TechSpot

Redirected searches and hits in firefox and IE

By rsslcs
Mar 17, 2009
  1. Hi! I'm new! anyway, this is a virus that modifies search results, and redirects me to other ad sites intermittently. (nothing new then^^)
    I ran a scan of the comp using Avast, and followed the 8-step tutorial. I was worried with vitro being found by Avast, but it was deleted without any problems, and no other files are infected. I assume that the virus wasn't yet active, it was in system restore folders, which I removed by disabling system restore, then re-enabling it. The tutorial doesn't fix the prob, but there is an unknown DLL in system32 which is in the hijackthis log. so TADAAA! there are various mbam logs from previous scans, but they were done in quick succession, the most recent scan was a full one.

    EDIT: Google also loads very slowly (waiting for 'www . site') after hitting the search button, and I've got 2 tmp folders with gibberish names (85EBB28365AF4 etc.) in the WINDOWS folder with WiseCustomCalla.dll which look kinda suspicious, but I haven't touched them in case they are actually legitimate
     


  2. rsslcs

    rsslcs TS Rookie Topic Starter

    Also, there are no previous virus related problems anymore. A virus that I had changed my desktop to a spyware alert and asked me to download xp antivirus 2009. I promptly got rid of that using Mbam and avast. I unblocked the desktop and the task manager using a registry fix from a tech forum, but the internet problem still persists...
     
  3. rsslcs

    rsslcs TS Rookie Topic Starter

    Anyone? Does this topic look old or smth? Is this topic boring? :p


    But seriously, could someone take a look plz?

    EDIT: Sorry if that came across as rude, it WAS a joke :)
     
  4. kritius

    kritius TS Guru Posts: 2,087

    Fix entries using HiJackThis

    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
    O4 - Startup: BitTorrent Acceleration Patch.lnk = C:\Program Files\BitTorrent Acceleration Patch\BitTorrent Acceleration Patch.exe


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary


    Download LSP Fix from >>HERE<<

    Look >>HERE<< for a great guide in its usage.

    Rename HijackThis.exe to rsslcs.exe by doing the following:



    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to rsslcs.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.


    To get an Uninstall List from HijackThis:

    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and attach the log in your next post.
     
  5. rsslcs

    rsslcs TS Rookie Topic Starter

    There's another problem.. The RAM usage with all programs closed apart from Firefox, Avast & SUPERAntiSpyware was 500 MB, and a svchost.exe process used by the network service used 50% of the processor constantly, even in safe mode with or without Firefox. Also, there are 2 .dat files in system32, senekalwpskky.dat and senekaqbphexte.dat. Those look randomly generated, and they were created in March 2009.
    Yup, Avast detected one as malware! yay.
    EDIT: ok will do.
     
  6. kritius

    kritius TS Guru Posts: 2,087

    Do as I said in my post above and then do the following.

    Download random's system information tool (RSIT) by random/random from HERE and save it to your Desktop.

    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt will be maximized and info.txt will be minimized
    • Please post the contents of both logs in the next reply.
     
  7. rsslcs

    rsslcs TS Rookie Topic Starter

    OK, here's the stuff, and also which LSP do I remove?

    There are 4 LSPs:

    mswsock.dll
    winrnr.dll
    QoS.dll
    rsvpsp.dll

    EDIT: And why IS the svchost process gobbling up so much of my CPU? It didn't do that before I had the virus...
     
  8. rsslcs

    rsslcs TS Rookie Topic Starter

    kritius, thanks so much for the help. I used LSP Fix to remove QoS.dll when I didn't see it in an example screenshot. Everything improved straight away, the whole PC sped up. So thanks again, I'll be back in 4 months to complain about the new latest virus even worse than vitro ^^

    cheers russ

    PS: if QoS was a vital component of Windows, well, it's gone now so... sorry :grinthumb
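An added offline audit of the Winsock LSP catalog, in the spirit of the LSP Fix step above (example code written for this page, not part of LSP Fix, HijackThis or any other tool named in the thread). On Windows it reads the live catalog under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries; elsewhere it audits a constructed sample built from the four providers rsslcs listed. The known-good allowlist and the assumption that each PackedCatalogItem value begins with a 260-byte NUL-padded ANSI DLL path are this example's own.

```python
import os
import re

# Assumption: the three stock XP providers rsslcs listed are known-good; QoS.dll is not.
KNOWN_GOOD = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}
CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")
MAX_PATH = 260  # assumed layout: each item starts with a NUL-padded ANSI DLL path

def dll_path_from_packed_item(blob):
    """Return the provider DLL path stored at the front of a PackedCatalogItem value."""
    return blob[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")

def classify(entry, blob):
    """Return the reasons this catalog entry looks suspicious (empty list = fine)."""
    path = dll_path_from_packed_item(blob)
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons = []
    if base not in KNOWN_GOOD:
        reasons.append(f"{entry}: {path} is not a stock Winsock provider")
    if not re.search(r"\\system32\\[^\\]+$", path, re.IGNORECASE):
        reasons.append(f"{entry}: {path} is loaded from outside system32")
    return reasons

def audit(catalog):
    """Audit {entry_name: PackedCatalogItem bytes}; returns every finding as text."""
    findings = []
    for entry in sorted(catalog):
        findings.extend(classify(entry, catalog[entry]))
    return findings

def load_catalog_from_registry():
    """Read the live catalog on Windows via the stdlib winreg module ({} elsewhere)."""
    if os.name != "nt":
        return {}
    import winreg
    catalog = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                catalog[name] = winreg.QueryValueEx(sub, "PackedCatalogItem")[0]
    return catalog

def packed_item(path):
    """Build a constructed PackedCatalogItem-like blob for offline testing."""
    return path.encode("latin-1").ljust(MAX_PATH, b"\x00") + b"\x00" * 16

# Constructed sample mirroring the four LSPs rsslcs reported.
SAMPLE_CATALOG = {
    "000000000001": packed_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": packed_item(r"%SystemRoot%\system32\winrnr.dll"),
    "000000000003": packed_item(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000004": packed_item(r"C:\WINDOWS\system32\QoS.dll"),
}
```

Run `audit(load_catalog_from_registry() or SAMPLE_CATALOG)` to list the findings; on the sample only the QoS.dll entry is reported.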
     
  9. rsslcs

    rsslcs TS Rookie Topic Starter

    Everything's a lot faster now and that memory/CPU usage problem's gone, but I still get redirected! Whatever now!?
     
  10. kritius

    kritius TS Guru Posts: 2,087

    Uninstall the following:

    BitTorrent Acceleration Patch
    GameSpy Arcade
    Java(TM) 6 Update 7
    P2P_Torrent Toolbar


    Fix entries using HiJackThis

    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis


      Download and Run ComboFix
      • Download this file to your desktop from either of the two below listed places:

        HERE or HERE

      • Then double click combofix.exe & follow the prompts.
      • When finished, it shall produce a log for you. Attach that log in your next reply

      WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
    • Reboot HijackThis if necessary
     
  11. rsslcs

    rsslcs TS Rookie Topic Starter

    OK, I've done the ComboFix scan, removed requested programs.
    Here's the log
     
     
  12. kritius

    kritius TS Guru Posts: 2,087

    Can you run a fresh scan with Hijackthis for me?

    I also think that you should remove any and all Bittorrent software that you have installed.

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky; click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
        Extended (If available, otherwise use standard)
      o Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file
    • Include the report in your next post.
     
  13. rsslcs

    rsslcs TS Rookie Topic Starter

    Here's my HijackThis log, I'll post the Kaspersky scan results when it's done
     
  14. kritius

    kritius TS Guru Posts: 2,087

    You should install a firewall as well.

    Only install the firewall, not the full internet suite.

    HijackThis looks clean.

    Just need to see the Kaspersky log.
     
  15. rsslcs

    rsslcs TS Rookie Topic Starter

    it's taking a while^^ it looks as though I have 3 hrs worth of scanning yet
     
  16. kritius

    kritius TS Guru Posts: 2,087

    It takes a while but it's very good.

    It won't remove anything, just tell me where everything is.
     
  17. rsslcs

    rsslcs TS Rookie Topic Starter

    Here's the report! At LAST!
    The only file was QoS.dll, which was removed from the LSP thingy a day or two ago..
     
  18. kritius

    kritius TS Guru Posts: 2,087

    Let's make sure that it stays gone then.

    OTMoveit3 by OldTimer
    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe
      
      :Files
      C:\WINDOWS\system32\QoS.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  19. rsslcs

    rsslcs TS Rookie Topic Starter

    OK, here's the MoveIt log:
     
  20. kritius

    kritius TS Guru Posts: 2,087

    Coolio,

    Any more problems? If not,
    • Double-click OTMoveIt3.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt3 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      or

      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for Spybot S & D
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:

      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place
     
  21. rsslcs

    rsslcs TS Rookie Topic Starter

    Hmm, it seems that I get redirected when clicking on a Google result.. it waits for search.webmaster.nl, and then flicks between... is it IP numbers? (example, not real. 78.56.0.44.10), but only now and again, so I'd be happy if there was a solution, but if not, it's not a major inconvenience, as all other problems like modified results, slowing down, desktop background locked, etc. are gone.
     
  22. kritius

    kritius TS Guru Posts: 2,087

    We'll try a few things,

    Delete Domains

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    Download HostsXpert v4.1 and unzip it to your computer, somewhere where you can find it.
    • Double click on HostsXpert.exe to launch the program.
    • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
    • Click on Make ReadOnly to secure it against further infection.
    • Exit the program.
    Visit the Website for more information.

    Then go to Start > Run and type cmd

    In the command prompt window type ipconfig /flushdns.

    Let me know if it still happens.
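An added check for the hosts-file step above (example code written for this page, not HostsXpert's own): it parses hosts-file text, separates MVPS-style blocking entries (names pointed at 127.0.0.1 or 0.0.0.0, which can only block) from entries that send a name to some other address (the kind that can redirect a search), and comments the latter out. The sample hosts text is constructed; 203.0.113.5 is a documentation-range address, not anything rsslcs saw.

```python
import ipaddress

# Windows keeps the file here (after expanding %SystemRoot%); this audit only reads it.
HOSTS_PATH = r"%SystemRoot%\System32\drivers\etc\hosts"

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) per mapping line; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address, so the resolver ignores the line too
        yield no, ip, [h.lower() for h in fields[1:]]

def is_blackhole(ip):
    """127.0.0.1 / 0.0.0.0 / ::1 entries only block a name; they cannot redirect it."""
    return ip.is_loopback or ip.is_unspecified

def find_redirects(text):
    """Return [(line_no, hostname, ip)] for names pointed at a routable address."""
    hits = []
    for no, ip, hosts in parse_hosts(text):
        if not is_blackhole(ip):
            hits.extend((no, h, str(ip)) for h in hosts)
    return hits

def strip_redirects(text):
    """Comment out redirecting lines; localhost and MVPS-style blocking lines survive."""
    bad = {no for no, _, _ in find_redirects(text)}
    lines = text.splitlines()
    for no in bad:
        lines[no - 1] = "# removed by audit: " + lines[no - 1]
    return "\n".join(lines) + "\n"

# Constructed sample: the stock localhost line, two MVPS-style blocking lines, and one
# hijack line sending Google to a documentation-range address (203.0.113.5, RFC 5737).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net            # blocking entry, harmless
127.0.0.1       tracker.example.org        # blocking entry, harmless
203.0.113.5     www.google.com google.com  # every Google hit goes somewhere else
"""

if __name__ == "__main__":
    for no, host, ip in find_redirects(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
    print(strip_redirects(SAMPLE_HOSTS), end="")
```

To audit a real machine, read the file at HOSTS_PATH (with %SystemRoot% expanded) and pass its contents to find_redirects; restoring the stock file, as HostsXpert does, is the simpler fix when everything but localhost is unwanted.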
     
  23. rsslcs

    rsslcs TS Rookie Topic Starter

    Yup it does, I usually get redirected to blinx.com, or google.com/undefined...
    Also, the website link gives me a 404
     
  24. kritius

    kritius TS Guru Posts: 2,087

    Post a fresh HJT log.
     
  25. rsslcs

    rsslcs TS Rookie Topic Starter

    here it is!
     
Topic Status:
Not open for further replies.

