Solved Search engine links hijacked, 8 steps completed

Status
Not open for further replies.

Mseckham

Using any browser (IE, Firefox, Chrome) my links from search engines such as Google and Yahoo are redirecting to other sites. Usually the first time I click on a link it goes to the correct site but any other time following that I get taken to all sorts of sites. Logs attached. Any help much appreciated.
 

Attachments

  • mbam-log-2010-03-14 (18-49-14).txt
    1.2 KB · Views: 1
  • SUPERAntiSpyware Scan Log - 03-14-2010 - 20-30-37.log
    1.3 KB · Views: 1
  • hijackthis.log
    5.6 KB · Views: 1
Welcome to TechSpot, Mseckham. One of the malware infections you had is known to steal passwords and other private information. It is recommended that you change all of your passwords and also monitor any online financial transactions.

It appears that the HijackThis log might not be displaying completely. There are no Active X Objects showing- this would include Java, which I don't see, shockwave/flash and other add-ons. So either you don't have any which is unlikely, or malware is suppressing some of the entries.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I'll know more after I see the Combofix report and the Eset log.
 
Thanks for looking into this so quickly. Steps above followed and logs attached.
 

Attachments

  • log.txt
    3 KB · Views: 2
  • Combofix log.txt
    22.6 KB · Views: 2
Sean Courtney, please refrain from giving help on this thread.

Mseckham, I've been trying to put the scan times in order- which I can do, but it's not telling me what I need: The two in the Qoobox are two files that were quarantined in Combofix. At the end of the cleaning, when I have you uninstall Combofix, these files will be removed. Qoobox is the name of the folder Combofix sends those files to.

For the other entry:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files 
    C:\Program Files\Total PC Defender\Total PC Defender.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

You have Total PC Defender 2010 running which is a rogue anti-spyware program that is installed through the use of malware and Trojans. Total PC Defender was created to scam you into thinking you have a computer problem so that you will then purchase the program. Please do not purchase this program, and if you already have, you should contact your credit card company to dispute the charges. Please follow the steps in the removal guide below to remove Total PC Defender and any related malware:
2010-03-14 21:23 .c:\program files\Total PC Defender

Unfortunately, it looks like you might have downloaded it yourself through scare tactics hoping to fix your system: If you did purchase this rogue program, you should contact the company and request a refund and remove it from your system.

Please do the following in the order I give you:
1. Update and scan with Malwarebytes again.
2. Delete the Combofix log on your desktop and rerun Combofix.
3. Rescan with HijackThis.

Attach the new Mbam log, Combofix report and new HijackThis log.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!! DO NOT make any Registry Changes. And it is recommended that if you are running any Registry editing program, that you either uninstall or disable it while we are in the cleaning process.

Edit: I noticed that you are actively downloading through Azureus, which is for file sharing. Please refrain from any activity through Azureus while I am helping you. Downloading while we are cleaning could result in more infections.
2010-03-14 14:00 . c:\documents and settings\Denise Rigby\Application Data\Azureus
2010-02-07 20:31 . c:\documents and settings\All Users\Application Data\Azureus/


===
 
Hi Bobbye,

Thanks again. Fortunately I haven't purchased anything like PC Defender so it must have just been a link that was clicked on. I've attached all the logs as advised. It's quite an old laptop so we don't really use it for anything other than web browsing. The Google links are no longer hijacked and it all seems to be running a bit quicker, so it's definitely a big improvement. I'm not quite sure how the Azureus shows that it has been running, we haven't been using it and it's not listed in Programs either. Could it possibly be something that is auto running on startup?
 

Attachments

  • mbam-log-2010-03-16 (20-13-19).txt
    944 bytes · Views: 1
  • hijackthis.log
    4.9 KB · Views: 1
  • ComboFix.txt
    19.7 KB · Views: 3
  • 03162010_190040.log
    3.3 KB · Views: 1
Mseckham, did you have a Lexmark printer at one time but no longer use it?

Did you have Symantec/Norton on the machine, even if you didn't use it?

If these are Yes/Yes, I'll add a couple of entries to the next step- it's all ready but no sense in you having to do it twice.
 
Hi Bobbye,

Yes we have a Lexmark which we do still use. It did have Norton on it which we don't use and have tried uninstalling but it looks as though it's left some remnants behind.
 
Thanks. Lexmark entries are okay. Run the Norton Removal Tool to remove the leftovers.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\LocalService\Local Settings\Application Data\Temp
c:\windows\system32\OOBE\oobebaln.exe
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

Folder::
c:\documents and settings\Denise Rigby\Application Data\Azureus
c:\documents and settings\All Users\Application Data\Azureus/
C:\Program Files\Total PC Defender\Total PC Defender

Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Then rescan with HijackThis and leave new log.
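As an added illustration (not code from this thread, and not ComboFix's own parser), a small Python checker for the CFScript section format used above: it splits a script into its File::/Folder::/Registry::/Driver:: sections and flags entries worth a second look before the script is dragged onto ComboFix.exe, such as the trailing slash on the Azureus folder line. The sample script and the checks are my own constructions; ComboFix's real parsing rules are not documented in this thread.

```python
import re

# Section headers ComboFix recognises (the ones used in this thread).
SECTIONS = ("File", "Folder", "Registry", "Driver")
_HEADER = re.compile(r"^([A-Za-z]+)::\s*$")

def parse_cfscript(text):
    """Return ({section: [entries]}, [(lineno, problem), ...]).

    Flags entries before any header, unknown sections, a trailing '/'
    on a path (as on the Azureus line in this thread) and non-absolute paths.
    """
    sections = {s: [] for s in SECTIONS}
    problems = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            if current not in sections:
                problems.append((lineno, f"unknown section {current!r}"))
                sections[current] = []
            continue
        if current is None:
            problems.append((lineno, "entry before any section header"))
            continue
        if line.endswith("/"):
            problems.append((lineno, "trailing '/' on path"))
            line = line.rstrip("/")
        if current in ("File", "Folder") and not re.match(r"^[A-Za-z]:\\", line):
            problems.append((lineno, "not an absolute drive path"))
        sections[current].append(line)
    return sections, problems

# Constructed sample modelled on the CFScript posted in this thread.
SAMPLE = r"""File::
c:\windows\system32\OOBE\oobebaln.exe

Folder::
c:\documents and settings\All Users\Application Data\Azureus/
C:\Program Files\Total PC Defender\Total PC Defender

Registry::

Driver::
"""
```

Calling `parse_cfscript(SAMPLE)` returns the per-section entries and a single problem, the trailing slash on line 5, with the slash stripped from the stored path.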
 
Hi Bobbye,

Above steps completed and logs attached.

Thanks
 

Attachments

  • ComboFix.txt
    23 KB · Views: 1
  • hijackthis.log
    4.9 KB · Views: 1
It doesn't look like you ran the Norton Removal Tool. All of the entries are still on the system. So please do that. Click on the name in blue to download the tool.

If you looked in the Combofix report, you will have seen a large number of entries for Azureus/Vuze/Torrents:
P2P or 'file sharing' warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Azureus/Vuze/Torrents for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

If you have a program installed for any of these names in Add/Remove Programs, it should be uninstalled: Azureus, Vuze or the Torrents (Bit Torrent, uTorrent)
Then using Windows Explorer: Windows key + E> click on My Computer> double click on Local Drive (C)> Programs> look for any/all of these names and do a right click>Delete on the folder.

I am still concerned about the lack of entries in the HijackThis log. The Windows Genuine Advantage and Update processes are missing, among others. I guess this would be about the time that I ask if you are using a legitimate version of Windows.

Some are in plug-ins for Firefox, but the system should still be showing Java, a PDF Reader Adobe or FoxIt and there are no add-ons showing for IE. There are only 3 Services showing. I don't get the chance very often to complain about "not enough" entries, but the log just doesn't look right.

You should be running pretty well by now. Looks like we got the bad stuff. Are you having any of the original problems or have they been resolved?
 
Hi Bobbye,

I'm becoming a bit mystified by it all too. I ran the Norton Removal tool before posting the last log and it stated it was all uninstalled. None of the Azureus, Vuze etc. are listed in programs so it looks as though this has been cleared out now. I'll check the folders this evening when I get home and wipe out those too.

It's definitely a legitimate version of Windows, it's still the one that was installed on it when it was bought at PC World a few years back. We recently installed SP 3 on it and it went through the validation stage OK.

One thing that may be explaining the lack of processes is that when it was running slowly, I ran msconfig and stopped some programs and processes from starting on boot up. Shall I switch them all back on and redo the logs?

The redirecting has stopped and everything is running a lot quicker now. I always thought I was fairly IT literate but all of this has been way over my head and I'm really grateful for the support that you've provided me with.
 
Okay to leave the processes you stopped using the msconfig utility off.

The processes I'm referring to can be found here:
Open Internet Explorer> Tools> Manage add-ons> there are 2 settings for the dialog box: 1. processes now being used and 2. processes previously used.

Do you have anything in either section showing Enabled? What?

The Services I referred to are handled in yet another section and most users don't make changes in the Startup type. Take a look here and let me know if you've made changes in this section:
Start> Run> type in services.msc> enter. IF you've worked in here, you will recognize the screen. If not, just close it back up and we won't be concerned with it.

You're doing fine following the instructions I've given. I'm just big on asking questions if I need to! It works both ways I think.

If the original problem has been resolved and there are no new problems, I can try to move the Norton entries I saw: the only 'big deal' about having 'left overs' is that Norton has a tendency not to play nice with other security programs.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
Folder::
c:\program files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
 
jhonnyD2, I notice you have stopped on 10 threads and posted this same message. While what you are saying isn't wrong, the fact that you are saying the same thing on a number of threads in a short time span makes it appear to be nothing more than spam.

Malware help is specific for the person who started the thread- no one else.
 
Hi Bobbye,

New Combofix log attached. I've not changed anything in the services.msc before so I left that. I usually use Firefox instead of IE, I did check that Manage Addons in IE and it was slightly different to how you've outlined it - there was no dialogue box - but there were different sections to click on and a few processes such as Shockwave, Googlebar were listed as Enabled.

Thanks again.
 

Attachments

  • ComboFix.txt
    21.4 KB · Views: 1
Okay, looks good! We've cleaned out the P2P data, Norton files and a few other things. About now you should be running faster and well. Since the original problem has been resolved you can remove the cleaning tools and old restore points:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]

Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


To help you understand where this malware may have come from, please read Tony Klein's guide So how did I get infected in the first place?

If I can be of further help, please let me know.
 