TechSpot

Redirected searches (yeah, again)

Inactive
By mikelorus
Feb 6, 2010
Topic Status:
Not open for further replies.
  1. I feel kind of bad making yet another thread about redirected search engine searches, but I have that problem, and it looks like there is no one size fit all solution for this. So, apologies for whoever has to deal with this AGAIN.

    Anywhoo, these are the logs from Malwarebytes, HijackThis, and SUPERAntiSpyware, as these are the logs that seem to be necessary.

    I hope that's all you guys need, and thank you in advance for taking the time to help out.

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Thank you for your quick reply. I did as you asked, and here are the two files.

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    MBR::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  5. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Here are the files after having done that. Again, thank you for all your help.

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    How is the redirection issue?
  7. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    I just went through 30 or so searches, and it was all good. Thank you very much for your help on this issue, I really appreciate the time you put in to help me.
  8. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    We're not totally done, yet :)
    We need to be sure your computer is perfectly clean.

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
  9. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Here they are. That scan took forever =X

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\5aa57f31-1ae5e606	
    C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\60b62ac9-30b2e997
          
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
    
    • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  11. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Here it is. Feels good knowing that all that unnecessary crap is being cleaned out of my comp.

  12. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Very good :)

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add/Remove Programs (Programs & Features in Vista).

    =======================================================================

    Disable Windows Defender, as it'll interfere with cleaning process:
    - Open Windows Defender by clicking the Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.

    ======================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    - O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    - O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    - O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    - O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    - O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
    - O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
  13. PWT

    PWT TS Rookie

    Stumped by a Hijacked browser

    First time here and have tried most spyware/malware scanners out there. Here is the log before I toss the hard drive in hopes someone can identify something that keeps eluding me.

    Thanks in advance for the help!

    PWT

    Attached Files:

  14. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    New HJT log.

    Attached Files:

  15. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    We're almost there, but apparently I missed a couple of entries.
    Re-run HJT and checkmark:
    O1 - Hosts: ÿþ127.0.0.1 localhost
    O1 - Hosts: ::1 localhost

    Click "Fix checked" button.
    Post fresh HJT log.
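    The two O1 entries above show a hosts file whose first line begins with "ÿþ", the Latin-1 rendering of the UTF-16 byte-order mark FF FE, in front of the default "127.0.0.1 localhost" entry. The script below is an added example, not part of this thread or of HijackThis, that audits a Windows hosts file for exactly that: it reports a stray BOM, then flags entries that map search-engine domains (a constructed watch list) to another address, the hosts-file form of the redirected-search symptom. The sample bytes are constructed; 198.51.100.7 is a documentation (TEST-NET-2) address, not a real indicator.

```python
"""Audit a Windows hosts file for a stray byte-order mark and for entries that
redirect search-engine domains. Defender-side check; sample input is constructed."""
import ipaddress
import re

BOMS = {b"\xff\xfe": "utf-16-le", b"\xfe\xff": "utf-16-be", b"\xef\xbb\xbf": "utf-8"}
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}  # shipped with Windows
WATCHED = ("google.", "bing.", "yahoo.", "search.")  # assumed watch list for this example
ENTRY = re.compile(r"^\s*([0-9A-Fa-f.:]+)\s+([^#]+?)\s*(?:#.*)?$")


def decode_hosts(raw: bytes):
    """Return (text, bom_note). The resolver reads hosts as plain text, so a BOM
    turns the first line into 'ÿþ127.0.0.1 localhost', which is what HJT printed."""
    for bom, enc in BOMS.items():
        if raw.startswith(bom):
            body = raw[len(bom):]
            # Genuine UTF-16 text of ASCII entries contains NUL bytes; a BOM glued
            # onto single-byte text does not, so pick the decoding accordingly.
            if enc.startswith("utf-16") and b"\x00" in body:
                return body.decode(enc), f"{enc} BOM {bom.hex()}"
            return body.decode("latin-1"), f"{enc} BOM {bom.hex()}"
    return raw.decode("latin-1"), None


def audit_hosts(raw: bytes):
    """Return findings as (kind, line_number, detail); line 0 means the file itself."""
    text, bom_note = decode_hosts(raw)
    findings = [("bom", 0, bom_note)] if bom_note else []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            findings.append(("unparseable", lineno, line.strip()))
            continue
        addr, names = m.group(1), m.group(2).split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("bad-address", lineno, addr))
            continue
        for name in names:
            if (addr, name) in DEFAULT_ENTRIES:
                continue
            if any(w in name.lower() for w in WATCHED):
                findings.append(("search-redirect", lineno, f"{name} -> {addr}"))
            elif not ip.is_loopback:  # LAN names land here too; review, don't auto-remove
                findings.append(("non-loopback", lineno, f"{name} -> {addr}"))
    return findings


# Constructed sample: BOM-prefixed file with one search redirect to a TEST-NET address.
SAMPLE = (b"\xff\xfe127.0.0.1 localhost\r\n::1 localhost\r\n# comment\r\n"
          b"198.51.100.7 www.google.com google.com\r\n10.0.0.5 fileserver\r\n")

if __name__ == "__main__":
    for kind, lineno, detail in audit_hosts(SAMPLE):
        print(f"{kind:16} line {lineno}: {detail}")
```

On a live system the input would be the bytes of C:\WINDOWS\system32\drivers\etc\hosts; a clean default file produces no findings.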
  16. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Good you made a mistake, now I know you aren't some sort of virus fighting bot >.>

    Attached Files:

  17. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Hahahaha....


    Your computer is clean

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
  18. rf6647

    rf6647 TS Maniac Posts: 931

    MBR Stealth Rootkit / Sinowal

    This is an amazing solution - I needed this 3 weeks ago!

    Detection appears to have improved (log entry appearing in message #5).
    Code:
    Infected copy of c:\windows\system32\DRIVERS\nvatabus.sys was found and disinfected
    The key to the solution appears to be CFScript and invoking mbr.exe from ComboFix. This prevents the re-infection.

    The first signs pointed to rootkit infection referred to as MBR Stealth or Sinowal or Mebroot, as shown by log entry from message #3.
    Code:
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
    \Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
    \Driver\atapi -> atapi.sys @ 0xb9f11852
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
     ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
     ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9decbb0
     PacketIndicateHandler -> NDIS.sys @ 0xb9df9a21
     SendHandler -> NDIS.sys @ 0xb9dd787b
    Is there any residual problem left behind when it comes to the mirror copy of the directory structures? I believe that this infection stole disk allocation by marking blocks used to hide parts of the payload.

    <Reasoning for the question.>

    I am speaking of the MFT. A mirror copy is kept. For the variety of rootkit I encountered, I felt that it used free area of the hard drive to hide code called by the hooked code. I clearly saw sectors in track 0 were part of the payload. Supposedly the rootkit hid code in free space of the hard drive to overwrite drivers. From this I infer that the malware could only protect this area by showing its allocation in the MFT.

    Background:
    Before proceeding with disinfecting: chkdsk infected drive; clone the drive; and verify cloned drive is bootable.

    Method 1: Ghost9 clone produces a image copy of infected drive. Restoring image to clone drive reports "mismatch" error. Cloned drive is bootable. Demote clone to slave; chkdsk finds no errors.

    Method 2: XXclone produces a file copy version of infected drive. No errors reported. Cloned drive is not bootable. Demote clone to slave; chkdsk finds lost blocks; creates file0000. In theory this method does not copy a file or folder if it is absent from the directory structures. XXclone was able to clone (a bootable copy) an uninfected version.

    Method 3: Partition Magic 8 checks drive for errors and reports "mismatch" errors.

    General: I could not verify what the defect was that was reported as "mismatch". XXclone chkdsk error makes no sense since file copy makes changes to MFT; in this case MFT started clean and changes to MFT correspond to files successfully copied to the drive.

    Observation: Even with a clean track 0, the corrupted driver(s) was still able to plant its hooks. From my perspective, this gave weight to code hidden in free space. Other utilities (Ghost9, Partition Magic, XXclone) found discrepancies with disk structure and/or allocation.
  19. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    I'm not sure, if I understand your question...
  20. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Awesome. My Google searches haven't redirected me yet, and there are no more popup tabs. Thank you for all your help, Broni, you are a gentleman and a scholar.
  21. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Excellent!
    Good luck :)
  22. rf6647

    rf6647 TS Maniac Posts: 931

    I added my reasoning to message 18. Using edit of the message is my way to avoid cluttering this thread with my issue.
  23. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    Epic bump >.<

    I really hate to be constantly bringing problems into this site, but my searches are redirecting again and just by browsing threads, and there seems to be so many different ways to get rid of it. I feel really bad about constantly asking for help here =.=


    HJT is below, malwarebytes and super anti spyware both say my comp is clean, should I run combofix like before?

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 46,775   +254

    Not a problem, but I guess you have to pay more attention to your computer habits especially being on the net.
    Maybe, replacing McAfee with something better is not a bad idea.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  25. mikelorus

    mikelorus TS Rookie Topic Starter Posts: 41

    When the combofix scan starts, it just goes to a BSoD. I tried uninstalling it and downloading it multiple times straight to my desktop every time it has happened.