leovalk
asked on
Google Redirect hassle
One of our laptops has the google redirect disease.
We have tried lots of things already but to no avail.
So far we have tried:
Scan with AVG 2012
Scan with McAfee
Scan with Malwarebytes
Scan with Hitman pro 3.6
Scan with pc tools spyware doctor
Scan with Super antispyware
Scan with microsoft essentials
The Microsoft Malicious software removal tool
Ran TDSS
Ran FIXTDSS
Ran Gooredfix
used Rkill and unhide
oh and even did a Combofix
Also did a Hijack this scan and ran the results through Hijjackthis.de and fixed the issues indicated with a red X
All to no avail.
the issue started with a fake HDD scare, which we got removed (I guess) but this redirecting issue remains.
The issue seems limited to a standard user and only happens in Firefox and Chrome.
Whenever doing a google search it will redirect to some random sites filled with advertisements
I'm attaching a hijackthis log and a combofix log and a tdss killer log fyi
Hope someone can help me out here
ComboFix.txt
hijackthis.log
TDSSKiller.2.7.26.0-07.04.2012-0.txt
We have tried lots of things already but to no avail.
So far we have tried:
Scan with AVG 2012
Scan with McAfee
Scan with Malwarebytes
Scan with Hitman pro 3.6
Scan with pc tools spyware doctor
Scan with Super antispyware
Scan with microsoft essentials
The Microsoft Malicious software removal tool
Ran TDSS
Ran FIXTDSS
Ran Gooredfix
used Rkill and unhide
oh and even did a Combofix
Also did a Hijack this scan and ran the results through Hijjackthis.de and fixed the issues indicated with a red X
All to no avail.
the issue started with a fake HDD scare, which we got removed (I guess) but this redirecting issue remains.
The issue seems limited to a standard user and only happens in Firefox and Chrome.
Whenever doing a google search it will redirect to some random sites filled with advertisements
I'm attaching a hijackthis log and a combofix log and a tdss killer log fyi
Hope someone can help me out here
ComboFix.txt
hijackthis.log
TDSSKiller.2.7.26.0-07.04.2012-0.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Andrej Pirman
Also, look for settings in bold text under about:config in FireFox. Maybe you'll get an idea what setting is causing redirects.
ASKER
OK, when I run ff in safe mode it works fine.
In Chrome there is an extension that is called "default" and when I remove that one, it will work fine, however upon restart it will be active again.
We are probably close to the solution.
So how can we proceed?
In Chrome there is an extension that is called "default" and when I remove that one, it will work fine, however upon restart it will be active again.
We are probably close to the solution.
So how can we proceed?
Look at the file it is referencing as the plugin make sure you do not have romances of the item in c:\windows\prefetch
Make sure it is not part of the users startup folder
Look into the user's profile for this file. Use netstat -an to see if there is a rogue process or the default pages that the browser loads which is how this plug in winds up being added.
Make sure it is not part of the users startup folder
Look into the user's profile for this file. Use netstat -an to see if there is a rogue process or the default pages that the browser loads which is how this plug in winds up being added.
Usually with this type of redirection it is a overlay over the User Interface that actually redirects using a obfuscated javascript. Usually coming from Overlay.xul in firefox profile folder. I haven't checked into Chromes usage yet.
Edit:
W7: %appdata%\..\Local\Google\
Chromes extensions are located in one of the folders here. You can do a quick check for what files are causing the redirect using "findstr.exe" from the console.
Edit:
W7: %appdata%\..\Local\Google\
Chromes extensions are located in one of the folders here. You can do a quick check for what files are causing the redirect using "findstr.exe" from the console.
cd/d %appdata%\..\Local\Google\Chrome\User Data\Default\Extensions
findstr /C:"www.redirectedurl.com" /S > %userprofile%\Desktop\output.txtASKER
We found a Default extension in Chrome that didn't seem to belong there and we found a "performance cache 1.0" addon in Firefox that does not really exist.
We were able to get those deleted and are now testing the laptop.
will be back tomorrow with results.
We were able to get those deleted and are now testing the laptop.
will be back tomorrow with results.
Rgr, This persistent threat is starting to use tactics that hide in plain site. Hopefully this will help get rid of that aspect. In the meantime I am going to do some more research.