Google redirect malware / rootkit

help
I am using Windows 7 Home Premium.
When I use Internet Explorer or Firefox and search for something on Google, it redirects me to a travel site or eshop or obscure search engine relative to the search string or term, but not the actual real site, term or product.

This behaviour only seems to happen when you use the actual search textbox on the Google web page and click a search result, and not every time or perhaps only once.

The redirect URL shows at the bottom of IE as below:
http://77.91.228.48/click.php?c=0c9a... being the most common one. Sometimes it goes through 2 or 3 URLs before a page loads.
Seems to be Russian in origin (no surprises!)

If you just press back to go back to the search page to click on the link again, the second time I press the link it goes to the correct page.
There is old talk online of it being related to a TSS rootkit? But with no solutions.
Also talk of some sort of script injection into the browser page, probably by a rootkit, but I'm lost without tools I can use on 64-bit.

The initial infection was a scareware app that Malwarebytes did remove, but this symptom still stays no matter what I do.
It also added its own DNS server into the Windows settings, which I have manually got around to allow updates for security software.

I have tried :
ipconfig /flushdns
Malwarebytes Anti-Malware: nothing found
HijackThis: can't see anything suspicious
SUPERAntiSpyware: nothing found
Full virus scan with ESET and AVG: nothing found
TSS rootkit removal tools from Kaspersky: usbaudio.sys MD5 suspect, so I removed it: no result.

Can't run RootRepeal because it's 64-bit Windows
Can't run ComboFix because it's 64-bit Windows

Has anyone dealt with a new mutation of this nasty?
Or good rootkit tools for 64-bit? Or a solution would be brilliant.

Thanks in advance
Kramer8u Asked:

expert_tanmay Commented:
You might have got a BHO installed. A BHO is like a plugin to your browser. On IE click on Tools->Manage Add-ons and look in the enabled list; if you see anything suspicious, disable or delete it. Similarly, you can check on Firefox by clicking Tools->Add-ons.
phototropic Commented:
It would also be a good idea to fix your hosts file with the following download:

http://www.mvps.org/winhelp2002/hosts.htm

Also, try a scan with Hitman Pro 64-bit:

http://www.surfright.nl/en/downloads/

Good luck!!!
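
The three places this thread points at (the DNS server setting from the question, the BHO list, and the hosts file) can be listed in one read-only pass. This is an added example, not part of any post above; it assumes a 64-bit PowerShell 2.0 or later session, and it changes nothing on the system.

```powershell
# Read-only triage: per-adapter DNS servers, active hosts file entries, and
# Browser Helper Objects (BHOs) for Internet Explorer.
# Assumption: run from 64-bit PowerShell, otherwise registry redirection
# hides the 64-bit BHO key. Uses WMI so it works on Windows 7.

# 1. DNS servers on each IP-enabled adapter. An address you, your router or
#    your ISP did not set deserves a closer look.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    ForEach-Object {
        New-Object PSObject -Property @{
            Adapter    = $_.Description
            DHCP       = $_.DHCPEnabled
            DnsServers = ($_.DNSServerSearchOrder -join ', ')
        }
    } | Format-Table Adapter, DHCP, DnsServers -AutoSize

# 2. Hosts file lines that are neither blank, comments, nor plain localhost.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$' }

# 3. BHOs registered for 64-bit and 32-bit IE, with the DLL behind each CLSID.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    # 32-bit BHOs resolve their CLSID under Wow6432Node\Classes.
    $clsidRoot = if ($key -like '*Wow6432Node*') {
        'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID'
    } else {
        'HKLM:\SOFTWARE\Classes\CLSID'
    }
    Get-ChildItem $key | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Join-Path (Join-Path $clsidRoot $clsid) 'InprocServer32'
        $dll    = if (Test-Path $inproc) {
            (Get-ItemProperty $inproc).'(default)'
        } else {
            '<no InprocServer32>'
        }
        New-Object PSObject -Property @{ Key = $key; CLSID = $clsid; Dll = $dll }
    } | Format-List CLSID, Dll, Key
}
```

A BHO whose DLL has a random-looking name or sits outside Program Files is the kind of entry worth checking against a scanner's findings.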

Kramer8u Author Commented:
Thanks guys, Hitman Pro did find a DLL but no rootkit.
The DLL was qmpehsoe.dll and once removed seems to have stopped the Google redirects.

One question though, in looking up information on TDL3 rootkit 64-bit, see below:

http://www.computersecurityarticles.info/antivirus/tdl3-rootkit-x64-goes-in-the-wild/

It says it modifies the MBR with "bootkit" code.
I'd like to be sure I killed this one.

How do I recreate / overwrite with a fresh Windows 7 64-bit MBR to make sure this "bootkit" is toast?

Should I post a separate question?

Sudeep Sharma, Technical Designer, Commented:
Boot off your Windows 7 CD and let it try to fix it for you. It should be able to repair your boot record automatically. To do it manually, you'd open a command prompt and type:

bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd
KenBro Commented:
Hitman x64 fixed the exact same problem for me on a Windows 7 x64. This 77.91.228.48 redirect was left behind by (fake) Anti Virus 2010 as far as I can tell. Thanks Bros :)