TechSpot

Another Google Redirect

By Creighton
Nov 15, 2009
  1. I've followed the 8-step guide, but this does seem to be a difficult one based on the other threads I've read.

    I would appreciate any help you can provide.

    Just for clarity - when I do a Google search, this virus redirects the results I click on to another site. It seems to affect Firefox, IE, Chrome and Safari.

    Attached are the requested logs.
     
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    So all the other redirect threads don't give you a clue, on what to do?
     
  3. Creighton

    Creighton TS Rookie Topic Starter

    Alas, no clue.

    I did download Combofix, but saw the warnings not to run it without guidance before managing to make matters worse.

    I also tried searching for some of the same HijackThis entries that others were directed to fix, but I didn't seem to have the same bug.

    Is there something more I should have done?

    One more symptom I forgot to mention is that when I boot up after Windows starts it takes a LONG time for the icons in the system tray to startup. I'd always assumed some deleted program was trying to startup and timing out but perhaps it is related?

    I appreciate any guidance you can spare.
     
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Go ahead and run Combofix, following the instructions carefully. Take your time to read all the instructions.
     
  5. Creighton

    Creighton TS Rookie Topic Starter

    ---------------------------------------------------------------------------------
     
  6. Creighton

    Creighton TS Rookie Topic Starter

    Combofix appears to have worked. I plan to set a new system restore point.

    What annoys me the most is that McAfee never caught any of the junk I removed in the last 3 days. How is it that commercial software with highly paid full-time employees is beaten - time and time again - by volunteers?

    Thank you for doing what you do.
     
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Glad you got things back to normal. I stopped using those $50+ antivirus programs years ago. They not only miss many infections, they slow down and cripple a computer and the other protection programs one might use.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Creighton, I'd like you to attach the Combofix report to your next reply.

    You did the right thing by not running it when you saw previous references to it. But we don't make any assumptions about it and part of the guidance you should get comes from reviewing that report. You had a significant amount of malware in the original scans.

    To get the Tracking Cookies under control:
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    Do you need the DNS Suffix Search List? If your computers are not located in Target stores or their corporate HQ, and you don't work for or with them, you don't need those entries in your list. Under Local Area Connection - Properties - Internet Protocol (TCP/IP) Properties - Advanced - DNS tab, look in the "Append these DNS suffixes" list, and remove all of that. Likewise "DNS suffix for this connection". Or is there a reason why you need that?


    This refers to this section:
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com


    So as far as I'm concerned, you're not through yet.
    I need to see the Combofix report.
    You need to do a rescan with HijackThis and give me a new log.

    And I'd like you to run an online virus scan and include the log:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Resolving one problem does not mean the system is clean.
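An added Python example (not code from the thread or from HijackThis): it parses the four O17 lines quoted above and lists every suffix that is not under a domain the machine's owner expects. Windows appends each entry in SearchList to unqualified hostnames, so a search list left over from an employer's network silently sends those lookups to that employer's domains, which is why the post asks whether the entries are still needed.

```python
import re

# The four HijackThis O17 lines exactly as quoted in the thread above.
O17_LINES = r"""
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com
""".strip().splitlines()

# O17 layout: 'O17 - <registry key>: <value name> = <value>'
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<name>\w+) = (?P<value>.*)$")


def parse_o17(line):
    """Return (registry key, value name, [entries]) for one O17 line, or None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    entries = [e.strip().lower() for e in m.group("value").split(",") if e.strip()]
    return m.group("key"), m.group("name"), entries


def audit_search_list(lines, expected_suffixes):
    """Report every SearchList suffix that is not a domain (or subdomain of one)
    the owner expects to resolve. Returns {registry key: [unexpected suffixes]},
    containing only the control sets that have at least one offending entry."""
    expected = {s.lower().lstrip(".") for s in expected_suffixes}
    findings = {}
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None or parsed[1] != "SearchList":
            continue
        key, _, entries = parsed
        bad = [e for e in entries
               if not any(e == d or e.endswith("." + d) for d in expected)]
        if bad:
            findings[key] = bad
    return findings
```

Running it with an empty expectation list flags all six suffixes in every control set; with "target.com" allowed, only the unrelated "tgt.com" remains flagged.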
     
  9. Creighton

    Creighton TS Rookie Topic Starter

    follow up post combofix logs

    Thanks, Bobbye - here is the log you requested.

    I will make the FF changes too.

    I did work for Target HQ and used my home computer to access work files.

    I still have a LONG wait between logging on and getting the systray programs to finish starting - it's like something has to time out before I can begin using my computer every time I boot up. Any advice ?

    Thanks Again!
     
  10. Creighton

    Creighton TS Rookie Topic Starter

    HijackThis

    Oh and here's the new HJT log...
     
  11. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It could be McAfee; basically, McAfee is usually pretty heavy on system resources, and it hasn't even helped you this time either.
    How many days have you got left on its subscription? If it's not many, I'd suggest uninstalling it and using a less resource-hungry and better (IMO) antivirus: Free Avira (it's free ;))

    Oh and start HJT and do a scan only and fix these: (they just stood out a mile)
    And you might want to stop Quicken from starting with Windows as well :)
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Log?
     
  13. Creighton

    Creighton TS Rookie Topic Starter

    Oops, here's the ESET log as well as the most recent HJT log after making the changes suggested by kimsland.

    Good news is that I seem to have shaken off the bugs! (thank you!). Bad news is that my startup problem is still there... I now go to get a cup of coffee whenever I restart ;-) it's usually almost done restarting when I get back.

    Anything else you'd recommend for either problem?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The reason? Because you do the searches from within the browser. And since these are all browsers, it is reasonable to think the redirect affects all of them>> not always, nor all of the time- just 'reasonable.'

    It looks like you did 4 Eset scans: For these:
    1. # local_time=2009-11-15 08:11:03 (-0600, Central Standard Time)
    C:\Documents and Settings\Mitchell\Application Data\Sun\Java\Deployment\cache a variant of Java/TrojanDownloader.OpenStream.NAD Trojan (deleted - quarantined)

    Go to the Control Panel> Java> Temporary internet files tab> Settings> Delete files.

    # utc_time=2009-11-17 08:09:22>>> 1/1
    # local_time=2009-11-17 02:09:22 (-0600, Central Standard Time)
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.PY virus (deleted - quarantined)
    Qoobox is the folder that Combofix places the quarantines. To remove:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    If this is no longer the case, I recommend that you remove the following:
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nic.target.com,tgt.com,dist.target.com,stores.target.com,hq.target.com,target.com

    Empty the Recycle Bin

    Malware is not the reason you're slow in startups or rebooting. That appears to be due to a system problem. You do have some extra startups, but not enough to cause this. To troubleshoot this:

    Click on Start> Run> type in msconfig> enter> Selective Startup> Startup tab> Uncheck everything except the McAfee processes and any that are necessary for your network activity> Apply> OK.

    NOTE: the first time you reboot after making changes using msconfig, you'll get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    The loading of Special processes such as:
    DisplayKEY eSYNC> Real Estate update
    GE Security Supra\ProxyDaemon.exe
    SSL\stunnel-4.10.exe
    Dell Server Administrator Daemon

    can add to the Start time

    As can the Services set to start automatically. There are currently 28 Services showing running.
    7 of these are for McAfee
    5 Are Roxio 'share' related
    2 belong to the Cisco Secure Services Client (SSC)


    So figure McAfee and the CheckPoint (Cisco) Services need to have automatic startup. That would mean 19 of those Services could be reset to Manual Startup type to only start when needed.

    Please delete current Eset logs and rescan to make sure those entries are gone. Please post the log.

    When we know the system is clean, I'll have you remove the cleaning tools and set a new, clean restore point.
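An added Python example (not from the thread or from ESET) of the triage applied to the ESET hits above: a detection inside the ComboFix quarantine folder or the Java deployment cache is a leftover of an earlier cleanup, handled by uninstalling ComboFix or clearing the Java cache, while anything elsewhere is a live finding that still needs attention. The log sample is constructed in the layout of the excerpts quoted above; the tab between path and threat name is an assumption.

```python
import re

# Constructed sample in the layout of the ESET Online Scanner excerpts quoted in
# this thread: '# key=value' header lines, then one detection per line as
# '<path>\t<threat name> (<action>)'. The tab separator is an assumption.
SAMPLE_LOG = (
    "# local_time=2009-11-15 08:11:03 (-0600, Central Standard Time)\n"
    "C:\\Documents and Settings\\User\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\12\\sample.idx\t"
    "a variant of Java/TrojanDownloader.OpenStream.NAD Trojan (deleted - quarantined)\n"
    "# local_time=2009-11-17 02:09:22 (-0600, Central Standard Time)\n"
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\atapi.sys.vir\t"
    "Win32/Olmarik.PY virus (deleted - quarantined)\n"
    "C:\\WINDOWS\\system32\\drivers\\sample.sys\tWin32/Olmarik.PY virus (unable to clean)\n"
)

DETECTION_RE = re.compile(r"^(?P<path>[^\t]+)\t(?P<threat>.+?) \((?P<action>[^()]*)\)$")


def classify(path):
    """Say where a detection sits: an already-isolated leftover or a live file."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"   # removed by 'Combofix /Uninstall'
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"            # removed via Java control panel > Temporary Internet Files
    return "live"


def parse_eset_log(text):
    """Return one dict per detection, tagged with the scan time it belongs to."""
    detections, scan_time = [], None
    for line in text.splitlines():
        if line.startswith("# local_time="):
            # header line like '# local_time=2009-11-17 02:09:22 (-0600, ...)'
            scan_time = line[len("# local_time="):].split(" (")[0]
        elif line and not line.startswith("#"):
            m = DETECTION_RE.match(line)
            if m:
                d = m.groupdict()
                d["scan_time"] = scan_time
                d["category"] = classify(d["path"])
                detections.append(d)
    return detections


def live_findings(detections):
    """Detections outside quarantine and cache locations, i.e. the ones still needing action."""
    return [d for d in detections if d["category"] == "live"]
```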
     