Solved Google search Browser redirects

[Broni]

What happened, no files has been replaced. It looks like rootkit is preventing replacement.

We need to try to do it in some other way.

Let's see, if we can look at your computer booting from an external source.

You will need USB flash drive to move information from bad computer to a working computer.

You need to download two programs.

First

ISO Burner this will allow you to burn REATOGO-X-PE ISO to a cd and make it bootable. Just install the programm, from there on it's fairly automatic (Instructions)

Second

• Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
• When downloaded double click and this will then open ISOBurner to burn the file to CD
• Reboot your system (Non working computer) using the boot CD you just created.
  
  • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• When asked Do you wish to load the remote registry, select Yes
• When asked Do you wish to load remote user profile(s) for scanning, select Yes
• Ensure the box Automatically Load All Remaining Users is checked and press OK
• OTL should now start. Change the following settings
  • Change Drivers to All
  • Change Registry to All
  • Under Custom Scan box paste this in:
    
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    redbook.sys
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your reply.

 

[arunbav]

OTL Log And OTL Extras got from REATOGO-X-PE desktop

Here are the logs. When I ran the OTLPE I noticed that it did NOT ask the first question I.e.

Do you wish to load the remote registry

Secondly on the OTLE screen the Registry section had 2 parts Registry and Registry -Extras I set them both to ALL. Hence I am attaching both logs. Hope I did not do anything wrong by choosing Registry -Extras to ALL.

Thanks

 

[Broni]

Do this on the computer you are posting from:
Copy the text in the codebox below:

:OTL

:Services

:Reg

:Files
C:\WINDOWS\system32\drivers\atapi.sys|C:\WINDOWS\ServicePackFiles\i386\atapi.sys /replace
C:\WINDOWS\system32\drivers\redbook.sys|C:\WINDOWS\ServicePackFiles\i386\redbook.sys /replace

:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt on to a USB flash drive


On the infected computer the following...

Run OTLPE

• Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
  
  • (The content of Fix.txt should appear in the box)
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post the log produced (you'll need to transfer it with USB stick)
• Attempt to reboot normally into windows.

Check for redirection.

 

[arunbav]

New OTLPE Logs

Here are the logs. I checked the redirection as far as I tested it it does NOT appear to exist. Waiting for your verdict with bated breath . Thanks.

 

[Broni]

Excellent news

Now we have to redo some scans to make sure all is gone.
Update Malwarebytes, run the scan.
Download fresh copy of Combofix and run it.

Post both logs.

 

[arunbav]

Download from the same links as before?

Do I down load Malwarebytes and Combofix from the same links as before? I assume it is the case but thought I'd confirm

 

[Broni]

Yes........

 

[arunbav]

Problem running combofix

I am having a problem running combofix now. I down loaded it from the link earlier on in the conversation but when I tried to run it it starts (I see the combofix bar) but after sometime it disappears and nothing else seems to happen. I tried to run it again and the program complains that it cannot create some files and asks me to reboot. I logged out tried again same sequence of events even after I download a fresh copy of combolink. When I try to shutdown a dailog pops up saying that cmd.cfxxe could not shut down. What can I do? BTW the Malwarebytes run was clean (log attached) and my re direction problem is absent.

 

[Broni]

Very good

Delete your Combofix file.
Download fresh one, but this time, rename combofix.exe to broni.com BEFORE saving the file to your desktop.
Do NOT run it yet.


Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following.

Now download and run exeHelper.

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.[/LIST]

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Now, attempt to run broni.com

 

[arunbav]

Woot!!!

You expected combofix to fail!!! And you did not let me know :haha:

I'll try what you mention. Windows downloaded some updates during this whole process but I have not installed them do you think I can do so now or wait till you give the all clear?

When I try to down load exeHelper from Raktor my pc warns me that the site has been reported unsafe and dissuades me from downloading anything from ther. I guess you know of this but I just wanted to confirm rather than screw up all the good work you have done so far
Thanks

 

[Broni]

Windows downloaded some updates during this whole process but I have not installed them do you think I can do so now or wait till you give the all clear?

Wait with them.

When I try to down load exeHelper from Raktor my pc warns me that the site has been reported unsafe

You can safely )) disregard warning.

 

[arunbav]

Combofix aka Broni.com still does not run

Nothing happens after the initial screen when I try it again it says can't creat some file and asked to reboot. I did not reboot and try do you want me to try that.

here are the other 2 logs

 

[Broni]

Yeah, reboot.
If it still doesn't work, restart in Safe Mode and try from there.

 

[arunbav]

That worked here is the log

I rebooted then it worked. Program started then rebooted itself and ran the scan. Checked for google search redirection. Happy to note it is not there. I seem to have lost sound on the computer though and also flash seems to have gone too. Just mentioning in case it means anything. Thanks

 

[Broni]

I seem to have lost sound on the computer though and also flash seems to have gone too

Try to reinstall sound driver and install fresh copy of Flash.


1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\lvuvc.hs

Folder::

Driver::

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

 

[arunbav]

Here are the logs

Here they are.

 

[Broni]

Very good

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

==========================================================================

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

• Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
• After the reboot all the tools we used should be gone.
• The tool will delete itself once it finishes.

======================================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.

 

[arunbav]

Here are the logs

Kaspersky found something but I think it is what avast had quarantined when I was testing redirection as I noted in post 23

Just tested it with IE8 and the "default" google search. I was being routed to a different page than what I had clicked on and my avast antivirus warned of a virus detection and asked to abort the connection. :-( . This sucker is nasty.

Should I tell avast to purge those files?

Please advise. Thanks

 

[Broni]

Should I tell avast to purge those files?

Yes, please.


Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [combofix] "C:\Combofix\CF25111.cfxxe" /c "C:\Combofix\C.bat"


4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O16 "IP_192.168.1.254" /M "Stylus CX6400"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]

5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.

 

[arunbav]

Here is the latest Hijackthis log

Avast infected files chest does not show the 2 files that Kaspersky found so I cannot ask Avast to delete the files. However the files are there in the location that Kaspersky says.

So should I delete them manually? I worry that if I delete them and they go to the recycle bin they will start up again before I empty the bin. Maybe I am being paranoid but till this incident I've never had a virus incident in all my pc usage spanning 15 years and this incident has shaken me a bit. What should I do?

Also my desktop still has TFC and CCleaner can I just delete them or is there an unistall procedure for them.

Thanks

 

[Broni]

Please download OTM

• Save it to your desktop.
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes

:Services

:Reg

:Files
C:\Program Files\Alwil Software\Avast4\DATA\moved\+60+DbEV.pdf.part.vir	
C:\Program Files\Alwil Software\Avast4\DATA\moved\1BCD12C2d01.vir
      
:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste Instructions for Items to be Movedwindow (under the yellow bar) and choose Paste.
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[arunbav]

Logs and a Minor tiny goof up (I hope)

Okay here are the logs but I'd like to add som info that might change how you would read the logs.

Basically when otm started to move the 2 files my Avast kicked in( I had it turned on. Was it wrong?) and complained and asked me if I wanted to move it to the chest. At that point I could do nothing but accept it to be moved. Then OTM said files "Moved successfully) and went on to reboot and produced the attached log.

I opened avast to look at the chest and the infected files are there. I have the option to delete the files in the chest from within avast. Should I do it?

Sorry for the hopefully minor screw up. Please advise.

 

[Broni]

I have the option to delete the files in the chest from within avast. Should I do it?

Please do. They won't be moved to recycle bin, but they'll be permanently deleted.
There is really not much to worry about. Once in vault, they won't do any harm.

When done...

Please download OTC to your desktop. It'll remove most tools and logs we used so far. If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

• Double-click OTC.exe to run it. (Vista and 7 users, please right click on OTC and select "Run as an Administrator")
• Click on the CleanUp! button and follow the prompts.
• You will be asked to reboot the machine to finish the Cleanup process, choose Yes. If it doesn't ask you to reboot, restart computer manually.
• After the reboot all the tools we used should be gone.
• The tool will delete itself once it finishes.

When done...


Your computer is clean

1. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.

 

[arunbav]

Thanks a ton

Broni,
Thanks I have completed all the steps you suggested. I see no redirection issues now. This forum, you, Bobbye and other malware experts on the forum provide an invaluable service any you guys are so thorough. Thanks again for all the help.
Arun.

 

[Broni]

I'm very glad to see your computer and its owner happy
Stay safe