Google links re-directing

HybridSquirrel

Diamond Member
Nov 20, 2005
6,161
2
81
Having some weird issues. Google links seem to take me to a website I don't want. Not always one of those sketchy spam websites, but not always the one I click on. I have already run spybot, malwarebytes, and ms security essentials and deleted anything bad I had on my computer but it is still there. Can someone help me fix this? It is pretty annoying.


Using win 7 ulti x64
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
I don't have specifics on repair, but, just for yucks, open up Internet Explorer, open "Internet Options", then the "Connections" tab, then "LAN Settings...". See if the "Proxy Server" box is checked. If so, then your PC is running its own Proxy Server that redirects web requests elsewhere than intended.
 

HybridSquirrel

I don't have specifics on repair, but, just for yucks, open up Internet Explorer, open "Internet Options", then the "Connections" tab, then "LAN Settings...". See if the "Proxy Server" box is checked. If so, then your PC is running its own Proxy Server that redirects web requests elsewhere than intended.

what's internet explorer? just kidding.


do you have a working link for hijack this? all the ones i have found were dead
 

HybridSquirrel

You have included 64 images in your message. You are limited to using 10 images so please go back and correct the problem and then continue again.

Images include use of smilies, the BB code tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator.



i get that when trying to post the log file -_-
 

NoStateofMind

Diamond Member
Oct 14, 2005
9,711
6
76
Post the items with BHO at the start. Those are Browser Helper Objects which could be causing the redirecting.
 

HybridSquirrel

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll


i think that's all the bho ones
 

NoStateofMind

Nothing obvious to me. Could you PM the log to me? I'll see if I can find out there.

Looks like you already did.
 

HybridSquirrel

ygpm....i was reading somewhere that maybe resetting the dns would help? It's not like i get redirected to the same website every time. It's random. Wikipedia usually takes me to a yellowbook website (or something like yellowbook). occasionally chrome warns me that the website it redirected me to had malware, but i just back out. left all my scans running again last night, and nothing popped up
 

jasonjas

Junior Member
Nov 27, 2010
8
0
0
It's usually the hosts file that is taken over.

read this to reset it.
http://support.microsoft.com/kb/972034

However I have seen both rootkits and hidden trojans that change the hosts file back after a few minutes. Sometimes it can be stopped by seeing if anything is running in task scheduler.

And if anything, I think that HijackThis has something for the hosts file as well.
 

RebateMonger

The last time I saw this behavior, the DNS was fine. But it wouldn't hurt to check it. As always, it never hurts to check the HOSTS file, either. Superantispyware and Malwarebytes didn't detect this particular malware on the system I examined. But that was several months ago.

Did you check for a Proxy Server yet?
 

HybridSquirrel

The last time I saw this behavior, the DNS was fine. But it wouldn't hurt to check it. As always, it never hurts to check the HOSTS file, either. Superantispyware and Malwarebytes didn't detect this particular malware on the system I examined. But that was several months ago.

Did you check for a Proxy Server yet?

yeah it was normal, it wasn't set to go through a proxy.

i'm running superantispyware first and i'll see if that does anything and then run that hosts file if it doesn't work. It takes about an hour to do even the "quick" scan -_-
 

HybridSquirrel

It's usually the hosts file that is taken over.

read this to reset it.
http://support.microsoft.com/kb/972034

However I have seen both rootkits and hidden trojans that change the hosts file back after a few minutes. Sometimes it can be stopped by seeing if anything is running in task scheduler.

And if anything, I think that HijackThis has something for the hosts file as well.

this didn't work...neither did super anti-spyware o.0
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
240
106
It wouldn't hurt to delete all your temporary Internet files. Especially the CONTENT.IE5 sub-folder and contents.
 

HybridSquirrel

i've now run almost every anti-virus / anti-spyware thing i know about. the microsoft fixit thing didn't work....


any other guesses?
 

RebateMonger

There are probably thousands of links offering instructions on removing the "Google Redirect" malware. Have you tried any of those instructions?

The BEST solution is to restore the system from backups. Assuming you don't have those, the next best solution is to copy important data elsewhere and rebuild the system from scratch. There's really no way for a non-expert to be sure that everything's removed after a malware repair.

If you're going to rebuild a system, be sure you've gotten the license keys for any installed software, that you've copied your Internet Favorites and any email stored on the PC, that you've got any email account and web site passwords recorded, that you've got OS and program installation disks, and you've got a list of devices/drivers installed on your PC.

After you've got a clean system, I strongly recommend making periodic system image backups so you can quickly restore it to a clean state. Removing malware is a huge time waster and malware is getting smarter and tougher to remove.
 

HybridSquirrel

There are probably thousands of links offering instructions on removing the "Google Redirect" malware. Have you tried any of those instructions?

The BEST solution is to restore the system from backups. Assuming you don't have those, the next best solution is to copy important data elsewhere and rebuild the system from scratch. There's really no way for a non-expert to be sure that everything's removed after a malware repair.

If you're going to rebuild a system, be sure you've gotten the license keys for any installed software, that you've copied your Internet Favorites and any email stored on the PC, that you've got any email account and web site passwords recorded, that you've got OS and program installation disks, and you've got a list of devices/drivers installed on your PC.

After you've got a clean system, I strongly recommend making periodic system image backups so you can quickly restore it to a clean state. Removing malware is a huge time waster and malware is getting smarter and tougher to remove.

every time i read it, it says "post your hijackthis data here" then they do that, and someone finds something clever in it, and removes it. but everyone's hijack this data is different. and then it's get program X and do Y with it. None of that has worked.....so basically you're saying i should reformat?
 

RebateMonger

None of that has worked.....so basically you're saying i should reformat?
I'm suggesting that you've spent one day on this already, and you'll probably spend more. In that time, you could rebuild a system that'd be guaranteed to be clean. But the second part of my recommendation is that you start making full system backups so you won't be a victim again.
 

COPOHawk

Senior member
Mar 3, 2008
282
1
81
I am currently fighting this for a customer (remote). I have tried a number of tricks in my book...I have narrowed down that there is obviously a stealthy virus...but am still unable to resolve.

If I had the computer, I would pull the hard drive and attach it to my own to run an AV scan on it. I know that this would resolve it.

As for reformat...yeah, well this always remains the nuclear option ;) I personally like to exhaust all troubleshooting options first...
 

corkyg

How about uninstalling Google anything?
 

HybridSquirrel

As for reformat...yeah, well this always remains the nuclear option ;) I personally like to exhaust all troubleshooting options first...


me too, but i feel like i have. I removed stuff I didn't know what it was on hijackthis, and it seemed to work pretty well


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


That's what I took out. Seems to be working decently well. I have to find my win7 disc somewhere....
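
The triage this thread arrives at (read the O2 BHO and R3 URLSearchHook lines of a HijackThis log and single out the ones reported as "(no name)" or "(no file)"), written out as an added example; it is not part of any poster's message and not HijackThis code. The regular expression is an assumption inferred from the lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Line shape assumed from the entries quoted in this thread:
#   <section> - <kind>: <name> - {CLSID} - <file path or "(no file)">
ENTRY_RE = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

# Log lines copied from the posts in this thread (an excerpt, not a full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""


def parse_entries(log_text):
    """Yield one dict per line that matches ENTRY_RE; skip everything else."""
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.groupdict()


def triage(log_text, sections=("O2", "R3")):
    """Return entries worth a manual look, each with the reasons it was flagged."""
    flagged = []
    for entry in parse_entries(log_text):
        if entry["section"] not in sections:
            continue
        reasons = []
        if entry["name"].lower() == "(no name)":
            reasons.append("unnamed entry")
        if entry["target"].lower() == "(no file)":
            reasons.append("no file reported")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["section"], e["kind"], e["clsid"], "->", ", ".join(e["reasons"]))
```

A flagged line is a lead to check against the registry and the disk before removing anything, not a verdict on the entry.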
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Reset your router to factory default, update it to the latest firmware if it isn't already, and change its admin password to something other than the factory default. If your router's been subverted, that'll resolve it (famous last words). Afterwards, have your system renew its IP address from the router and see if that's any help.

If you haven't already done so, it's never a bad time to run Secunia's PSI utility either. If your rig needs security updates for frequently-exploited stuff like Java, Flash Player, QuickTime, and so forth, it'll give you links to the patches. Good stuff: http://secunia.com/vulnerability_scanning/personal

The new Microsoft EMET utility is also pretty cool, I have a link and brief explanation here: http://www.mechbgon.com/build/security2.html#sehop
 