I’m getting the Google redirect thing. New to all this, so help will be much appreciated. I’m downloading OTS right now and will post readings soon.
Do you get antivirus alerts such as “malicious URL blocked”? If yes, then this can be a TDSS rootkit… till then, let us wait for your OTS log…
Here is the OTS log, and yes, it says something about a mal URL.
Well, we need to stop this redirection. Follow this:
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
YN ->network.proxy.http -> "127.0.0.1" ->
YN->network.proxy.http_port -> 52889 ->
YN->network.proxy.type -> 0 ->
YN-> C:\WINDOWS\system32\drivers\etc\hosts ->
YN->Reset Hosts
YN->127.0.0.1 localhost
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end
Post OTS logs on next reply. Can even try Kaspersky TDSSKiller.
Here is the TDSSKiller log; there were no threats found.
Alright, download MBAM from here:
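The OTS fix above resets two things that a redirect infection of this kind commonly tampers with: the Firefox proxy preferences (network.proxy.type / network.proxy.http / network.proxy.http_port pointing at a proxy on 127.0.0.1) and the Windows hosts file (anything beyond the default “127.0.0.1 localhost” line). The longer fix later in the thread resets the same two items plus the Internet Explorer ProxyEnable value. The script below is an added example written for this page; it is not from the thread, from OTS or from any of the tools named, and it simply parses a hosts file and a Firefox prefs.js and reports those two indicators so a defender can confirm whether a machine still carries them after cleanup. The hosts and prefs contents are constructed samples; the file formats assumed are the standard Windows hosts layout and Firefox’s `user_pref("name", value);` lines.

```python
"""Audit a hosts file and a Firefox prefs.js for the two redirect-hijack
indicators that the OTS fix resets: a loopback HTTP proxy and non-local
hosts entries.  Added example; the sample inputs below are constructed."""
import re

# Constructed hosts file: one legitimate line plus two hijack-style entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
192.0.2.10      bing.com        # constructed, RFC 5737 test address
"""

# Constructed prefs.js: manual proxy (type 1) pointed at a local port.
SAMPLE_PREFS = """user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 52889);
user_pref("browser.startup.homepage", "about:home");
"""

# Names that legitimately resolve to loopback in a default hosts file.
ALLOWED_LOCAL_NAMES = {"localhost", "localhost.localdomain"}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_hosts(text):
    """Return [(ip, [hostnames...])] for every non-comment hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts_entries(text):
    """(ip, name) pairs that map anything other than localhost names."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name.lower() not in ALLOWED_LOCAL_NAMES:
                findings.append((ip, name))
    return findings


def parse_prefs(text):
    """Parse user_pref lines into a dict with ints, bools and strings."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def local_proxy_configured(prefs):
    """True when Firefox uses a manual proxy (type 1) on a loopback host.
    type 0 is 'no proxy', which is what the fix sets."""
    if prefs.get("network.proxy.type") != 1:
        return False
    host = str(prefs.get("network.proxy.http", ""))
    return host == "localhost" or host.startswith("127.")


def audit(hosts_text, prefs_text):
    """Combine both checks into one report dict."""
    prefs = parse_prefs(prefs_text)
    return {
        "hosts_hijacks": suspicious_hosts_entries(hosts_text),
        "local_proxy": local_proxy_configured(prefs),
        "proxy": (prefs.get("network.proxy.http"),
                  prefs.get("network.proxy.http_port")),
    }


if __name__ == "__main__":
    # On a real machine you would read C:\WINDOWS\system32\drivers\etc\hosts
    # and the profile's prefs.js instead of the constructed samples.
    print(audit(SAMPLE_HOSTS, SAMPLE_PREFS))
```

A clean machine reports an empty `hosts_hijacks` list and `local_proxy` False; on the constructed sample it flags both the two redirected names and the 127.0.0.1:52889 proxy, which is exactly the state the fix’s “Reset Hosts” and `network.proxy.type -> 0` lines undo.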
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Update and do a full scan. Post logs on next comment…
Post the logs of the OTS fix that I told you to run…
Have you run the OTS fix? No more redirection?
Here is the log from the OTS fix. It seems to have fixed it. You guys rock, that was an annoying little problem.
I will run a full Malwarebytes scan tomorrow and post those logs here too, though, just to be safe.
No more redirections, I suppose?
Spoke too soon. Worked once, went back into Google, now I got this popup from Avast and can’t go to any links.
Alright, TDSSKiller didn’t kill the rootkit, and neither did OTS do any good, so another option: this is a TDL4 rootkit. We need a bigger tool to kill it, so follow this:
Download aswMBR.exe (1.8 MB) to your desktop.
Double-click aswMBR.exe to run it.
Click the “Scan” button to start the scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif
On completion of the scan, click Save log, save it to your desktop and post it in your next reply.
http://public.avast.com/~gmerek/aswMBR2.png
After the scan is complete, you can hit the Fix or FixMBR option to remove the rootkit.
THEN
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
It may ask to reboot after the fix is completed; please do so if asked.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> BD 0E 95 01 3B 31 A1 44 BB 43 1F 4A 1E 73 F4 62 [binary data] ->
YN->HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> BD 0E 95 01 3B 31 A1 44 BB 43 1F 4A 1E 73 F4 62 [binary data] ->
YN->HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
YN->network.proxy.http -> "127.0.0.1" ->
YN->network.proxy.http_port -> 52889 ->
YN->network.proxy.type -> 0 ->
YN->HOSTS File > ([2001/08/23 06:00:00 | 000,000,734 | ----->
YN->C:\WINDOWS\system32\drivers\etc\hosts ->
YN->Reset Hosts
YN->127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
YN->{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
YN->{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} [HKLM]->[Somoto Toolbar]->File not found
YN->{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} [HKLM]->[Somoto Toolbar]->File not found
YN->WebBrowser\\"{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-329068152-2077806209-1417001333-1003\] > -> HKEY_USERS\S-1-5-21-329068152-2077806209-1417001333-1003\Software\Microsoft\Internet Explorer\Extensions\ ->
YN->CmdMapping\\"{898EA8C8-E7FF-479B-8935-AEC46303B9E5}" [HKLM] -> [Reg Error: Key error.] -> File not found
[Registry - Additional Scans - Safe List]
YN->Load hkey=HKCU key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows -> -> File not found
[Files/Folders - Created Within 30 Days]
NY-> C:\Program Files\BFG
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\sekrbfg
NY-> C:\Documents and Settings\All Users\Application Data\Trymedia
NY-> C:\Documents and Settings\tammy Blackwell\Local Settings\Application Data\fd
[Files/Folders - Modified Within 30 Days]
NY-> C:\WINDOWS\System32\776005517
NY-> C:\Documents and Settings\tammy Blackwell\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\C24A.F9C
NY-> C:\WINDOWS\tasks\At1.job
NY-> C:\WINDOWS\System32\dllcache\tcpip.sys
[Files - No Company Name]
NY-> C:\WINDOWS\System32\authz32.exe
NY-> C:\WINDOWS\System32\shfolder32.exe
NY-> C:\WINDOWS\System32\776005517
[File - Lop Check]
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\Toolbar4
NY-> C:\WINDOWS\Tasks\At1.job
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\sekrbfg
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\TOMI3
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end
Post aswMBR and OTS log on next reply.
Hope this kills the TDL4 rootkit. Also tell me whether your Google redirection is fixed or not after running the above fix.
@com155
So how is it going with the training at BleepingComputer? How do you have time to be here in this forum if you are training at BleepingComputer?
Don’t forget, he is also “famous throughout the city”.
@com155…I heard iYogi is hiring…you should give them a call…
@gargamel360 and pondus.
Yeah, thanks gargamel360 for informing… ;D ;D ;D ;D… Well, I do the training stuff at night and malware fixing in the evening; sometimes I sit overnight for the same… but in the morning I come here to meet you guys… ;D ;D ;D ;D… I reside in Mumbai, not in Delhi, for your info… :)… so it’s impossible to travel to Delhi from Mumbai… it takes half a day to go there… so I will stick with my own job, since we are paid well by our head… though this is a free service… ;D ;D ;D ;D
@gargamel360.
Remember, gargamel360, it’s hard work sitting overnight, but my dog Zorro is always there with me in all my malware cleanup and training… He is still sitting on my lap and barking… ;D ;D ;D ;D… most probably saying hello to you people… say hello to him, please… ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D ;D
Have been surfing the BleepingComputer forum but can’t see you over there at the forum!
What name are you using there?
Hmmm… you sure like smileys…
YN ->network.proxy.http -> "127.0.0.1" ->
YN->network.proxy.http_port -> 52889 ->
YN->network.proxy.type -> 0 ->
YN-> C:\WINDOWS\system32\drivers\etc\hosts ->
YN->Reset Hosts
YN->127.0.0.1 localhost
This is all legitimate, man :o