?
Solved

Google Redirect hassle

Posted on 2012-04-07
7
Medium Priority
?
860 Views
Last Modified: 2013-11-22
One of our laptops has the google redirect disease.
We have tried lots of things already but to no avail.
So far we have tried:
Scan with AVG 2012
Scan with McAfee
Scan with Malwarebytes
Scan with Hitman pro 3.6
Scan with pc tools spyware doctor
Scan with Super antispyware
Scan with microsoft essentials
The Microsoft Malicious software removal tool
Ran TDSS
Ran FIXTDSS
Ran Gooredfix
used Rkill and unhide
oh and even did a Combofix
Also did a Hijack this scan and ran the results through Hijjackthis.de and fixed the issues indicated with a red X

All to no avail.

the issue started with a fake HDD scare, which we got removed (I guess) but this redirecting issue remains.
The issue seems limited to a standard user and only happens in Firefox and Chrome.
Whenever doing a google search it will redirect to some random sites filled with advertisements

I'm attaching a hijackthis log and a combofix log and a tdss killer log fyi

Hope someone can help me out here
ComboFix.txt
hijackthis.log
TDSSKiller.2.7.26.0-07.04.2012-0.txt
0
Comment
Question by:leovalk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 18

Accepted Solution

by:
Andrej Pirman earned 2000 total points
ID: 37819891
Did you try resetting FireFox settings to default?
As it is NOT happening in IE, I assume it is not system-wide, but limited to specific browser.

-    Exit Firefox completely
-    Start Firefox in Safe Mode. The "Firefox Safe Mode" window will appear with some troubleshooting options, as shown in this Firefox 3.6 screen shot.
-    Select the option, Reset all user preferences to Firefox defaults.
-    Click the button, Make Changes and Restart.
0
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 37819896
Also, look for settings in bold text under about:config in FireFox. Maybe you'll get an idea what setting is causing redirects.
0
 

Author Comment

by:leovalk
ID: 37820097
OK, when I run ff in safe mode it works fine.
In Chrome there is an extension that is called "default" and when I remove that one, it will work fine, however upon restart it will be active again.

We are probably close to the solution.

So how can we proceed?
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 79

Expert Comment

by:arnold
ID: 37820503
Look at the file it is referencing as the plugin make sure you do not have romances of the item in c:\windows\prefetch
Make sure it is not part of the users startup folder
Look into the user's profile for this file. Use netstat -an to see if there is a rogue process or the default pages that the browser loads which is how this plug in winds up being added.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37822078
Usually with this type of redirection it is a overlay over the User Interface that actually redirects using a obfuscated javascript. Usually coming from Overlay.xul in firefox profile folder. I haven't checked into Chromes usage yet.

Edit:
W7: %appdata%\..\Local\Google\Chrome\User Data\Default\Extensions

Chromes extensions are located in one of the folders here. You can do a quick check for what files are causing the redirect using "findstr.exe" from the console.

cd/d %appdata%\..\Local\Google\Chrome\User Data\Default\Extensions
findstr /C:"www.redirectedurl.com" /S > %userprofile%\Desktop\output.txt

Open in new window

This will help find the files responsible.
0
 

Author Comment

by:leovalk
ID: 37823327
We found a Default extension in Chrome that didn't seem to belong there and we found a "performance cache 1.0" addon in Firefox that does not really exist.
We were able to get those deleted and are now testing the laptop.
will be back tomorrow with results.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 37825858
Rgr, This persistent threat is starting to use tactics that hide in plain site. Hopefully this will help get rid of that aspect. In the meantime I am going to do some more research.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question