Hijacking my links from search - ran 8 steps

[chanmomi]

Hi - Ran the 8 steps and still having the original problem where any links displayed in my Google search results jump to other web sites. Can only get to the sites I want by typing the URL into IE directly. Have attached requested files below.

 

[Bobbye]

You have an active Vundo(Virtumado) malware infection:

Please download VundoFix.exe HERE and save to your desktop:

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the ‘Fix Vundo’ button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
--------
Then please download ComboFix HERE:

• With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
• Important! Save the renamed download to your desktop.
• Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
• Double click on the setup file on the desktop to run
• If prompted to download and install the Microsoft Windows Recovery Console, please allow.
• If prompter to update, allow
• Click on Yes, to continue scanning for malware.
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.

---------------
Then Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include these in your post.

When finished all, please attach Combofix report, Vundo log, Eset log and log from new HijackThis scan.

 

[chanmomi]

Hijacking my links from search - followed Bobbye's advice

Hi Bobbye. Ran additional steps as outlined. VundoFix did not find anything so I think it didn't produce a log? Have attached all other logs. Quick check of google search found I'm still having my links hijacked (did a reboot after all steps first).

 

[chanmomi]

Can anyone pick off where Bobbye left off? I'm still having problems, ran through all recommendations so far but need someone to look at these logs and figure out what more I need to be done?

 

[Bobbye]

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files  
  C:\Documents and Settings\Annie & Molly\Shared\Girl Talk - Feed The Animals [2008].mp3
  c:\documents and settings\Annie & Molly\Start Menu\Programs\Startup\
  PowerReg Scheduler.exe [2008-4-26 189952]
  
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

How do you get out of safe mode?

Usually you just reboot and it will go into Normal Mode.

You need to verify the presence of Rootkit infection:

Please go to this TechNet page and carefully read the instructions for running the Rootkit Revealer:

There are steps laid out here as well as screen shots that will help you>
Start here for the program: Using RootkitRevealer
The download link is at the bottom of the page

Using RootkitRevealer

• 
  
  1. Please study the RKR web page carefully. Don't use your computer while RKR is scanning.
  
  2. Start RKR> wait about 10 seconds> click Scan.Leave computer untouched until it completes. An idle machine will minimise the possibility of false positive reports caused by changes to the system during the scan. Background processes may still make intermittent changes, but resulting discrepancies tend to be obvious from their registry or file system branch; on a re-scan many may not recur.
  
  3. Save the discrepancy list to text file as needed.
  Using the File->Save dialog, select "My Computer" and work down to a suitable folder. The "My Documents" and "Desktop" buttons point to a System user's folders.
  
  4. Use the search feature in the RKR forums.
  For questionable discrepancies, search using a distinctive part of the registry key or path name. Very frequently the same item has appeared before and been commented upon. Often they turn out to be innocuous.
  
  5. Search Google.
  Googling a distinctive part of the registry key, especially the CLSID, can often lead to forum reports of the application responsible. Similarly, googling file names may lead to removal advice if malicious. If using long strings copied from posts, ensure that no extra blanks have become embedded in the search string.
  
  6. When posting a log, ATTACH either the full text log or a representative subsection if it's too large.

Observations from your logs:
You have two of these entries:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

You schedules AdAware to update 4X a day, plus weekly:
2010-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 1,2,3,4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 03:08]

You are loading all of these on boot- none need to be there:
QuickTime, Real Player, Canon camera, web cam, Epsom printer, HP Digital imagine, burning software

You have multiple programs set to auto-update> none need to:
HP, Java, iTunes plus others.

 

[chanmomi]

Ran OTMoveit3. Ran RootkitRevealer. From my searches it looks like everything listed is a false positive or not a problem (swearware, IE temp stuff, etc.). Logs posted below for review. Cleaned up the AdAware scheduled tasks. Will clean up things started on boot. Questions on two things you mentioned:

The HijackThis entry that you say you see twice. I don't see two entries in the program files directory, so what does this mean? Should I be doing something about this?

You referenced programs doing auto updates. One was Java. I checked my set up for Java updates and it is set to check updates once a month and notify me, not auto download. Your comment suggests otherwise. Should the setting be something else? Or do I have a setting somewhere else overriding this?

The OTM log is attached. I'm having trouble attaching the RKR log. I've tried saving it a number of times on the desktop, in my documents, etc. and it successfully saves, but I can't see it in the directory or upload it. I know it's there because if I try to save it again, I can see the previous ones there in the Save as window. Help!

Thanks

 

[Bobbye]

You referenced programs doing auto updates. One was Java. I checked my set up for Java updates and it is set to check updates once a month and notify me, not auto download. Your comment suggests otherwise. Should the setting be something else? Or do I have a setting somewhere else overriding this?

I do not allow anything to auto-update except the antivirus program. When auto-updating is set, it means the process starts on boot and runs in the background. It means the process can access the internet looking for updates. some programs may update frequently, but most (with the exception of the AV) don't. Why should I allow any program access when I can check myself-once?

Java is very pushy. Anytime you access Java directly, to install, uninstall or update, it sets itself to auto-update. I prefer the little extra trouble of resetting to not auto-update. Other may prefer not to be bothered with the responsibility. So I guess it comes down to how much control you want over your system and how much responsibility you are willing to take. I want the closest thing to total control that I can get and this does not include auto-updating.

See if you can find the RKR log in Safe Mode. Copy it and save to your desktop. Reboot back into Normal Mode and see if you can then attach it.

Please also include a log from a new HJT scan.

 

[chanmomi]

Still not able to find RKR log even in safe mode. I can attach screen prints saved as TIFF files, if that is ok?

Hijackthis log attached

 

[Bobbye]

No, no screen print for that.
Unnecessary programs starting on boot and running in the background:
Printer/scanner: Canon, Epsom.
Webcam
Real Player
HP Update
Dell Media Launcher
Roxio Liveshare
Apply/iPod/Bonjour/itunes processes

Please delete the Combofix report you have on the desktop, then run Combofix again. Follow with a new Eset online scan. Leave the new logs.

If anything still shows up, I'll have you run a different root check.
Are you still experiencing the same redirect problem?

 

[chanmomi]

Two logs attached. I am stilling having the redirect problem.

Thanks

 

[Bobbye]

Please uninstall RKR and delete any file it left.

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:
  

  File::
  c:\windows\system32\1349B9041B.sys
  c:\windows\system32\1B04B94913.sys
  c:\program files\dl_Cats
  
  Folder::
  C:\VundoFix Backups
  c:\program files\Common Files\AnswerWorks 5.0
  c:\documents and settings\Annie & Molly\IETldCache
  c:\documents and settings\LocalService\IETldCache
  
  Registry::
  Driver::
  1349B9041B
  1B04B94913

  Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
  Refering to the picture above, drag CFScript into ComboFix.exe
  
  When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
  
  Please check the AdAware Update schedukle. You now have it set: Ad-Aware Update Daily. That' much too often.
  
  Please download GMER HERE and save it to your desktop.
  • Double click set up to run gmer.exe
  • Select Rootkit tab
  • Click the "Scan" button.
  • Save the log and include in next reply.
  Warning ! Please, do not select the "Show all" checkbox during the scan.
  
  The screenshot HERE will show you how the display will come up.
  Please copy the scan result using Copy button> paste to Notepad and attach here.
  Warning ! Please, do not select the "Show all" checkbox during the scan.
  

 

[chanmomi]

Oh no! I copied the script and ran ComboFix as directed. When it asked to reboot, it results in the dreaded blue screen and will not reboot in safe mode. I googled the Stop error codes but Google finds nada. Here is the code:

STOP: 0x0000007B (0xF79AD528, 0xC0000034, 0x00000000, 0x00000000)

After all this should I just give up and reimage the machine from scratch? Hate to do that.

 

[chanmomi]

limited the google search to just the first error code and it does find a variety of errors most likely the virus one for which it recommends a complete reinstall.

 

[chanmomi]

Sorry for the multiple posts. I spoke to soon. I was able to reboot from a prior configuration, Combofix ran again. Removed Adaware completely as it seems to have a mind of its own with auto updates! Ran GMER. Logs attached. However something in the configuration is very sensitive now as even closing a browser window resulted in a blue screen. It will reboot successfully though.

 

[Bobbye]

This thread hasn't gone well. Programs don't run, logs aren't available, you feel that the finds are 'false positives.'

The BSOD can have multiple causes. Here' what I'd like you to do. When you get one of the blue screen, note the time on the computer clock. then do the following:

Please download VEW and save it to your Desktop:

Setting up the program

Double-click VEW.exe then under Select log to query, select:

• Application
  [*] System
  
  
  Under Select type to list, select:
  
• Critical (Vista only)
• Error
  
  Click the radio button for Number of events
  
• Type 20 in the 1 to 20 box
• Then click the Run button.
• Notepad will open with the output log.
  
  Load the log
  
• In Notepad, click Edit> Select all
• Then press Edit > Copy
• Press Ctrl+V on your keyboard to paste the log to your next reply.

(Courtesy rev-Olie)

But I would like you to move to the Forum specifically for BSOD. Start a new thread, describe the problem, reference this thread and attach the event log. I think you will find more appropriate help there. You will be giving them ready made information to work with.