Getting re-directed when using google or bing



carasmam
30-Nov-10, 11:30
When I type a query into a search engine it comes up with the list of suggestions as normal. But when I click on one I end up being re-directed to various odd search type websites instead of the link I click on.

I have AVG free and using windows firewall. I've run anti malware bytes and downloaded MSC, but I can't update MSC. I'm scared to google for Super anti spyware etc in case I end up at a rogue site with all this redirecting going on - I really need to clean the netbook up as I've online shopping to do and I'm too scared to right now.

AVG keeps popping up saying it's blocked myads.platform etc but something must have got in. Oh and sometimes when I look at my wireless connection it has mysteriously changed to set point access instead of my homehub connection. I then have to restart as windows comes up saying it isn't authorised to manage the connections until I do.

The netbook came with XP already installed as it doesn't have a disc drive, so I'm worried about deleting things then not being able to install the operating system again.

RecQuery
30-Nov-10, 14:20
What do the dodgy URLs look like?


Try restarting into safe mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) and running the scans again.
Try running a Rootkit scan using either this (http://www.gmer.net/), this (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html) or this (http://sites.google.com/site/rootrepeal/) but run these in normal mode.
It might be overkill but try running Combo Fix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

carasmam
30-Nov-10, 14:32
I won't put the actual url in case someone clicks it. gomeo uk and ask friends are just two of them I can remember off hand.

I'll try combo etc just now. I thought it was bleeping computers but couldn't mind. Thanks for your reply, I'll update later how it goes :D

Leanne
30-Nov-10, 16:26
It's malware - that happened to me a few years ago and was the straw that broke the camel's back - I no longer run windoze... A little program tags on to your search engine and redirects you on every search. There are instructions on the net to remove it but I can't mind as it was years ago.

Get a Linux computer or a Mac - problem solved ;)

carasmam
30-Nov-10, 16:57
What do the dodgy URLs look like?


Try restarting into safe mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) and running the scans again.
Try running a Rootkit scan using either this (http://www.gmer.net/), this (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html) or this (http://sites.google.com/site/rootrepeal/) but run these in normal mode.
It might be overkill but try running Combo Fix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)


Well I can't boot in safe mode and combofix advised not to force it through the INI file as malware can scupper any hope of getting back to normal.
Combofix won't work unless I switch off AVG - do I just go for it and hope nothing more gets in in the meantime :eek:

RecQuery
30-Nov-10, 17:18
Ah right, I know what it is now. It's a variant of the TDSS malware family. Unfortunately this has what's called an MBR rootkit component. That's what is stopping it entering Safe Mode.

Okay try this:


Fix your MBR with the guide on this page (http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/).
Immediately after that, while the computer is rebooting try to restart into 'Safe Mode with Networking' using the guide from the previous post - Don't let it start normally or other parts of the malware could essentially reinstall the rootkit stuff.
Now in the following order run: MalwareBytes (http://www.malwarebytes.org/), TDSS Killer (http://support.kaspersky.com/viruses/solutions?qid=208280684) and ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix). Ignore the warning on ComboFix (it's just really related to file locking); it should prompt you to run it anyway.
I'm paranoid so you may want to repeat the MBR fix again for good measure.
Update Windows.
Use Firefox with the Adblock extension and be careful what you download from P2P/file sharing networks. Especially the low rent ones. Lots of them have dodgy things masquerading as legitimate.

If one part of this doesn't work, try ignoring it and continuing on and then let us know what happened and if there were any problems.

And yeah, at some point in the future if it's practical you may want to consider looking at Linux or a Mac. About the only thing you'll have issues with is playing some games. Macs are probably easier (I'm saying this as a Linux user) but they have obscene markup.

Leanne
30-Nov-10, 18:51
Macs are probably easier (I'm saying this as a Linux user) but they have obscene markup.

I baulked at the price at first (ran Kubuntu and Ubuntu for many years) but now the price is so worth the speed. Near instant startup! It's called Windoze for a reason ;). I love my Mac :) With the Crossover software there's rarely any issues any longer with cross compatibility :)

Another alternative is (if you have the memory) have your computer as a Windoze/Linux dual boot - this is what I had to do when I lived with my parents. My mum was a bit of a technophobe... Funnily though when I left home she started using Kubuntu and never turned back!

carasmam
30-Nov-10, 21:08
Thanks Recquery - you are a star :D

In the end I had to download all your suggestions to a memory stick from the desktop and then install them on here from it. Even typing the exact url into the address bar wasn't working :eek:

I don't do file sharing, although I go on facebook I don't click links either - I do play Farmville on there though.

Could it have been a bad update from AVG? It recently upgraded from 9.0 to 2011 and it was about the same time this carry on started.

Anyway, thanks again. Maybe I'll get some presents bought safely now :cool:

RecQuery
30-Nov-10, 21:23
Thanks Recquery - you are a star

In the end I had to download all your suggestions to a memory stick from the desktop and then install them on here from it. Even typing the exact url into the address bar wasn't working

I don't do file sharing, although I go on facebook I don't click links either - I do play Farmville on there though.

Could it have been a bad update from AVG? It recently upgraded from 9.0 to 2011 and it was about the same time this carry on started.

Anyway, thanks again. Maybe I'll get some presents bought safely now

So all good now?
EDIT: Just want to confirm you did the MBR part? It's probably the most critical.

It could have been a dodgy ad installing some malware. A malicious PDF, you may have even got it from another computer on a network you were on. Some of them travel on USB disks also. It's sometimes hard to work out what the infection vector was.


I baulked at the price at first (ran Kubuntu and Ubuntu for many years) but now the price is so worth the speed. Near instant startup! It's called Windoze for a reason. I love my Mac With the Crossover software there's rarely any issues any longer with cross compatibility

Another alternative is (if you have the memory) have your computer as a Windoze/Linux dual boot - this is what I had to do when I lived with my parents. My mum was a bit of a technophobe... Funnily though when I left home she started using Kubuntu and never turned back!

I occasionally run Windows in a VM if I have to but I prefer to use Wine for the odd game I play. I was on a Windows 7 system the other day and even it's slow, better than Vista granted but nowhere near my 5 second Debian boot.

carasmam
30-Nov-10, 21:34
Mmm, PDF looks to be the most likely culprit - thanks for the heads up, strange AVG didn't pick it up when scanning attachments though. By USB disk do you mean memory stick?

Ooops yes the MBR part was done first !

RecQuery
30-Nov-10, 21:48
Mmm, PDF looks to be the most likely culprit - thanks for the heads up, strange AVG didn't pick it up when scanning attachments though. By USB disk do you mean memory stick?

Ooops yes the MBR part was done first !

Going into some of the technicalities; the problem is really the Adobe PDF reader which turns on PDF JavaScript by default and usually this JavaScript is under multiple layers of obfuscation (encoded as Base64 data, URLs split up into strings then combined and decoded later etc) so it's hard to identify.

Yeah I mean memory sticks, SD cards etc. Some malware has been known to hide stuff on the disk then mess with autoplay so it's automatically spread.

It's sometimes best to run as an unprivileged non-admin account then elevate privileges or switch accounts when you need to install something, though that can get annoying for some people.
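As an added illustration of the PDF JavaScript obfuscation RecQuery describes (this is a constructed example, not code from anyone in the thread or from any vendor's tool): a small Python triage script that inflates a PDF's Flate streams and counts the auto-run JavaScript names and the Base64 / split-string patterns; the sample PDF it builds is hypothetical and its script is inert.

```python
import re
import zlib

# Hypothetical defender-side triage helper: flags JavaScript that runs when a
# PDF is opened, plus the Base64 and split-string tricks used to hide it.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile")
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")            # long Base64 blob
SPLIT_STRING = re.compile(rb"(?:['\"][^'\"]{1,20}['\"]\s*\+\s*){3,}['\"]")  # 'a'+'b'+'c'
DECODE_CALL = re.compile(rb"\b(?:unescape|eval|atob|String\.fromCharCode)\s*\(")


def inflate_streams(data: bytes) -> bytes:
    """Raw bytes plus the inflated body of every Flate stream, so the regexes
    also see JavaScript hidden inside compressed objects."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or truncated; raw bytes are still scanned
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Count risky names and obfuscation indicators; 'suspicious' means
    JavaScript, an auto-run trigger and at least one obfuscation sign."""
    body = inflate_streams(data)
    report = {n.decode(): len(re.findall(re.escape(n) + rb"\b", body)) for n in RISKY_NAMES}
    report["base64_blobs"] = len(BASE64_RUN.findall(body))
    report["split_strings"] = len(SPLIT_STRING.findall(body))
    report["decode_calls"] = len(DECODE_CALL.findall(body))
    has_js = report["/JavaScript"] + report["/JS"] > 0
    auto_run = report["/OpenAction"] + report["/AA"] > 0
    obfuscated = report["base64_blobs"] + report["split_strings"] + report["decode_calls"] > 0
    report["suspicious"] = has_js and auto_run and obfuscated
    return report


def build_sample_pdf() -> bytes:
    """Constructed sample: OpenAction -> obfuscated JavaScript in a Flate stream."""
    js = (b"var u = 'ht' + 'tp:' + '//' + 'exa' + 'mple.invalid/x';\n"
          b"var p = 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg==';\n"
          b"eval(unescape(p));\n")
    stream = zlib.compress(js)
    head = (b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n")
    return b"%PDF-1.4\n" + head + b"stream\n" + stream + b"\nendstream\nendobj\n%%EOF\n"
```

Run it against a real file with `triage_pdf(open(path, "rb").read())`; a hit is a reason to inspect the file in a sandbox, not proof of infection.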

carasmam
30-Nov-10, 22:04
That makes sense, I was blaming sun java last week as I saw java in the string of a threat that had been removed by avg, but it must have been javascript.

Niall Fernie
01-Dec-10, 00:09
Adobe reader has a new version and finally introduces the "security sandbox" so hopefully it'll be a bit more secure. The things that PDFs were capable of doing once loaded into Adobe reader were pretty scary.

I've started using Hitman Pro alongside my usual A/V and A/M and I like the fact that it's the only thing I've found that does a scan on boot and uploads anything it doesn't recognise to a cloud for further inspection.

It has a free 30 day trial but I was happy to pay the 14 euros for the 1 year license.

RecQuery
01-Dec-10, 09:04
I suppose I'll share my list of analysis tools, they're pretty good as a start to dissect malware and test a file that hasn't been picked up but that you're still not sure about:


http://anubis.iseclab.org/
http://wepawet.iseclab.org/
http://camas.comodo.com/
http://www.joebox.ch/
http://threatexpert.com/
http://malzilla.sourceforge.net/
http://www.virustotal.com/
http://www.uploadmalware.com/

carasmam
01-Dec-10, 12:28
Thanks Niall and Recquery :D