Links from Google search are hijacked to 3rd party sites


stidesforty

Hi and thanks in advance for your help. Over the weekend I started getting a number of the fake virus protection pop-ups and thought I was careful to avoid clicking on them. I run Vista on a Dell with McAfee security. I generally use IE, although I also have Firefox and Chrome installed. Even after scanning with McAfee and running AdAware, when using IE or Firefox (not sure with Chrome), links after a Google search were sending me to random sites/yellow pages/etc. and not to the linked page.

I have since followed the 8 step removal process, but links are still getting hijacked. Attached are the three logs requested. Thanks again!
 

Attachments

  • mbam-log-2009-11-09 (11-36-12).txt (835 bytes)
 
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot RC2-1.png):



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
Kritius-

Thanks for jumping on my virus grenade. Ran ComboFix. Had to run it twice as the first time it rebooted the computer after completing stage 3 (not sure if that is normal or not). 2nd time got through all 50 stages and produced the attached log.

thanks
 

Attachments

  • ComboFix.txt (21.7 KB)
 
What is your AV status?

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::

MIA::
c:\windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the CFScriptB-4.gif screenshot, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
Also,

I see that you use IObit Security 360. They used a stolen database from Malwarebytes Anti-Malware to enhance their definitions; I would now consider this rogue software. If they stole another security vendor's database, what else would they stoop to?

If I were you I would consider if I wanted this on my system.
 
Thanks. I have McAfee installed for AV.

I didn't know about IObit. I uninstalled.

Ran the script with ComboFix. Log is attached.
 
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::

FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | c:\windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the CFScriptB-4.gif screenshot, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
 
OK. Couple of things after running the last script.

1-Got a notice that PEV.cfxxe had stopped working
2-Auto reboot after Stage 50 and after completing log.
3-I think the attached log is the newest one- it was actually in a ComboFix folder on C:

thanks.
 
Go to start and then run and type cmd

COPY /Y/B/V %WINDIR%\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys C:\atapi.sys

Please verify that C:\atapi.sys exists.
 
I copied the "COPY...atapi.sys" into a command prompt and it said "1 file copied"

And it appears on the C: drive.

CF log attached
 
Good

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::

FCopy::
C:\atapi.sys | c:\windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the CFScriptB-4.gif screenshot, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
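
The restore steps above copy a known-good atapi.sys out of the DriverStore over the live copy in System32\drivers. Before (or after) doing that, a practitioner would want to see whether the live file actually differs from the staged copies and whether it still carries a valid Microsoft Authenticode signature. The script below is an added example and is not code from the thread or from ComboFix. It assumes PowerShell 2.0 or later (an optional download on Vista, built in from Windows 7) run from an elevated prompt; the folder name mshdc.inf_b12d8e84 comes from the thread, but the hash suffix differs between systems, so the script globs for mshdc.inf_*.

```powershell
# Added example, not from the thread: compare the live atapi.sys with the
# DriverStore copies and report each file's Authenticode signature status.
# Assumes PowerShell 2.0+ and an elevated prompt. mshdc.inf_b12d8e84 is the
# folder quoted in the thread; the suffix varies, hence the mshdc.inf_* glob.

$live  = Join-Path $env:WINDIR 'System32\drivers\atapi.sys'
$store = Join-Path $env:WINDIR 'System32\DriverStore\FileRepository'
$storeCopies = Get-ChildItem -Path $store -Filter 'mshdc.inf_*' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ChildItem -Path $_.FullName -Filter 'atapi.sys' -Recurse }

function Get-FileSha256 {
    # SHA-256 via .NET; Get-FileHash only exists from PowerShell 4.0.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Describe-Driver {
    # Size, timestamp, hash and signature verdict for one driver file.
    param([string]$Path)
    $item   = Get-Item -Path $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    New-Object PSObject -Property @{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Sha256    = Get-FileSha256 -Path $Path
        SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
    }
}

$report = @(Describe-Driver -Path $live)
foreach ($copy in $storeCopies) { $report += Describe-Driver -Path $copy.FullName }
$report | Format-Table Path, Size, Modified, SigStatus, Signer, Sha256 -AutoSize

# Verdict: the live file should be Microsoft-signed and identical to one of
# the DriverStore copies; anything else is a reason to restore it.
$liveEntry  = $report[0]
$sameAsLive = @($report | Select-Object -Skip 1 | Where-Object { $_.Sha256 -eq $liveEntry.Sha256 })
if ($liveEntry.SigStatus -ne 'Valid') {
    Write-Warning "Live atapi.sys signature status is $($liveEntry.SigStatus); treat it as suspect."
}
if ($sameAsLive.Count -gt 0) {
    "Live atapi.sys matches $($sameAsLive.Count) DriverStore copy/copies."
} else {
    Write-Warning "Live atapi.sys matches none of the $($report.Count - 1) DriverStore copies."
}
```

Two caveats. A hash mismatch on its own is weak evidence, since a service pack or update can leave a newer live driver than the staged copy; a signature status other than Valid on a Microsoft-shipped driver is the stronger signal. And a kernel-mode rootkit that filters disk reads can hand a clean image of the file to anything running inside the infected OS, so a clean result here does not rule out infection; that is why the helper also runs the GMER and RootRepeal rootkit scanners and why restoring from the Recovery Console or another offline boot is more trustworthy than copying from within Windows. The COPY /Y/B/V form used earlier in the thread overwrites without prompting (/Y), copies as binary (/B) and verifies the written file (/V).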
 
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
 
OK. GMER crashed twice in Normal Mode, and finally went all the way through on 3rd try in Safe Mode. Log is attached. Thanks again!
 
We need to check for rootkits with RootRepeal.
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open RootRepeal.exe on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok.
  8. Check the box for your main system drive (usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
 
How long does rootrepeal take to run the scan? I started one, and RR crashed. I tried running again and it wouldn't. So I uninstalled, restarted and downloaded a new copy. It's been stuck for 25 mins with nothing seemingly happening. Should I run it in safe mode?
 
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP2
Exception Code: 0xc0000005
Exception Address: 0x0040ab12
Attempt to write to address: 0x00000004
 
That's not great.

Delete the copy of ComboFix that you have on your desktop and redownload it.

Run it again and post the log.
 
Tried to run RootRepeal today and it froze again in the same spot...when it is scanning C:/Windows/winsxs/Manifests. Not sure if that helps, but thought I'd pass it along.
 
Sorry for the delay, Internet died.

Delete current copy of ComboFix, redownload, scan and post the log.

Also, do you have Daemon Tools, Alcohol 120%, etc. installed?
 
Sorry for my delay. I was out of town the last 5 days.

I am now unable to download combofix from either of the sites. Can't save the file to my computer? Any thoughts?

I don't think i have either of the programs you mentioned - never heard of them.

Thanks
 
In Google Chrome, a new tab opens up and it says: "This webpage is not available. The webpage at https://www.techspot.com/downloads/5587-combofix.html might be temporarily down or it may have moved permanently to a new web address."

In IE, i get the security warning, click on save, it appears to download, but then i get a vista pop-up "Destination Folder Access Denied...you need permission to perform this action."

I am logged on as same user with admin rights as before.
 