Search redirection malware, 8 steps done without success

Status
Not open for further replies.
I appear to have the popular search redirection problem at the moment. Running XP Home edition, SP3. Followed all eight steps, no luck. I did, however, note that while running IE in safe mode with networking, the redirects did not appear to be happening. So, maybe whatever is doing the redirecting is not loaded in safe mode, I don't know.

Attached are the logs, I've gone through a couple of iterations of different scanners like Kaspersky, Malwarebytes, etc., prior to discovering this site and its eight steps. Previous scans had noted a few trojans which were cleaned and removed. Now, all of my scans come up clean (including AVG virus scans), but no dice - the search redirect is still going on. All I get now are tracking cookies, all of the scans are missing the "real" infection.

This all started a few days ago when my wife somehow downloaded Systemguard from a popup, I don't really even know how, she doesn't either. Scanning seemed to clean out Systemguard OK, and I thought everything was cool, until I started using a browser again, and noted the redirects. Don't know if there's a connection, but it would be a heck of a coincidence!

If it matters, the redirects are happening with IE, Firefox, and I even downloaded Chrome to see if that would work too. Getting the redirects with all of them. I have since uninstalled a ton of crap from my computer, trying to strip it bare (and back up stuff, in case I need to wipe and reinstall XP).

All help is appreciated, thanks!

Brian
 
Ok, ran the Avira full scan, after uninstalling AVG. It found a single trojan, identified as "iview392.exe". Cleaned up the infection, and rebooted. Unfortunately, the search redirection still persists.

I've attached the logfile from the Avira scan.
 
Download Combofix

Combofix:
  • Download Combofix to your desktop.
  • Disable your Antivirus (as Combofix will remove any malware it finds)
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here
Also restart and provide a fresh HJT Scan log

-------------------

Note: You may still have the redirection issue after this
It is likely that I will ask you to follow a recent post I made HERE
But this depends on if Combofix reports "atapi.sys" as being suspect in the Combofix log (which I think it will)
 
Welcome to TechSpot, btuftee. I'll help with the malware. There is a squall line coming through and I'm on battery, so if I stop in the middle and have to close down, that's why.

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
iview392.exe is for IrfanView

Do you have a file on the F drive named 'internet junk'? That's the entry that had the Trojan.

The logs are clean. Almost all malware that I'm seeing will send the user to another site rather than the one they've chosen. Usually it's not the type of site you'd go looking for. Everyone is calling it a 'Google Redirect' because most use Google.

There are two programs named 'Systemguard':
1. McAfee SystemGuards: this had a Service with it- I don't see it running on your machine.

2. System Guard 2009 is a rogue anti-spyware program from the same family as Antivirus 2009 and Spyware Guard 2009. This program is advertised through the use of Trojans and misleading advertisements on web sites. When System Guard 2009 is promoted via web sites it is done so using pop-ups stating that your computer has infections. You can find several screen shots of this malware here: http://www.bleepingcomputer.com/virus-removal/remove-system-guard-2009

Please describe the 'redirect' precisely. Are you being sent to an undesirable site instead when you choose a site from a search? I worked with someone today who said she had a Google redirect. But it turned out she was putting a URL site address in the Google search box instead of the Address Bar so the site didn't load- but she described it as a 'Google Redirect.'

I did, however, note that while running IE in safe mode with networking, the redirects did not appear to be happening.

Interestingly enough, in this mode, security programs don't load. Here is a fuller description:
  • Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.

The line in BOLD would be a good place to start looking for the problem.

Please run this online scan to see if anything is found:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Attach the log in next reply.
 
While the computer was on and running earlier today (without IE open or anything, and physically unplugged from the network), Avira popped up with another trojan detection warning, so I ran a full Avira scan again and disinfected a few trojans. A second scan pronounced the machine clean again (said it needed to reboot to clean the infection, so I did that). The Avira log with the detected trojan is posted, but I didn't post the log from the clean scan.

Attached is the Combofix log; as you suspected, it found an issue in atapi.sys. When Combofix started to run, and was partially through its scan, it said that it detected rootkit activity, rebooted, and then finished its scan.

I know that the original infection was definitely the Systemguard malware, no doubt about it.

The malware symptoms are a search redirect... if I type a URL directly into the address bar (or load a favorite), there are no issues. However, if I run a search (Google, Yahoo), and try to click on a link contained on the search results page, it will perform the redirection.

The ESET scan is running as I type this (I'm on another computer, the infected machine is isolated!), will report with more info once ESET is done. Will also reboot and post my Hijackthis log.
 
F:\System Volume Information\_restore{76DFFA47-9EA0-4D87-9CCD-FC2FD87E3917}\RP1449\A0122541.exe
[DETECTION] Is the TR/Spy.871424.1 Trojan

The Trojan was found in the system restore points. (System Volume = System Restore points.) It appears to have come from the media libraries. The Eset scan should show if it is still active on the system. We'll have you drop all the old restore points and create a new, clean one when the system has been cleaned.

Since you're trying to use Safe Mode as a diagnostic, this might help:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

Using Safe Mode to determine a basic source of a problem: The choices:
  • Safe Mode: Loads the minimum set of device drivers (serial or PS/2 mouse devices, standard keyboards, hard disks, CD-ROM drives, and standard VGA devices) and system services required to start Windows XP/2000/2003 (Event Log, Plug and Play, remote procedure calls (RPCs), and Logical Disk Manager). User specific startup programs do not run. This is helpful in determining whether problems are due to specific programs.
  • Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.
  • Safe Mode with Command Prompt: Starts the computer in safe mode, but displays the command prompt rather than the Windows GUI interface.
  • Last Known Good Configuration, which starts your computer using the registry information that was saved at the last shutdown.

So by using the different options of Safe Mode, you can sometimes determine what the area of problem is- and isn't.

I try to discourage the use of Safe Mode with Networking except when absolutely necessary, since the security programs don't load.

 
OK, the ESET scan finished and found "Win32/Olmarik.RF" and removed it.

Rebooted and ran a hijackthis scan, it's posted below.

Running another Avira scan right now....
 
Okay, let's clarify the Trojans:

Original Avira scan: Wednesday, December 02, 2009 12:26
Begin scan in 'F:\' <Media Storage>
F:\Internet Junk\iview392.exe
[DETECTION] Is the TR/Spy.871424.1 Trojan

Beginning disinfection:
F:\Internet Junk\iview392.exe
[DETECTION] Is the TR/Spy.871424.1 Trojan
[NOTE] The file was moved to '4b80014a.qua'!

Next Avira scan: Thursday, December 03, 2009 18:20
Note: Trojan is in a system restore point- your system is safe. Old restore points will be removed when we're through. Don't use system restore now. This is NOT a new find.
F:\System Volume Information\_restore{76DFFA47-9EA0-4D87-9CCD-FC2FD87E3917}\RP1449\A0122541.exe
[DETECTION] Is the TR/Spy.871424.1 Trojan

Beginning disinfection:
F:\System Volume Information\_restore{76DFFA47-9EA0-4D87-9CCD-FC2FD87E3917}\RP1449\A0122541.exe
[DETECTION] Is the TR/Spy.871424.1 Trojan

Eset online Scanner:
Qoobox is where Combofix puts the quarantined files. This will be removed when we uninstall Combofix. This is NOT a new find.
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.RF virus deleted - quarantined
----------------------------------------------------------------------------
Trojans now off the system, cannot infect unless you use old restore points- don't!
----------------------------------------------------------------------------
Congratulations! Your system is now clean. If your problem has been resolved, please do the following:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

You can delete the Trojan in the Avira quarantine. Restore Points are clean. Qoobox emptied.

If you are still getting the redirect, we will have to consider a system problem.
 
Wow, huge thanks to Bobbye and kimsland... everything looks clean now. I've run several scans now with no threats detected, and most importantly, all of the search redirection has stopped.

Many thanks!!
 
You're welcome! Here are some tips for you:

Please follow these simple steps to keep your computer clean and secure:

1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get all updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use
5. Use an AntiVirus Software (only one)
6. Use a good, bi-directional firewall (one software firewall)
  • See Understanding and Using Firewalls including links to download a firewall.

7. Consider these programs for Extra Security
  • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.


Let us know if you need more help in the future.
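The hosts-file mechanism described under MVPS above (names sinkholed to 127.0.0.1) is the same file a hijacker can abuse in the other direction, by pointing search or update domains at a routable address. Below is an added read-only checker, not from this thread or from MVPS, that parses hosts-file text and separates benign sinkhole entries from suspicious overrides; the sample file contents and the watch list of domains are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a Windows hosts file (on XP: C:\WINDOWS\system32\drivers\etc\hosts).
# First entries mimic an MVPS-style blocklist; the last two are the kind of override a
# defender wants flagged: search/update domains sent to an address that is not the local box.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ad.doubleclick.net          # blocked ad server (benign, MVPS-style)
0.0.0.0    tracker.example-ads.invalid
192.0.2.10      www.google.com           # suspicious: search engine redirected off-box
192.0.2.10  www.microsoft.com  update.microsoft.com
"""

# Domains that should never be overridden in hosts (constructed watch list for the example).
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "microsoft.com", "avira.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank, comment-only, or malformed line
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # not an address, skip the line
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def _is_watched(name: str) -> bool:
    """True if name is a watched domain or a subdomain of one (no 'notgoogle.com' false match)."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def classify_hosts(text: str) -> Dict[str, List[str]]:
    """Split entries into MVPS-style sinkholes and overrides of watched domains."""
    result: Dict[str, List[str]] = {"blocked": [], "hijacked": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            result["blocked"].append(name)       # resolves to the local box: a block entry
        elif _is_watched(name):
            result["hijacked"].append(f"{name} -> {ip}")   # routable override of a key domain
    return result
```

Any entry in the "hijacked" list is worth investigating; a legitimate MVPS install produces only "blocked" entries.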
 