TechSpot

Malware Issue - Google Searches Hijacked

By Hofeman612
Dec 25, 2009
  1. I was having Google searches hijacked for the last week, and today it blew up into a full-on spyware attack with some malware called "Antivirus Live" or something like that. I used Malwarebytes to remove that and I thought I was in the clear, but I've noticed the Google hijacked searches are still an issue. I subsequently ran through the 8-step process I found on your site for malware issues, but I'm still getting Google searches hijacked. I've attached the 3 logs you request we attach. Any help that can be provided is much appreciated. Hopefully you can tell me what in the HijackThis log I can delete to fix my issue. Thanks.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hofeman, what's going on here?
    Remote connection to RoadRunner using SOCKS protocol?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=70.61.208.30:8080;http=70.61.208.30:8080;https=70.61.208.30:8080;socks=70.61.208.30:8080


    and here: Domain in Taiwan?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = UPCo.wan
    O17 - HKLM\Software\..\Telephony: DomainName = UPCo.wan
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = UPCo.wan


    And where does the Firebird SQL Server come in?
    C:\Doc-ItServer\Manager\Firebird\bin\fbserver.exe

    O18 - Protocol: cwt - {774E529C-2458-48A2-8F57-3ED3105D8612} - C:\Program Files\CaseWare\cwproto.dll >> CaseWare is legitimate. Work?

    You need to update AVG. You have v8. Current version is v9.
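A defender's check for the proxy finding above, written here as an added example (not code from this thread or from HijackThis): it parses HijackThis R1 ProxyServer entries and flags any protocol, SOCKS included, whose proxy points at a public address, which means that protocol's traffic leaves the machine through a third party. The sample log is constructed from the thread's own R1 entry plus a harmless loopback entry for contrast.

```python
import ipaddress
import re

# Constructed sample: the R1 ProxyServer entry quoted in the thread above,
# plus a harmless loopback one for contrast, so the check runs offline.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = ftp=70.61.208.30:8080;http=70.61.208.30:8080;https=70.61.208.30:8080;socks=70.61.208.30:8080
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:8118
"""

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.+)$")

def parse_proxy_server(value):
    """Split a ProxyServer value into {protocol: (host, port)}. Windows accepts
    a bare 'host:port' (all protocols) or a ';'-separated 'proto=host:port' list."""
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        proto, _, hostport = part.partition("=")
        if not hostport:                 # bare host:port form, no 'proto='
            proto, hostport = "all", proto
        host, _, port = hostport.rpartition(":")
        if not host:                     # no port given at all
            host, port = hostport, ""
        proxies[proto.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies

def is_public_host(host):
    """True for a literal IP outside loopback/private/link-local ranges.
    A hostname is treated as public: it cannot be judged without a lookup."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True

def find_suspicious_proxies(log_text):
    """Return [(protocol, host, port)] for every proxy that sends that
    protocol's traffic to a public address, i.e. through a third party.
    A 'socks' entry matters most: it can relay any TCP connection."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        for proto, (host, port) in parse_proxy_server(m.group("value")).items():
            if is_public_host(host):
                findings.append((proto, host, port))
    return findings
```

Run it over a saved HijackThis log instead of SAMPLE_LOG; the loopback entry shows that a local filtering proxy is not flagged.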
     
  3. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    I don't know anything about that SOCKS protocol. I think that was my bad though. When I finally got rid of that "Antivirus Live" Malware my internet explorer wasn't working properly and I was trying to get it fixed. Once I got it fixed I forgot to delete those. I've removed all that proxy stuff now.

    I'm not sure about the Taiwan stuff either. It's my work laptop and the Citrix server is UPCO, so could it be related to that?

    The Firebird I'm unsure of, but I see it's related to Doc-It, which is software I use for work.

    Caseware is definitely legit, I use it for work.

    I'll try and get my IT people to update my AVG.

    As for the google redirects, do you see anything in the logs on that? Also, I've done a root repeal log and can post that as well, if you wish. I did that online search you sometimes tell people to use as well and it didn't come up with anything.
     
  4. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    Updated files

    I've attached updated files.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You should block the Tracking Cookies, for both the jhofer and system accounts:

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player:

    To remove, find and remove Viewpoint Media Player

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Click on Start > Run and type: services.msc> OK
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    • Click on Start > Settings > Control Panel >Add/Remove Programs
    • Highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist: Open Windows Explorer> Programs:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder

    Empty the Recycle Bin

    I don't see any sign of malware. You do have some specialized processes related to your work running- they are all legitimate. Can they cause any problem when running together? I don't know that. That is a question for your IT person.

    I will mention that you have a remote process running: RemotelyAnywhere is a remote administration and remote control application for Windows. This process allows other users to control your PC:
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe


    Neither of these needs to be on Startup, so be sure they're set to Manual and not Automatic:
    Start> Run> type in services.msc> double click on each and change Start up type to Manual:
    LMIMaint
    LogMeIn


    Close Services. I don't think this will make any difference in the redirects, but better not to have it starting automatically and then running in the background.

    It always puzzles me when I see these running and someone asks for help on an internet computer forum instead of using the remote help!

    Which online scan did you run? Eset or Virusorg?
     
  6. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    Thanks for the help. I reset my cookies, deleted Viewpoint and changed my logmein stuff to Manual.

    I ran Eset for the online search.

    I have been trying Google searches today and it doesn't seem to be redirecting me anymore. I thought I had this beat before, though, and after a while it started happening again. Hopefully it doesn't come back. I'll keep running the malware search software to check for them just in case. I guess for now there isn't much to do because I don't have the symptoms anymore. Thanks for your help.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm glad the symptoms are gone but we're not quite through yet

    Eset isn't an online search- it's an online antivirus program. Please scan with it and attach log to next reply.

    Rescan with HijackThis and paste new log in next reply.

    Sometimes people just stop when the main problem seems resolved. But it doesn't mean that all the malware is gone.
     
  8. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    Well, my bad feeling was well founded. I got redirected again. Most of the time it's directdr.com, but there are others as well. So I definitely still have something; I don't know how to get rid of it though, as none of the programs are finding anything and ESET hasn't either, as you'll see in the log.

    I've attached the reports per your request. Thanks again for your help.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you give me any other redirects in addition to directdr.com? Are you being taken to the sites or getting pop-ups for them?

    I'd like you to put these in the restricted Sites:
    Control Panel> Internet Options> Security tab> Restricted zone> Sites> type in each> Add:
    *.directdr.mybisi.com
    *.directdr.com

    Use the *- it's a Wild Card.
    Then click on Apply> OK.

    Are you also getting a pop-up for ppcblinks.com?

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    There is one entry in the HIJT log I'd like you to remove:
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb

    Please attach ComboFix report to next reply.
     
  10. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    I blocked that site and deleted that HijackThis log entry. I went through and did some testing on Google and I got a bunch of different redirects. I attached a .txt file with just some of the addresses that came up. Didn't see ppcblinks though.

    I'm at work now, so I'll have to run ComboFix later tonight. Thanks. I'll post that log tonight.
     
  11. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    Forgot to attach the .txt file.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  13. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    No, I'm not using that php thing. I was simply doing a Google search and clicking on some of the links it provided. From there, I would do a copy and paste of the address that came up (I'd try to do it quickly because it would always quickly switch to another address) and then I'd copy and paste the second address it would switch to.

    Anyway, I ran ComboFix and it seemed like that found the issue. I've attached the log from that. Let me know if there is anything more I need to do.

    Thanks again for your help.
     
  14. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    Bump... Just wanted to see if you were able to take a look at my ComboFix log yet. Thanks.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So sorry- I didn't get notice of the reply.

    Where is the rest of the ComboFix log? There's quite a bit below what you left.
     
  16. Hofeman612

    Hofeman612 TS Rookie Topic Starter

    That's odd, I went to the C drive and then the ComboFix folder and then found the .txt file entitled ComboFix. (I forgot to rename the file when I downloaded.) Not sure why that log doesn't have everything. I've attached all the .txt files in the folder. I don't see what you want, I don't think, but maybe it's there and I'm missing it. I'm sorry, if it's not there, could you tell me where it might be? Thanks.
     

  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to the desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup you downloaded to Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with new scan using Eset Online scanner:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Rescan with HijackThis and PASTE new log into next reply.

    Attach ComboFix report and new Eset log.

    I will have you remove all of the cleaning tools and set new restore points when we have finished.
     
Topic Status:
Not open for further replies.
