The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Help!!! Google search links re-directed to unwanted pages

    Discussion in 'Security and Anti-Virus Software' started by Justitia, Jan 19, 2013.

  1. Justitia

    Justitia Notebook Evangelist

    Edit 3rd and final update - all clear :)

    Edit: 2nd Update -- the problem may be solved. I will see in the morning -- but if anyone is curious as to how things unfolded -- I have given a pretty detailed report of the process over about a 2 hour period.

    So I am extremely careful as to what sites I go to. If I think I am going to any site that might be risky I use an old laptop that has nothing of value on it.

    I was in tech support with Verizon Wireless and also my ISP about a problem I was having with my network extender. The question was whether the DSL service was consistently stable.

    One of the tech persons sent me to one site to test the speeds, etc. and the other sent me to a different site to test the speeds.

    One of those two sites downloaded a trojan as well as something somewhere that, when I click on a link from a Google search, I get redirected to pages with ads or other matter I have no interest in.

    After Googling around I found some advice which I followed, but none of them worked.

    So here is what I did, to no avail:

    1. I updated MBAM and ran a scan. It found a trojan which it removed.

    2. I ran a disk cleanup and deleted everything through internet options.

    3. At one site it was recommended to download TDSS Killer by Kaspersky -- which apparently you can get for free. I did that and if I remember right it found the "trojantracker" but didn't solve the problem of the re-directed web page.

    4. The same site recommended that if that didn't work to download FixTDSS from Symantec which is also free. That didn't solve the problem.

    5. In the comments on that website several people recommend deleting any extra IP lines in the Host file. One gave detailed instructions on how to do it. Of course I saved a copy of the original elsewhere in case I screwed something up.

    That person said that only 127.0.0.1 localhost should be there and to delete all others.

    There was an extra line with a different IP address below the one that is supposed to be there. I deleted that but it didn't solve anything. Above the 127 IP address were "examples" with different IP addresses. I tried also deleting one of those and then the other as well. Still no solution.

    6. Since I have Norton Internet Security for that old laptop I mentioned at the top of this email -- (I use Microsoft Security Essentials on everything else) when I purchased the Norton utilities it came with 3 licenses. Since two were unused, I downloaded Norton Internet Security onto this laptop with the problem, updated its files, ran a full scan. It basically found a lot of cookies but one high risk trojan, all of which it deleted.

    Still did not solve the problem.

    Here is what the "host" file looked like when I first opened it.
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    I deleted first the bottom line then each one of the example lines. Between each deletion I shut down and restarted my laptop.

    I am out of ideas.

    Does anyone have any suggestions?

    Well, I was scanning through older posts on this thread and discovered someone having a redirect problem with IE 9. Some responded with a few more suggestions to see if things had been changed. I checked all of them -- and everything is fine.

    But I now discover that the redirection doesn't seem to be happening. I am not sure why. I didn't do anything except to scan this thread.

    But I have left Norton Internet Security on instead of going back to MSE. (I was going to wait a bit and think about what I wanted to do.) But even with Norton Internet Security on, the mis-direction still happened earlier.

    So I see people are looking at this - I hope someone has some thoughts.

    Edit: I posted too quickly -- the re-direct is back

    So now Norton is trying to run a patch on its update program and says it can't do it until "Oasis2Service" stops running.

    I have no idea what Oasis2service is and I can't find it anywhere on my laptop.

    Please, someone help! I can't believe this. In 25 years of using home computers, I've never dealt with a situation like this.
     
  2. tijo

    tijo Sacred Blame

    You might be able to find the service in services.msc (just type that in the start menu search bar).

    Personally, at this point, I would go for a full system reinstall.

    Bad things do happen sometimes and these days it is possible to get infected through a site that was compromised.
     
  3. Justitia

    Justitia Notebook Evangelist

    This is all happening on my Sony Vaio Z. I found on the internet that Oasis2Service seems to be a program tied to Vaio messenger. Someone said that when they removed that it also removed Oasis2Service.

    I removed Vaio Messenger -- I never use it anyway and had turned it off as it was a PIA. But Norton showed that Oasis2Service was still running.

    The Norton Patch said if it was canceled then it would automatically load when the laptop was restarted. So I restarted the computer.

    The moment the laptop came back on -- a red alert from Norton saying it discovered the following: SONAR.Module!gen3, it blocked it and it removed it. Going to Norton's site for more information -- it said to run a full system scan -- which just finished. All Norton found at this time was cookies and as usual it removed them.

    The actions Norton took to remove the SONAR.Module!gen3 were as follows:

    1. It removed the following file: Users\(my user name)\appdata\local\boradcom\arsoft\ sghybdjt.dll <- Apparently this is the SONAR.Module!gen3 file.

    2. Norton also did a registry change, it removed Run->Arcsoft

    It seems once again that the misdirection of web pages has stopped -- but I don't want to conclude too hastily. But I've tried a number of google searches and several links on each -- and the misdirection seems to be gone.

    I do not want to do a full fresh install if I can avoid it -- I don't have the time -- there is too much to deal with for me to do that. It would take at least a 12 hour day.

    I guess I am a little more impressed with Norton. I remember when it was bloated and I hadn't used it in years. I only subscribed because it seems pretty heavy-duty and I wanted it for my old laptop that I use when I need to go to sites that might not always be safe.
    (360 seems just too much and the addition over Internet Security doesn't seem that useful -- at least for me.)

    But now I am thinking about keeping Norton Internet Security on my SONY Vaio for a while. It is clear that MSSE didn't stop this. MBAM didn't catch all of the culprit -- and though Norton didn't either right away -- apparently this new patch that just came out in the last hour got it.

    So I am off to bed and will see how things are in the morning. I may have lucked out and escaped long term harm.
     
  4. saturnotaku

    saturnotaku Notebook Nobel Laureate

    One suggestion if you should ever be requested to run some sort of online test for tech support/whatever, is to open the website in a sandboxed web browser. Use a program such as Sandboxie, and even some antivirus suites include this functionality (e.g. Comodo Internet Security 6). That way you can do what is requested without the risk of something getting loose and wreaking havoc.
     
  5. JOSEA

    JOSEA NONE

    AFA hosts file. I always thought any line that starts with # is just a comment so deleting them will not alter anything.
    I would also suggest running all your scans in safe mode (F8 after computer posts).
    Could you please tell us what version of Windows you are running, and what sites were recommended for speed test that started the issue?
    (Please do not post clickable link, just a name may help others to avoid them).
    My guess would be the test may need java which may be at the root of the original issue.
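
Added example, not part of any post in this thread: a Python check for the hosts-file question raised above. It separates comment lines (which have no effect, as in the default file quoted in the first post) from active mappings and flags anything other than loopback-to-localhost for review. The tampered sample, its 203.0.113.7 documentation address, the search.example names and the function names are all constructed for illustration.

```python
import ipaddress

# Tail of the default Windows hosts file as quoted in the first post: all comments.
DEFAULT_HOSTS = """\
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
"""

# Constructed sample: the default file plus one injected mapping (documentation-range IP).
TAMPERED_HOSTS = DEFAULT_HOSTS + "203.0.113.7\twww.search.example search.example # constructed\n"

def active_entries(text):
    """Return (line_no, ip, [names]) for every line that is a real mapping, not a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # everything after '#' is a comment
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                          # an address with no host name maps nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first column is not an IP address
        entries.append((line_no, ip, fields[1:]))
    return entries

def suspicious_entries(text):
    """Flag active mappings other than loopback -> localhost for manual review."""
    flagged = []
    for line_no, ip, names in active_entries(text):
        benign = ip.is_loopback and all(n.lower() == "localhost" for n in names)
        if not benign:
            flagged.append((line_no, str(ip), names))
    return flagged

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, suspicious_entries(text))
```

On the default file the result is empty, which is why deleting the `#` example lines changed nothing; a flagged entry is a prompt to check where the line came from, since ad-blocking hosts files also add non-default mappings.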
     
  6. Justitia

    Justitia Notebook Evangelist

    Well, it's been 24 hours and not a single misdirect -- and who knows what else was in there.

    It was well-worth spending 2 hours in the midnight hour trying to get rid of the trojan/virus or whatever it was, rather than do a fresh install which would have taken two days -- but that would have been a good idea if all else failed.

    Norton Internet Security was the only anti-virus protection that got it -- though it seems like they had just released a patch to catch mid-way through my troubles. But I am going to leave NIS on here for a while and see how I like it. Doesn't cost me anything.

    (And I know if I do decide to remove it, the difficulties of getting all remnants of NIS removed and where to go and how to get rid of them. Done it before.)

    @saturnotaku Thanks for the recommendation of Sandboxie. I hope I have time to learn about it before my next round of techs -- which is tomorrow.

    @ Josea -- I've been reading about the Java problem - that is a good thought of yours.

    Would you explain the significance of running scans in safe mode?

    The two sites were Voip8x8 and speedtest. Don't know which one did it.
     
  7. tijo

    tijo Sacred Blame

    Safe mode only loads the basic Windows drivers/startup items so the chances of being able to easily (or easier than in "normal mode") remove whatever is causing you problems are higher in safe mode.
     
  8. Justitia

    Justitia Notebook Evangelist

    Just as a follow-up -- it is clear that last patch update by Norton Utilities the night of the Trojan infestation got rid of it. Also, I have left Norton Internet Security on the laptop in question.

    I believe now that the site that dumped the Trojan onto my laptop was the Voiptest8x8 one. When I tried to use it today, it insisted on using Java -- which has (or had) a serious security breach problem. But Java seems to have fixed that because I ran the test today several times for another purpose and Norton didn't indicate any problems.

    My laptop has worked faster and more seamlessly since Norton has been installed. Up until now I've been using MSSE.

    My guess is that
    1. Norton's bloatedness is really quite gone and

    2. One of the things I find a bit annoying is that when Norton does its system scan, which it does automatically fairly frequently, it always comes up with all the cookies on my computer. Of course a number of them are cookies I want to keep. But I don't have time or the inclination to go through the 50 or so cookies to tell Norton to ignore this one or that one.
    So I tell Norton to "fix" (which means delete) all the cookies. What that means is that on a number of websites that I frequent (such as this one) I have to sign in from scratch -- which is good until the next system scan by Norton.
    But given how fast my laptop is working now, I think it is worth it.

    So I am going to put NIS on my other "good" laptop (HP Elitebook 8540w) as Norton's license is good for 3 computers.

    I also have a second "old" laptop used to pipe streaming internet and CDs through my speaker system in the living room. It is as slow as molasses turning on and off -- I wonder if Norton would help speed that one up too. Though it works fine once it is on for streaming purposes. So probably the extra license is not worth paying for.