Inactive Search redirect in IE8/Firefox

Status
Not open for further replies.

bboisvert

Looks like this topic is quite popular this week. Similar symptoms as everyone else. WinXP SP3, using Firefox or IE8 and clicking on search links from either Google or Bing redirects to random bogus search sites.

I tried running the 8 steps from the top of the forum. Malwarebytes log is attached. It cleaned up some things and now comes up clean on subsequent reruns. TrendMicro scan comes up clean. ESET online scan comes up clean. AdAware and Spybot S&D come up clean. I ran ComboFix twice but it still persists. I tried running GMER at least 3 times. Each time it BSOD'd at random places. TFC.exe locks up the computer. HijackThis log is available. I'll stop dinking around trying different self-serve things and wait for further instruction from the smart people. :>)

Thanks,
b
 

Attachments

  • hijackthis.log
    18.8 KB · Views: 1
  • mbam-log-2010-06-09 (15-18-18).txt
    893 bytes · Views: 1
"I ran ComboFix twice but it still persists."
You shouldn't be running Combofix by yourself.

You didn't complete all steps. I don't see DDS logs.

Post both Combofix logs.
 
See attached. The second ComboFix log overwrote the first, so this is the 2nd iteration. DDS logs are also included.

Also note that I am not able to visit update.microsoft.com from either IE8 or Firefox.

Thanks,
~b
 

Attachments

  • ComboFix.txt
    28.4 KB · Views: 1
  • DDS and Attach.zip
    14.6 KB · Views: 1
Please, don't zip attached files.
Look in your C:\ folder. You should see ComboFix2.txt file. Post it in your next reply.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
 

Attachments

  • Attach.txt
    22.4 KB · Views: 0
  • DDS.txt
    26.1 KB · Views: 0
The download of TDSSKILLER.ZIP generated a TrendMicro Realtime Scanner message: Virus=Cryp_Zed-16, Result=Passed a potential security risk.

Should I continue? Disable AV scanner first?
 
It's bedtime for me, so we'll continue tomorrow.
You're infected with a rootkit, so make sure you don't play around with any solutions of your own.
 
Here is the TDSSKiller report. The util seems to have found the rootkit and zapped it. Search links are working correctly as is Windows Update. Should I run any post-removal utils or do any additional steps?

Thanks,
~b
 

Attachments

  • TDSSKiller.txt
    61.3 KB · Views: 2
I need you to re-run TDSSKiller one more time and post fresh log.

Also, delete your Combofix file, download new one, run it and post fresh log.
 
Very good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


Download HijackThis:
http://free.antivirus.com/hijackthis/
by clicking on Installer under Version 2.0.4
Install, and run it.
Post HijackThis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 