| ||
| Google results redirect using go.google.com
Hello, a few days ago I've noticed that my browsers are acting up weird. It loads much slower, the font size of some websites became larger and Google search results always redirect to some place else... Also, the Windows Update website won't load. Tried scanning my computer with a bunch of anti-spyware software, but couldn't find anything... :icon_sad: So here I am, asking for your help guys, you're my last hope :icon_rolleyes:
|
| ||
| Re: Google results redirect using go.google.com
Follow all instructions, run all programs and be sure to FIX if instructions say to do so. Once you have completed all the steps in the sticky then post back with all the requested logs and we can go from there.
Judy |
| |||
| Re: Google results redirect using go.google.com
Ok, I've only run Malwarebytes' Anti-Malware, Microsoft® Windows® Malicious Software Removal Tool, ATF-Cleaner, NOD32 (can't open any of the online scans), and Spyware Doctor. It didn't find anything. For some reason safe mode doesn't work. After loading to safe mode I get a black screen with no icons, only the mouse cursor. Tried loading with network, command prompt, tried waiting 30 min, nothing worked... Also, enabled hidden system folders and disabled system restore. I couldn't get the Deckard’s System Scanner (DSS).
|
| ||
| Re: Google results redirect using go.google.com
Please, anybody? :( |
| ||
| Re: Google results redirect using go.google.com
I'm currently having the same issues, and worst of all, I've left my computer unattended for the past week! When I came back I had the blue background and all the other symptoms. Everyone in the house is swearing left and right that my computer hasn't been touched, but we all know this stuff doesn't install itself... |
| ||
| Re: Google results redirect using go.google.com
Open My Computer, right-click the "C" drive. Choose Properties. Then go to the Tools tab. Under Error Checking click Check Now. A box will open; place checkmarks in both Fix errors and Scan for and Recover Bad Sectors. Click OK. Then you will get a message that this cannot be done now, do you want to do it on reboot? Choose Yes or OK. Then reboot the computer and Error Checking will run. This will take a while so be patient. |
| ||
| Re: Google results redirect using go.google.com
I used Malwarebytes' Anti-Malware, here's what it did:

Malwarebytes' Anti-Malware 1.25
Database version: 1093
Windows 5.1.2600 Service Pack 2

12:25:10 AM 8/29/2008
mbam-log-08-29-2008 (00-25-10).txt

Scan type: Quick Scan
Objects scanned: 52255
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\blphcltbj0el8a.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcltbj0el8a.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I'm cured now :) |
| ||
| Re: Google results redirect using go.google.com
sheik124, you really need to make your posts in YOUR OWN thread. No two computers or their problems are exactly alike. What works on one may not work on another. While the problems may seem similar, g3nX's Malwarebytes log is clean so the problem he has is not exactly the same as yours. If you have questions or problems please create your own thread. Doing this can lead to confusion for the original poster, for those of us trying to assist him (in fact when I read your post I thought at first he had run another Malwarebytes scan but thankfully I realized the log was not his) and confusion for others who may be reading this thread. |
| ||
| Re: Google results redirect using go.google.com
I've tried doing the Error Checking but this message pops up when I press Start: "Windows was unable to complete the disk check." |
| ||
| Re: Google results redirect using go.google.com
Here is the ComboFix log:

Before running it I went to the registry myself and found lots of websites in some folder, some bs websites like 500 of them, so I deleted the whole folder. Then I ran ComboFix and now everything works!!! Damn, I'm so happy that I didn't format the hard drive... Thanks for your help! |
©2003 - 2009 DaniWeb® LLC