Google search redirects browser. Cannot locate Trojan/Malware? Pls Help

[ronanokelly]

Hi there,

so I've been struggling with this for a couple of days and have finally got to a friend's computer to post the 1,2,3 of Step 8.

Everytime I do a google search and click on a website I get redirected to some junk website trying to sell me something or cripple my machine. I did a search through the system and found a possible cause of 'SkypeNames.exe' (as I had recentlyinstalled skype). But then I noticed extra 'svchost.exe' files and the antivirus was blocking trojans every five minutes. I also think the first scan I did included 'Trojan.Dropper' and 'Trojan.Downloader: JS/Renos' but I haven't seen them since.

I know it's dumb of me but I forgot to renew the antivirus so had been running 'commando' for quite sometime. I have the free version of Avast now.

I've included my logs. If you could help I would be much appreciated.

All the best,

Ro.

 

[Tmagic650]

First things first... DELETE OR TAKE ACTION on anything found in the Malwarebytes log... We NEVER like to see "No action taken"

 

[ronanokelly]

Sorry about that. Scanned again.Here are the updated logs. Thanks. Ro

 

[AnonymousSurfer]

I'm trying a new test that i found could lead to the redirecting. Go to

• 
  C:\WINDOWS\system32\drivers\etc and open hosts.
• It will then prompt you to select what to open it with, click on notepad.
• Copy and paste everything that is inside onto the forums.

 

[ronanokelly]

Here ya go:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

 

[Tmagic650]

So, are you good now?

 

[AnonymousSurfer]

No the log didn't show anything wrong. He should still be getting the redirects.

 

[ronanokelly]

Seems to be working ok now. Thanks very much! Any other house cleaning you can recommend to protect the computer. ie. would I need Ad-aware and Avast running at the same time?
Many thanks again. Ro.

 

[ronanokelly]

Ok, scrap that last comment, it's started doing it again... Avast just blocked another Trojan and the website redirect is in effect once more. It doesn't do it everytime. For instance it's only when I open up internet explorer, type my search into Google then whatever I link I click on redirects me to another site. Today I had explorer open for the whole morning and it was fine, but now it's started up again. Don't know whether it helps but the name of the one Avast just had blocked was called 'JS: FakeAV-CN [Trj]'.

Should I do another scan?

Thanks. Ro

 

[Bobbye]

Ro, please repeat all three of the scans since it's been several days. Be sure to update Mbam and check lines in both Mbam and SAS to remove what the find.

You can include a log from Avast with the other logs.

I'll help you complete the cleaning this time, then remove the cleaning tools and old restore points. Will also include some tips to help keep the system safe.

 

[ronanokelly]

Hi Bobby, and seasons greetings!

I've included the updated logs. I think I fixed some of it, it doesn't redirect everytime
now although I suspect there is something still hiding in there as the laptop sometimes shuts down without even touching anything?? I couldn't work out how to get the log from Avast.

Many thanks. Ro

 

[Bobbye]

Argg! Get control of those Tracking Cookies! Do this on each account:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

About Avast log: I think you can access it by clicking on the tray icon. These logs are clean except for the tracking Cookies- since you never went through the cleaning originally, please do the following:

Please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  
• Run Combo-Fix.exe and follow the prompts.
  (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
• Wait for the scan to be completed.
• If it requires a reboot, please do it.

• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Follow with online scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include the Combofix report and Eset log in your next reply.

I would like to mention that: you have a great number of processes running related to these programs:
D:\Program Files\PowerDVD9\PDVD9Serv.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
D:\Program Files\PowerISO\PWRISOVM.EXE

The processes are all legitimate, but none need to start on boot. I would think loading all of them on Start then having them all run in the background would take a toll on the system resources. Each of them could be accessed as needed through All Programs. In addition to the above, there are 9 other processes.

 

[ronanokelly]

Hi there,

Ok, I've included the ESET log but the combo-fix won't let me upload the file? It's in a .dat form but can be opened with notepad. I tried to save as a .txt file instead but again it refuses to upload it? Do you want me to paste it in the thread instead?

As for the PowerDVD, PowerISO etc, I'm happy to uninstall them if needs be.

Many thanks again.

Ro

 

[Bobbye]

The only malware entry in Eset is in the Qoobox. This is where Combofix puts it's quarantined files. It will be deleted on the uninstall:

Uninstall ComboFix.exe And all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

The download and run again, paying particular attention to this:

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please attach Combofix report.

 

[ronanokelly]

Ok, I think I've done this right now. It was saving the log in the C drive rather than the Combo-Fix folder. I don't know whether this is relevant or not but after CF finished running the only way I could connect to the internet would be to restart the computer without any prompts from the program. Is that normal? Ro.

 

[Bobbye]

As for the PowerDVD, PowerISO etc, I'm happy to uninstall them if needs be.

If this is still an option, I suggest you do it. You are using a large number of resources to have these programs start on boot and run in the background. If you don't use the programs, then uninstall them> look in All Programs for each and see if it has it's own uninstaller. If so, use that. If not, use Add/Remove Programs in the Control Panel.

Please rescan with HijackThis and paste a new log in your next reply.

Let me know if the original problem has been resolved.

 

[ronanokelly]

Hi Bobbye,

have included the log. The original problem does seem to have stopped which is good! I had to manually remove PowerDVD 8/9 though as I couldn't find a uninstaller. Is there any last bits of housecleaning that you can recommend to protect the system? Regular scans, upadates etc?

Many thanks,

Ro

 

[Tmagic650]

Keep the Internet cookies and temp files in control... I use Advance SystemCare and Avast free. Ad Aware is pretty much useless these days. I would delete it

 

[Bobbye]

Good job! Let's Remove the cleaning tools and old restore points:

Uninstall ComboFix.exe And all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Remove all of the tools we used and the files and folders they created

• DownloadOTCleanIt by OldTimer
• Save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

If you are prompted to Reboot during the cleanup, select Yes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:

• Go to Start > All Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
• Click "OK" to select the partition or drive you desire.
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.
-------------------------------------------------------
As requested, til to keep you safe.
Please follow these simple steps to keep your computer clean and secure:
1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide

2.Stay current on updates:

• Visit the Microsoft Download Sitefrequently.
  You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
• Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
• Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4.Remove Temporary Internet Files regularly: Use

• ATF Cleaner by Atribune or
• TFC

5. Use an AntiVirus Software(only one)

• This can save you a lot of trouble with malware in the future.It should be kept updated and used to scan regularly.
• See This link for a listing of some online & their stand-alone antivirus programs:
  Virus, Spyware, and Malware Protection and Removal Resources

6.Use a good, bi-directional firewall(one software firewall)
See Understanding and Using Firewalls including links to download a firewall.

7.Consider these programs for Extra Security

• Spywareblaster:
• SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
• IE/Spyad
• This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
• Google Toolbar Get the free google toolbar to help stop pop up windows.

 

[ronanokelly]

Many many thanks! Everything is all good now.

Ro

 

[Bobbye]

You're welcome. Stay safe and enjoy computing!