TechSpot

Google links redirecting, 8 steps have been done

By Bensnap
Jan 14, 2010
  1. Hello, I have the problem with Google redirecting links to random websites. I did the 8 steps. Thanks in advance for your help.
     


  2. Bensnap

    Bensnap TS Rookie Topic Starter

    Bumping for help.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You've been very patient Ben- thank you. My apology for the delay.

    Here's the problem

    O2 - BHO: Internet Explorer Plugin - {8BFD4136-BF8E-4136-A6BF-62A538A82934} - bzhcwcio2.dll (file missing)


    Internet Explorer Plugin bzhcwcio2.dll: Infostealer trojan, detected as TrojanSpy:Win32/Ambler.D. Trojan-Spy.Ambler attempts to steal passwords and other confidential information from affected systems.

    First thing you need to do is to change all of your passwords. And monitor any online financial transactions.

    I'd like you to run this online scan first:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please attach the log to your next reply.
     
  4. Bensnap

    Here is the log from Eset online scanner.
     

    Attached Files: log.txt (1.6 KB)
  5. Bobbye

    Thank you. Please rescan with HijackThis and leave a new log to make sure the entry has been removed.

    IF the redirecting has continued, please answer the following:
    Since you question a Google Redirect, I'd like you to describe what's happening:
    1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
    2. Does a different site load?
    3. Does any site load?
    4. Are the sites the same/different?
    5. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?
     
  6. Bensnap

    When I search with any engine, the top result usually works the first time. From the second link down they redirect to different random websites like fake search sites or advertising. I can copy the web address and paste it in a new tab and it works. On occasion a tab will randomly pop up and go to an advertisement website.
     


  7. Bobbye

    Regarding: O1 - Hosts: 193.169.12.8 nosd.info
    netname: TITANNET
    descr: Financial company "Titan" LTD
    country: BZ> Belize

    This points to an infection called W32.SillyDC [Symantec]

    Unless you have a connection with Northern Ozaukee School District (NOSD), it is located in Belize in Central America, and you have your Hosts file on TITANNET, the Hosts file has been hijacked. When you try to search, your search is being routed to Belize.

    This entry is not in your first HJT log!

    I'd like you to run another, different, online scan:
    Open Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    If Kaspersky finds anything, it will have a different name. Leave the Kaspersky log. Rescan with HJT and leave new log.

    Please tell me what your status is at this point regarding the redirecting?
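    The two HijackThis lines the helper singled out above (the O2 BHO entry with a missing, randomly named DLL in the first reply, and the O1 Hosts entry pointing nosd.info at a Belize address in this one) can be picked out mechanically. The script below is an added example, not HijackThis code and not part of the original thread; the two flagged lines in its sample log are the ones quoted in the thread, while the other sample lines, the CLSID in them and the "random name" thresholds are constructed for the demo.

```python
"""Triage O1 (Hosts) and O2 (BHO) lines from a HijackThis-style log.

Added example; not HijackThis code. Lines 2 and 4 of SAMPLE_LOG are the ones
quoted in the thread; the other sample lines and their CLSID are constructed.
"""
import re
from ipaddress import ip_address

# Pointing a name at the local machine is the normal use of the hosts file
# (ad blocking, local development). Anything else diverts the name elsewhere.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")


def looks_random(stem):
    """Crude generated-name heuristic: a run of 4+ non-vowels, or fewer than a
    quarter of the letters being vowels. Legitimate low-vowel names trip it too
    (the thread's own emptyregdb.dat would), so a hit is a lead, not a verdict."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if not letters:
        return False
    vowels = sum(ch in "aeiou" for ch in letters)
    longest = max((len(run) for run in re.findall(r"[^aeiou]+", letters)), default=0)
    return longest >= 4 or vowels / len(letters) < 0.25


def triage_hosts(ip, name):
    try:
        addr = ip_address(ip)
    except ValueError:
        return [f"unparseable address {ip!r} for {name}"]
    if ip in LOCAL_TARGETS or addr.is_loopback:
        return []
    return [f"{name} is pinned to {ip}: every lookup of that name goes off-host"]


def triage_bho(name, clsid, target):
    reasons = []
    path = target.replace("(file missing)", "").strip()
    if path != target:
        reasons.append("registered but the DLL is absent (orphaned entry or already removed)")
    if "\\" not in path:
        # A bare file name is resolved through the DLL search path, which is
        # where droppers park randomly named files in system32.
        reasons.append("no path given, DLL resolved via the search path")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append(f"random-looking file name {stem!r}")
    return [f"{name} {clsid}: {r}" for r in reasons]


def triage_log(text):
    """Return [(line, [reasons])] for every O1/O2 line that deserves a look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            reasons = triage_hosts(*m.groups())
        else:
            m = O2_RE.match(line)
            reasons = triage_bho(*m.groups()) if m else []
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample log: lines 2 and 4 are from the thread, the rest are made up.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 193.169.12.8 nosd.info
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - c:\\program files\\example\\helper.dll
O2 - BHO: Internet Explorer Plugin - {8BFD4136-BF8E-4136-A6BF-62A538A82934} - bzhcwcio2.dll (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

    Two practical caveats: a "(file missing)" BHO still leaves its CLSID registration behind, so the registry entry has to be cleaned even though the DLL is gone, and a hosts entry is only a hijack if the machine's owner did not add it, so confirm against C:\Windows\System32\drivers\etc\hosts before acting on it.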
     
  8. Bensnap

    Scanned with kaspersky but it didn't come up with anything. Still redirecting links in google.
     


  9. Bobbye

    Okay, obviously we're not reaching it:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Please leave the ComboFix report in your next reply.
     
  10. Bensnap

    Here is my Combofix log for ya.
     


  11. Bobbye

    Ben, check the date on the computer clock. The first 2 files have a date of:
    2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\program files\microsoft frontpage
    2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat

    Also a question: Combofix report deletions section says:
    ---- Previous Run -------
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    c:\windows\system32\Thumbs.db

    When/where was previous run?
     
  12. Bensnap

    My computer clock is correct.

    I had to run Combofix a second time because while it was writing the log on the first run my computer got a BSOD. Ran it a second time and it worked fine.
     
  13. Bobbye

    Okay Ben, I wrote some script to remove entries in Combofix- am having it checked now. Will be back as soon as I get the reply.
     
  14. Bobbye

    Sorry for the delay Ben. I didn't get an answer on my Combofix question, but if you are still having the redirecting problem, there are some files I'd like you to submit for identification:

    Suspicious file(s) to scan (browse or upload at VirSCAN):
    c:\windows\system32\vfnzejjn10.dll
    c:\windows\system32\uyishz.dll


    1. You can upload any files, but there is a 20 MB limit per file.
    2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
    3. VirSCAN can scan compressed files with password 'infected' or 'virus'.

    Please paste the results in your next reply.
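    Two things the helper did by eye in the last few replies, checking whether the ComboFix "Files Created" timestamps make sense against the clock and picking out recently dropped files in system32, can be scripted over the log. The block below is an added example, not ComboFix code and not part of the original thread. It assumes the column order is creation time, then last-modified time, size, attributes and path; the first two sample entries are the ones quoted above, the remaining entries and the scan time are constructed.

```python
"""Timestamp checks over the "Files Created" entries of a ComboFix-style log.

Added example; not ComboFix code. The column order (created, modified, size,
attributes, path) is an assumption about the format. The first two sample
entries are quoted in the thread; the rest, and SCAN_TIME, are constructed.
"""
import re
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+)$"
)
STAMP = "%Y-%m-%d %H:%M"


def parse_entries(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m.group(1), STAMP),
            "modified": datetime.strptime(m.group(2), STAMP),
            "size": m.group(3),
            "attrs": m.group(4),   # a leading 'd' marks a directory
            "path": m.group(5),
        })
    return entries


def check_entries(entries, scan_time, window=timedelta(days=7)):
    """Return [(path, [reasons])] for entries worth a second look."""
    findings = []
    for e in entries:
        reasons = []
        is_dir = e["attrs"].startswith("d")
        if e["created"] > scan_time:
            reasons.append("created after the scan: clock wrong or timestamp forged")
        elif e["created"] > e["modified"] + timedelta(minutes=1):
            # Copying keeps the source's modified time but stamps a fresh
            # creation time, so created > modified means the file was dropped
            # here from somewhere else. Installers do this too; it is a lead.
            reasons.append("created later than modified: copied in, not written here")
        if (not is_dir and "\\system32\\" in e["path"].lower()
                and timedelta(0) <= scan_time - e["created"] <= window):
            reasons.append(f"new file in system32 within {window.days} days of the scan")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


# Constructed sample: the first two entries are from the thread, the rest made up.
SAMPLE_LOG = """\
2010-02-19 18:34 . 2010-02-19 18:34 -------- d-----w- c:\\program files\\microsoft frontpage
2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\\windows\\system32\\emptyregdb.dat
2010-02-10 09:12 . 2009-06-01 04:00 51200 ----a-w- c:\\windows\\system32\\vfnzejjn10.dll
2010-01-20 10:00 . 2010-01-20 10:00 -------- d-----w- c:\\documents and settings\\user\\Application Data\\Example
"""
SCAN_TIME = datetime(2010, 2, 15, 12, 0)   # assumed time the log was taken

if __name__ == "__main__":
    for path, reasons in check_entries(parse_entries(SAMPLE_LOG), SCAN_TIME):
        print(path)
        for reason in reasons:
            print("   ->", reason)
```

    Pass the real time the log was generated as the scan time; a handful of entries dated after it, as in the two lines queried above, usually means a wrong clock, while a single future-dated file among otherwise sane ones is the pattern to treat as deliberate timestamp tampering.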
     
  15. Bensnap

    Here is the scan for one of the files you wanted. For the other file VirSCAN says it's OK.
    Google seems to have stopped redirecting now. Thanks for your help.
     


  16. Bobbye

    Okay, let's try to move both of these files:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      c:\windows\system32\vfnzejjn10.dll
      c:\windows\system32\uyishz.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    When you have finished, please run this online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please include the log in your next reply. If it's clean, I'll have you remove the cleaning tools and old restore points.
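    The OTMoveIt script above is plain text: a few ":Section" headers with one path per line under ":Files". The block below is an added example, not OldTimer's OTMoveIt and not part of the original thread; it parses that syntax and moves the listed files into a quarantine folder instead of deleting them, hashing each one first so a sample survives for submission to a scanner. The quarantine layout, the log format and the throwaway folder the demo runs against are this example's own constructions (the two file names in the demo are the ones from the thread, the file contents are made up).

```python
"""Quarantine the files listed in an OTMoveIt-style ":Files" section.

Added example; not OldTimer's OTMoveIt. Reads the same ':Section' /
one-path-per-line syntax as the script quoted in the thread. The quarantine
layout, hashing step, log format and demo tree are this example's own choices.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime


def parse_fix_script(text):
    """Return {section_name: [lines]} for a script made of ':Section' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(paths, quarantine_dir):
    """Move each file under quarantine_dir, mirroring its original location,
    after recording its hash. Missing and locked files are reported rather than
    skipped, so the log shows what still needs a reboot-time move."""
    records = []
    for src in paths:
        rec = {"source": src, "status": None, "sha256": None, "dest": None}
        if not os.path.isfile(src):
            rec["status"] = "missing"
            records.append(rec)
            continue
        rel = os.path.splitdrive(src)[1].lstrip("\\/")
        dest = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        try:
            rec["sha256"] = sha256_of(src)   # hash first so the log has it even if the move fails
            shutil.move(src, dest)
        except OSError as exc:               # typically "file in use" on Windows
            rec["status"] = f"error: {exc}"
        else:
            rec["status"], rec["dest"] = "moved", dest
        records.append(rec)
    return records


def write_log(records, log_dir):
    """Write a mmddyyyy_hhmmss.log with one line per file and return its path."""
    os.makedirs(log_dir, exist_ok=True)
    path = os.path.join(log_dir, datetime.now().strftime("%m%d%Y_%H%M%S") + ".log")
    with open(path, "w") as fh:
        for r in records:
            fh.write(f"{r['status']}\t{r['sha256'] or '-'}\t{r['source']} -> {r['dest'] or '-'}\n")
    return path


def demo():
    """Build a throwaway tree with one present and one absent file, run a
    two-file script against it, and return the records."""
    root = tempfile.mkdtemp()
    present = os.path.join(root, "system32", "vfnzejjn10.dll")   # name from the thread, contents made up
    absent = os.path.join(root, "system32", "uyishz.dll")
    os.makedirs(os.path.dirname(present))
    with open(present, "wb") as fh:
        fh.write(b"MZ constructed sample, not a real binary\n")
    script = f":Processes\n\n:Files\n{present}\n{absent}\n\n:Commands\n[emptytemp]\n[Reboot]\n"
    files = parse_fix_script(script).get("files", [])
    qdir = os.path.join(root, "_Quarantine", "MovedFiles")
    records = quarantine(files, qdir)
    write_log(records, qdir)
    return records


if __name__ == "__main__":
    for r in demo():
        print(r["status"], r["sha256"] or "-", r["source"])
```

    Quarantining rather than deleting is what lets a helper name the infection afterwards, as happens in the next reply with the VirSCAN result: the hash in the log can be looked up even after the file itself has been removed, and a file reported as "error" because it is in use is exactly the case the original tool handles by finishing the move on reboot.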
     
  17. Bensnap

    Here are the scans you asked for. Thanks.
     


  18. Bobbye

    Thanks Ben. I haven't learned how to write script yet, so I used OTMoveIt. This is the worm found on the scan I had you submit:

    Worm:Win32/Ambler.A is a worm that spreads via networked and removable drives, and attempts to steal sensitive information, such as passwords, from an affected computer.

    It appears to be well quarantined and out of the system. Qoobox will be removed when I have you uninstall ComboFix. Because of the nature of this infection, you should change all of your passwords and monitor any online financial transactions.

    If you used a flash drive on this computer while it was infected, or if you have a network set up, they will need to be scanned also. You should be able to use the Eset online scan.

    If the problems caused by the malware have been resolved, you can remove the cleaning tools:

    Uninstall ComboFix.exe and all backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.


    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    Please let me know if I can be of any more help.
     