Browser Redirect problem in IE and Firefox

Status
Not open for further replies.

Astronerd

The Browser is redirected to an ad site when I click on one of the search results. It does this no matter if it's IE or FireFox. I ran all of the procedures in the 8 step process. One problem, though... After the CCleaner ran, the reboot turned McAfee back on. I did not catch this. I hope I did not complicate things.

Thank You,
The Astronerd
 

Attachments

  • hijackthis.log
    12.7 KB · Views: 5
Tmagic650,
OK... I ran the ESET scanner and it found nothing. I couldn't find a log file for it, though. I haven't tried to run a browser yet. What do you think?
 
I went back and downloaded all updates for the 8 step process and then unhooked my LAN cable. I turned off McAfee. I ran the 8 step process. I have included the log files plus an added log from AdAware. CCleaner, Malwarebytes, SUPERAntiSpyware found nothing. I'm not familiar with the guts of HijackThis to know if it shows unless I take the log to www.hijackthis.de to have it analyzed. AdAware seems to have found a bunch of stuff.
More symptoms:
The redirect is going to newserversearch.com, errrawscevehseen.com and sasrceewrrehven.com among other sites. My right mouse button no longer works on the browser window so I can't "copy and paste".
 
New Information:
I do not know if this matters or not but when the machine is booted up in safe mode with networking, the redirect does not happen.
 
This information might help you assess the cause of the problem:

Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.
 
OK...
I downloaded all of the updates for the 8 step and followed ALL of the instructions. Disconnected LAN cable. Disabled McAfee per instructions. Disabled McAfee firewall per instructions. Ran the 8 step processes. I turned McAfee back on. Reconnected the LAN cable.
I used a Google search to try to get back to this forum. Got redirected.
Right mouse button still disabled for cut-n-paste.
Here are the log files.
What do I do now?
The problem still exists.
 

Attachments

  • hijackthis12-24-2009-2.log.txt
    12.9 KB · Views: 5
  • mbam-log-2009-12-24 (15-11-30).txt
    870 bytes · Views: 5
I guess this machine is going to be a "boat anchor" until I reformat the hard drives. I would like to preserve all .doc, .xls, .jpg, and .raw files. But as you guys have said, .doc files and others must be suspect. Can these files be scanned somehow so as to NOT transfer the infection to the reformatted drives? Is there a specific set of instructions as to how to rebuild this machine and prevent reinfection during the rebuild? My machine specs are in my profile. I have a three machine subscription to McAfee. The other machines are clean.
Oh, as an afterthought, about a month before the infection showed up, I deleted Windows Defender to try and relieve the "head banging" 100% CPU utilization that lasted about 10 minutes after a cold boot.
 
Astronerd, since the other member who gave you instructions doesn't come back to a thread, I'll be glad to help you. The advice to turn off System Restore should not have been given.

You did not need to disable all of your security to run these programs. Please be sure it has been enabled again. Also, please turn System Restore back on.

Can you please tell me just what's happening? Why do you think you need to reinstall and what malware do you think has gotten into your files?

I don't see anything in the logs that you left that would account for the redirect. The mouse problem is a separate matter. It appears that you have several processes on the system to help with the online schooling. If you don't mind, I'd like to run them by you to make sure you know they're running: I'm leaving short descriptions for you:

Ipswitch Transfer Service>> Move files from your computer to any server in the world.
MathXL online homework, tutorial, and assessment system.
Install From The Web Client
Microsoft Virtual Server
System Requirements Lab>> analyses your computer to see if it can run a specific product
Pearson Installation Assistant>> for MathXL
Pearson Education Inc. Online>> Learning tools.
Sibelius Scorch free web browser plug-in that lets you play, transport, change instruments, save and print your Sibelius scores on the Internet.


And these which point to Central Piedmont Community College > open Spring, 2010

C:\Program Files\CPCC E-Locker Webdrive\wdservice.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\CPCC E-Locker Webdrive\wdservice.exe


These are all legitimate processes. If you are using them now actively, there is no problem. If you are not, we should set up a removal.

One I wasn't sure of:

C:\Program Files\Common Files\Winferno\WSS\WSS.exe???
O23 - Service: Winferno Subscription Service - Capital Intellect Inc - C:\Program Files\Common Files\Winferno\WSS\WSS.exe


I couldn't determine what you were subscribed to.

It's all in the name of security. Many times, people have processes running they aren't aware of or that they no longer use.
 
Thanks Bobbye!
Naturally, I'm writing from a different machine.
Since becoming infected, the machine in question has been disconnected from the internet. The only time it is reconnected is to update the tools suggested for cleaning. After the updates, the LAN cable is removed again. By being offline, the disabling of the security programs is moot as long as I turn them back on after the scans, isn't it? I did turn System Restore back on after the last scan.
Now for the symptoms:
Connect to the internet. Pull up google. Enter a search for "blue moon". The list comes up. Select the entry for the "Blue moon - Wikipedia, the free encyclopedia". It actually goes to the correct site. Now enter a search for "astronomy". The list comes up. Select the entry for "Astronomy Picture of the Day". The result page has:

Server not found
Firefox can't find the server at nressaceerhrewv.com.

Return to google. Enter the search for "blue moon" again. The list comes up. Select the entry for the "Blue moon - Wikipedia, the free encyclopedia". The result page has:

Server not found
Firefox can't find the server at nressaceerhrewv.com.

I have no clue as to why, after all of the scans have completed, the search selection seems to work only once.

Now, as to the programs you referenced:
Ipswitch Transfer Service is connected to WS_FTP pro, which is an FTP file transfer program I use for updating web sites that I maintain. I use it regularly.
Sibelius is a music sheet transfer program. It is now deleted.
CPCC E-Locker is a way to connect my school drive to my machine as though it is local. It is now deleted.
Winferno is a registry cleaner that was recommended by McAfee. I have had it for about 8 months.
MathXL is an online homework program that my sons had used several years ago. I thought I deleted it. It does not show on Add/Delete. I would have assumed that Winferno would have cleaned up any unattached files.
Microsoft Virtual Server does not show on Add/Delete. How do I get rid of it?
Install From The Web Client - can not find this either. Don't know what it is.

Any help you can give is greatly appreciated. Maybe I will not have to spend two weeks reloading this machine?
 
Thank you for filling me in. I have started asking people to describe the 'redirect' because I found that whenever someone uses Google and has a problem accessing a site, they are using the catch-all phrase "Google Redirect."

"Firefox can't find the DNS server at newserversearch.com." One Firefox user left this message for other users with the same problem in the Mozilla support:
The virus would redirect to various anagrams of newserversearch.com. I was able to trace that domain back to the host and contacted them to alert them to this illegal activity. A day later newserversearch.com was offline. So now you just get an error instead of the redirect.

The consensus was the use of the Trojan Remover program. It appears to find this file that the other programs do not.

Download Trojan Remover:
This security utility is available as a fully-working evaluation copy that will work for 30 days before you must either register or uninstall it. NOTE: You do NOT have to Register to run this 'evaluation copy.'

You will find the download site here: http://www.simplysup.com/tremover/download.html

  • [1] Download the program and SAVE to your desktop.
    [2] Double click on the trjsetup to run the program.
    [3] Follow the onscreen instructions.
    [4] Save the log and print to Notepad. Include in your next reply.
    (Trojan Remover writes a detailed logfile every time it performs a scan. This logfile contains information on which programs load at boot-time, and what (if any) actions Trojan Remover carried out. The logfile can be viewed and printed using Notepad.)
    [5] Once you have installed Trojan Remover you can delete the downloaded trjsetup file.

Reboot the computer. See if that handles the server redirect.

Rescan with HijackThis and leave new log and the report from the Trojan Remover in your next reply.
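
The redirect targets reported in this thread are letter rearrangements of newserversearch.com, so a fixed blocklist misses the next variant. The following is an added example, not part of the original thread or of any tool mentioned in it: it flags hostnames in a proxy-style log whose label is an anagram of the seed domain. The log lines and the `slack` tolerance are assumptions (one domain as typed in the thread carries one extra letter).

```python
from collections import Counter
from urllib.parse import urlsplit

SEED = "newserversearch"  # label of the domain named in the thread

# Constructed proxy-style log lines (date, time, method, URL); not from the attached logs.
SAMPLE_LOG = """\
2009-12-24 15:01:02 GET http://www.google.com/search?q=astronomy
2009-12-24 15:01:09 GET http://nressaceerhrewv.com/
2009-12-24 15:03:40 GET http://en.wikipedia.org/wiki/Blue_moon
2009-12-24 15:05:11 GET http://sasrceewrrehven.com/
2009-12-24 15:06:27 GET http://errrawscevehseen.com/
2009-12-24 15:07:55 GET http://www.newserversearch.com/
2009-12-24 15:09:13 GET http://apod.nasa.gov/apod/astropix.html
"""

def domain_label(host):
    """Label left of the TLD, e.g. 'foo' for www.foo.com (assumes a one-part TLD)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def letter_distance(a, b):
    """Count of letters to add or drop to turn the letter multiset of a into that of b."""
    ca, cb = Counter(a), Counter(b)
    return sum(((ca - cb) + (cb - ca)).values())

def classify(host, seed=SEED, slack=1):
    """Return 'seed', 'anagram', 'near-anagram' (within slack letters) or None."""
    label = domain_label(host)
    if label == seed:
        return "seed"
    dist = letter_distance(label, seed)
    if dist == 0:
        return "anagram"
    return "near-anagram" if dist <= slack else None

def scan(log_text):
    """Return (hostname, verdict) for every log line whose host matches the seed pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        host = urlsplit(fields[3]).hostname
        verdict = classify(host) if host else None
        if verdict:
            hits.append((host, verdict))
    return hits

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:13} {host}")
```

A hit in a DNS or proxy log only identifies the affected machine; the file or scheduled task driving the redirect still has to be found on the host.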
 
This logfile can be viewed in Trojan Remover by selecting 'Help > View Update Log'.

This may just be the log for updates; I'm not sure. Check it and let me know. When you did the download, then the scan, were there any instructions to name the file?
 
Found it! It's called TRLOG.TXT. The update of the virus signatures is called UPDLOG.TXT.
It is in:

C:\Documents and Settings\ "User ID" \My Documents\Simply Super Software\Trojan Remover Logfiles

Here it is...
 

Attachments

  • TRLOG.TXT
    55.9 KB · Views: 5
Click on any item in the selection list and this comes up:

Server not found
Firefox can't find the server at nressaceerhrewv.com.
 
Download LockSearch to your desktop
  • A window will pop up, Press 2 and then Enter.
  • A scan will start, let it run uninterrupted. It should only take a few minutes.
  • A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop.
  • Copy and paste the contents of the log in your reply
 
Thank you for the assistance kritius.

Tmagic, stay out of this thread. Your 'help' is neither wanted nor needed. You deserted this member a week ago after giving him bad advice.
 
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\pschdcnte.dll
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    %systemroot%\Tasks\
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
OK... Here are the two log files
 

Attachments

  • OTM Log.txt.txt
    2.4 KB · Views: 2
  • SystemLook.txt
    3.2 KB · Views: 3
bevzz, yes, this is a common problem. But you need to start your own thread, following the steps HERE and attaching the logs for review.

Although malware can cause redirects, it is not always the same malware and the 'fix' will depend on identifying it.
 
Still being redirected?


Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\Tasks\PHINSDVGE.job
    
    :Commands
    [purity]
    [emptytemp]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 