Google search redirect to nothing IP 85.255.120.226

[jcjtr]

i believe i'm infected with malware of some sort. everytime when i perform a google search and then click on the link, i get redirected to a blank web page with the following address:

85.255.120.###

i usually have click back and click on the link 2-3 times before i get to the page i want.

the problem still persists after using lavasoft and spybot s&d. i've attached my HJT log.

TIA

 

[kritius]

Hi jcjtr, :wave:

I need you to follow all the steps HERE and then post back with the three requested logs as attachments

• AVG antispyware
• ComboFix
• Hijackthis (step 15)

Dont forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.

Good luck and welcome to techspot.

This thread is for the use of jcjtr only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Bobbye]

Yes, you are being redirected to a site in the RIPE Network . based in Amsterdam. The IP belongs to netname: UkrTeleGroup in the Ukraine. You can send an abuse report to:
abuse@ukrtelegroup.com.ua

This network appears to be one of a group participating in known spamming. If you would like to read more:
http://www.offensivecomputing.net/?q=node/669

 

[Blind Dragon]

In addition to the advice given by kritius above:

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


: Download and Run FixWarout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems

Attach the logfile C:\fixwareout\report.txt

 

[jcjtr]

Thanks, Kritius (and TechSpot) for your help...

I follow your steps first, Kritius, before i follow blind dragon's...

i'm still having the same redirect problem when using google. also, i had to change from my wireless router to a direct LAN line because of slow or no connectivity, but that might be a problem with my router and nothing more (my other wireless laptop can't connect right now too).

at Step 12, Combofix never opened so i proceeded with Deckard's System Scanner and have attached the main.txt and extra.txt logs as requested.

Panda Antirootkit resulted scanned ~ 6000 files and found no infection.

again, thanks in advance for all your help.

jcjtr

 

[kritius]

Please follow Blind Dragons steps now.

 

[jcjtr]

OK, thanks Kritius and Blind Dragon....

I followed BDs steps. The google result redirect still occurs but here's the log from BDs fixit....

TIA

 

[jcjtr]

bumpity bump bump

 

[Bobbye]

There are busy volunteers here jctr. Bumping a thread is frowned on. You are not the only one with a problem.

 

[Blind Dragon]

sorry its been a few days can you run a fresh Hijackthis log

 

[jcjtr]

sorry its been a few days can you run a fresh Hijackthis log

i never got the automatic email informing me that a reply has been posted. sorry for the delay and sorry for the bump...

it appeared that the problem "just went away" for a couple of weeks where i had no pop ups or google redirect, and then....

the past two days i'm getting some ad-ware advertisement or fake warning pop ups and the google search is redirecting me the 85.255.120.### sites.

attached is my most recent HJT log. i've run scans again with lavasoft, avg and spybot S&D and they found nothing (just some tracking cookies)
TIA

 

[jcjtr]

let's try that again...here's the HJT log. thanks

 

[Blind Dragon]

I still see Trojan Downloader on there

Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Launch AVG AS and select the SHIELD ICON then at the top of the left pane change "Resident Shield is ..." from Active to Inactive


Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

 

[Bobbye]

Blind, how about removing the following?

O2 - BHO: (no name) - {002C8652-044D-420D-9498-ED2ACB807DA2} - C:\WINDOWS\system32\cabine.dll
Malware detected as Trojan-Dropper.Win32.Agent.bxm

(http://www.castlecops.com/tk37894-cabine_dll_dmserve_dll.html)

O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
msiconf.exe: Identified as a variant of the Trojan.Fakealert Trojan.
File Location: %System%

http://www.bleepingcomputer.com/startups/msiconf.exe-22104.html

Also, verify who set this override:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

 

[Blind Dragon]

Bobbye,

I don't want to remove any bad entries until seeing two things

1) What infections MBAM gets rid of.
2) What else is shown through the Combolog

No point in manually removing a part of an infection when we have tools to remove the whole infection, then show us a log of what was removed. If there are left overs or the tools suggested can't remove the infections then I would suggest manually removing them

Also, the user most likely wont know who set the override
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

It almost always is a spam filter or certain web filters that use this setting to block out ads and popups.

 

[jcjtr]

thanks, BD (and everyone else) for your help...

attached are the 3 logs:
malwarebytes
combofix
HJT (repeat)

 

[jcjtr]

quick question:

friend of mine is recommending upgrading IE to IE7.0 (i'm currently using IE6.0). he says it is safer. thoughts?

in the past i've used firefox but never switched over when i got my new laptop. perhaps that is safer?

tia

 

[Blind Dragon]

Perfect, one infection left that is easily removed with SDFix

Download and Install SDFix

• Download SDFix and save it to your Desktop.
  
• Double click SDFix.exe and it will extract the files to %systemdrive%
  (Drive that contains the Windows Directory, typically C:\SDFix)

Boot into safe mode by tapping F8 before windows loads

Run SDFix

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
• Attach Report.txt back here

Firefox and opera are considered more secure than IE. However it is up to you whether you want IE6 or IE7, either way if you do decide to use IE please ensure the following settings are there.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
   • Change the Download signed ActiveX controls to Prompt
     
   • Change the Download unsigned ActiveX controls to Disable
     
   • Change the Initialize and script ActiveX controls not marked as safe to Disable
     
   • Change the Installation of desktop items to Prompt
     
   • Change the Launching programs and files in an IFRAME to Prompt
     
   • Change the Navigate sub-frames across different domains to Prompt
     
   • When all these settings have been made, click on the OK button.
     
   • If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.

Attach SDFix back here with another Hijackthis log ran after

 

[jcjtr]

thanks yet again, BD. you guys amaze me....

here's the SDFix and HJT logs.

 

[Blind Dragon]

That got the other entry off there. Lets see what kaspersky says

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[Bobbye]

quick question:

friend of mine is recommending upgrading IE to IE7.0 (i'm currently using IE6.0). he says it is safer. thoughts?

in the past i've used firefox but never switched over when i got my new laptop. perhaps that is safer?

tia

IE7 is not an upgrade to IE6. IT is a new version. and it came with some problems of it's own. It should not be installed to handle problems that occur in IE6. Of the 2 browses mentioned, I recommend staying with Firefox. You can leave IE6 on the system for those few sites that require it, but overall, Firefox is the safer of the two. Keep current as new versions are release. Firefox is now in v2.0.0.14.

BD, in checking the proxy override, I got the impression that it could be a source of malware, depending on who or what set it up. One of the other two are gone, but I still see O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe which reports as as a variant of the Trojan.Fakealert Trojan. Would this be found in the remaining scan you suggested?

 

[Blind Dragon]

Where do you see the MSI Configuration in the newest HJT log

You can see everything that is removed by SDFix http://downloads.andymanchesta.com/RemovalTools/SDFix_Changelog.htm

Notice that entry IS listed

 

[Bobbye]

My apology, BD. I must have inadvertently clicked on the log in #16 instead of #19. It is indeed gone.-sorry for the trouble,

 

[jcjtr]

hi BD. here's kaspersky report.

 

[Blind Dragon]

Looks good! All it found was a false positive on one of our tools, and an infected restore point which we will now clear.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2
* Hijackthis can be removed from Add/remove programs
-----------------------------------------------------------------------------

Set correct settings for files

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

clear system restore points

• 
  This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  This will remove all restore points except the new one you just created.

--------------------------------------------------------------------------------

• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online & their stand-alone antivirus programs:
  
  Virus, Spyware, and Malware Protection and Removal Resources
  
  
• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
  
  A tutorial on installing & using this product can be found here:
  
  Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  
  
• Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  
  A tutorial on installing & using this product can be found here:
  
  Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software