Internet Redirector Problem

Status
Not open for further replies.

jwingpg

Hello,

I just joined the site after finding the 8 steps to virus removal. Great site!

My problem started after I logged onto my laptop and noticed 24 open Internet Explorer windows. I never use IE, which I found strange. It appears that some type of antivirus tool had installed, so I removed the program. I believe it was called Antivirus Plus. Since then I have had the redirection problems listed below.

I have run all of the steps but still have the same problems and these are happening using Mozilla, IE, Google and Google Chrome.

Problem 1 is when I type in an entry to search on the results returned are not what I would normally see and to access the site I want I need to enter the correct URL into the address bar.

Problem 2 is when I select any results from a search I am redirected to random sites such as Fresh Deals, all shopping sites.

I also ran HitmanPro3.5 and it found nothing.

I will attach my log files to this post, and thanks in advance for any assistance in resolving this. I also had run Malware prior to reading the 8 steps and will attach that file.

Cheers,

James
 

Attachments

  • mbam-log-2010-01-18 (13-40-53).txt
    869 bytes · Views: 2
  • SUPERAntiSpyware Scan Log - 01-18-2010 - 14-20-47.log
    828 bytes · Views: 2
  • hijackthis.log
    6.4 KB · Views: 2
  • mbam-log-2010-01-16 (20-57-31).txt
    2.5 KB · Views: 2
Ok, I think I have the redirector issue fixed now, but the search function still does not work as I would expect. For instance, for certain sites I went to, if I typed the name in the search, my first returned value was the correct site. Now the correct site is not even on the first page, even when I type in, for instance:

dodgecharger.com

Advanced System Care seemed to have fixed the redirecting issue.

I had installed HitmanPro 3.5 yesterday and ran it. It did not find anything. On a restart of the PC HitmanPro ran again and this time came back with a rootkit virus located in C:\Windows\system32\atapi.sys, as I recall. I was then prompted to purchase the program to fix the issue, which I did not.

How can I get rid of this rootkit virus, as the other removal tools are not picking it up?

Thank you.
 
The best way for you to get rid of the malware is to stop running random programs and running them in random order! I stopped to check your logs, then saw you had added a rootkit scan and Hitman.

I will be glad to help you if you disable all but the original programs and don't run any other 'cleaning' programs unless instructed. I am working from the original logs:

Your Hosts file has been hijacked:
Please reopen HijackThis to 'do system scan only.' Check the following entries if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.159.125.60 www.google.no
O1 - Hosts: 78.159.125.60 www.google.nl
O1 - Hosts: 78.159.125.60 www.google.com
O1 - Hosts: 78.159.125.60 www.google.se
O1 - Hosts: 78.159.125.60 uk.search.yahoo.com
O1 - Hosts: 78.159.125.60 www.google.pt
O1 - Hosts: 78.159.125.60 www.google.es
O1 - Hosts: 78.159.125.60 www.google.ca
O1 - Hosts: 78.159.125.60 www.google.be
O1 - Hosts: 78.159.125.60 www.google.fi
O1 - Hosts: 78.159.125.60 www.google.com.br
O1 - Hosts: 78.159.125.60 www.google.co.uk
O1 - Hosts: 78.159.125.60 www.google.dk
O1 - Hosts: 78.159.125.60 www.google.co.jp
O1 - Hosts: 78.159.125.60 www.google.fr
O1 - Hosts: 78.159.125.60 www.google.co.za
O1 - Hosts: 78.159.125.60 www.google.de
O1 - Hosts: 78.159.125.60 www.google.ch
O1 - Hosts: 78.159.125.60 www.google.at
O1 - Hosts: 78.159.125.60 www.google.it
O1 - Hosts: 78.159.125.60 search.yahoo.com
O1 - Hosts: 78.159.125.60 www.google.ie
O1 - Hosts: 78.159.125.60 us.search.yahoo.com
O1 - Hosts: 78.159.125.60 www.google.gr
O1 - Hosts: 78.159.125.60 www.google.com.mx
O1 - Hosts: 78.159.125.60 www.google.com.au


Close all Windows except HijackThis and click on "Fix Checked."

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message asking whether to continue.

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Follow with new HijackThis scan. Attach both Combofix report and new HJT log to next reply.

Please disable any other "cleaning" program you have installed. Do not run any other security programs unless instructed.

Bump up the AVG to v9.
 
Updated log files

Ok, I have attached the requested files.

Thank you!
 

Attachments

  • ComboFix.txt
    15.1 KB · Views: 1
  • hijackthis.log
    4.9 KB · Views: 1
I'd like you to disable Hitman until we are through. Additionally, disable C:\Program Files\IObit\IObit Security 360\IS360srv.exe. We're trying to find the malware and make sure all of it is removed. These programs could be working at cross-purpose to doing that.

I'd like to try and move some of the files found in Combofix:

Please download OTMoveIt3 by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files
    c:\documents and settings\All Users.\documents\settings
    c:\documents and settings\All Users.\documents\settings\cbss.dll
    c:\documents and settings\All Users\Documents\Settings\cbss.dll
    c:\windows\system32\nvsvc32.exe
    c:\program files\Ask.com
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run OTMoveIt3 again after running the above to make sure the files were removed. Attach new logs to next reply.
Please let me know if any of the redirecting has been stopped.

dodgecharger.com appears to just be an auto site for the car of the same name.
 
New Results

Ok, I performed the steps as requested and it appears that my redirection problem has been resolved. Kudos to you ! Very impressive indeed. It must be nice to have this knowledge.

Here are the results of the first log and I have attached the second log file.



All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\documents and settings\All Users.\documents\settings not found.
File/Folder c:\documents and settings\All Users.\documents\settings\cbss.dll not found.
File/Folder c:\documents and settings\All Users\Documents\Settings\cbss.dll not found.
File/Folder c:\windows\system32\nvsvc32.exe not found.
c:\program files\Ask.com folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: James
->Temp folder emptied: 401 bytes
->Temporary Internet Files folder emptied: 34623 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 150811524 bytes
->Google Chrome cache emptied: 50027004 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Shari
 

Attachments

  • 01252010_211914.log
    4.4 KB · Views: 1
Okay, scan with Eset online virus scan:
Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Follow with a rescan of HJT. Attach both logs. If clean, I'll have you remove the cleaning tools and old restore points.

Don't forget you need to update AVG to v9.
 
Scan Results

Here are the latest scan results!

Thanks!
 

Attachments

  • hijackthis.log
    5.7 KB · Views: 1
  • log.txt
    1.3 KB · Views: 1
Let's move these files found in the Eset scan:

Please download OTMoveIt3 by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip	
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip		
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Run the Eset scan again to make sure they got moved. I've had 3 people today with some kind of Worm saved in the Spybot recovery. I've been checking their forum to see if there is anything reported there- nothing. So we'll move them. If they come up again, you may have to find them in Spybot and remove.

HijackThis is good. Do any of the original malware problem remain? If not and if those files get moved okay, I'll have you remove the cleaning tools and old restore points.
 
More files.

Here are the requested files. The redirector problem appears to be fixed but I still see virus activity in the attached logs.

Cheers,
 

Attachments

  • log.txt
    2.5 KB · Views: 1
  • hijackthis.log
    5.3 KB · Views: 1
  • 01272010_203433.log
    3.9 KB · Views: 1
The infected files show moved successfully. The file showing C:\Qoobox\Quarantine.... is in the folder used by ComboFix for the quarantined items. When I have you uninstall ComboFix, it will be removed.

Otherwise the logs are good. If you have resolved the original problems and have no related problems, you can remove the cleaning tools:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

Consider these programs for Extra Security
  • SpywareBlaster: protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: get the free Google toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know.
 
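The hosts-file hijack called out earlier in this thread (search-engine hostnames all pointed at one remote address) and the MVPS hosts file recommended at the end (ad and tracker hostnames pointed at 127.0.0.1) are two uses of the same mechanism, and a quick audit of the file tells them apart. The script below is an added example, not code from this thread or from HijackThis, ComboFix, or any other tool named here. It accepts either a raw hosts file or HijackThis O1 lines, classifies each entry as a loopback/blackhole block, a search-engine hijack, or an unexplained remote mapping, and reports the distinct addresses the hijacked names point at. The sample inputs are constructed to mirror the entries shown in the thread; `ads.example.net` and `tracker.example.org` are made-up blocklist hosts.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed sample hosts file: the normal localhost line, two MVPS-style
# blocklist entries, and the kind of search-engine hijack seen in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # MVPS-style blackhole entry (constructed)
127.0.0.1       tracker.example.org    # MVPS-style blocklist entry (constructed)
78.159.125.60   www.google.com
78.159.125.60   www.google.co.uk
78.159.125.60   search.yahoo.com
78.159.125.60   us.search.yahoo.com
"""

# The same information as HijackThis reports it (O1 lines). The R1 line is
# included to show that non-hosts entries are ignored by the parser.
SAMPLE_HJT = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 78.159.125.60 www.google.de
O1 - Hosts: 78.159.125.60 www.google.fr
"""

# Major search engines never belong in a hosts file; a blocklist such as MVPS
# does not ship them, so any entry for one is treated as a hijack.
SEARCH_ENGINE_RE = re.compile(r"(^|\.)(google\.[a-z.]+|search\.yahoo\.com)$")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address (e.g. an R1/O2 HijackThis line)
        for host in parts[1:]:
            yield ip, host.lower()


def classify(ip, host):
    """'hijack' for a search engine, 'block' for loopback/blackhole, else 'remote'."""
    if SEARCH_ENGINE_RE.search(host):
        return "hijack"
    if ip.is_loopback or ip.is_unspecified:
        return "block"  # 127.0.0.1 / 0.0.0.0: the MVPS-style sinkhole convention
    return "remote"  # a real address for some other name; review by hand


def audit(text):
    """Group every hosts entry by classification: {kind: [(ip, host), ...]}."""
    findings = defaultdict(list)
    for ip, host in parse_hosts(text):
        findings[classify(ip, host)].append((str(ip), host))
    return dict(findings)


def hijack_targets(text):
    """Distinct remote addresses that search-engine hostnames have been pointed at."""
    return sorted({ip for ip, _host in audit(text).get("hijack", [])})


if __name__ == "__main__":
    # Pass a path (on Windows: C:\Windows\System32\drivers\etc\hosts) or run
    # with no argument to audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for kind, entries in audit(text).items():
        for ip, host in entries:
            print(f"{kind:7} {ip:16} {host}")
    print("hijack targets:", hijack_targets(text))
```

Entries classed as `remote` are not necessarily malicious (an intranet name mapped to a real address is legitimate), which is why they are reported separately rather than lumped in with the hijacks; the `hijack` class is the one that explains redirected search results, and the single address it resolves to is what a Fix Checked in HijackThis removes.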
Thanks for all of your help Bobbye. My computer is running great and I also installed all of the tools you suggested.

Cheers,

James
 
You're very welcome, James. Glad to hear you made use of the tips I left. Since you worked hard to clean the system up, you'll find they will help you keep it clean!
 