TechSpot

Search engine redirect issue

By Vulchur
Apr 23, 2009
  1. Search engine redirect issue. 8 steps followed

    I've been having a hard time trying to sift through what's been going on with my computer. I'd recently run into problems with antivirus plus and had thought I'd gotten rid of it with Malwarebytes' Anti Malware. However, I'm having a lot of problems with getting redirected in searches now a few weeks later, as well as being unable to open pages I input the URL in directly (makes research a pain). I'd already followed most of the steps in your 8 step recommendation. Couldn't follow step 5 of the eight steps: link wouldn't open, had to get it off another computer. Any assistance or insight you all could provide would definitely help keep me up late at night.
     
  2. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,436   +37

    HJT shows you are using McAfee and MS antimalware product(s)

    From the other computer, dl all the other tools mentioned in the 8 steps. Neglect nothing.
    Whatever AV / AntiSpy / Antimalware and firewall you are currently using, for the purpose of the eight steps _at least_, you want to use the tools that are listed there.
    Since they are free, it costs you nothing to take this advice.

    Burn them to a cd to take to the infected computer, and install them to the desktop or other place you can easily find them.
    NOTE: more than one av or antispy program will likely conflict with each other... meaning you need to uninstall whatever is currently running.

    Some of the steps require running more than once, and sometimes safe mode is required for part of the process ...
    after safe mode, you will need to re-run per the instructions... follow them diligently.

    I won't be around much for the next several days, but others will. When you are ready, repost with the new logs.
     
  3. Vulchur

    Vulchur TS Rookie Topic Starter

    8 steps followed-revisited

    I reposted, but I'll reply to thread again. Here are my logs.
     
  4. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,436   +37

    Expert Guidance Needed from here.

    Hey Vulchur...
    Looks like you are off to a good start...
    What I am noticing of concern at this point is

    1. 2 AV products running. (Avira and MS). Two AV products can conflict, leaving you less secure. It would be good to run them separately / consecutively, noting what each finds (if anything). I am not familiar with the MS product, so I cannot help you unload it. Again, as posted by others in other threads, if it is a paid product, we don't want you throwing your money away... So, maybe an expert can give some guidance here.

    2. I am seeing significant work that needs to be done with HJT, but again, an expert will serve you better. I am still learning the product. We don't want to break your computer by "checking" something we shouldn't!

    So, of the several experts that watch this board, maybe one will have a chance to look in and help out soon.
    Good Luck.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    B00kWyrm is correct in pointing out that you have two programs which contain an antivirus application. I have outlined the entries below for you and identified them so you will understand the contents of each:

    Windows OneCare Live: #Antivirus, antispyware, and firewall, Wireless networking security, Online identity theft protection
    Avira AntiVir PersonalEdition Classic >>> Free Antivirus 9.0.0.394
    Since the presence of more than one antivirus program can potentially cause conflicts which could reduce their security protection, you should remove one of them. Since you have paid for Windows Live OneCare - unless it offers a trial version - you might want to remove the free Avira instead.

    Step 5 is for free Superantispyware. The link displayed for me with no problem:
    http://www.techspot.com/downloads/2695-superantispyware.html

    Here is the cause of your redirects: This entry and all of the following O1 entries:
    This means that whenever the URL to the right of the entries (Google) above is entered, instead of taking you to that site, you are being redirected to IP 94.247.2.216. This IP belongs to:
    role: DATORU EXPRESS SERVISS HostMaster
    address: 18. novembra street 319C
    address: Daugavpils, LV-5413
    address: Latvia

    So we need to remove these entries as follows:
    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Please download ComboFix HERE:
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    When finished, please rescan with HijackThis and attach new log with Combofix report.

    So the order you follow is:
    1. Decide on which antivirus program you want to keep.
    2. Uninstall the 'other' AV program or the suite containing the AV program.
    3. Open HJ, follow the removal entries.
    4. Download and run Combofix.
    5. Attach new HJ log and Combofix report.

    NOTE on removing AV program:
    This is best done in Safe Mode:
    Reboot the computer> let the logo load and then begin tapping the F8 key BEFORE Windows starts to load> continue tapping until Safe mode displays:
    Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK ALL entries for the AV/Security program you are NOT going to keep> Apply> OK.
    IF you are removing Avira:
    Start> Run> services.msc> find each Service below> double click to open> Change Startup type to Disabled> Stop the Service
    Control Panel> Add/Remove Programs> highlight and then UNINSTALL THAT program.

    Reboot into Normal Mode> ignore the nag message that comes up and close it after checking 'don't show message again'. Stay in Selective Startup.

    B00kWyrm, nice setup. thank you.
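The redirect described in the post above works through hosts-file entries, which HijackThis lists as O1 items. As an added example (not part of the original thread or of any tool named in it), this Python code lists hostnames that a hosts file forces to a routable address; the sample file is constructed, with the IP taken from the post and the hostnames assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a hosts file with the kind of redirect described in the
# thread. The IP is the one quoted in the post; the hostnames are assumptions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
94.247.2.216    www.google.com google.com   # injected
94.247.2.216\twww.google.co.uk
0.0.0.0         ads.example.net
not-an-ip       broken.example
::1             localhost
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address: skip
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_redirects(text):
    """Group hostnames by the routable address the hosts file forces them to.

    Loopback and unspecified (0.0.0.0 / ::) targets are the usual localhost
    or blocking entries, so they are not reported.
    """
    hits = defaultdict(list)
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits[str(ip)].append((line_no, name))
    return dict(hits)

if __name__ == "__main__":
    for ip, entries in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(entries)} hostname(s) overridden")
        for line_no, name in entries:
            print(f"  line {line_no}: {name}")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; legitimate intranet mappings will also be listed, so the output is a list to review, not a verdict.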
     
  6. Vulchur

    Vulchur TS Rookie Topic Starter

    New logs

    Here are the logs. Lot of the redirect issues in search engines are gone. Thanks a lot. However, I'm still having a little trouble with a few sites. eBay to name one.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What is the problem you're having when you try to access the sites? Please be specific.

    Regarding entries in Combofix:
    I notice you have some open ports, any reason?
    The Universal Plug N' Play (UPnP) system operates over two ports: UDP/1900 and TCP/5000.

    Re Port 5000
    The FBI has Strongly Recommended that
    All Users Immediately Disable Windows'
    Universal Plug n' Play Support
    http://www.grc.com/unpnp/unpnp.htm

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    There is also an entry left from McAfee: and should be removed.
    Using Avira:
    2009-04-21 00:44 . 2008-12-14 00:16 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee


    Your Adobe Reader is out of date. Most current version: Adobe Reader 9.1. Vulnerabilities can be exploited. Click here to download the latest version: http://www.techspot.com/downloads/345-adobe-reader.html
    OR
    Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

    After either updating Adobe or installing FoxIt, you should uninstall the earlier version 7 in Add/Remove Programs.

    I don't see any malware in the HJ log. If the original problem has been resolved, we can remove the cleaning tools and old restore points:

    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:
    Please let me know if I can be of more help.
     
  8. Vulchur

    Vulchur TS Rookie Topic Starter

    No, I don't recall opening any ports recently. Adobe has been updated and McAfee files have been deleted. Waiting on OTCleanIT. The issue with certain sites is that my browser won't load them. ie: the site you just posted grc.com/unpnp/unpnp.htm I get the message "Internet Explorer cannot display the webpage". Even in Firefox I get a "Failed to Connect" screen.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I get http://www.grc.com/unpnp/unpnp.htm with no problem on Firefox.
    I also get it on IE6, but with third party Cookie Alerts because of the way my security is set. When I block each or all these Cookies, the sites load.

    So my guess is that some setting you have in the browsers is blocking the URLs, but 'can't display' sounds like the phishing filter and 'can't connect' sounds more like a server problem.

    the ports are setting for portforwarding:
    5000-5001,5050 tcp applications Yahoo Messenger Chat Portforward
    5000-5001 tcp applications Yahoo Messenger Voice Chat Portforward

    I think this is discouraged because of a security risk. I am going to consult another helper about this though. Will be back.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For some reason, I had in my head that you had the Kerio firewall. But I don't see it. That means you need to get a firewall ASAP to block those open ports. Here is one recommendation:

    Download the Comodo Firewall Pro 3.5.57173.439 HERE and save to your desktop.
    Double-click the set-up on the desktop and run the program.
    Follow the onscreen prompts.
    It "should" block these ports.

    Please update and run Combofix again to make sure the ports are closed.
    Follow with new scan with HJ. Attach both report and log.


    IF clean, you can go ahead and remove the cleaning tools - but let me review the logs first.
     
Topic Status:
Not open for further replies.
