Solved Google redirects to spam sites-all anti virus steps failed

January 22, 2013 at 16:56:58
Specs: Windows Vista
Hello

Google search links redirect to random spam sites, looks like there is some malware on my PC. I have Avast which after a full scan didn't detect it.

I've downloaded Malwarebytes, CCleaner, and none have detected the issue. I have uninstalled a load of non-needed software and it still is happening. At my wits' end, so if anyone could help out I would really appreciate it


#1
January 22, 2013 at 18:24:06
Download AdwCleaner from this link:
http://www.bleepingcomputer.com/dow...
AdwCleaner Usage Instructions:
Using AdwCleaner is very simple. Simply download the program and run it. You will then be presented with a screen that contains a Search and Delete button. The Search button will cause AdwCleaner to search your computer for unwanted programs and then display a log showing the various files, folders, and registry entries used by these programs.
To delete these unwanted programs simply click on the Delete button, which will cause AdwCleaner to reboot your computer and remove the files and registry entries associated with the various adware that you are removing. On reboot, AdwCleaner will display a log showing the files, folders, and registry entries that were removed.
Please include the log in your next reply.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#2
January 22, 2013 at 19:55:45
Thanks Mr Goodguy! However, I hit Search on AdwCleaner and nothing came up. I then hit Delete anyway, the PC rebooted and issued the below log.


# AdwCleaner v2.107 - Logfile created 01/22/2013 at 22:49:37
# Updated 21/01/2013 by Xplode
# Operating system : Windows (TM) Vista Home Premium Service Pack 2 (64 bits)
# User : Owner - OWNER-PC
# Boot Mode : Normal
# Running from : C:\Users\Owner\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : CltMngSvc

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\SearchProtect
Deleted on reboot : C:\ProgramData\APN
Deleted on reboot : C:\Users\Owner\AppData\Local\Deal Vault
Deleted on reboot : C:\Users\Owner\AppData\Local\SwvUpdater
Deleted on reboot : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xbl0ydz4.default\extensions\{72a0f495-ba60-4524-827b-b36b8c18587a}
Deleted on reboot : C:\Users\Owner\AppData\Roaming\SearchProtect
File Deleted : C:\END
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xbl0ydz4.default\searchplugins\Conduit.xml
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Deal Vault
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v12.0 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\xbl0ydz4.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2480 octets] - [22/01/2013 22:49:08]
AdwCleaner[S1].txt - [2481 octets] - [22/01/2013 22:49:37]

########## EOF - C:\AdwCleaner[S1].txt - [2541 octets] ##########



#3
January 22, 2013 at 23:18:30
Please download and run RogueKiller from this link:
http://majorgeeks.com/RogueKiller_d...
Instructions:
• Please quit all programs
• Right-click the RogueKiller file and select "Run as Administrator"
• Press: SCAN
• On the RogueKiller console, click the Registry tab.
• Make sure the entries there are checked.
• Then, press the [Delete] button.
An RKreport Log (Mode: Delete) is created on the Desktop.
Please provide the RKreport Log in your reply.
Restart the computer.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#4
January 23, 2013 at 04:57:40
Hey and thanks! I ran that, it found four items which I deleted and then rebooted. Log below. But as of right now the issue seems to have gone away, although I will test more later.


RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Remove -- Date : 01/23/2013 07:51:12

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD502IJ +++++
--- User ---
[MBR] da47a6a5a8cb55a7573fcc049886769c
[BSP] 66b36ff64be372958353c50e2eeedb25 : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 463900 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 950068035 | Size: 13037 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_01232013_02d0751.txt >>
RKreport[1]_S_01232013_02d0750.txt ; RKreport[2]_D_01232013_02d0750.txt ; RKreport[3]_D_01232013_02d0751.txt



#5
January 23, 2013 at 04:58:24
Actually spoke too soon, issue is still occurring.


#6
January 23, 2013 at 11:38:48
Download and run HitmanPro from this link:
http://www.surfright.nl/en/hitmanpro/
Install and run it, and include the log if anything is found.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#7
January 23, 2013 at 17:04:31
Thanks Mr Goodguy, next log below:

HitmanPro 3.7.0.185
www.hitmanpro.com

Computer name . . . . : OWNER-PC
Windows . . . . . . . : 6.0.2.6002.X64/2
User name . . . . . . : Owner-PC\Owner
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2013-01-23 19:57:58
Scan mode . . . . . . : Normal
Scan duration . . . . : 4m 5s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 2
Traces . . . . . . . : 50

Objects scanned . . . : 3,254,820
Files scanned . . . . : 23,478
Remnants scanned . . : 344,301 files / 2,887,041 keys

Malware _____________________________________________________________________

C:\Users\Owner\Downloads\ccleaner.exe
Size . . . . . . . : 178,360 bytes
Age . . . . . . . : 8.0 days (2013-01-15 19:08:07)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 3950E9223BAC2840DF16621D5C900A1A00E089FA088B9A6C0A8C92B9CCF2BA83
Product . . . . . : ccleaner
Description . . . : ccleaner
Version . . . . . : 2.2.49.0
Copyright . . . . : (c) 2010 (2013-01-10 19:56)
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> G Data . . . . . . : Gen:Variant.Adware.Solimba.1 (Engine A)
Fuzzy . . . . . . : 103.0

C:\Users\Owner\Downloads\flvmplayer.exe
Size . . . . . . . : 178,720 bytes
Age . . . . . . . : 8.0 days (2013-01-15 19:07:39)
Entropy . . . . . : 7.5
SHA-256 . . . . . : 8E44F5BB4FE95832560A9177A5455BCC1DD6DA9486BC6790E2A3800203C9C257
Product . . . . . : flvmplayer
Description . . . : flvmplayer
Version . . . . . : 2.2.49.0
Copyright . . . . : (c) 2010 (2012-12-28 17:14)
RSA Key Size . . . : 2048
Authenticode . . . : Valid
> G Data . . . . . . : Gen:Variant.Adware.Solimba.1 (Engine A)
Fuzzy . . . . . . : 103.0


Cookies _____________________________________________________________________



#8
January 23, 2013 at 21:40:22
✔ Best Answer
Can you please download and run Junkware Removal Tool from this link:
http://www.bleepingcomputer.com/dow...
Turn off your antivirus before running to stop conflicts. Do not run any other programs while JRT is scanning please.

Then update and run a full Malwarebytes scan.

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#9
January 27, 2013 at 08:05:07
Thanks, log for Junkware Removal Tool below

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.5.2 (01.26.2013:2)
OS: Windows (TM) Vista Home Premium x64
Ran by Owner on Sun 01/27/2013 at 9:42:30.90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3626694710-3157294291-2902251441-1000\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\main\\Start Page
Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope
Successfully repaired: [Registry Value] hkey_users\S-1-5-21-3626694710-3157294291-2902251441-1000\software\microsoft\internet explorer\searchscopes\\DefaultScope

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\coupons"

~~~ FireFox

Successfully deleted: [File] C:\Users\Owner\AppData\Roaming\mozilla\firefox\profiles\xbl0ydz4.default\extensions\qpyvckoxqx@qpyvckoxqx.org.xpi [Tracur]
Successfully deleted the following from C:\Users\Owner\AppData\Roaming\mozilla\firefox\profiles\xbl0ydz4.default\prefs.js

user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !impor
user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
user_pref("extensions.wrc.SearchRules.baidu.com.style", ".WRCN {display:none} .result .f .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
user_pref("extensions.wrc.SearchRules.baidu.com.url", "^hxxp\\:\\/\\/www\\.baidu\\.com\\/.*");
user_pref("extensions.wrc.SearchRules.excite.com.style", ".WRCN {display:none} .listing .resultsLink + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-re
user_pref("extensions.wrc.SearchRules.excite.com.url", "^hxxp\\:\\/\\/msxml\\.excite\\.com\\/excite\\/ws\\/.+");
user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-r

~~~ Chrome

Dumping contents of C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Default
C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Default\aadidcdfgcdegcdddidfdfdfdedgdcdh
C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Default\aadidcdfgcdegcdddidfdfdfdedgdcdh\background.html
C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Default\aadidcdfgcdegcdddidfdfdfdedgdcdh\ContentScript.js
C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Default\aadidcdfgcdegcdddidfdfdfdedgdcdh\manifest.json

Successfully deleted: [Folder] C:\Users\Owner\appdata\local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/27/2013 at 9:52:27.86
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#10
January 27, 2013 at 08:05:44
Malwarebytes log below:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.27.05

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Owner :: OWNER-PC [administrator]

Protection: Enabled

1/27/2013 10:01:24 AM
MBAM-log-2013-01-27 (11-03-02).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 377887
Time elapsed: 51 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Owner\Downloads\ccleaner.exe (PUP.Offerware) -> No action taken.
C:\Users\Owner\Downloads\flvmplayer.exe (PUP.Offerware) -> No action taken.

(end)

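A small log-triage helper, added here as an example and not taken from the thread or from any of the tools mentioned: it parses the HitmanPro "key . . . : value" layout from post #7 and the Malwarebytes "Files Detected" lines from post #10, then cross-references them to list the files a scanner flagged but Malwarebytes left as "No action taken" (the situation post #12 asks the poster to fix). The sample input is excerpted from the logs above; the function and regex names are my own.

```python
import re

# Excerpt of the HitmanPro log from post #7 (Malware section plus one Cookies line), sample input.
HITMANPRO_LOG = """\
Malware _____________________________________________________________________

C:\\Users\\Owner\\Downloads\\ccleaner.exe
Size . . . . . . . : 178,360 bytes
SHA-256 . . . . . : 3950E9223BAC2840DF16621D5C900A1A00E089FA088B9A6C0A8C92B9CCF2BA83
Authenticode . . . : Valid
> G Data . . . . . . : Gen:Variant.Adware.Solimba.1 (Engine A)

Cookies _____________________________________________________________________

C:\\Users\\Owner\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies:doubleclick.net
"""

# Excerpt of the Malwarebytes log from post #10, sample input.
MBAM_LOG = """\
Files Detected: 2
C:\\Users\\Owner\\Downloads\\ccleaner.exe (PUP.Offerware) -> No action taken.
C:\\Users\\Owner\\Downloads\\flvmplayer.exe (PUP.Offerware) -> No action taken.

(end)
"""

SECTION_RE = re.compile(r"^(\w+) _{5,}$")                 # "Malware ____", "Cookies ____"
PATH_RE = re.compile(r"^[A-Za-z]:\\")                      # a drive path starts a new entry
# "Key . . . : value"; a leading ">" marks a detection line from an AV engine
FIELD_RE = re.compile(r"^\s*(?P<engine>>)?\s*(?P<key>.+?)(?: \.)+ ?: (?P<value>.*)$")
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<cat>[^)]+)\) -> (?P<action>.+?)\.?$")

def parse_hitmanpro(text):
    """Return one dict per file listed under the Malware section: path, fields, detections."""
    entries, section, current = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        if section != "Malware":           # ignore cookie listings and other sections
            continue
        if PATH_RE.match(line):
            current = {"path": line.strip(), "fields": {}, "detections": []}
            entries.append(current)
            continue
        f = FIELD_RE.match(line)
        if current is None or not f:
            continue
        if f.group("engine"):
            current["detections"].append((f.group("key"), f.group("value")))
        else:
            current["fields"][f.group("key")] = f.group("value")
    return entries

def parse_mbam_files(text):
    """Return (path, category, action) for each line of the Files Detected block."""
    return [MBAM_RE.match(l).groups() for l in text.splitlines() if MBAM_RE.match(l)]

def pending_removals(hitman_entries, mbam_files):
    """Files Malwarebytes reported but did not remove, joined with HitmanPro's verdict and hash."""
    flagged = {e["path"].lower(): e for e in hitman_entries}
    pending = []
    for path, cat, action in mbam_files:
        if action.lower().startswith("no action"):
            hm = flagged.get(path.lower())
            pending.append({"path": path, "mbam": cat,
                            "hitmanpro": hm["detections"][0][1] if hm else None,
                            "sha256": hm["fields"].get("SHA-256") if hm else None})
    return pending
```

Running `pending_removals(parse_hitmanpro(HITMANPRO_LOG), parse_mbam_files(MBAM_LOG))` yields both downloads as still pending, with the Solimba verdict and SHA-256 attached to ccleaner.exe only, since the excerpt carries no HitmanPro entry for flvmplayer.exe.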


#11
January 27, 2013 at 08:08:15
Also, my usual tests of clicking different Google links have not generated the issue for 10 mins. Will add on if it reappears. Thanks for the continued help Mr Goodguy


#12
January 27, 2013 at 12:48:11
You will need to run Malwarebytes and checkmark the two PUP entries for removal.
And you're most welcome, please select a best answer if you are having no more issues :)

Please reply and let us know if our help worked. Your feedback helps others. Maybe you?



#13
February 7, 2013 at 06:33:11
I have had similar problems. Just now I tried Malwarebytes Antirootkit.beta v1.01.0.1017. Scanning my system it found 21 times "PUP.offerware" which seems to be a malware damaging system and Chrome. I do not know yet if this has solved all my problems, but this malware passed through ZoneAlarm and normal malwarebytes protection. The antirootkit is an extra scanning tool belonging to Malwarebytes.


#14
February 7, 2013 at 09:35:02
Hi olgisl.

"I do not know yet if this has solved all my problems"
Start a new thread if it hasn't.

"but this malware passed through ZoneAlarm and normal malwarebytes protection"
Malware Prevention
http://www.malwarevault.com/prevent...
"There is no magic involved. The majority of malware is installed by the user themselves"



#15
February 12, 2013 at 07:27:47
All set, Best answer Mr Goodguy! Mr Great guy!
