Solved Google Redirect

flattop

Hi all.. I am having great trouble finding out what is redirecting my Google searches. NOD32 is blocking the pages that try to display and then I get a message saying the page cannot be found... then a fresh homepage displays. I have cleaned many computers, but none of my methods will find what's going on with this laptop. I could sure use some help. Please find the files attached you requested.

Thanks!
flattop
 

Attachments

  • hijackthis.log (5.9 KB)
  • mbam-log-2010-04-12 (15-45-11).txt (906 bytes)
  • SUPERAntiSpyware Scan Log - 04-12-2010 - 23-42-10.log (1.9 KB)
Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log.

========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thank you for your help. It is very much appreciated. Please find the three attachments you requested.

Also when I download any file (like GMER) it downloads at normal speed, but when it gets to the end of the download (where it starts saving to desktop) it takes at least 4-5 minutes and sometimes even fails. Don't know if this has anything to do with this problem or not, but thought I'd mention it.

Thank You..

flattop
 

Attachments

  • gmer.log (5.4 KB)
  • ComboFix.txt (18.9 KB)
  • hijackthis.log (5.5 KB)
I see that you ran Combofix before, so I'd like to see the ComboFix2.txt file (located in the C:\ folder).

How is the redirection issue?
 
Hi Broni,

Sorry but the first file isn't there any longer. I am certain I deleted it and when checking the only one there is the one I sent you which is from the most recent scan.

My problem is still very much present. Just getting to this page it made 2 attempts. NOD stopped them both as before, but then it tells me the page (http:// and a whole bunch of gibberish with no www.) cannot be displayed and then pops open a fresh Google homepage as before. Then you close from 2-4 of those windows depending on how many attempts it makes to redirect you and then you get back down to the page you wanted.

So no joy yet.
flattop
 
I'm aware your computer is still infected.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.

=========================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main text field:
    Code:
    :filefind
    iaStor.sys
    termdd.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Thanks Broni. Here are the two files you requested...
Thanks for the help!
flattop
 

Attachments

  • SystemLook.txt (5.1 KB)
  • TDSSKiller.txt (8.3 KB)
Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\Windows\System32\drivers\iaStor.sys|C:\Program Files\Intel\Intel Matrix Storage Manager\driver\IaStor.sys /replace
C:\Windows\System32\drivers\termdd.sys|C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\termdd.sys /replace
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Hi Broni

Well I'm using another computer now. After running OTM it asked for a reboot and I chose Yes.. and it crashed. Now it won't boot. I tried several times with no luck so let it try its repair function. It worked for a while and then wanted to try to restore to an earlier time. I canceled that and it worked for quite a while and then came back saying it couldn't fix the problem. Looking at the details it basically was saying the reason was unknown.

Any suggestions? Or should I just go ahead and redo the machine?

flattop
 
Hi Broni.. This is a Vista machine. But I finally relented and let it try a restore point. The only one on this machine was one I created yesterday. So I'm back up on the infected laptop. Don't have a clue as to how far restoring has set you back in trying to help me though. Very sorry about that. But I can say the problem still is here for sure. Oh and OTM is no longer on the desktop either, so not sure if what it was attempting got accomplished or not either.

flattop
 
Hi Broni

Will try this again. Hope I'm not messing up but the last post for some reason didn't post that I can see.

Here is the gmer log file you requested.

Thank you.
flattop
 

Attachments

  • gmer.log (5.4 KB)
Yeah, we're back to the very same issue.

Let's see if we can look at your computer booting from an external source.

You will need a USB flash drive to move information from the bad computer to a working computer.

You need to download two programs.

First

ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

Second

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system (Non working computer) using the boot CD you just created.
    • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box Automatically Load All Remaining Users is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Registry to All
    • Under Custom Scan box paste this in:

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      tos_sps32.sys
      termdd.sys
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      userinit.exe
      explorer.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.
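As an added illustration (not part of the thread, and not a substitute for the tools Broni used), the PowerShell below checks the same property the OTL /md5start list and the OTM /replace lines depend on: whether the live termdd.sys and iaStor.sys still match a copy in DriverStore\FileRepository and carry a valid Authenticode signature. It assumes an elevated prompt and that a DriverStore copy of each driver exists on the machine; the driver names are the ones named in the thread.

```powershell
# Added example, not from the thread: compare live driver files against the
# copies Windows keeps in DriverStore\FileRepository and check their signatures.
# A live driver whose hash matches no DriverStore copy, or whose signature is
# not Valid, deserves a closer look; on its own it is not proof of infection.
# Assumes an elevated PowerShell prompt and that DriverStore copies exist.

$drivers  = @('termdd.sys', 'iaStor.sys')          # names taken from the thread
$liveDir  = Join-Path $env:SystemRoot 'System32\drivers'
$storeDir = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

foreach ($name in $drivers) {
    $live = Join-Path $liveDir $name
    if (-not (Test-Path $live)) {
        Write-Output "$name : not present in $liveDir"
        continue
    }
    $liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature -FilePath $live

    # Every DriverStore copy with the same file name (several versions may exist).
    $copies = Get-ChildItem -Path $storeDir -Recurse -Filter $name -File `
                            -ErrorAction SilentlyContinue
    $match  = $copies | Where-Object {
        (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq $liveHash
    }

    $verdict = if (-not $copies) { 'no DriverStore copy found' }
               elseif ($match)   { 'matches a DriverStore copy' }
               else              { 'MISMATCH: no DriverStore copy has this hash' }

    Write-Output ("{0,-12} sha256={1}...  signature={2}  {3}" -f `
                  $name, $liveHash.Substring(0, 16), $sig.Status, $verdict)

    if ($copies -and -not $match) {
        # List the candidate clean copies the thread's /replace lines restored from.
        $copies | ForEach-Object { Write-Output "    candidate: $($_.FullName)" }
    }
}
```

The OTL list in the thread covers many more storage and system drivers; extending `$drivers` with those names runs the same comparison for each of them.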
 
Ok.. Done this as close as it would let me. When I clicked the OTLPE icon it said there were no OSystems that were 2000 or later, so I couldn't do your first instruction as it never would give me the option to load the remote registry... so in the box that would open I chose the 'C' drive. It gave me the same message. In order to get the program to launch, I had to choose the 'Windows' folder. Then it launched and I followed all the rest of your instructions. Evidently OTLPE didn't like her version of Vista basic.

But here is the file it created for me doing the above....

Thank you
flattop
 

Attachments

  • OTL.Txt (197.6 KB)
We're dealing here with a very new variant of the TDSS rootkit, so there is no guarantee our cure will work. Proper removal tools are still being developed.

Do this on the computer you are posting from:
Copy the text in the codebox below:


Code:
:OTL

:Services

:Reg

:Files
C:\Windows\System32\drivers\termdd.sys|C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\termdd.sys /replace

:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into windows.

See how the redirection issue is.
 
Hi Broni
Well I followed your instructions. Booted to the CD we made, opened OTLPE, got the fix in place, ran scan, and then when it had finished it said click 'OK' to see the log file, but when I clicked OK no log showed up. I stopped right there, left the machine sitting and got on this one to ask if I should continue and reboot now to the CD in order to see the log or if it might be saved somewhere that I can retrieve it before continuing to a reboot? Or will it show up after a reboot?

Thanks
flattop
 
Hi Broni

Well did your instructions and no log file showed up, but I did find this one in the program's folder. Hope this is what you needed. I also have spent just a minute browsing on this computer (infected one) and haven't had any redirects since doing the last couple chores. So maybe?? You will be able to tell much better than me for sure.

Thank you
flattop
 

Attachments

  • 04142010_222343.log (2.1 KB)
Good news :)
It looks like the file was successfully replaced.

Now, I want you to re-run Malwarebytes (don't forget to update it) and post its log.
Delete your Combofix file, download a fresh one and post its log as well.
 
Hi Broni.

That's great news. And so far no more redirects! Here are the two logs you requested. The date and time on MB is wrong as somehow the time got changed and I didn't notice until in the middle of the scan. Downloaded a fresh copy of Combofix also as requested. When it started it said there was a CD emulator running that it had to shut down. Computer crashed during that and shut down. But booted back up normally and then Combofix ran normally. So hope things are fine. They seem to be.

Thank you.
flattop
 

Attachments

  • mbam-log-2010-04-15 (02-36-48).txt (893 bytes)
  • ComboFix.txt (19.7 KB)
All look good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

==========================================================================

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

  • Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
  • After the reboot all the tools we used should be gone.
  • The tool will delete itself once it finishes.

=======================================================================

Please run a BitDefender Online Scan

  • Disable your antivirus program.
  • Click Start Scanner button.
  • Click Start scan button
  • Allow browser plug-in to be installed when prompted.
  • Click I Agree to agree to the EULA.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on View log.
  • Notepad will open with scan results.
  • Save the report to your desktop and post its content in your next reply.

Post fresh HijackThis log as well.
 
Hi Broni

Ok. There are those two logs for you. BitDefender did find one virus. I am certain I have removed that 'ave' file from here in the past. I'm hoping it doesn't come back again.

Time for bed here in Nebraska. :)

Thank you for all your help.
flattop
 

Attachments

  • BitDef.txt (1.2 KB)
  • hijackthis.log (5.9 KB)
Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

Alternatively, I suggest you uninstall Spybot since it's a tool of the past.

=========================================================================

Disable Windows Defender, as it'll interfere with cleaning process:
- Open Windows Defender by clicking Start, clicking All Programs, and then clicking Windows Defender.
- Click Tools
then...

++ Windows XP:
- Click General Settings
- Scroll down to Real Time Protection Options
- Uncheck Turn on Real Time Protection
- After you uncheck this, click on the Save button
- Close Windows Defender

++ Windows Vista:
- Click Options
- Under Administrator options, clear the Use Windows Defender check box, and then click Save.

Enable Windows Defender, when all cleaning is done.

==========================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll


4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\TSS.exe" /hide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
 