TechSpot

I keep getting search redirects

By ghostrider4
Jan 13, 2010
  1. Whenever I try to click on a link in a search page I get redirected to a page with this and similar weird addresses: "http://newserversearch.com/?q=" but it's a bunch of words: <form action="http://68.169.70.144/go.php?c=zFlGUKdk4m2mbYUDi6S%2Fez46dTmrWfrQ%2BD8sxob4J%2FgDA2pXXBojkg%2F2MCWsr6GbhVNN09gHFnxkODE9n64IJdW5ZteyoT66oWtUiAxzABX0acZre9Pe9gcJNAEJ0R8yIPNtca2h5nRYI3SmFKz01g4GuW52Faszp%2BK1xwgTVNwFtd6zuBc0iQzbJaQE1MeEbvZX8XpwYxV8ilK3cIvhrpFq4WVNbw%2Bi88qigbfbMkeNNueycyUThROjaeHViQ7p1lBzWCy1VGQi2LYI9Fbym67geoqZ7LyCNrhQ2kQ. The last thing I remember downloading was an update for Flash Player to view an online trailer, but I was never able to view it. I'm sending my HJT log.
     


  2. Kevork

    Kevork TS Rookie Posts: 92

    Hi Ghostrider,

    Under Malware Removal you need to run the first 8 steps described in the thread before starting a new topic, or else you will not receive any support.

    Just a hint :)
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you Kevork.

    ghostrider4, you have been given good advice! We can't help clean malware seeing just a HijackThis log. The steps you were referred to can be found HERE.

    This will allow us to see more clearly what is on the system.

    When you have finished, please attach the 3 logs for review.

    I did take a look at the HijackThis log you left; it is exceptionally short. (I don't get to tell many people this!) It is possible that malware has suppressed some entries. It would be helpful if you temporarily disabled the System Mechanic SystemGuard Alerter.
     
  4. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    OK, I wasn't sure how to do this. I'll do the 8 steps and let you know what it finds, thanks.
     
  5. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    OK, here are the logs; it seems to have fixed it already. I ran these same programs a couple of days ago but they never found anything; this time they did.
     


  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Good job! Don't use System Restore while we're cleaning. There is malware in the restore points. I'll have you drop the old restore points when we're through and create a new, clean one.

    The short HijackThis log still bothers me. We need to make sure that the malware isn't suppressing anything. There are just 2 entries to remove:

    Please reopen HijackThis to 'do system scan only'. Check the following if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    Close all Windows except HJT and click on "Fix Checked."

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

      Important! Save the renamed download to your desktop.
      • Double click on the setup file on the desktop to run
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
      • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
        (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
      • Query- Recovery Console image (image not included)
      • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (image not included):
      • Click on Yes, to continue scanning for malware.
      • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
      Notes:

      • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
        2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
        3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
        4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

      Please follow with the Eset online scan:
      Run Eset NOD32 Online AntiVirus Scanner HERE

      Note: You will need to use Internet Explorer for this scan.
      • Tick the box next to YES, I accept the Terms of Use.
      • Click Start
      • When asked, allow the ActiveX control to install
      • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
      • Click Start
      • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
      • Click Scan
      • Wait for the scan to finish
      • Re-enable your Antivirus software.
      • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
      Then do a new scan with HijackThis.

      Attach the following to next reply:
      Combofix report
      Eset log
      New HijackThis log.
     
  7. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    OK, here are the logs.
     


  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The Eset log shows that you are using a pirated version of Nero 9.4.13.2 Ultra Edition 2009. To continue, please remove it.
     
  9. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    I have a trial version of Nero 9 installed but it expired 11/11/09. It still says expired, but I will uninstall it; it is just using up space.
     
  10. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    I looked at the Eset log and deleted everything except for the Spybot stuff. Just for the record, I never downloaded those files, but my roommates might have. I will do another Eset scan and post the log when it's done.
     
  11. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    Here is the log.
     


     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You don't need to start a new post just to add a comment- use the Edit feature.

    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip	
      F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip	
      F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentieu.zip	
      F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip	
      
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------
    I've asked for help with the Combofix report.
     
  13. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    Here is the OTM log.
     


  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Good. Now run one more HijackThis scan and leave new log- we should be finished then. I'll check the log for any entries that need to be removed, then have you remove the cleaning tools and old restore points.
     
  15. ghostrider4

    ghostrider4 TS Rookie Topic Starter

    Here's the log. The file attachments won't let me upload it; it keeps saying the file is already uploaded to this thread. I have even renamed it 3 times. Here it is copied and pasted:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:45:23 PM, on 1/15/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    F:\Program Files\Alwil Software\Avast4\ashServ.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\WINDOWS\System32\svchost.exe
    F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    F:\WINDOWS\system32\ctfmon.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\explorer.exe
    F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253986362687
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1261780418953
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe

    --
    End of file - 4092 bytes
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The log is clean. Both the HJT logs have been a bit short; are you sure the entire log is included?

    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    Let me know if you need more help.
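As an added illustration (not part of this thread, and not code from HijackThis or any of the tools above), here is a small Python triage script that applies the same reasoning the helper used on the HijackThis logs: R0/R1 browser settings and O16 ActiveX downloads should point at a short list of known hosts, blank entries like the two "Local Page =" lines are a classic hijack leftover, and O4 autoruns and O2 BHOs should live under Program Files or Windows rather than in Temp or Application Data. The trusted-host list is an assumption built from the clean log posted above. The sample log is a constructed excerpt: most lines are copied from the clean log, but the search page pointing at a bare IP (reusing the address from the first post) and the "FlashUpdate" autorun in a Temp folder are made up to show what the original infection would have looked like.

```python
"""Triage a HijackThis (HJT) log the way a forum helper eyeballs it.
Added example: flags untrusted or blank browser settings, ActiveX downloads
from unknown hosts, and autoruns/BHOs running from user-writable folders."""
import re
from urllib.parse import urlparse

# Assumption: hosts seen in the clean log above (IE defaults, Windows Update,
# the ESET online scanner, the user's Yahoo start page).
TRUSTED_HOSTS = {
    "go.microsoft.com", "update.microsoft.com", "www.update.microsoft.com",
    "download.eset.com", "www.yahoo.com",
}
# Folders (relative to the drive root, lower-cased) where a legitimate
# autorun or BHO is expected to live on a Windows XP box.
SAFE_PATH_PREFIXES = ("program files", "progra~1", "windows")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_reason(url):
    """Return why a URL is suspicious, or None if its host is trusted."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "URL has no parseable host"
    if IPV4_RE.match(host):
        return f"points at a bare IP address ({host})"
    if host not in TRUSTED_HOSTS:
        return f"host {host} is not on the trusted list"
    return None


def path_reason(path):
    """Return why an executable/DLL path is suspicious, or None."""
    path = path.strip().strip('"').lower()
    rel = re.sub(r"^[a-z]:\\", "", path)  # drop "f:\" so any drive works
    if rel.startswith(SAFE_PATH_PREFIXES):
        return None
    return f"runs from a user-writable location ({path})"


def flag_entry(kind, body):
    """Return a reason string if this HJT entry deserves a closer look."""
    if kind in ("R0", "R1"):               # IE start/search/local page
        _, sep, value = body.partition(" = ")
        if not sep or not value.strip():
            return "browser setting is blank (typical leftover of a hijack)"
        return host_reason(value.strip())
    if kind == "O16":                      # ActiveX download (DPF)
        return host_reason(body.rsplit(" - ", 1)[-1].strip())
    if kind == "O4":                       # Run key: "[name] command"
        _, _, command = body.partition("] ")
        return path_reason(command)
    if kind == "O2":                       # BHO: "name - {CLSID} - dll"
        return path_reason(body.rsplit(" - ", 1)[-1])
    return None


def scan(log_text):
    """Return [(entry_line, reason)] for every flagged entry in an HJT log."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            reason = flag_entry(m.group("kind"), m.group("body"))
            if reason:
                hits.append((line, reason))
    return hits


# Constructed excerpt. Lines are copied from the clean log posted above,
# except the blank "Local Page" entry (from the helper's fix list), the
# Search Page pointing at 68.169.70.144 and the FlashUpdate autorun, which
# are made up to resemble the original search hijack.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://68.169.70.144/go.php?c=zFlGUKdk
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [FlashUpdate] F:\Documents and Settings\Owner\Local Settings\Temp\flash_update.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run against the constructed log it reports exactly three entries: the blank Local Page, the search page sent to a raw IP, and the autorun in Temp; every line copied from the clean log passes. The host allowlist is deliberately tiny: on a real machine you would extend it with whatever the owner's legitimate start page and vendor update hosts are, and treat any remaining hit as something to look up rather than as proof of infection.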
     
Topic Status:
Not open for further replies.

