TechSpot

Redirect on Firefox

By RLK107
Apr 15, 2010
  1. Whatever I have redirects, pirates my 'Home' setup in Firefox to http://www.searchregard.net/, and adds signature-like hot link to all my online submissions (see below).

    I've attached HJT log and have run CCleaner twice.

    Link below has been generated by virus. Part of the problem.
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

  3. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Thanks, Broni. I discovered "the error in my ways" earlier and am about to submit a post with the required output printouts.
    Ignore the link at the bottom. It is being placed there by the virus I'm trying to eliminate.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    OK........
     
  5. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Re-try file attach

    Diagnostic log files attached.
    Ignore link below. Part of virus problem.

  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log.
    Warning! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    GMER, ComboFix & HJT run logs

    Have attached the three requested logs.
    (Noticed that there is no virus-generated sig file hotlink on this post. Things are looking better. :) )

  8. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    It looks much better :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\ALCMTR.EXE
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{D7BE8ED1-B138-48FD-BB22-9779A39130B1}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d7be8ed1-b138-48fd-bb22-9779a39130b1}]
    [-HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{A1A1E70D-58C5-4349-83B6-BE9682B9874D}]
    [-HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7BE8ED1-B138-48FD-BB22-9779A39130B1}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000000
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  9. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Ran into problem running ComboFix.
    Have attached my CFScript file and screen print of error printout.

    (Screen print is .jpg, I've renamed file to .txt.)

    Bogus sig-file link is back. Ignore.

  10. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    I'm not sure what you did, but you did something wrong.
    Please, re-read my previous instructions and try again.
     
  11. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Broni, I retraced my steps and then, on a whim, checked file sizes between the first and second txt files. Discovered that first file began with the term "Code:" and ended with the dashes under "RegLockDel::".

    On the second file I inadvertently copied the file with the first line as "File::" and the last line as "RegLockDel::".

    (This last attempt ended with ComboFix crashing and requesting that a new ComboFix be generated.)

    I need to know what the beginning and ending parameters of that .txt file should be.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Copy everything that is inside the box, starting with "File::" and ending with "RegLockDel::".
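For readers who hit the same layout problem, here is an added Python check (not from this thread and not ComboFix's own code) that splits a CFScript into its sections and rejects a pasted "Code:" label at the top or dashes after "RegLockDel::". The section order and the abridged script embedded as sample input come from the script posted earlier in the thread; anything else about the CFScript grammar is assumed.

```python
# Section headers in the order they appear in the CFScript posted in this thread.
SECTIONS = ["File::", "Folder::", "Driver::", "Registry::", "RegLockDel::"]
# The script from the thread, embedded here as sample input (Registry:: block abridged).
GOOD_SCRIPT = r"""
File::
c:\windows\ALCMTR.EXE

Folder::

Driver::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{D7BE8ED1-B138-48FD-BB22-9779A39130B1}"=-
[-HKEY_CLASSES_ROOT\clsid\{d7be8ed1-b138-48fd-bb22-9779a39130b1}]
[-HKEY_CLASSES_ROOT\SearchBHO.CSearchBHO.1]

RegLockDel::
"""
# What the first attempt in this thread looked like: forum label on top, dashes at the end.
BAD_SCRIPT = "Code:\n" + GOOD_SCRIPT + "-----\n"


def parse_cfscript(text):
    """Return {section: [entries]}; raise ValueError on the layout faults above."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != SECTIONS[0]:
        raise ValueError(f"script must start with {SECTIONS[0]!r}, not {lines[:1]}")
    if lines[-1] != SECTIONS[-1]:
        raise ValueError(f"script must end with {SECTIONS[-1]!r}, not {lines[-1]!r}")
    sections, current = {}, None
    for ln in lines:
        if ln in SECTIONS:
            if ln in sections:
                raise ValueError(f"duplicate section {ln!r}")
            current, sections[ln] = ln, []
        elif ln.strip():
            sections[current].append(ln)  # entry belongs to the section currently open
    missing = [s for s in SECTIONS if s not in sections]
    if missing:
        raise ValueError(f"missing sections: {missing}")
    return sections


def layout_fault(text):
    """None if the script is laid out correctly, else the reason ComboFix would choke."""
    try:
        parse_cfscript(text)
        return None
    except ValueError as err:
        return str(err)
```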
     
  13. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    On the initial run, I copied text file from the email, not from the thread.
    Email did not show the box around the text.
    ComboFix and HJT logs attached.

  14. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    How is redirection issue?
     
  15. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Morning, Broni,
    Unfortunately, it's still there.
    Hoping not to have to do a system rebuild.

    BTW, thank you for all your help. It's appreciated.
     
  16. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download Profiles by noahdfear.

    * Save it to your desktop.
    * Double-click profiles.exe and post its log when you reply.

    ==========================================================================

    Delete your GMER file.

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log.
    Warning! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
     
  17. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Have attached files from above runs.

  18. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      nv4_mini.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  19. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Look file attached

  20. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Which browser is getting redirected?

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  21. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    The redirect occurs with both Firefox (v6.3) and IE (v8.0.6001.18702).
    I have not observed any redirects while using Chrome (v5.0317.2).

    Here's the OTL.txt file (as an attachment, 200k limit to cut/pastes, per your instructions)
    (although Explorer indicates 102k).
    (What's with the 'veerboo.com' listed under Internet Explorer on the list?
    I've seen this come up at one point during a redirect, but it's not consistent.)

    Have also attached the Extras file.

  22. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

  23. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      PRC - [2010/04/08 16:31:48 | 002,072,576 | ---- | M] (SaveTubeVideo Company) -- C:\Program Files\SaveTubeVideo.com\SaveTubeVideo\downloader.exe
      IE - HKLM\..\URLSearchHook: {D7BE8ED1-B138-48FD-BB22-9779A39130B1} - Reg Error: Key error. File not found
      FF - prefs.js..keyword.URL: "http://www.veerboo.com/results.php?q="
      [2010/04/11 17:58:34 | 000,000,000 | ---D | C] -- C:\Program Files\SaveTubeVideo.com
      
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\SaveTubeVideo.com\SaveTubeVideo\downloader.exe
      
      
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
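The "FF - prefs.js..keyword.URL" line in the fix above is the kind of entry a defender can check for directly, without a removal tool. The following Python is an added example, not part of this thread and not OTL's code: it parses user_pref lines from a constructed prefs.js fragment built from the hosts named in this thread (searchregard.net, veerboo.com) and flags watched prefs that point at a host outside an assumed allowlist (EXPECTED_HOSTS is an assumption, not something from the page).

```python
import re
from urllib.parse import urlparse

# Prefs a search/home hijacker rewrites; keyword.URL is the one OTL flagged in this thread.
WATCHED_PREFS = {"keyword.URL", "browser.startup.homepage", "browser.search.defaultenginename"}
# Assumed allowlist: the hosts this machine's owner actually configured.
EXPECTED_HOSTS = {"www.google.com", "www.techspot.com"}
# user_pref("name", value);  value is a quoted string, a number, or true/false
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed prefs.js fragment using the hosts named in this thread.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "http://www.searchregard.net/");
user_pref("keyword.URL", "http://www.veerboo.com/results.php?q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("network.cookie.cookieBehavior", 0);
"""


def parse_prefs(text):
    """Map pref name -> value (surrounding quotes stripped from string values)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = raw[1:-1] if raw.startswith('"') else raw
    return prefs


def find_hijacks(prefs, expected_hosts=EXPECTED_HOSTS):
    """Return (pref, host) pairs where a watched pref points at an unexpected host."""
    findings = []
    for name in sorted(WATCHED_PREFS & prefs.keys()):
        value = prefs[name]
        # Only URL-valued prefs carry a host; an engine name like "Google" is skipped.
        host = urlparse(value).hostname if "://" in value else None
        if host and host not in expected_hosts:
            findings.append((name, host))
    return findings
```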
     
  24. RLK107

    RLK107 TS Rookie Topic Starter Posts: 37

    Have attached log.
    Firefox still redirects. :(

  25. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    ...and IE?
     
Topic Status:
Not open for further replies.