Google Redirect Hijack!

June 7, 2009 at 18:52:18
Specs: Windows XP

I've read other posts, but they don't seem to be the same. What's happening here is a redirect from a Google search.
I do a search, say for Home Depot, and I get a good search result, but when I go to select the hyperlink it opens a new tab and sends me to some other site. Annoying!
I've run HijackThis, but of course I have no idea what I'm really looking at.
I'll post it if someone thinks it will help.
If anyone can help I would be very grateful. Thanks.



#1
June 7, 2009 at 19:29:17

Can you make a new HijackThis log and upload it to rapidshare.com? HijackThis: Here


#2
June 7, 2009 at 20:12:22

Thanks, here's the rapidshare.com info for my HijackThis file...

1. Download Link: Click here to download file
http://rapidshare.com/files/2420975...
MD5: B6B8E742049298AF5DCCB8B542738A75



#3
June 7, 2009 at 20:15:11

Here's one that I did only seconds ago...

1. Download Link: Click here to download file
http://rapidshare.com/files/2420982...
MD5: F1ACC83AA3ACDE8080981BA50F66905F



#4
June 7, 2009 at 20:16:19

Does it happen in all the web browsers?


#5
June 7, 2009 at 20:18:01

Firefox and Explorer for sure. Haven't tried Chrome.


#6
June 7, 2009 at 20:22:11

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial


#7
June 7, 2009 at 20:42:46

OK, here's the rapidshare.com link...

1. Download Link: Click here to download file
http://rapidshare.com/files/2421026...
MD5: B852701DA81BC96327BA039E11AA7BC3

Thanks again for helping me out with this.



#8
June 7, 2009 at 21:06:13

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('\\?\globalroot\systemroot\system32\UACcdtulkkbnuwufsi.dll','');
QuarantineFile('\\?\globalroot\systemroot\system32\UACyoqxcgemulwswwi.dll','');
DeleteFile('\\?\globalroot\systemroot\system32\UACyoqxcgemulwswwi.dll');
DeleteFile('\\?\globalroot\systemroot\system32\UACcdtulkkbnuwufsi.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.

2) After reboot, attach a Combofix log. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and they will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please upload that file to rapidshare.com and paste the link here.


#9
June 7, 2009 at 22:49:12

OK, I think I did everything just as noted. I did have a problem with Norton AntiVirus restarting toward the end of ComboFix, but permanently disabled and ran again and everything seemed to go well.

Here's the link...

1. Download Link: Click here to download file
http://rapidshare.com/files/2421264...
MD5: C047B60654C28F95972B7D2897E65A78



#10
June 8, 2009 at 05:35:03

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

2) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/. Then, Private Message me the download link to the uploaded file.

3) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.

4) Follow Response Number 6 and generate a new set of logs and post download links to them.


#11
June 8, 2009 at 06:55:44

OK, here's the latest AVZ log file...

1. Download Link: Click here to download file
http://rapidshare.com/files/2422469...
MD5: 45AC388DCD7EA83EA67D089477A370B5



#12
June 8, 2009 at 07:16:06

Thanks for the files. Please follow these steps in the order numbered and post a summary log after each step.
1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

Note: Turn System Restore back on, if you wish; this is to remove malware from system volume information files.

2) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.

3) House cleaning. Scan with SuperAntispyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.


#13
June 9, 2009 at 08:44:26

Busy day yesterday, but I'm finally back at this.
So the Kaspersky scan ran fine. I'm attaching the Rapidshare link below.
When I ran Malwarebytes, however, I kept getting a blue screen with the message Kernel_data_inpage_error. I would have to power off the computer and reboot to get back into the operating system. I ran Malwarebytes twice and got the blue screen twice. I'm not sure what to do now. It showed 6 infections before it crashed. I guess I can try running it again while I wait for your response.

Thanks

1. Download Link: Click here to download file
http://rapidshare.com/files/2426477...
MD5: 3D07B79F7917C3815888224E08209644



#14
June 9, 2009 at 09:16:11

Is your original problem fixed? Skip MBAM and run SuperAntispyware, fix what it detects and post the scan log.


#15
June 9, 2009 at 09:18:52

Yeah, the original problem seems to be gone.
Ok, I'll run superantispyware...



#16
June 9, 2009 at 09:22:08

After SuperAntispyware, post the log, uninstall Malwarebytes and run these:

1) http://onecare.live.com/site/en-Us/...

2) http://onecare.live.com/site/en-Us/...

Reinstall Malwarebytes and try to run these. If it still doesn't work, post a screenshot of the blue screen or copy down the whole error message and paste it.


#17
June 9, 2009 at 22:05:08

Well... Superantispyware ran fine. It found nothing, and now it is on my computer and starts at boot up. Should I uninstall?

After running that I ran both onecare.live scans and they were fine.

I tried running malwarebytes again, and again I was booted to a DOS screen. This one is slightly different than the one I was getting before. The one I got before had the heading "Kernel_data_inpage_error". The one I get now can be seen at the following rapidshare site...
Sorry about the size. I took a quick picture with my camera since I couldn't get a screenshot, and I neglected to resize. Should be easy to see though. :)

1. Download Link: Click here to download file
http://rapidshare.com/files/2428595...
MD5: 92252A6F9F34CC7E68A1258BCC6CD45A



#18
June 10, 2009 at 07:01:05

Yes, you can uninstall SuperAntispyware. As for your other error, consult the Windows forum and refer to: http://support.microsoft.com/search... . Is your original problem solved of malware?

If I'm helping you and I don't reply within 24 hours send me a PM.



#19
June 10, 2009 at 07:44:11

Yes, the original problem is solved. Thank you very very much. I really appreciate all the time you put into this.

Thanks again.



#20
June 10, 2009 at 07:53:40

No problem. I am not monitoring this post anymore; if you need further help, feel free to PM.

If I'm helping you and I don't reply within 24 hours send me a PM.

