Search engine redirect issue

Status
Not open for further replies.
Search engine redirect issue. 8 steps followed

I've been having a hard time trying to sift through what's been going on with my computer. I'd recently run into problems with Antivirus Plus and had thought I'd gotten rid of it with Malwarebytes' Anti-Malware. However, I'm having a lot of problems with getting redirected in searches now, a few weeks later, as well as being unable to open pages when I input the URL directly (makes research a pain). I'd already followed most of the steps in your 8-step recommendation. Couldn't follow step 5 of the eight steps: the link wouldn't open, so I had to get it off another computer. Any assistance or insight you all could provide would definitely help keep me up late at night.
 
HJT shows you are using McAfee and MS antimalware product(s)

From the other computer, download all the other tools mentioned in the 8 steps. Neglect nothing.
Whatever AV / AntiSpy / Antimalware and Firewall you are currently using, for the purpose of the eight steps at least, you want to use the tools that are listed there.
Since they are free, it costs you nothing to take this advice.

Burn them to a cd to take to the infected computer, and install them to the desktop or other place you can easily find them.
NOTE: more than one av or antispy program will likely conflict with each other... meaning you need to uninstall whatever is currently running.

Some of the steps require running more than once, and sometimes Safe Mode is required for part of the process...
after Safe Mode, you will need to re-run per the instructions... follow them diligently.

I won't be around much for the next several days, but others will. When you are ready, repost with the new logs.
 
Expert Guidance Needed from here.

Hey Vulchur...
Looks like you are off to a good start...
What I am noticing of concern at this point is

1. 2 AV products running. (Avira and MS). Two AV products can conflict, leaving you less secure. It would be good to run them separately / consecutively, noting what each finds (if anything). I am not familiar with the MS product, so I cannot help you unload it. Again, as posted by others in other threads, if it is a paid product, we don't want you throwing your money away... So, maybe an expert can give some guidance here.

2. I am seeing significant work that needs to be done with HJT, but again, an expert will serve you better. I am still learning the product. We don't want to break your computer by "checking" something we shouldn't!

So, of the several experts that watch this board, maybe one will have a chance to look in and help out soon.
Good Luck.
 
B00kWyrm is correct in pointing out that you have two programs which contain an antivirus application. I have outlined the entries below for you and identified them so you will understand the contents of each:

Windows OneCare Live: #Antivirus, antispyware, and firewall, Wireless networking security, Online identity theft protection
Cost is $50.00
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe>>> Microsoft Windows Defender Antispyware, the engine used by both OneCare and Defender.
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe>>> OcHealthMon.exe is known as "Windows One Care Health Monitor":
OneCare is a suite from Microsoft that protects your computer against threats.
It also manages backups.
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe>>> msfwsvc.exe is Windows OneCare firewall service.
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe">>> belongs to Windows OneCare Live.

Avira AntiVir PersonalEdition Classic >>> Free Antivirus 9.0.0.394
C:\Program Files\Avira\AntiVir Desktop\sched.exe>>> manages the scheduled virus scans for the Avira AntiVir PersonalEdition Classic antivirus program.
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe>>> Antivirus System Tray Tool.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe>>> AntiVir Real-time Scanner service
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
Since the presence of more than one antivirus program can potentially cause conflicts which could reduce their security protection, you should remove one of them. Since you have paid for Windows Live OneCare (unless it is a trial version), you might want to remove the free Avira instead.

Step 5 is for free Superantispyware. The link displayed for me with no problem:
https://www.techspot.com/downloads/2695-superantispyware.html

Here is the cause of your redirects: this entry and all of the following O1 entries:
O1 - Hosts: 94.247.2.216 www.google.com
This means that whenever the URL to the right of the entries (Google) above is entered, instead of taking you to that site, you are being redirected to IP 94.247.2.216. This IP belongs to:
role: DATORU EXPRESS SERVISS HostMaster
address: 18. novembra street 319C
address: Daugavpils, LV-5413
address: Latvia

So we need to remove these entries as follows:
Remove bad HijackThis entries
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside all of the items listed below (if present):
O1 - Hosts: 94.247.2.216 www.google.com
O1 - Hosts: 94.247.2.216 www.google.de
O1 - Hosts: 94.247.2.216 www.google.fr
O1 - Hosts: 94.247.2.216 www.google.co.uk
O1 - Hosts: 94.247.2.216 www.google.com.br
O1 - Hosts: 94.247.2.216 www.google.it
O1 - Hosts: 94.247.2.216 www.google.es
O1 - Hosts: 94.247.2.216 www.google.co.jp
O1 - Hosts: 94.247.2.216 www.google.com.mx
O1 - Hosts: 94.247.2.216 www.google.ca
O1 - Hosts: 94.247.2.216 www.google.com.au
O1 - Hosts: 94.247.2.216 www.google.nl
O1 - Hosts: 94.247.2.216 www.google.co.za
O1 - Hosts: 94.247.2.216 www.google.be
O1 - Hosts: 94.247.2.216 www.google.gr
O1 - Hosts: 94.247.2.216 www.google.at
O1 - Hosts: 94.247.2.216 www.google.se
O1 - Hosts: 94.247.2.216 www.google.ch
O1 - Hosts: 94.247.2.216 www.google.pt
O1 - Hosts: 94.247.2.216 www.google.dk
O1 - Hosts: 94.247.2.216 www.google.fi
O1 - Hosts: 94.247.2.216 www.google.ie
O1 - Hosts: 94.247.2.216 www.google.no
O1 - Hosts: 94.247.2.216 search.yahoo.com
O1 - Hosts: 94.247.2.216 us.search.yahoo.com
O1 - Hosts: 94.247.2.216 uk.search.yahoo.com

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Please download ComboFix HERE:
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


• Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

When finished, please rescan with HijackThis and attach new log with Combofix report.

So the order you follow is:
1. Decide on which antivirus program you want to keep.
2. Uninstall the other AV program, or the suite containing the AV program.
3. Open HJ, follow the removal entries.
4. Download and run Combofix.
5. Attach new HJ log and Combofix report.

NOTE on removing the AV program:
This is best done in Safe Mode:
Reboot the computer> let the logo load and then begin tapping the F8 key BEFORE Windows starts to load> continue tapping until Safe mode displays:
Start> Run> msconfig> enter> Selective Startup> Startup Menu> UNCHECK ALL entries for the AV/Security program you are NOT going to keep> Apply> OK.
IF you are removing Avira:
Start> Run> services.msc> find each Service below> double click to open> Change Startup type to Disabled> Stop the Service
Control Panel> Add/Remove Programs> highlight and then UNINSTALL THAT program.

Reboot into Normal Mode> ignore the nag message that comes up and close it after checking 'don't show message again'. Stay in Selective Startup.

B00kWyrm, nice setup. thank you.
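The O1 lines in the HijackThis log above are hosts-file entries: Windows consults the hosts file before DNS, so every listed search domain resolves to 94.247.2.216 instead of its real address. As an added example (not part of the original thread or of HijackThis), the script below reads either a raw hosts file or "O1 - Hosts:" log lines, flags entries that map a search-engine domain to anything other than loopback, and produces a cleaned copy of the hosts text. The watched-domain list and the sample input are assumptions constructed for the example from the IP and domains quoted in the thread.

```python
"""Added example (not from the original thread): flag hosts-file entries that
hijack search-engine domains, like the O1 lines in the HijackThis log above.
Input is raw hosts-file text or HijackThis 'O1 - Hosts:' lines."""
import ipaddress
import re

# Domains a hosts file has no legitimate reason to map anywhere (assumption
# for this example; extend with whatever domains matter to you).
WATCHED_BRANDS = ("google.", "yahoo.", "bing.", "live.")

# Addresses that are normal in a hosts file: loopback and the unspecified address.
BENIGN_IPS = {"127.0.0.1", "::1", "0.0.0.0"}

_O1 = re.compile(r"^O1\s*-\s*Hosts:\s*(\S+)\s+(\S+)")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text or HJT O1 lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = _O1.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # not a hosts entry at all
        pairs.extend((ip, n) for n in names)
    return pairs


def is_watched(hostname):
    """True if any label of hostname starts a watched brand (www.google.co.uk,
    search.yahoo.com, ...) but not for look-alikes such as notgoogle.com."""
    host = "." + hostname.lower().rstrip(".")
    return any(("." + brand) in host for brand in WATCHED_BRANDS)


def find_hijacks(text):
    """(ip, hostname) entries that send a watched domain somewhere other than
    loopback, in file order."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if ip not in BENIGN_IPS and is_watched(host)]


def clean_hosts(text):
    """Hosts-file text with the hijack lines removed. HJT O1 lines are dropped
    as well, since they are log entries rather than file content."""
    bad = set(find_hijacks(text))
    kept = []
    for raw in text.splitlines():
        if _O1.match(raw.strip()):
            continue
        if any(pair in bad for pair in parse_hosts(raw)):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample, not the poster's actual file: one legitimate line plus
# three of the redirects quoted in the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
94.247.2.216    www.google.com
94.247.2.216    www.google.co.uk
94.247.2.216    search.yahoo.com
"""

# Constructed sample in HijackThis log form.
SAMPLE_HJT = "O1 - Hosts: 94.247.2.216 us.search.yahoo.com\n"

if __name__ == "__main__":
    for ip, host in find_hijacks(SAMPLE_HOSTS + SAMPLE_HJT):
        print("hijacked:", host, "->", ip)
    print(clean_hosts(SAMPLE_HOSTS))
```

On a live XP machine the file is %SystemRoot%\system32\drivers\etc\hosts; it is usually read-only and sometimes hidden by the same malware that wrote it, so clear those attributes before overwriting it, and re-check the file a day later, since a redirector that is still running will simply rewrite it.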
 
New logs

Here are the logs. A lot of the redirect issues in search engines are gone. Thanks a lot. However, I'm still having a little trouble with a few sites. eBay to name one.
 
I'm still having a little trouble with a few sites. E-bay to name one.
What is the problem you're having when you try to access the sites. Please be specific.

Regarding entries in Combofix:
I notice you have some open ports, any reason?
The Universal Plug N' Play (UPnP) system operates over two ports: UDP/1900 and TCP/5000.

Re Port 5000
The FBI has Strongly Recommended that
All Users Immediately Disable Windows'
Universal Plug n' Play Support
http://www.grc.com/unpnp/unpnp.htm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

There is also an entry left from McAfee, and it should be removed.
Using Avira:
2009-04-21 00:44 . 2008-12-14 00:16 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee


Your Adobe Reader is out of date. Most current version: Adobe Reader 9.1. Vulnerabilities can be exploited. Click here to download the latest version: https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php

After either updating Adobe or installing FoxIt, you should uninstall the earlier version 7 in Add/Remove Programs.

I don't see any malware in the HJ log. If the original problem has been resolved, we can remove the cleaning tools and old restore points:

Download OTCleanIt HERE & save it to your desktop.
Double click on OTCleanIt.exe.
Click on CleanUp!.
It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
You will receive a prompt that it needs to restart the computer to remove the files>
Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
"Ensure the selection is on C:\ and click on OK"-
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.

Please let me know if I can be of more help.
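The GloballyOpenPorts\List values quoted above are the XP firewall's global exceptions: every port listed there is reachable from the network whatever is listening behind it, which is why a run of twenty-one consecutive TCP ports is worth questioning. As an added example (not part of the original thread or of ComboFix), the script below parses that section out of a ComboFix-style report, collapses the ports into ranges so a long list is readable, flags anything not on an allowlist, and emits the XP-era `netsh firewall delete portopening` command for each stray exception. The allowlist and the report excerpt are assumptions constructed for the example; the excerpt is shaped like the lines quoted above and is not the poster's full report.

```python
"""Added example (not from the original thread): audit the firewall
GloballyOpenPorts\\List section of a ComboFix-style report."""
import re

# ComboFix prints each value as  "port:proto"= port:proto:description
_VALUE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*(?P<rest>.+)$',
                    re.IGNORECASE)

# Assumption for this example: the exceptions the user opened on purpose
# (the Yahoo Messenger port-forward entries mentioned later in the thread).
EXPECTED = {("TCP", 5000), ("TCP", 5001), ("TCP", 5050)}


def parse_open_ports(report):
    """Return (proto, port, description) for every value under a
    GloballyOpenPorts\\List key; values under other keys are ignored."""
    entries, in_section = [], False
    for line in report.splitlines():
        s = line.strip()
        if s.startswith("["):                       # registry key header
            in_section = "globallyopenports\\list" in s.lower()
            continue
        if not in_section or not s:
            continue
        m = _VALUE.match(s)
        if m:
            desc = m.group("rest").split(":", 2)[-1]   # text after port:proto:
            entries.append((m.group("proto").upper(), int(m.group("port")), desc))
    return entries


def port_ranges(entries):
    """Collapse consecutive same-protocol ports into (proto, low, high) runs."""
    runs = []
    for proto, port in sorted((p, n) for p, n, _ in entries):
        if runs and runs[-1][0] == proto and runs[-1][2] == port - 1:
            runs[-1] = (proto, runs[-1][1], port)
        else:
            runs.append((proto, port, port))
    return runs


def flag_unexpected(entries, expected=EXPECTED):
    """Entries whose (proto, port) is not on the allowlist, in report order."""
    return [(p, n, d) for p, n, d in entries if (p, n) not in expected]


def removal_commands(flagged):
    """One XP 'netsh firewall' line per flagged exception. Review before
    running: deleting an exception does not stop the listening process."""
    return ["netsh firewall delete portopening protocol=%s port=%d" % (p, n)
            for p, n, _ in flagged]


# Constructed excerpt in the shape of the report lines quoted above.
SAMPLE_REPORT = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"1900:UDP"= 1900:UDP:SSDP

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"c:\\example\\app.exe"= c:\\example\\app.exe:*:Enabled:Example app (constructed)
"""

if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_REPORT)
    for proto, lo, hi in port_ranges(found):
        print("%s %d%s" % (proto, lo, "" if lo == hi else "-%d" % hi))
    for cmd in removal_commands(flag_unexpected(found)):
        print(cmd)
```

Closing the exception is only half the job: on the same machine run `netstat -ano` and match each flagged port against a PID, because a port the user never opened and a process that is still listening on it are two separate findings.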
 
No, I don't recall opening any ports recently. Adobe has been updated and the McAfee files have been deleted. Waiting on OTCleanIt. The issue with certain sites is that my browser won't load them, e.g. the site you just posted, grc.com/unpnp/unpnp.htm: I get the message "Internet Explorer cannot display the webpage". Even in Firefox I get a "Failed to Connect" screen.
 
Okay, I get http://www.grc.com/unpnp/unpnp.htm with no problem on Firefox.
I also get it on IE6, but with third party Cookie Alerts because of the way my security is set. When I block each or all these Cookies, the sites load.

So my guess is that some setting you have in the browsers is blocking the URLs, but "can't display" sounds like the phishing filter and "can't connect" sounds more like a server problem.

The ports are settings for port forwarding:
5000-5001,5050 tcp applications Yahoo Messenger Chat Portforward
5000-5001 tcp applications Yahoo Messenger Voice Chat Portforward

I think this is discouraged because of a security risk. I am going to consult another helper about this though. Will be back.
 
For some reason, I had in my head that you had the Kerio firewall. But I don't see it. That means you need to get a firewall ASAP to block those open ports. Here is one recommendation:

Download the Comodo Firewall Pro 3.5.57173.439 HERE and Save to your desktop..
Double-click the set-up on the desktop and run the program.
Follow the onscreen prompts.
It "should" block these ports.

Please update and run ComboFix again to make sure the ports are closed.
Follow with new scan with HJ. Attach both report and log.


IF clean, you can go ahead and remove the cleaning tools, but let me review the logs first.
 