Author Topic: Google Redirect Aswell.  (Read 5667 times)

Winsley

  • Guest
Google Redirect Aswell.
« on: July 09, 2011, 05:08:15 PM »
Hello! I seem to have picked up the same bug that a lot of other users are reporting here which causes Google redirects. I started getting "Malicious URL" alerts from Avast this morning after I booted up my PC. Strange thing is, I haven't recently downloaded anything or noticed anything strange until first thing this morning.

Anyways, I've been looking at recent topics and I'm hoping the revered "essexboy" can help me. :) I have tried scanning with Avast, Malwarebytes, Hitman Pro (suggested on another forum as a fix), and TDSSKiller. Unfortunately, all have come back negative.

Here is a screenshot of the alert: http://i92.photobucket.com/albums/l3/Fish_21/malware.png
  -Since it's hard to read, the object is t2.gstatic.com (sometimes it's t0.gstatic.com). The Process is "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"


Here is a link to my OTS log file: http://www.mediafire.com/?9jrcykax0nkw9vf

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3054
Re: Google Redirect Aswell.
« Reply #1 on: July 09, 2011, 05:13:06 PM »
I think this has nothing to do with your computer. There is a lot of discussion going on everywhere on the internet about these redirections in image search ( http://www.bing.com/search?q=google+image+search+redirect&src=IE-SearchBox&FORM=IE8SRC ). But a diagnostic from essexboy will surely help out to make sure nothing is wrong in your computer. Also, who knows? He might catch something else too, if it's lurking in there.. :)

Edit: Very similar to this: http://www.youtube.com/watch?v=fBdc0jwLy6k will happen if avast blocks the redirection.
« Last Edit: July 09, 2011, 05:24:32 PM by nmb »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Google Redirect Aswell.
« Reply #2 on: July 09, 2011, 05:20:46 PM »
Is that a web shield alert, as I cannot read it properly? The OTS log seems clear.

 

Offline nmb

Re: Google Redirect Aswell.
« Reply #3 on: July 09, 2011, 05:23:31 PM »
Quote from: essexboy
Is that a web shield alert, as I cannot read it properly? The OTS log seems clear.

If I am seeing it right, Network shield it is.

Winsley

  • Guest
Re: Google Redirect Aswell.
« Reply #4 on: July 09, 2011, 05:23:54 PM »
Yeah, sorry about that. The image got shrunk after uploading. It is a Network Shield alert.

Offline essexboy

Re: Google Redirect Aswell.
« Reply #5 on: July 09, 2011, 05:31:32 PM »
Let's clear the temps

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Winsley

  • Guest
Re: Google Redirect Aswell.
« Reply #6 on: July 09, 2011, 05:41:45 PM »
All done. I use CCleaner daily to clean out temp files. TFC cleared out 44mb worth of files and I've rebooted. I'll let you know in a little bit if I'm still getting the alerts. It's good to know my log file looks clean. :)
« Last Edit: July 09, 2011, 05:49:03 PM by Winsley »

Offline essexboy

Re: Google Redirect Aswell.
« Reply #7 on: July 09, 2011, 05:45:00 PM »
TFC is a bit more thorough, it also empties the flash folder

Winsley

  • Guest
Re: Google Redirect Aswell.
« Reply #8 on: July 09, 2011, 05:49:46 PM »
That makes sense. It's a pretty handy program. In other news, I'm still getting the alerts. Might it be some type of false positive?

Offline essexboy

Re: Google Redirect Aswell.
« Reply #9 on: July 09, 2011, 06:47:37 PM »
The probability exists; however, let's double check

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Winsley

  • Guest
Re: Google Redirect Aswell.
« Reply #10 on: July 09, 2011, 07:41:41 PM »
I ran ComboFix. Here is the link to my log file: http://www.mediafire.com/?apad5qo99xsvtpe

After running, I got another Network Shield alert at the Google home page. The Object was "google.ca" and the process was Firefox.

Offline essexboy

Re: Google Redirect Aswell.
« Reply #11 on: July 09, 2011, 08:00:21 PM »
Do you use a proxy programme at all - and is it just Firefox or IE as well?

I would like to run a different analysis now as this has been updated to look in more depth at firefox

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Re: Google Redirect Aswell.
« Reply #12 on: July 09, 2011, 08:22:19 PM »
Quote from: essexboy
Is that a web shield alert, as I cannot read it properly? The OTS log seems clear.


Sorry for being a little late on this one, it does appear to have been triggered by the web shield (avastSvc.exe), but it is the malicious site list being used. Looks like that image wanaplaceinvictoria.jpg in bottom line of the list of images has been hovered over.

I wonder if this could well be a malicious image/malformed URL that has been discussed in the avast blog before.

Winsley

  • Guest
Re: Google Redirect Aswell.
« Reply #13 on: July 09, 2011, 08:24:36 PM »
I don't use any proxy programs. So far I haven't been getting the alerts in Internet Explorer. These alerts seem to be random and don't show up every time I use Google. Since my last post, I haven't gotten any more alerts in either Firefox or IE.

Here are my log files after scanning with OTL:

OTL: http://www.mediafire.com/?h4592so6uv94t72
Extras: http://www.mediafire.com/?fparn7ofxxgjlbq

Winsley

  • Guest
Re: Google Redirect Aswell.
« Reply #14 on: July 09, 2011, 08:26:47 PM »
Quote from: DavidR
Quote from: essexboy
Is that a web shield alert, as I cannot read it properly? The OTS log seems clear.

Sorry for being a little late on this one, it does appear to have been triggered by the web shield (avastSvc.exe), but it is the malicious site list being used. Looks like that image wanaplaceinvictoria.jpg in bottom line of the list of images has been hovered over.

I wonder if this could well be a malicious image/malformed URL that has been discussed in the avast blog before.

I went back and did the same search and hovered over the same image again. I didn't end up getting any alerts this time.

Edit. Newest alert in Firefox on Google home page: Object = google.com/.../challenge?k=6LcRuL0SAAAAAEnvZvPe...etc
                    Process = C:\Program Files\AVAST Software\Avast\AvastSvc.exe
« Last Edit: July 09, 2011, 10:14:34 PM by Winsley »