Author Topic: google redirect please help  (Read 27889 times)

rayb75

  • Guest
google redirect please help
« on: July 23, 2011, 05:48:22 AM »
I'm getting the Google redirect thing. New to all this, so help will be much appreciated. I'm downloading OTS right now and will post readings soon.
« Last Edit: July 23, 2011, 06:08:13 AM by rayb75 »

com155

  • Guest
Re: google redirect please help
« Reply #1 on: July 23, 2011, 06:04:55 AM »
Do you get antivirus alerts such as "malicious URL blocked"? If yes, then this can be a TDSS rootkit. Till then, let us wait for your OTS log..... ;)
« Last Edit: July 23, 2011, 06:06:48 AM by com155 »

rayb75

  • Guest
Re: google redirect please help
« Reply #2 on: July 23, 2011, 06:10:46 AM »
Here is the OTS log, and yes, it says something about a mal URL.

« Last Edit: July 23, 2011, 06:13:06 AM by rayb75 »

com155

  • Guest
Re: google redirect please help
« Reply #3 on: July 23, 2011, 06:21:48 AM »
Well, we need to stop this redirection. Follow this:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
YN->network.proxy.http -> "127.0.0.1" ->
YN->network.proxy.http_port -> 52889 ->
YN->network.proxy.type -> 0 ->
YN-> C:\WINDOWS\system32\drivers\etc\hosts ->
YN->Reset Hosts
YN->127.0.0.1       localhost
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c

:end

Post OTS logs in your next reply. You can even try Kaspersky TDSSKiller.
« Last Edit: July 23, 2011, 08:38:28 AM by com155 »

rayb75

  • Guest
Re: google redirect please help
« Reply #4 on: July 23, 2011, 06:36:30 AM »
Here is the TDSSKiller log; there were no threats found.

com155

  • Guest
Re: google redirect please help
« Reply #5 on: July 23, 2011, 06:39:42 AM »
Alright, download MBAM from here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Update and do a full scan, then post logs in your next comment....

com155

  • Guest
Re: google redirect please help
« Reply #6 on: July 23, 2011, 06:42:33 AM »
Post the logs of the OTS fix that I told you to run....

com155

  • Guest
Re: google redirect please help
« Reply #7 on: July 23, 2011, 06:44:27 AM »
Have you run the OTS fix? No more redirection?

rayb75

  • Guest
Re: google redirect please help
« Reply #8 on: July 23, 2011, 07:01:35 AM »
Here is the log from the OTS fix. It seems to have fixed it. You guys rock, that was an annoying little problem.

rayb75

  • Guest
Re: google redirect please help
« Reply #9 on: July 23, 2011, 07:02:49 AM »
I will run a full Malwarebytes scan tomorrow and post those logs here too, just to be safe.

com155

  • Guest
Re: google redirect please help
« Reply #10 on: July 23, 2011, 07:03:53 AM »
No more redirections, I suppose?

rayb75

  • Guest
Re: google redirect please help
« Reply #11 on: July 23, 2011, 07:05:36 AM »
Spoke too soon. It worked once; I went back into Google and now I got this popup from Avast and can't go to any links.

com155

  • Guest
Re: google redirect please help
« Reply #12 on: July 23, 2011, 07:08:41 AM »
Alright, TDSSKiller didn't kill the rootkit and OTS did no good either, so another option: this is a TDL4 rootkit. We need a bigger tool to kill it, so follow this:

Download aswMBR.exe (1.8 MB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

After the scan is complete you can hit the Fix or FixMBR option to remove the rootkit.

THEN

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
It may ask to reboot after the fix is completed; please do so if asked.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> BD 0E 95 01 3B 31 A1 44 BB 43 1F 4A 1E 73 F4 62  [binary data] ->
YN->HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> BD 0E 95 01 3B 31 A1 44 BB 43 1F 4A 1E 73 F4 62  [binary data] ->
YN->HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
YN->network.proxy.http -> "127.0.0.1" ->
YN->network.proxy.http_port -> 52889 ->
YN->network.proxy.type -> 0 ->
YN->HOSTS File > ([2001/08/23 06:00:00 | 000,000,734 | ----->
YN->C:\WINDOWS\system32\drivers\etc\hosts ->
YN->Reset Hosts
YN->127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
YN->{02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
YN->{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} [HKLM]->[Somoto Toolbar]->File not found
YN->{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} [HKLM]->[Somoto Toolbar]->File not found
YN->WebBrowser\\"{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-329068152-2077806209-1417001333-1003\] > -> HKEY_USERS\S-1-5-21-329068152-2077806209-1417001333-1003\Software\Microsoft\Internet Explorer\Extensions\ ->
YN->CmdMapping\\"{898EA8C8-E7FF-479B-8935-AEC46303B9E5}" [HKLM] ->  [Reg Error: Key error.] -> File not found
[Registry - Additional Scans - Safe List]
YN->Load hkey=HKCU key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ->  -> File not found
[Files/Folders - Created Within 30 Days]
NY-> C:\Program Files\BFG
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\sekrbfg
NY-> C:\Documents and Settings\All Users\Application Data\Trymedia
NY-> C:\Documents and Settings\tammy Blackwell\Local Settings\Application Data\fd
[Files/Folders - Modified Within 30 Days]
NY-> C:\WINDOWS\System32\776005517
NY-> C:\Documents and Settings\tammy Blackwell\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\C24A.F9C
NY-> C:\WINDOWS\tasks\At1.job
NY-> C:\WINDOWS\System32\dllcache\tcpip.sys
[Files - No Company Name]
NY-> C:\WINDOWS\System32\authz32.exe
NY-> C:\WINDOWS\System32\shfolder32.exe
NY-> C:\WINDOWS\System32\776005517
[File - Lop Check]
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\Toolbar4
NY-> C:\WINDOWS\Tasks\At1.job
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\sekrbfg
NY-> C:\Documents and Settings\tammy Blackwell\Application Data\TOMI3
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c

:end

Post the aswMBR and OTS logs in your next reply.

« Last Edit: July 23, 2011, 08:47:51 AM by com155 »
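Both OTS fixes in this thread reset the same three things: Firefox's network.proxy.* preferences (pointed at a local proxy on 127.0.0.1:52889), the HOSTS file, and Internet Explorer's ProxyEnable value. The script below is an added example, not from the thread, from OTS or from any of the tools mentioned; it shows the defender-side check for those indicators on copies of prefs.js and the hosts file, with constructed sample inputs embedded. The loopback proxy 127.0.0.1:52889 is the value from the thread; www.example.com and the registry values passed to check_ie_proxy are assumed placeholders, and the function and constant names are this example's own.

```python
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[str, int, bool]

# Firefox stores preferences in prefs.js as lines of the form
#   user_pref("name", value);
# where value is a quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Firefox network.proxy.type: 0 = direct, 1 = manual proxy, 2 = PAC URL,
# 4 = auto-detect, 5 = use system settings. The OTS fix sets it to 0.
MANUAL_PROXY = 1

# Constructed sample prefs.js reflecting the hijacked settings in the thread
# (127.0.0.1, port 52889); the other two prefs are ordinary filler.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 52889);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.share_proxy_settings", true);
'''

# Constructed sample hosts file: the two stock entries plus one injected
# line (hypothetical domain, not from the thread).
SAMPLE_HOSTS = '''
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example.com   # hypothetical injected entry
'''


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js text into a name -> typed value mapping."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = (raw == "true")
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unknown literals as text
    return prefs


def check_firefox_proxy(prefs: Dict[str, PrefValue]) -> List[str]:
    """Flag a manual proxy that points back at the local machine: a local
    proxy process can rewrite every page or search result it relays."""
    if prefs.get("network.proxy.type") != MANUAL_PROXY:
        return []
    host = str(prefs.get("network.proxy.http", ""))
    port = prefs.get("network.proxy.http_port", 0)
    if host in ("127.0.0.1", "localhost", "::1"):
        return [f"Firefox manual HTTP proxy points at loopback {host}:{port}; "
                "a local process is intercepting browser traffic"]
    return []


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        entries.extend((parts[0], name) for name in parts[1:])
    return entries


DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def check_hosts(entries: List[Tuple[str, str]]) -> List[str]:
    """Flag every mapping that is not a stock localhost line. Legitimate
    admin-added entries show up too; the point is to see what the OTS
    'Reset Hosts' step is about to wipe."""
    return [f"hosts maps {name} -> {ip} (not a default entry)"
            for ip, name in entries if (ip, name) not in DEFAULT_HOSTS]


def check_ie_proxy(proxy_enable: int, proxy_server: str) -> List[str]:
    """Same loopback test for Internet Explorer / WinINet. On a live system
    these values are read from HKCU\\Software\\Microsoft\\Windows\\
    CurrentVersion\\Internet Settings (ProxyEnable, ProxyServer); here they
    are passed in so the check runs offline. Only the plain "host:port"
    form of ProxyServer is handled."""
    if proxy_enable != 1:
        return []
    host = proxy_server.split(":", 1)[0]
    if host in ("127.0.0.1", "localhost", "::1"):
        return [f"IE proxy enabled and pointing at loopback ({proxy_server})"]
    return []


def audit(prefs_text: str, hosts_text: str,
          ie_proxy_enable: int, ie_proxy_server: str) -> List[str]:
    """Run all three checks and return the combined findings."""
    return (check_firefox_proxy(parse_prefs(prefs_text))
            + check_hosts(parse_hosts(hosts_text))
            + check_ie_proxy(ie_proxy_enable, ie_proxy_server))


if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS, SAMPLE_HOSTS, 1, "127.0.0.1:52889"):
        print("FINDING:", finding)
```

On the sample inputs the audit returns three findings: the Firefox loopback proxy, the injected hosts entry and the enabled IE proxy. Run against a real profile, a clean result after the OTS fix should show network.proxy.type back at 0 and only the two localhost lines in hosts; a proxy entry that reappears after a reboot is the sign that something resident is rewriting the settings, which is why the thread moves on to a rootkit scanner rather than repeating the fix.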

com155

  • Guest
Re: google redirect please help
« Reply #13 on: July 23, 2011, 08:30:01 AM »
Hope this kills the TDL4 rootkit. Also tell me whether your Google redirection is fixed or not after running the above fix.

Pondus

  • Posts: 37528
  • Not an avast user
Re: google redirect please help
« Reply #14 on: July 23, 2011, 08:46:01 AM »
@com155
So how is it going with the training at BleepingComputer? How do you have time to be here in this forum if you are training at BleepingComputer?