Google Redirecting Problem


AlexanderAshfor

Okay, I'm going to start from the beginning on my computer problem: Saturday night I was having really slow internet problems...No big deal...I shut my computer down and think nothing of it. Sunday morning I turn it on and have commercials playing out of my speakers, and my computer is lagging extremely. I was able to get that problem out of the way by doing a system restore. I think I'm in the clear...I was wrong. I start using my default search engine (Google) and every time I search, about two thirds of the time I am redirected to various "search engines" (I'm not even sure you could call them REAL websites), and have to constantly go back and re-click to attempt to get to the desired website.

So I have tried the 8 steps to the best of my abilities, and to no avail; I am still in the same problematic boat.

I have used:
Ad-Aware
SuperAntiSpyware
BlackLight
Symantec Antivirus

I do not have the log for SuperAntiSpyware, but attached is the HiJackThis log.

Thanks for the help!

|AA|

P.S. I also tried resetting my IE7 browser, and that didn't help.
 
Sorry, can't do anything with just the HJT log.

You have these on the system.
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Please update each, Mbam first, then SAS. Be sure to check the line in each to remove what is found.

Rescan with HJT > no removals on this, that's my job. Put all three logs in the next reply.


I'll review all three and we'll go from there.
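The O4 lines quoted above are HijackThis's rendering of registry Run-key autoruns. As an added example, not code from the thread or from HijackThis, the Python below parses such lines into hive, key, value name, image and arguments, and notes the two things a reviewer looks at next: an image given as a bare file name (resolved through the search path rather than a fixed location) and a generic host such as rundll32.exe, where the component that actually runs is the DLL in the arguments, as with the NVIEW entry later in this thread. The sample log is constructed from the three O4 lines quoted in the thread; the regexes and the HOST_IMAGES set are my own assumptions about the format, not HijackThis's definitions.

```python
"""Parse HijackThis 'O4' autorun lines (registry Run/RunOnce values)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the O4 lines quoted in the thread plus a non-O4 header line.
SAMPLE_LOG = r"""Running processes:
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# Assumed layout:  O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>Run(?:Once)?(?:Ex)?):"
    r" \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Unquoted command line: the image ends at the first executable-looking extension,
# which copes with unquoted paths that contain spaces.
UNQUOTED = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|com|bat|cmd|scr))(?:\s+(?P<args>.*))?$", re.I)

# Assumed list of generic host images whose payload lives in the arguments.
HOST_IMAGES = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    exe: str
    args: str

    @property
    def pathless(self) -> bool:
        """Bare file name: found through the search path, not a fixed location."""
        return "\\" not in self.exe

    @property
    def host_process(self) -> bool:
        """Generic host image; what actually runs is named in the arguments."""
        return self.exe.rsplit("\\", 1)[-1].lower() in HOST_IMAGES


def split_command(cmd: str):
    """Split a Run-value command line into (image, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                        # unterminated quote: take everything
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED.match(cmd)
    if m:
        return m.group("exe"), (m.group("args") or "")
    head, _, tail = cmd.partition(" ")       # no known extension: first token is the image
    return head, tail.strip()


def parse_o4(line: str) -> Optional[Autorun]:
    """Return an Autorun for a registry O4 line, or None for any other line."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group("cmd"))
    return Autorun(m.group("hive"), m.group("key"), m.group("name"), exe, args)


def parse_log(text: str) -> List[Autorun]:
    return [a for a in (parse_o4(line) for line in text.splitlines()) if a is not None]


def review(text: str) -> List[str]:
    """One summary line per autorun, with the points a reviewer checks next."""
    out = []
    for a in parse_log(text):
        notes = []
        if a.host_process:
            notes.append(f"payload is in the arguments: {a.args}")
        if a.pathless:
            notes.append("image has no directory; resolved via the search path")
        suffix = f"  ({'; '.join(notes)})" if notes else ""
        out.append(f"{a.hive}\\{a.key} [{a.name}] -> {a.exe}{suffix}")
    return out


if __name__ == "__main__":
    for line in review(SAMPLE_LOG):
        print(line)
```

Run against a real log, the review() output is the list of images to verify on disk (vendor, signature, location) before deciding what HJT should remove; the parser deliberately skips the other O4 forms (Startup folder entries) rather than guessing their layout.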
 
First and foremost, Bobbye, let me thank you for helping me.

Attached are the appropriate logs. I am giving you the Malwarebytes log that I did yesterday AND the one I did this morning (the one this morning didn't pick up anything).

Also, another symptom I noticed is if my internet browser is left open for the night (or a prolonged period of time) I have popups similar to the sites I'm being redirected to.

Here are the logs. Awaiting orders.

|AA|
 
Okay Alex- I started this last night but had to close up for a storm.

I see this old one is still around:
minibugtransporter.dll
C:\PROGRAM FILES\AWS\WEATHERBUG\MINIBUGTRANSPORTER.DLL
MINIBUGTRANSPORTER.DLL
Minibug is adware that displays ads on your computer. It seems to be a variant of the adware WeatherBug, installed under C:\Program Files\AWS\WeatherBug. WeatherBug is installed as a secondary application with many popular pieces of software, including AOL Instant Messenger.

There was removal in Malwarebytes, but it sounds like you might still have at least part of it installed. I don't see it in the HJT log. Did you remove the program? Since it is classified as Adware, the removal is optional, but recommended. So let's see what's left:

1. If you have v6, it has its own uninstaller, so use that. If not > Add/Remove Programs: Look for WeatherBug. If seen, highlight and uninstall.
2. To delete the AWS directory

  1. Open the "MY COMPUTER" icon on your desktop.
  2. Double-click the C drive.
  3. Double-click the "Program Files" folder to open it.
  4. Right-click on the folder titled "AWS" and select DELETE.

Extra removal instructions for Windows XP

1. Open the "MY COMPUTER" icon on your desktop.
2. Double-click the C drive.
3. Double-click on Documents and Settings.
4. Double-click the folder that has your name next to it (or the name of whomever the machine is registered to).
5. Double-click the "Application Data" folder to open it and delete the folder entitled "WeatherBug".
6. Restart your computer and the uninstall is complete.

I notice you have nview loading:
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
This is a legitimate program. I just want to make sure you're using it and loading it intentionally, as it can cause some problems on the system:
rundll32.exe nview.dll, nViewLoadHook
Command: Unknown at this time.
Description: This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers

You need to update the Adobe Reader. You have v6 and it's now up to v9+. The older version presents a vulnerability:
  • Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site also. Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

Once you have that all out of the way, please Empty the Recycle Bin then
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HJT when finished. Attach the new log and the Combofix report in your next reply.

Let me know existing system problems when through.
 
Okay, Bobbye, I *THINK* you may have done it. I did about 10 Google searches and they all came up with the correct URL, and no redirects.

I did have a few issues with the instructions, and just want to run things by you to see if it could be problematic:

A) In regards to the WeatherBug issue, there were no folders on my computer that matched that criteria, and it wasn't in the location that you suspected it to be. I cannot recall completely deleting it, but I did remove two things when I was playing around with HiJackThis before I posted my problem. I could tell they were both ad/popup type things just by the descriptions. Perhaps it's possible WeatherBug was attached to one of those? Or maybe what MalWareBytes picked up were the last of it? Either way I don't think it's on my computer.

B) In response to the NVIEW file, I do from time to time display my computer on other monitors such as projectors and whatnot for college presentations. I'm not overly sure what you're asking me, but if I'm understanding you correctly, then yes, I am aware of my computer being displayed on other monitors.

C) I was unable to disable my Symantec AntiVirus because it is the school's edition, so all the settings where you would typically disable things like Auto-Protect and whatnot are locked out of my control (all the boxes are greyed out and have a small black "lock" next to them). I am not sure how much this would have hindered ComboFix, but I'm sure the log will give you the needed information.

Anyway, attached are your requested logs. I think I may be in the clear, and await your orders. Again, thank you for your continued help; I am greatly appreciative.
 
My apology- I read your reply but forgot to reply back!

The minibug might be a hidden file; just give it a quick check:
Open Windows Explorer (right-click on Start > Explore) > go to Tools > Folder Options > View tab > check 'show hidden files and folders' > uncheck 'hide protected and system files' > Apply > OK

Now look for the minibug.

Go back and rehide the files when through.
Empty the Recycle Bin

nView okay. Just wanted to be sure you knew it was running.

Please do the following:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
If this is clean and the original problem has been resolved, I'll have you remove the cleaning tools and old restore points.
 
I STILL cannot seem to locate the Weatherbug files. I searched the computer for about 30 minutes and still came up with nothing. I'm guessing from the ESET scan that yes, portions of it are still on my computer.

Here is the log that you requested; it seemed to find some sort of Trojan as well as what I'm guessing are the Weatherbug files.

|AA|
 
Here are the files we were looking for:

Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

    :Services

    :Reg

    :Files
    C:\Program Files\AIM\Install_AIM.exe
    C:\Program Files\AIM\Sysfiles\WxBug.EXE

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
The AIM install file had Win32/Adware.WBug.A application.

The third one is in the Qoobox. This is where Combofix sends its quarantined files. When I have you uninstall Combofix, it will remove the entry.

How is the system running now? Has the redirect problem been resolved? Run the Eset scan once more to make sure we got all the entries moved. If it's clean, I'll have you remove the cleaning tools and set a new clean restore point.
 
Okay, Bobbye, here are the logs you requested.

The system has been running well. The redirect problems seem to have stopped!

|AA|
 
Looking good! Are you still experiencing the redirect or any related problems? If not, you can remove the cleaning tools and old restore points:

Uninstall ComboFix.exe and all backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Please follow these simple steps to keep your computer clean and secure:

1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2. Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3. Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4. Remove Temporary Internet Files regularly: Use
5. Use an AntiVirus software (only one)
6. Use a good, bi-directional firewall (one software firewall)
  • See Understanding and Using Firewalls, including links to download a firewall.

7. Consider these programs for extra security:
  • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: get the free Google Toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know.
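The MVPS Hosts item above describes the mechanism: a name mapped to 127.0.0.1 in the HOSTS file is answered locally and the site is never contacted. As an added example, not code from the thread, from MVPS or from any tool named here, the Python below parses a HOSTS file, lists the names it sinkholes, and also lists names mapped to a routable address, since the same file can send a name's traffic somewhere else just as easily. The sample file is constructed; the thread does not show that the poster's HOSTS file had been altered, and the .test names and the 203.0.113.5 address are reserved example values. The default Windows location %SystemRoot%\System32\drivers\etc\hosts is assumed in windows_hosts_path().

```python
"""Inspect a Windows-style HOSTS file: sinkholed names vs. names pointed elsewhere.

Format: "<address> <name> [<name> ...]" per line, '#' starts a comment. Names mapped
to a loopback or unspecified address (127.0.0.1, ::1, 0.0.0.0) are answered locally
and never reach the network, which is what an MVPS-style blocking file relies on.
"""
import ipaddress
import os
from typing import Dict, List, Tuple

# Constructed sample for this example; not the MVPS file and not the poster's file.
SAMPLE_HOSTS = """\
# sample header comment
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example.test  banners.example.test   # blocked ad hosts, two names on one line
0.0.0.0    tracker.example.test
203.0.113.5  www.search.example.test   # routable address: traffic for this name is diverted
#127.0.0.1 disabled.example.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per name, comments stripped, names lower-cased."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()                     # tabs and runs of spaces both separate fields
        if len(fields) < 2:
            continue                              # address with no names: nothing to map
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: ignore line
        for name in fields[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def is_sinkhole(address: str) -> bool:
    """Loopback or unspecified: the name resolves but the real host is never contacted."""
    a = ipaddress.ip_address(address)
    return a.is_loopback or a.is_unspecified


def blocked_names(entries: List[Tuple[str, str]]) -> List[str]:
    """Names the file answers locally (the blocking case), excluding localhost itself."""
    return sorted({n for a, n in entries if is_sinkhole(a) and n != "localhost"})


def diverted_names(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Names mapped to a non-sinkhole address: the file overrides DNS for them."""
    return {n: a for a, n in entries if not is_sinkhole(a)}


def is_blocked(entries: List[Tuple[str, str]], hostname: str) -> bool:
    return hostname.lower() in blocked_names(entries)


def windows_hosts_path() -> str:
    """Assumed default location of the live file on Windows."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    ents = parse_hosts(SAMPLE_HOSTS)
    print("blocked :", blocked_names(ents))
    print("diverted:", diverted_names(ents))
```

To check the live file, pass the contents of windows_hosts_path() to parse_hosts(); anything diverted_names() returns that you did not add yourself deserves a look, since an entry there changes where a name's traffic goes without touching the browser or DNS settings.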
 
I followed your last instructions, Bobbye.

Again, thank you for all your help. I think my computer is even running slightly faster...We probably uncovered something else not even related to the redirect problem. I've been redirect free for a few days now. Awesome!

Thanks again!

|AA|
 
You're welcome. Glad to hear the system is running well.

Please let me know if you need help in the future.
 