Completed steps - logs for analysis

Status
Not open for further replies.

andiejac

I encountered a problem earlier today with what I believe to be a search engine redirect virus. When I would do a Google search and click on the site I wanted to go to, it would redirect me elsewhere.

So, after doing a little research I ran into the steps for removing the virus/malware, and have followed all the steps.

I am currently running Norton Antivirus. In addition to your analysis of the logs, I'd appreciate any recommendations about which antivirus you recommend for a home computer.

Please let me know if you have any other questions. And thank you so much in advance for your assistance with this!
 
"Please let me know if you have any other questions."
Yes, does it actually run? It must be running slow with all that.

Here's the steps to recovery ;)

Un-install Ad-Aware

Uninstall Symantec (Norton) Antivirus
Run the Norton Removal tool

Run Startup Control Panel and remove any not required startups: (should be most!)

Install Avira free AntiVirus

Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

Repost the clean Malwarebytes log
And the much smaller HJT log ;)
Oh, and likely a perfectly working computer as a result
 
Thanks for your help - this is much appreciated. :)

I've removed Ad-Aware and Norton, installed Avira and run Malwarebytes. There is nothing found in the Malwarebytes scan, but I'm still having the same issue with search engines redirecting.

Attached are the new logs. Can you please advise the next steps?

Thank you

sorry - forgot to attach the logs. :)
 
Please start up an HJT scan again and remove all the following entries (tick, then press Fix).
Make sure your Internet browser is closed before pressing Fix.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iowatelecom.net
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


The following services are started automatically; you may need to research why:
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
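The helper above is triaging the HJT log by hand: the R1 ProxyServer entry, add-ons whose file is missing, and the AppInit_DLLs line. The script below is an added example written for this thread (it is not code from the forum, the poster, or HijackThis) that applies the same three cues to HJT-style lines automatically. The sample log is a constructed subset of the entries posted in the thread; the section-code format (`R1`, `O2`, `O20`, ...) is as shown in those logs.

```python
"""
Triage helper for HijackThis-style log lines (added example, not part of the
thread or of HijackThis). It flags only what the thread's helper flagged:
an R1 ProxyServer entry, O2/O3 browser add-ons whose file is missing, and
O20 AppInit_DLLs entries, whose DLLs load into every GUI process.
"""
import re

# Constructed sample: a subset of the entries posted in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\\Program Files\\PayPal\\PayPal Plug-In\\OToolbar.dll
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL C:\\WINDOWS\\system32\\guard32.dll C:\\WINDOWS\\system32\\cssdll32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe
"""

# Section code (R0/R1/O2/O20/...) followed by " - " and the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_line(line):
    """Split one HJT line into (section, body); None if it is not an HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def classify(section, body):
    """Return the reasons this entry deserves a look (empty list if none)."""
    reasons = []
    if section == "R1" and "ProxyServer" in body:
        # A proxy set in Internet Settings reroutes browser traffic silently;
        # the thread's helper had this entry removed.
        reasons.append("proxy configured in Internet Settings")
    if section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        # Dead BHO/toolbar registrations are leftovers and can be cleaned up.
        reasons.append("browser add-on points at a missing file")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].split()
        # Every DLL listed here is injected into each process that loads
        # user32.dll, so each name should be accounted for.
        reasons.append("AppInit_DLLs injects %d DLL(s): %s" % (len(dlls), ", ".join(dlls)))
    return reasons


def triage(log_text):
    """Return [(section, body, reasons)] for every flagged line, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = classify(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(section, "-", body[:72])
        for reason in reasons:
            print("    ->", reason)
```

Run on the sample it reports four entries (the R1 proxy, the two dead O2 add-ons and the O20 line) and stays silent on the PayPal toolbar, the Java Run entry and the Avira service, which matches what the helper asked to be fixed versus left alone. It is a first-pass filter, not a verdict: a live file path in an O2/O3 line still needs a human to decide whether that add-on was wanted.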
 
followed next steps - search engine still redirecting

I've "fixed" all the entries that you listed. Then I went back and reran Malwarebytes and HJT again. The logs are attached.

My Google searches are still redirecting to incorrect sites. Also, I see for the first time that the Comodo firewall that I installed is blocking several "intrusion attempts". I don't know how to get a log to show you the specific information, however. If you think this information would be helpful, would you mind walking me through how to get it from Comodo?

Let me know what are the next steps.

Thanks!
Andrea
 
Update - more info and new logs

Well, I hope that I am not messing up my computer too bad, but I found some more things that I tried to fix. I am absolutely no expert, but just scouring the events from the last few days and trying desperately to get the security of my computer back in check.

So, a few days ago I had an issue where my internet would not work at all. I called my service provider, went through the whole unplug and replug the ethernet cord, yada, yada. Nothing was working. Then for some reason I went to the Control Panel and Network Settings. I had 2 LANs, and both were showing as disabled. So I right clicked and enabled the first one, and then internet was back up and running. Problem fixed - or so I thought. :)

Fast forward to yesterday, when my Google searches started redirecting. I did a little research, ended up here and followed all the recommended steps to remove the problem, but Google still redirects.

So, after my last post I started thinking about the LAN issues again and think that this all must be connected somehow. So, I went to Control Panel and Network Connections. There are 3 icons.

First is "Internet Connection" under the heading "Internet Gateway". This shows disabled. But when I look at the Properties and Advanced Settings, I see "Services - Select the services running on your network that Internet users can access." And there are 2 selected listings for Skype. I disabled both.

Second is LAN - showing connected, firewall working.

Third is LAN-3 (or something to that effect - I didn't take a screen shot and now it's gone). This one shows disconnected, but when looking at the Properties the Windows firewall is turned off. I turned it back on.

So then I decide to just uninstall Skype, and while I'm at it I will uninstall VPN since I can't seem to get that entry off the HJT log. Uninstalling VPN also (I think) got rid of the questionable Cisco entry in the log.

Then I rebooted, checked the Network Connections and the LAN-3 is now completely missing. (Correction - I am still being redirected! Except that instead of the Google search listing a bogus website in the search result, it now just brings up the bogus site when clicking on the actual name of the website that I want to go to!)

Attached are the new logs after I did all the tweaking indicated above. Please let me know if anyone has any advice or information that will help to make sure that this is resolved & that I don't mess up my computer too bad.

Thanks!
 
These are the only ones that are not needed and can cause issues:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Personally I'd fix and remove them
Then Uninstall Google with it, from Add\Remove programs

Look if after doing the above it still doesn't help, do this ;)

Download Combofix
Lots of info on its use here
Direct download here

Save it to a location that you can easily find later (in Safe Mode), i.e. directly to the C drive

Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
Log into your Administrator account
Locate the previously downloaded Combofix
Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

Once Combofix has finished, save the log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log
 
no more redirect & combofix log attached

First - thank you so much for the wonderful service that you all provide. I really appreciate the help and don't know what I would have done without you in this situation!

Here's what I've done.

First, I fixed the HJT entries that you indicated. A few kept creeping back into the logs, again and again. And Google was still redirecting.

Then I decided to go ahead with the removal of all programs related to Google, as well as a few other unnecessary programs. 1 program called Google AFE would not uninstall (and still won't).

From there, I followed the steps to run Combofix in safe mode. Although, I could not for the life of me figure out how to get Avira and Comodo disabled from safe mode. So I ended up uninstalling both while I ran Combofix (and have now reinstalled).

I am happy to report that I am no longer having the redirect issue! And I am hoping that all is well from here. Please find the Combofix log attached. Please let me know what you recommend from here.

Also, one last question. I have to report the virus to my place of employment since I have used VPN to log into my work computer. Is there any way to tell what specific file(s) or virus(es) were the issue? Any information that you can provide will help greatly.

Thanks again for your superb service!
 
You had Trojan/Backdoor Win32.X Malware (Note this is a very general name)
You also had BHO toolbar infection in your Browser either installed automatically from Malware infection, or allowed through a popup that you may have installed

This was caused by not having adequate Antivirus software installed (originally)
And basically infections can come from anywhere

Anyone can get infected, even Antivirus companies, even Microsoft
How to avoid infection can be quite involved to explain. But generally Safe Surfing is of the highest importance, i.e. I never get infected, and my security is low
 
thank you

Thanks for the information, I will report this information to my company.

Also, wondering if based on the Combofix logs that you see anything more that I need to do? I want to make sure that I've gotten everything that may still be on my machine before I start reinstalling any more programs. :)
 
can anyone confirm the combofix results for me?

Just checking back to see if anyone can give me next steps based on the Combofix log that I posted. Any help is greatly appreciated!

Thanks!
 