TechSpot

Search redirect in IE8/Firefox

By bboisvert
Jun 9, 2010
  1. Looks like this topic is quite popular this week. Similar symptoms as everyone else. WinXP SP3, using Firefox or IE8 and clicking on search links from either Google or Bing redirects to random bogus search sites.

    I tried running the 8 steps from the top of the forum. Malwarebytes log is attached. It cleaned up some things and now comes up clean on subsequent reruns. TrendMicro scan comes up clean. ESET online scan comes up clean. AdAware and Spybot S&D come up clean. I ran ComboFix twice but it still persists. I tried running GMER at least 3 times. Each time it BSOD'd at random places. TFC.exe locks up the computer. HijackThis log is available. I'll stop dinking around trying different self-serve things and wait for further instruction from the smart people. :>)

    Thanks,
    b
     

  2. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    You shouldn't be running Combofix by yourself.

    You didn't complete all steps. I don't see DDS logs.

    Post both Combofix logs.
     
  3. bboisvert

    bboisvert TS Rookie Topic Starter

    See attached. The second ComboFix log overwrote the first, so this is the 2nd iteration. DDS logs are also included.

    Also note that I am not able to visit update.microsoft.com from either IE8 or Firefox.

    Thanks,
    ~b
     

  4. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Please, don't zip attached files.
    Look in your C:\ folder. You should see ComboFix2.txt file. Post it in your next reply.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     

  5. bboisvert

    bboisvert TS Rookie Topic Starter

    The download of TDSSKILLER.ZIP generated a TrendMicro Realtime Scanner message: Virus=Cryp_Zed-16, Result=Passed a potential security risk.

    Should I continue? Disable AV scanner first?
     
  6. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Whatever works. Ignore warning, or disable Trend.
     
  7. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    It's bedtime for me, so we'll continue tomorrow.
    You're infected with a rootkit, so make sure you don't play around with any solutions of your own.
     
  8. bboisvert

    bboisvert TS Rookie Topic Starter

    Gotcha. Running now. Will check back in the AM.
     
  9. bboisvert

    bboisvert TS Rookie Topic Starter

    Here is the TDSSKiller report. The util seems to have found the rootkit and zapped it. Search links are working correctly as is Windows Update. Should I run any post-removal utils or do any additional steps?

    Thanks,
    ~b
     

  10. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    I need you to re-run TDSSKiller one more time and post a fresh log.

    Also, delete your Combofix file, download a new one, run it and post a fresh log.
     
  11. bboisvert

    bboisvert TS Rookie Topic Starter

    See Attached.
     

  12. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Very good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ======================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post the HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  13. Broni

    Broni Malware Annihilator Posts: 52,904   +344

    Are you still out there?
     
Topic Status:
Not open for further replies.
