Google Search results redirected

By BigBear · 26 replies
Apr 23, 2008
  1. Hi,

    I've been reading threads here for a long time but only just registered today. My computer is infected with multiple issues (possibly a rootkit in addition to trojans, etc) but I am not sure what to do next. I have the exact same symptoms as described in thread 69052 from this site (sorry it's not a link but I don't have 5 posts yet)

    What appear to be valid Google results come up, but when I click on them most of the time I am redirected to other sites (which IE is blocking).

    Hovering over the URL, it appears correct. However, after clicking on the search result the URL will first say something like: ?hl=en&q=sample+search+results&meta= (always seems to end in "&meta=")

    This then gets directed to another site. Most often it tries to send me to something called, which is on IE's blacklist. Also multiple warnings from ESET anti-virus of trojans, BHO's, etc, and fake virus warnings have reappeared as well. I thought I had this system cleaned up but apparently not!!

    I've attached an HJT log. Wasn't sure if I should do a ComboFix one or not; I've never used that program.

    I am very grateful for any help you're able to offer. Thanks so much.

  2. kritius

    kritius TS Guru Posts: 2,084


    Go to add/remove programs and uninstall HijackThis, your version is out of date.


    I need you to follow all the steps HERE and then post back with the three requested logs as attachments
    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.
  3. BigBear

    BigBear TS Rookie Topic Starter

    Hey there,

    Thank you for the response. I've gone through the 15 steps as requested... whew... that was quite the lengthy exercise! My ESET scan in safe mode took a good 16 hours all on its own!

    I've had a number of indications of both Virtumundo and a trojan called Pakes appear, though all's been quiet since late Friday night.

    Attached are the 3 requested logs. Note, I have a dual boot system. The C: drive is XP Home and is not really used anymore, but it remains on my system just in case I forgot a file and need to go find it at some point. But I think by now it's safe to say anything on C: that is problematic can be removed, the drive can be formatted if needed, whatever. The H: drive is where XP Pro is hosted, but I use G: for data. Confusing and strange, I know. :)

    A big, big thank you in advance!!

    Attached Files:

  4. BigBear

    BigBear TS Rookie Topic Starter

    Brief updates on the situation....

    - Forgot to mention that the Panda Antirootkit scan came up negative
    - There IS still something going on with browser hijacks. Approx. 50% of the time when I click on a Google result I get sent somewhere else, most often to a page that won't load, but occasionally to a completely different site. It seems to happen most often on the first click on a Google result (ie. I click, get the wrong or unloadable site, then click Back, and click on the exact same link again, and this time get the correct site).

  5. BigBear

    BigBear TS Rookie Topic Starter

    Anyone? Things seem quite a bit improved but I'm still not convinced it's clean as the Google search results remain screwy.

  6. BigBear

    BigBear TS Rookie Topic Starter

    I guess not huh?
  7. jobeard

    jobeard TS Ambassador Posts: 11,158   +986

    AVG found Not-A-Virus.PSWTool.Win32.MailPassView.130 and Cleaned with backup (quarantined).

    this is an unknown routine -- highly suspect

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{62EFE262-8E45-2C26-297D-0508E2EDAAF7}]
    2008-04-22 15:54 114688 --a------ H:\WINDOWS\system32\wtcxainb.dll

    these ports are open and you need to validate that you want this!
    "54925:UDP"= 54925:UDP:Brother MFC-440CN Network Scanning
    "54926:UDP"= 54926:UDP:Brother MFC-440CN Network PC-Fax Receiving
    "67:UDP"= 67:UDP:DHCP Discovery Service
    "59687:TCP"= 59687:TCP:Tight1
    "59587:TCP"= 59587:TCP:Tight2
    "59999:TCP"= 59999:TCP:FTP DNS-323
  8. BigBear

    BigBear TS Rookie Topic Starter

    Hi Joe,

    Thank you for the reply. Actually, I know what a few of those entries are.

    The "not-a-virus" one is a tool I have to reveal Outlook Express and other Windows passwords - it shows what is starred out by Windows (doesn't always work). It's not a threat but virus software is always triggered by it. I use it as I have clients who sometimes forget their email passwords - I do not use this tool to do evil. :)

    All of the port numbers except for 67 are intentional. The first 2 are for my all-in-one printer/scanner/fax. The 4th and 5th are for TightVNC. The last is for my FTP box. So I should look into why 67 is there I guess.

    The "wtcxainb.dll" file WAS problematic I think. I believe this was the trojan, and from what I've read since posting this, it appears it picks random names such as this. I actually deleted this one on my own after posting the log and a number of issues went away.

    Also, since posting this log, I found I believe the component that was actually misdirecting my Google results - a malicious BHO (Browser Helper Object for those unfamiliar). This was actually a very simple fix once I found it. It was located in IE in Tools / Internet Options / Programs / Manage Add-Ons. In that list almost every item lists a publisher, but there were one or two that didn't. One looked particularly suspicious so I disabled it, and the redirects completely went away. Convinced it was fixed, I later returned and deleted it altogether and things have been fine ever since.

    Hopefully this info is helpful to someone else who has the same issue. Again, the two things that cured my ills (after doing all 15 steps) were:

    1) Delete the suspicious looking .DLL that has no name. In my case it was: O2 - BHO: (no name) - {62EFE262-8E45-2C26-297D-0508E2EDAAF7} - H:\WINDOWS\system32\wtcxainb.dll

    2) Delete the suspicious looking BHO listed in the Manage Add-Ons section listed above.
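
The check described in the post above (an O2 BHO line with no name pointing at a DLL in system32), as an added example that is not part of the original thread. The O2 line with CLSID {62EFE262-8E45-2C26-297D-0508E2EDAAF7} is the one quoted in the thread; the other sample lines and the function names are constructed for illustration, and a flagged entry is a prompt for manual checking, not a verdict.

```python
import re
from typing import List, NamedTuple

# O2 line layout as quoted in the thread:
#   O2 - BHO: <name> - {<CLSID>} - <path to DLL>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$"
)

class Bho(NamedTuple):
    name: str
    clsid: str
    path: str
    reasons: List[str]

def parse_bhos(log_text: str) -> List[Bho]:
    """Return every O2 (Browser Helper Object) entry with review reasons."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line (O4, O23, headers, ...)
        name, path = m["name"].strip(), m["path"]
        reasons = []
        if name.lower() in ("", "(no name)"):
            reasons.append("no display name")
        # Supporting signal only: some legitimate BHOs also live here.
        parts = path.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "system32":
            reasons.append("DLL directly in system32")
        entries.append(Bho(name, m["clsid"], path, reasons))
    return entries

def needs_review(log_text: str) -> List[Bho]:
    """Entries matching the thread's criterion: a BHO with no name."""
    return [b for b in parse_bhos(log_text) if "no display name" in b.reasons]

# Constructed sample log; only the second line comes from the thread.
SAMPLE_LOG = r"""
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\ExampleVendor\helper.dll
O2 - BHO: (no name) - {62EFE262-8E45-2C26-297D-0508E2EDAAF7} - H:\WINDOWS\system32\wtcxainb.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\ExampleVendor\tray.exe
"""

if __name__ == "__main__":
    for b in needs_review(SAMPLE_LOG):
        print(b.clsid, b.path, "; ".join(b.reasons))
```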

  9. jobeard

    jobeard TS Ambassador Posts: 11,158   +986

    Port 53 & 67 are perfectly safe -- leave it alone :)
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You are far from clean; will post instructions shortly.

    First, let's install the recovery console.

    Go to Microsoft's website here -->
    Select the download that's appropriate for your Operating System

    Windows XP SP2

    Download the file and save it as its original name to your desktop

    Close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please attach that log here.

  11. BigBear

    BigBear TS Rookie Topic Starter

    Thank you for your reply Blind Dragon, much appreciated.

    Attached log as instructed.

  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, now that you have the recovery console on your computer we can check a few things.

    Your logs are much better than before by the way.

    Download haxfix.exe
    and save it to your desktop.

    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"

    A red "dos window" (dos box) will open with options:

    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    • Select option 1. Make logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
    • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
  13. BigBear

    BigBear TS Rookie Topic Starter

    Hi Blind Dragon,

    OK, downloaded Haxfix, but it didn't ask me to make a desktop icon or pick a directory for installation. Only 3 options on the screen too:

    1) Create a log file
    2) Uninstall Haxfix
    E) Exit

    Created a log file which I think is short enough I can just paste it here. Looks like it found a couple things. Dangerous?



    HAXFIX logfile - by Marckie

    version 5.01.1
    Mon May.05.2008 14:16:51.82
    running from H:\HaxFix

    --- Checking for Haxdoor ---

    checking for a3d files
    a3d files not found

    checking for matching notify keys
    matching notify keys found

    checking for matching services
    no matching services found

    checking for matching safeboot services
    no matching safeboot services found

    --- Checking for Goldun ---

    checking for SSODL keys
    no ssodl keys found

    checking for notify keys
    no notify keys found

    checking for services
    no services found

    checking iexplore.exe
    iexplore.exe is not infected

    --- Checking for other Goldun and Haxdoor files ---
    no other Haxdoor or Goldun files found

    --- Catchme logfile - thank you Gmer ---

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
    Rootkit scan 2008-05-05 14:17:28
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 6

    --- Analysing Catchme logfile ---

    no matching regkeys found

  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    • Double click on the haxfix.exe.
    • Close all other open windows since this step requires a reboot.
    • Select option 2. Run auto fix by typing 2 and then pressing Enter.

    If an infection is found, you'll get a message to close all other open windows.
    • Close all open windows except the red dos window from haxfix and then press Enter.
    • The computer will reboot.
    • After reboot a logfile ("c:\haxfix.txt") will open.
    • Post the contents of that logfile along with a new HijackThis log.
  15. BigBear

    BigBear TS Rookie Topic Starter


    Ran HaxFix, no infections found, system did not reboot.

    Attached both requested log files.

    Thanks again,
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good, let's remove the file anyways.


    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply


    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  17. BigBear

    BigBear TS Rookie Topic Starter


    Completed both tasks, but when I went to upload Kaspersky it weighed in at 2.7MB, so it can't be sent (unless I break it into 27 messages). :haha: It did say it found 7 viruses and 19 infected objects, though a lot of them look like they are already in virus vaults or are really not threats at all. Maybe not all of them though. There are literally thousands of lines that show "Object is locked - skipped" but don't indicate a virus. I've gone through and edited the report to only include the 19 lines in the report that have the word "infected" on them. If you need more info let me know.

  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    As fun as going through 27 pages of kaspersky logs sounds, go ahead and click my name and select send an email to blind dragon - attach it there.

    usually it's a page or maybe 2. I am guessing your problem lies in there.

    'The Avenger by Swandog46'

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Click the Execute button.
    • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log, along with a new HijackThis log in your next reply.
  19. BigBear

    BigBear TS Rookie Topic Starter

    Avenger report:

    Logfile of The Avenger Version 2.0, (c) by Swandog46

    Platform: Windows XP


    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at H:\Avenger


    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Completed script processing.


    Finished! Terminate.
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    the kaspersky you emailed me was only 2kb and was blank?
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Was still blank, so I want you to look through it.

    Open it up in Notepad

    Hit ctrl + F (type infected). Click next as it goes down the list finding lines with infected in them; copy and paste the infected lines into a 2nd Notepad


    Delete all the lines except for the ones that say infected

    We need to also look and see what is making the log so long, there is usually one folder that will do this to a log
  22. BigBear

    BigBear TS Rookie Topic Starter

    Ummm...what you're asking for is exactly what I did about 3 messages ago. Every line that I included in kaspersky2.txt has the word "infected" in it (and then I cut n pasted the info from the top of the report in because I thought it might also be helpful). All the other thousands of lines that I left out say "File is locked - skipped".

    I don't know why the emails are going through blank but I'd assume it's my email provider doing something.... I don't think they allow attachments of over 1GB.

    Annnnnnnyways....I can tell you that 99% of the lines in the report are indicating files on my C: drive, which is XP Home, which I never use anymore. For some reason it seems nearly everything on C: somehow got locked. Does it have anything to do with it being a dual-boot system? There are hardly any files on G:, H:, Q: or T: that are locked - and all four of these drive letters are located on the same physical drive, whereas C: is on a separate physical drive.
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    If a line says Object is locked, that means that kaspersky didn't find an infection there, I skip all these

    if it says "infected XXXXXXXX skipped" then it found an infection there
  24. BigBear

    BigBear TS Rookie Topic Starter

    Right. So....?

    Check the kaspersky2.txt file about 5 messages back and you will see all the ones that indicate "infected".
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I just saw the log in the other post and will work from that.

    Most of it is in backups and Quarantine folders; will post back shortly.

    Did you install the VNC program? It's a remote administration program where others can access your system and have control over your mouse etc.
Topic Status:
Not open for further replies.
