Google Search Redirect Problem

Status
Not open for further replies.

chompalomp2

Posts: 6   +0
Hey,

Recently I've been having problems with Google redirecting to searchmeup4.com every time I follow a link, and being very slow in both Firefox and Internet Explorer. I've done numerous virus scans with different programs, and followed the 8-step procedure to try to fix the problem, but that still hasn't solved it. Other search engines like Yahoo! work fine though. In addition, iGoogle stopped working and I can find no way to access it at all.

Programs I have used to scan for viruses include:

Windows Live OneCare
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
XDelBox
SUPERAntiSpyware

Here are the logs. Thanks for any help.
 
Welcome to TechSpot, chompalong. My apology for the delay. Unless you got help somewhere else, you will still be infected. You have a DNS Changer malware infection. When you request a search, you are being taken to a site in Poland instead.

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 89.149.210.109 www.google.de
O1 - Hosts: 89.149.210.109 www.google.fr
O1 - Hosts: 89.149.210.109 www.google.com.br
O1 - Hosts: 89.149.210.109 www.google.it
O1 - Hosts: 89.149.210.109 www.google.es
O1 - Hosts: 89.149.210.109 www.google.co.jp
O1 - Hosts: 89.149.210.109 www.google.com.mx
O1 - Hosts: 89.149.210.109 www.google.ca
O1 - Hosts: 89.149.210.109 www.google.com.au
O1 - Hosts: 89.149.210.109 www.google.nl
O1 - Hosts: 89.149.210.109 www.google.co.za
O1 - Hosts: 89.149.210.109 www.google.be
O1 - Hosts: 89.149.210.109 www.google.gr
O1 - Hosts: 89.149.210.109 www.google.at
O1 - Hosts: 89.149.210.109 www.google.se
O1 - Hosts: 89.149.210.109 www.google.ch
O1 - Hosts: 89.149.210.109 www.google.pt
O1 - Hosts: 89.149.210.109 www.google.dk
O1 - Hosts: 89.149.210.109 www.google.fi
O1 - Hosts: 89.149.210.109 www.google.ie
O1 - Hosts: 89.149.210.109 www.google.no
O1 - Hosts: 89.149.210.109 search.yahoo.com
O1 - Hosts: 89.149.210.109 us.search.yahoo.com
O1 - Hosts: 89.149.210.109 uk.search.yahoo.com


Close all Windows except for HijackThis and click on "Fix Checked"

Then do the following: It is important that you follow these steps exactly so please print them out if you can:

You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Rescan with HijackThis and leave new log in next reply.

User Robin had a site saved in Favorites for 'OnlineSecurity Test'. Open the Favorites and do a right click> Delete on this. Don't open with a left click- it's infected.
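The hosts-file hijack diagnosed above (many search-engine hostnames pinned to one outside address, 89.149.210.109) is easy to spot mechanically. The following is an added example, not code from the thread or from any of the tools it mentions: it parses hosts-file text (and, for convenience, pasted HijackThis `O1 - Hosts:` lines), flags any non-local address that well-known search domains resolve to, and produces a cleaned copy with those lines removed. The sample content, the `WATCHED_LABELS` set and the function names are all constructed for this example.

```python
"""Hosts-file hijack check (added example, not part of the thread)."""
import ipaddress
import sys
from collections import defaultdict

# Constructed sample hosts-file content: Windows default lines, a harmless LAN
# entry, and hijack lines modelled on the O1 entries in the HijackThis log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
89.149.210.109 www.google.de
89.149.210.109 www.google.fr www.google.it
89.149.210.109 search.yahoo.com
89.149.210.109 us.search.yahoo.com   # pinned by the DNS changer
192.168.1.50   printer.lan
"""

# Domain labels a workstation hosts file has no business pinning
# (assumption for this example; extend for your environment).
WATCHED_LABELS = {"google", "yahoo", "bing", "live", "microsoft"}

HJT_PREFIX = "O1 - Hosts:"


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text or HijackThis O1 lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HJT_PREFIX):          # accept pasted HijackThis log lines too
            line = line[len(HJT_PREFIX):]
        line = line.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line, ignore it
        for host in parts[1:]:
            entries.append((str(ip), host.lower().rstrip(".")))
    return entries


def is_local(ip_text):
    """Loopback, RFC 1918, link-local and unspecified addresses are expected in hosts."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def is_watched(host):
    """True when any label of the hostname is one we never expect to see pinned."""
    return bool(WATCHED_LABELS & set(host.split(".")))


def find_hijacks(text):
    """Map each non-local address to the watched hostnames pinned to it."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if is_watched(host) and not is_local(ip):
            by_ip[ip].append(host)
    return dict(by_ip)


def clean_hosts(text):
    """Return the hosts text with every hijack line removed, other lines untouched."""
    kept = []
    for raw in text.splitlines():
        if any(is_watched(h) and not is_local(ip) for ip, h in parse_hosts(raw)):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; on Windows the file lives at
    # %SystemRoot%\System32\drivers\etc\hosts. Without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hijacks = find_hijacks(text)
    if not hijacks:
        print("no suspicious hosts entries")
    for ip, hosts in hijacks.items():
        print(f"{ip} pinned for {len(hosts)} watched hostname(s): {', '.join(hosts)}")
```

Grouping by target address is the useful part: a single legitimate override is plausible, but one outside address collecting dozens of search-engine names is the signature of a DNS changer, and the same grouping tells you which address to look for in the router's DNS settings after the reset described above.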
 
Hi Bobbye,

Thanks very much for your reply! I followed all your instructions carefully and have just tested a few Google searches and they seem to be working fine again, as well as iGoogle!

Here is the log as requested.
 
That sure looks better!

Question: Do you have a web cam running? Vmicro webcam USB utility - allows the webcam to initiate data transfer to a program. Create a shortcut and start it manually when needed.

The following two processes are running. They have been reported out as False Positives occasionally, so I want to make sure. IF you do, I suggest you take it off of the startup menu. IF you don't, you should have HijackThis remove them:
O4 - HKLM\..\Run: [ZSSnp211] C:\Windows\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\Windows\Domino.exe


Let's make sure there are no left overs from the browser hijack:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Then run the online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include Combofix report and scan log in your next reply.
 
Hi again,

For the Combo-Fix scan, I tried disabling Windows Live OneCare by changing the settings in the program all to 'Off'; however, when I started the scan, Combo-Fix was still asking me to disable OneCare. I tried a few other things unsuccessfully, and then ran the scan and left it for about 40 minutes and it was still not complete. Is there any way I can more comprehensively shut down OneCare to try the scan again?

Sorry for the inconvenience :(
 
From Microsoft: give this a try:

To disable Windows Live OneCare, follow these steps:

  1. Click Start> Run> type CMD> click OK.
  2. At the command prompt, type the following commands one at a time, and then press ENTER after each command.

     Note: You may receive a message that states that the computer might be at risk when you run these commands and disable the Windows Live OneCare firewall and antivirus programs.

     Code:
     sc config msfwhlpr start= disabled
     sc config msfwdrv start= disabled
     sc config msfwsvc start= disabled
     sc config mpfilter start= disabled
     sc config onecaremp start= disabled
     sc config winss start= disabled
  3. Restart the computer.

To re-enable Windows Live OneCare, follow these steps:

  1. Click Start> Run> type CMD> click OK.
  2. At the command prompt, type the following commands one at a time, and then press ENTER after each command:

     Code:
     sc config msfwhlpr start= system
     sc config msfwdrv start= auto
     sc config msfwsvc start= auto
     sc config mpfilter start= auto
     sc config onecaremp start= auto
     sc config winss start= auto
  3. Restart the computer.
 
Thanks for that.

I entered the commands to disable OneCare but I still got the same message from ComboFix reading that OneCare is still active. This time the scan worked though, so all is good.

Once again, here are the logs as requested...

Also, I'm not sure what you mean by "Vmicro webcam USB utility - allows the webcam to initiate data transfer to a program". I unplugged the webcam as I hardly ever use it, but is there a problem with it?
 
CF Script:

1. Open Notepad: Go to Start> Run> type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box:

Code:
FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | c:\windows\System32\drivers\atapi.sys

3. Paste the entry into the Notepad window.
4. Then click File> Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Drag the CFScript into ComboFix.exe as seen below.
[Image: CFScriptB-4.gif]

Important: Please follow this carefully.

This will start ComboFix again.

After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply together with a new HijackThis log.

About the webcam: some of the software entries are still loading. Suggest you remove them from the Startup menu using msconfig. The entries are legitimate. If you don't use the web cam at all, you should uninstall it. But if you use occasionally, just take the entries off of Startup so they don't load and use resources.

The 2 processes I noted were:
ZSSnp211.exe
Domino.exe
 
Hi again,

Have followed the instructions and attached the respective logs.

With regards to the webcam, I looked in msconfig under StartUp but there was nothing called Domino or ZSSnp211...
 
The 2 Webcam processes are now gone. Are you still having the redirects? Any other malware related problems?

Let's move the file in Eset:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AD75H0XU\sl2[1].exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
---------------------------------------
IF the problems have been resolved, Remove all of the tools we used and the files and folders they created


  • Uninstall ComboFix.exe and all backups of the files it deleted:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [Image: CF_Uninstall-1.jpg]

  • Download OTCleanIt by OldTimer: http://oldtimer.geekstogo.com/OTC.exe
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

  • You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

  • Empty the Recycle Bin

Please let me know if you need more help.

Edit to add: Sorry, I forgot this. You have an entry in the HijackThis log for the IMVU 3D messenger. This has been known to cause problems and, unless it is something you really want to keep, I recommend you uninstall it using the Control Panel's Add/Remove Programs. The site/program has also been known to issue ads that are offensive to many. The HJT entry is:
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

Try doing the uninstall first. Then use Windows Explorer to remove the program folder here:
My Computer> Local Drive (C)> Programs> right click> delete the folder IMVU
 
All the problems now seem to be fixed. Thanks very much for your help.

I had a few problems, though. When trying to uninstall ComboFix, I just get a message saying that "Windows cannot find 'Combofix'."

Secondly, I ran the OTCleanIt by OldTimer program before saving a copy of the OTMoveIt by Old Timer log somewhere else, so I think that has deleted it. Should I run the OTCleanIt program again to get a new log?

And finally, I could not find IMVU anywhere under Programs and Features, and there is no IMVU folder in the location you specified :S
 
I am confused! I don't need a log for OTCleanIt! It removes itself when through.

Delete the current log and rescan with the Eset online. If the entry is still there, I'll set up the removal again.
 