Inactive Redirected searches (yeah, again)

Status
Not open for further replies.

mikelorus

Posts: 41   +0
I feel kind of bad making yet another thread about redirected search engine searches, but I have that problem, and it looks like there is no one-size-fits-all solution for this. So, apologies for whoever has to deal with this AGAIN.

Anywhoo, these are the logs from Malwarebytes, HijackThis, and SUPERAntiSpyware, as these are the logs that seem to be necessary.

I hope that's all you guys need, and thank you in advance for taking the time to help out.
 

Attachments

  • SUPERAntiSpyware Scan Log - 02-06-2010 - 19-55-46.log
    1.3 KB · Views: 1
  • mbam-log-2010-02-06 (20-08-31).txt
    916 bytes · Views: 1
  • hijackthisFeb6.txt
    10.6 KB · Views: 1
Please download ComboFix from Here or Here to your Desktop.


**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thank you for your quick reply. I did as you asked, and here are the two files.
 

Attachments

  • logcombo.txt
    24.9 KB · Views: 5
  • hijackthisFeb9.txt
    10.5 KB · Views: 0
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

MBR::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Here are the files after having done that. Again, thank you for all your help.
 

Attachments

  • HJT Feb 9.txt
    10.2 KB · Views: 1
  • ComboFix.txt
    23.1 KB · Views: 3
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

How is the redirection issue?
 
I just went through 30 or so searches, and it was all good. Thank you very much for your help on this issue, I really appreciate the time you put in to help me.
 
We're not totally done yet :)
We need to be sure your computer is perfectly clean.

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post a fresh HijackThis log as well.
 
Here they are. That scan took forever =X
 

Attachments

  • HJT Feb 10.txt
    10.4 KB · Views: 2
  • KasperskyFeb10.txt
    1.2 KB · Views: 3
Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Processes

:Services

:Reg

:Files
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\5aa57f31-1ae5e606
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\60b62ac9-30b2e997

:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
Here it is. Feels good knowing that all that unnecessary crap is being cleaned out of my comp.

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\5aa57f31-1ae5e606 moved successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\60b62ac9-30b2e997 moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Michael
->Temp folder emptied: 94429247 bytes
->Temporary Internet Files folder emptied: 384897 bytes
->Java cache emptied: 128013 bytes
->FireFox cache emptied: 89800549 bytes

User: NetworkService
->Temp folder emptied: 896 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 22312 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 176.00 mb


OTM by OldTimer - Version 3.1.8.0 log created on 02102010_144330

Files moved on Reboot...

Registry entries deleted on Reboot...
 
Very good :)

Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

=======================================================================

Disable Windows Defender, as it'll interfere with the cleaning process:
- Open Windows Defender by clicking Start, clicking All Programs, and then clicking Windows Defender.
- Click Tools
then...

++ Windows XP:
- Click General Settings
- Scroll down to Real Time Protection Options
- Uncheck Turn on Real Time Protection
- After you uncheck this, click on the Save button
- Close Windows Defender

++ Windows Vista:
- Click Options
- Under Administrator options, clear the Use Windows Defender check box, and then click Save.

Enable Windows Defender, when all cleaning is done.

======================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
- O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE


4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
- O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
- O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
- O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
- O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
- O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
- O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
- O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
- O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
- O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
- O4 - Startup: Registration Assassin's Creed.LNK = C:\Program Files\Ubisoft\Assassin's Creed\Register\RegistrationReminder.exe
- O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
 
Stumped by a Hijacked browser

First time here and have tried most spyware/malware scanners out there. Here is the log before I toss the hard drive in hopes someone can identify something that keeps eluding me.

Thanks in advance for the help!

PWT
 

Attachments

  • hijackthis.log
    11 KB · Views: 1
We're almost there, but apparently I missed a couple of entries.
Re-run HJT and checkmark:
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost

Click "Fix checked" button.
Post fresh HJT log.
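The `ÿþ` prefix on that first O1 line is how a UTF-16 LE byte-order mark (bytes FF FE) renders when a file is read as single-byte ANSI text. As an added example, not code from the thread or from HijackThis/OTM, here is a small Python checker that handles that encoding case and lists hosts entries that redirect names to outside addresses or pin them to loopback; the sample hosts content it uses is constructed.

```python
# Added example, not from the thread or from HijackThis/OTM: inspect a Windows
# hosts file the way a defender would after a search-redirect cleanup.
# Bytes FF FE at the start of a file are a UTF-16 LE byte-order mark; read as
# single-byte (ANSI) text they render as "ÿþ", the prefix HijackThis showed.
import codecs
from typing import Dict, List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample file (UTF-16 LE with BOM), not the poster's real hosts file.
SAMPLE_HOSTS = codecs.BOM_UTF16_LE + (
    "# constructed sample\r\n"
    "127.0.0.1 localhost\r\n"
    "::1 localhost\r\n"
    "203.0.113.5 www.search-example.test  # name sent to an outside address\r\n"
    "127.0.0.1 update.av-example.test\r\n"
).encode("utf-16-le")


def mojibake_prefix(raw: bytes) -> str:
    """Show how the first two bytes look when a tool reads the file as ANSI."""
    return raw[:2].decode("latin-1")


def decode_hosts(raw: bytes) -> Tuple[str, str]:
    """Return (text, encoding label), stripping any byte-order mark."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le"), "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[2:].decode("utf-16-be"), "utf-16-be"
    if raw.startswith(codecs.BOM_UTF8):
        return raw[3:].decode("utf-8"), "utf-8"
    return raw.decode("latin-1"), "ansi"  # plain Windows hosts file


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs with comments and blank lines removed."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def classify_hosts(raw: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """'redirected': names sent to a non-loopback address (search-hijack style);
    'blocked': names other than localhost pinned to loopback (e.g. update sites)."""
    text, _ = decode_hosts(raw)
    result: Dict[str, List[Tuple[str, str]]] = {"redirected": [], "blocked": []}
    for ip, name in parse_hosts(text):
        if ip not in LOOPBACK:
            result["redirected"].append((ip, name))
        elif name != "localhost":
            result["blocked"].append((ip, name))
    return result
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` in binary mode and pass the bytes to `classify_hosts`; an empty result for both keys is what a clean file looks like.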
 
Good you made a mistake, now I know you aren't some sort of virus fighting bot >.>
 

Attachments

  • HJT Feb 10.txt
    8.9 KB · Views: 2
I know you aren't some sort of virus fighting bot
Hahahaha....


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
MBR Stealth Rootkit / Sinowal

This is an amazing solution - I needed this 3 weeks ago!

Detection appears to have improved (log entry appearing in message #5).
Code:
Infected copy of c:\windows\system32\DRIVERS\nvatabus.sys was found and disinfected

The key to the solution appears to be CFscript and invoking mbr.exe from ComboFix. This prevents the re-infection.

The first signs pointed to rootkit infection referred to as MBR Stealth or Sinowal or Mebroot, as shown by log entry from message #3.
Code:
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9decbb0
 PacketIndicateHandler -> NDIS.sys @ 0xb9df9a21
 SendHandler -> NDIS.sys @ 0xb9dd787b
Is there any residual problem left behind when it comes to the mirror copy of the directory structures? I believe that this infection stole disk allocation by marking blocks used to hide parts of the payload.

<Reasoning for the question.>

I am speaking of the MFT. A mirror copy is kept. For the variety of rootkit I encountered, I felt that it used free area of the hard drive to hide code called by the hooked code. I clearly saw sectors in track 0 were part of the payload. Supposedly the rootkit hid code in free space of the hard drive to overwrite drivers. From this I infer that the malware could only protect this area by showing its allocation in the MFT.

Background:
Before proceeding with disinfecting: chkdsk infected drive; clone the drive; and verify cloned drive is bootable.

Method 1: Ghost9 clone produces a image copy of infected drive. Restoring image to clone drive reports "mismatch" error. Cloned drive is bootable. Demote clone to slave; chkdsk finds no errors.

Method 2: XXclone produces a file copy version of infected drive. No errors reported. Cloned drive is not bootable. Demote clone to slave; chkdsk finds lost blocks; creates file0000. In theory this method does not copy a file or folder if it is absent from the directory structures. XXclone was able to clone (a bootable copy) an uninfected version.

Method 3: Partition Magic 8 checks drive for errors and reports "mismatch" errors.

General: I could not verify what the defect was that was reported as "mismatch". XXclone chkdsk error makes no sense since file copy makes changes to MFT; in this case MFT started clean and changes to MFT correspond to files successfully copied to the drive.

Observation: Even with a clean track 0, the corrupted driver(s) was still able to plant its hooks. From my perspective, this gave weight to code hidden in free space. Other utilities (Ghost9, Partition Magic, XXclone) found discrepancies with disk structure and/or allocation.
 
Awesome. My Google searches haven't redirected me yet, and there are no more popup tabs. Thank you for all your help Broni, you are a gentleman and a scholar.
 
Epic bump >.<

I really hate to be constantly bringing problems into this site, but my searches are redirecting again and just by browsing threads, and there seems to be so many different ways to get rid of it. I feel really bad about constantly asking for help here =.=


HJT is below, malwarebytes and super anti spyware both say my comp is clean, should I run combofix like before?
 

Attachments

  • hijackthismay20.log
    9.4 KB · Views: 2
Not a problem, but I guess you have to pay more attention to your computer habits especially being on the net.
Maybe, replacing McAfee with something better is not a bad idea.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
When the combofix scan starts, it just goes to a BSoD. I tried uninstalling it and downloading it multiple times straight to my desktop every time it has happened.
 