck the following settings:

Drives/Partition other than System drive (normally C:\)
Show All

Next, click on Scan (may take a while).
When GMER finishes you will be back at its main screen.

Click on the Copy button (lower right), then right-click on your Desktop, and select: New > Text document.

Once the file is created, open it, right-click again, and select: Paste.

>>Also post the GMER report in your reply.<<

Note: Please, do not take action on any of the information on the GMER report!!

Report •

Report •

May 2, 2011 at 17:08:35 this link should have the logs posted

Report •

May 3, 2011 at 17:13:59
It turns out I had just downloaded a false toolbar... I disabled it and it is running smoothly now

Report •

May 3, 2011 at 19:28:57
Glad your system is working fine.

Thank you for the courtesy of informing us.

Good luck!!

Report •

Ask Question