Google Search Redirect

Hi.

Sometimes when I click a link from a Google search it gets redirected to a random ad site; the ad site seems to be a different one each time. It doesn’t happen with every Google search that I do, which makes it seem odd.

I’ve carried out full scans with MBAM, SAS, Avast and others but none seem to be finding anything on my computer.

I’m on XP and using the latest version of Firefox.

Anyone help with this?

Thanks.

Hi, there. Please follow Essexboy’s instructions.

Thanks. Here’s the MBAM log, will post the OTL one when it’s done.

Malwarebytes’ Anti-Malware 1.45
www.malwarebytes.org

Database version: 4001

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

17/04/2010 16:45:26
mbam-log-2010-04-17 (16-45-26).txt

Scan type: Quick scan
Objects scanned: 104607
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi, there is a new TDSS variant out there, which means I will require a GMER run.

http://www.geekstogo.com/misc/guide_icons/gmer.png
GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<-- ROOTKIT” entries.
Please copy and paste the report into your Post.

Here are the OTL logs.

Did you start getting this problem about 10 days ago?

Could you run the GMER scan please?

No, it has been happening for a while, about a month or so, and it doesn’t happen often so I didn’t think much of it at first.

GMER scan just finished and added log.

OK, it is not a rootkit or file swap, which is good news.

Does this happen in both IE and Firefox?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

It happens in Firefox. I rarely use IE so I’m not sure if it happens in that, and since it only happens once in a while I can’t test whether it happens in IE.

I’ll do the combofix scan now.

OK, I will check out your FF addons when CF produces its log.

CF said there was a rootkit when it did its initial scan; it did everything else fine, it seems. Log added.

On completion of this run, play with Firefox and see if the redirects still occur.

  1. Please open Notepad
     [*] Click Start, then Run
     [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

MBR::

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     [*] Combofix.txt
     [*] A new OTL log.

Done the scans. CF said there was a rootkit present when it did its initial scan again. And when I started Firefox after the OTL scan, it said it wasn’t my default browser and asked if I wanted to make it my default browser; don’t know if that has any bearing?

Also logs added.

Hmm, CF is not showing a rootkit though, so I will use a different tool. ComboFix set IE to default as part of its run routine.

Download avz4.zip from HERE

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://perplexus.geekstogo.com/avz-update-button.png

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis with malware removal mode enabled” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png

[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa.png

[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

That’s odd considering CF said it did find a rootkit? Just doing the AVZ scans now, but had a redirect from one Google search. It led to http://7search.com/scripts/validation/v1/validate.aspx?x=Vg2nGK7o3QIhUw3nvdFFhQ%3D%3D_l9zlibh%2B81KCAvLRgoPkyq4XEYt4vLzNpHtNHKYFs4FU6zxwPdHa8Dxaf8vnTP1Nyg9qHMYvCTAa6dcRznUQ4Ppb8qO4bw20cZfGXmltbTUfq9eofDaKlPV%2FR7YPYGU%2BogZep%2BG0I95%2FHfPJh5%2FgmM3ptQ6Nq3bE3vkwD9Ks61%2FHtXFzgSgKcAC%2BF7yYAVVvQ8YxGIErKz19Gk6uwX9lUG302SU9G8s63%2BJZf9QVHxPANKjO%2FBkeqcTGuaXtzSNQ2qCYI5BqRNOc2R7kkIuKHIkLlHqLYsy47TaXTntag8A%3D

Hi Bradley,

Manual removal instructions:

Step 1: Use Windows File Search Tool to Find 7search.dll Path

Go to Start > Search > All Files or Folders.
In the “All or part of the file name” section, type in the file name “7search.dll”.
To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
When Windows finishes your search, hover over the “In Folder” of “7search.dll”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete 7search.dll in the following manual removal steps.

Step 2: Use Windows Command Prompt to Unregister 7search.dll Files
To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the 7search.dll DLL file is located and press the “Enter” button on your keyboard. If you don’t know where the 7search.dll DLL file is located, use the “dir” command to display the directory’s contents.
To unregister the “7search.dll” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder> regsvr32 /u 7search.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file.

Step 3: Detect and Delete Other 7search.dll Files
To open the Windows Command Prompt, go to Start > Run > cmd and then press the “OK” button.
Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s contents, including hidden files.
To change directory, type in “cd name_of_the_folder”.
Once you have the file you’re looking for type in del “name_of_the_file”.
To delete a file in folder, type in “del name_of_the_file”.
To delete the entire folder, type in “rmdir /S name_of_the_folder”.
Select the “7search.dll” process and click on the “End Process” button to kill it.

polonus
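As an added example of the search-and-unregister procedure in the steps above (not polonus’s own script): a batch file that walks the local drives for a DLL by name, logs every path found to a file on the desktop and unregisters each copy with regsvr32 /u, leaving the decision to delete to the user. The DLL name, the list of drive letters and the log location are assumptions; change them to suit.

```batch
@echo off
REM Added example, not polonus's script: locate every copy of the named DLL
REM on local drives, record its path and unregister it. Nothing is deleted.
REM TARGET, the drive letters and LOGFILE are assumptions; edit as needed.
setlocal EnableDelayedExpansion
set "TARGET=7search.dll"
set "LOGFILE=%USERPROFILE%\Desktop\dll_search_log.txt"
set /a FOUND=0

echo Searching local drives for %TARGET% ... > "%LOGFILE%"

REM Walk each candidate drive letter and skip any that is not present.
for %%D in (C D E F G H) do (
    if exist %%D:\ (
        echo Scanning drive %%D: ...
        REM /s recurses, /b prints bare paths, /a:-d lists hidden and
        REM system files too but excludes directories.
        for /f "delims=" %%F in ('dir /s /b /a:-d "%%D:\%TARGET%" 2^>nul') do (
            set /a FOUND+=1
            echo Found: %%F >> "%LOGFILE%"
            echo Found: %%F
            REM /s keeps regsvr32 silent so no dialog blocks the script.
            regsvr32 /u /s "%%F"
            if errorlevel 1 (echo   regsvr32 /u failed for %%F >> "%LOGFILE%") else (echo   unregistered %%F >> "%LOGFILE%")
        )
    )
)

if %FOUND%==0 (
    echo No copy of %TARGET% found on the drives scanned. >> "%LOGFILE%"
    echo No copy of %TARGET% found.
) else (
    echo %FOUND% copy/copies found; review "%LOGFILE%" before deleting anything.
)
endlocal
```

Run it from a cmd prompt as an administrator; a search that finds nothing, as in the post above, simply leaves the “No copy … found” line in the log.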

I’ve done the search but no search results come up ???

I will look and see what AVZ says, as it will either confirm or deny ComboFix’s rootkit.

Forum says I can’t attach .zip files, or the individual files either.

Could you upload to Mediafire and post the sharing link?