Search engine results redirecting

Status
Not open for further replies.

ruari

Posts: 9   +0
hi,
all my browsers are running very slowly and all search engine results keep being redirected to often unrelated pages. From reading other posts here, I assumed there is some sort of virus on my machine, so I tried a few free antivirus scans but with no real results.
I would be very grateful if someone could tell me how I could rectify this problem?
cheers, r
 
Sounds like a type of spyware called "web browser hijacking".

Go to http://www.download.com and download/install/run the following 3 antispyware utilities:

  • AVG 8.0
  • Ad-Aware 2008
  • Spybot Search & Destroy

Repost with results.

Best,
-- Andy
 
cheers, I've run AVG 8.0 and Ad-Aware 2008, but Spybot wouldn't install, so the problem is still here. Any other ideas?
thanks again
 
Rats!! Of the 3 anti-spyware utilities I recommended, it's Spybot that is the best at removing hijackers. Try restarting in Safe Mode and see if Spybot will install there. If you can't, you're in a pickle.

Repost if you can't install Spybot in Safe Mode.

Best,
-- Andy
 
While I am not the best at reading them, a lot of users here are very adept at reviewing "HijackThis" logs. Download HijackThis, run it, and post the results.

Though it may not be the most advanced remedy for this particular problem, I have had the same problem you describe in the past, and a system restore to a date before the problems began cured it while most malware/spyware removal tools could not. It might work for you as well, but I still recommend creating a HijackThis report first.
 
I've however installed HJT so hopefully this will help...

the HJT log is as follows (I don't know if this helps):
moderator edit: log removed. logs should be posted as attachments, not copied pasted.
 
I've however installed HJT so hopefully this will help...

We offer malware cleaning with instructions for disabling Real Time protection, updating Java if needed, running the malware programs and attaching the logs. You were given the URL by a member as:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/


The HijackThis program is run AFTER the other cleaning programs, not before. We then check the logs for additional removals.

Please read this: How to post your Hijackthis log-file as an ATTACHMENT
https://www.techspot.com/vb/topic19133.html

Additionally, a server with IP 85.255.112.113 is shown. This is in the Ripe Network. I cannot connect to their database at this time, but will try to ID the Netname later.

Edit: I was finally able to access the Ripe database: IP 85.255.116.214 is assigned as follows:
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
Country Code UA>> Ukraine

Is this your ISP?
 
Please boot into safe mode.

Next, go to Start > run and type services.msc

Search for "Windows Tribute Service" and set the start up type to 'disabled' (right click properties).

Then run HijackThis and fix the following entries:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [5FF.tmp] C:\Windows\temp\5FF.tmp
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4052AC-4CD9-4E36-BF27-7602D2E57245}: NameServer = 85.255.112.113;85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A2832AB-274F-425F-9C58-ABFFE9B13C80}: NameServer = 85.255.112.113;85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C4052AC-4CD9-4E36-BF27-7602D2E57245}: NameServer = 85.255.112.113;85.255.112.73
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C4052AC-4CD9-4E36-BF27-7602D2E57245}: NameServer = 85.255.112.113;85.255.112.73
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdtde.exe
Search for C:\Windows\system32\kdtde.exe and delete it.

Reboot into normal mode, then scan and save a fresh HijackThis log. Post it here in your next reply.
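
The entries flagged in the post above can be triaged programmatically. This is an added example, not part of the original thread or of HijackThis itself; the `triage` and `unexpected_dns` helpers, the zeroed GUID and the `192.168.1.0/24` trusted range are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: entries quoted in the post above, plus one benign O17
# line (zeroed GUID and 192.168.1.1 are assumptions, not from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [5FF.tmp] C:\Windows\temp\5FF.tmp
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4052AC-4CD9-4E36-BF27-7602D2E57245}: NameServer = 85.255.112.113;85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdtde.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def unexpected_dns(body, trusted):
    """Yield NameServer addresses in an O17 body that fall outside `trusted`."""
    value = body.partition("NameServer = ")[2]
    for ip in IPV4.findall(value):
        try:
            ok = any(ipaddress.ip_address(ip) in net for net in trusted)
        except ValueError:
            ok = False  # malformed address: report it rather than skip it
        if not ok:
            yield ip

def triage(log_text, trusted_resolvers):
    """Return (code, reason, line) tuples for entries worth a closer look."""
    trusted = [ipaddress.ip_network(n) for n in trusted_resolvers]
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O17":  # per-adapter DNS override
            findings += [(code, f"unexpected DNS server {ip}", line) for ip in unexpected_dns(body, trusted)]
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO registered but its file is missing", line))
        elif code == "O4" and re.search(r"\\temp\\[^\\]+\.tmp$", body, re.I):
            findings.append((code, "autorun launches a .tmp file from a temp folder", line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service with unknown owner", line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"{code}: {reason}\n    {line}")
```

These are triage heuristics: a flagged line is a lead to check against what the machine's owner expects, which is why the thread asks whether the resolver belongs to the ISP before removing it.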
 
I tried to install Spybot in safe mode but it still wouldn't work

I'm going to let momok continue with these logs. But I want to point something out. There is an AV program and 2 spyware/adware programs being recommended by one member, in place of the cleaning programs that are recommended by TechSpot. Those 3 programs DO NOT do the type of cleaning we usually need here for heavy malware infections. They are programs that should be run on a system on a regular basis, but NOT used for the cleaning.

Additionally, AVG has been beset by problems since v8 came out. It is NOT the recommended first choice for an AV program. Even AdAware has evolved to a less than satisfactory program over the years. I use or have used all three of these programs on 2 systems over a number of years.
 
ok cheers, will do it now

here is the requested new HJT log:

the attachment wouldn't show up so here it is:

moderator edit: log removed. logs should be posted as attachments, not copied pasted.
(2nd Notice)
 
Gosh it's tough to go through a log when it's pasted in! What happened that it wouldn't attach?

Anyway, hopefully momok can take you through this one:
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdetx.exe
Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):
C:\Windows\system32\kdetx.exe
As you can see, it's still on the log. I see some have run ComboFix and still had it, then required script on Notepad and a regedit to get rid of it!

I'd have Hijackthis remove these though:
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [5FF.tmp] C:\Windows\temp\5FF.tmp
O13 - Gopher Prefix:
IF this is a special entry of yours, leave it:
O8 - Extra context menu item: E&xportálás a Microsoft Excel programba - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
And once more:
Can you verify the IP here. As mentioned previously it belongs to:
Additionally, a server with IP 85.255.112.113 is shown. This is in the Ripe Network.
IP 85.255.116.214 is assigned as follows:
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
Country Code UA>> Ukraine
If this is your ISP or your company network, leave it alone. Can you identify it?
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C4052AC-4CD9-4E36-BF27-7602D2E57245}: NameServer = 85.255.112.113;85.255.112.73
 
I'm not sure, I just kept attaching it, and it kept saying it was already attached, but I couldn't see it!
I'm not sure how to find what my IP is?
cheers
 
Hi, I believe that is your old log as it states 27-10-2008.
Please run a new scan and save that log. Attach it here in your next reply. If you really can't, then copy and paste. We (one of us mods) will help you attach it after that.
 
You should fix these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

I don't see other bad items. How's your system running now?
 
Then you're good to go.
  1. Please download and run CCleaner via step 3 of the instructions HERE.

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.
 
momok, the site with the System Restore explanations, screen shots and directions for turning off System Restore is excellent. I'd like to pass something on that I learned from kimsland> it's particularly good for the 'after cleaning' process:

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

This is not meant to replace the understanding of the System Restore process but I have found it helpful at the end of cleaning, along with removing the cleaning tools.
 
momok, the site with the System Restore explanations, screen shots and directions for turning off System Restore is excellent. I'd like to pass something on that I learned from kimsland>...

I have now an easier option:

-------------------------------

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

-------------------------------

This was discovered around the same time I created the new guide:
Control Panel Applets & Windows Shortcuts
 