Search engine redirect, Windows Update blocking


joepat

Hi,
I have recently picked up something that is redirecting google and yahoo search results and at the same time I get connection errors when trying to access windows updates.

I've attached the results of the 8 step virus removal instructions.

Thanks in advance for your help

joepat
 

Attachments
  • Attach.txt (18.1 KB)
  • DDS.txt (19.1 KB)
  • gmer.log (6.6 KB)
  • mbam-log-2010-06-28 (23-59-54).txt (896 bytes)

Joe, there is a Rootkit malware infection on the system. Please run the following:

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
===============================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please leave the logs in your next reply.
Also, we ask for your patience. This is a very busy forum.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hi Bobbye,

The redirecting appears to be fixed. I was also able to install the latest windows update.
 
Not quite through yet!

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    ${Memory}
    :Services

    :Reg

    :Files
    C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
    C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL
    C:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\windows\system32\drivers\avgldx86.sys 
c:\windows\system32\drivers\avgtdix.sys 
c:\progra~1\AVG\AVG8\avgemc.exe 
c:\progra~1\AVG\AVG8\avgwdsvc.exe 
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
Folder::

Registry::
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= -
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= -
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=-
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=-

Driver::
AvgLdx86
AvgTdiX
avg8emc
avg8wd
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Go to Scheduled Tasks in the Control Panel> remove the following tasks:
Norton Security Scan
Symantec NetDetect
==============================
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Here are the logs. None of the components of AVG are currently active after these steps. Is that intended?
 

Attachments
  • hijackthis.log (11.6 KB)
  • log.txt (21.8 KB)
  • 07052010_112136.log (4.6 KB)

This was in the header of the Combofix log:
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

Since you had the ZoneAlarm Security Suite, I put AVG v8 in the script to be removed. You are supposed to turn the security back on after the scan. Please make sure ZA is running now.
 
Hi,
I had been relying on AVG and I had downloaded a trial of Zone Alarm in the past. I am not sure why that shows up because if I start Zone Alarm it gives me the buy now button and informs me my pc is not protected. At this point I'll just reinstall AVG or do you suggest another product?
 
Okay, I'll take the blame for doing that! But you may end up the better for it. I would recommend one of the following for the AV. Both are free and good, and both are better than AVG:
Avira Free
Avast Home

Or of course, if you would rather, reinstall AVG, but get the current version. You might also want to consider using a free firewall: either of these is free and good:
Comodo
Zone Alarm
 
Sorry for the extra work but I think you're safer now:

Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Close all Windows except HijackThis and click on "Fix Checked."
==========================================
Since you have the Comodo firewall now, you can remove the ZoneAlarm TrueVector (vsmon) Service as follows:

Please run Notepad and copy the following text into a new file:
Code:
sc config vsmon start= disabled
sc stop vsmon
sc delete vsmon
  • Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
  • Locate remove.bat on the Desktop and double-click on it to run it.
  • A DOS box will open and close, that is normal.
  • If any errors are encountered, please post them.
  • When done you can delete the remove.bat file.

Now it's time to delete the service. Follow these steps.
  • Start> Run> CMD> enter> Type this command: sc delete vsmon
  • Then press Enter
  • If the deletion was successful, you'll see the following response.
    [SC] DeleteService SUCCESS
  • Type Exit to close the command prompt
  • Open Hijackthis and review a log, the service should be gone.

Let me know if the redirecting has stopped and if there are any other malware related problems.
 
Adding questions from the HJT log:

1. Do you know who this Proxy Server is and did you set it? I can't identify the domain and it appears to be a remote connection.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.fore.com:8080

2. Are you aware this process is running and it is with your permission?
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

3. Did you put this Domain in the Trusted Zone? Are you aware that nothing needs to be in the Trusted Zone and that the security for that zone is lower than other zones?
O15 - Trusted Zone: *.line6.net

4. I've never seen the following type of configuring before. Are you aware that Netscape's browser was discontinued altogether on March 1, 2008?
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/
user_pref("aim.session.screenname", "yrrabp");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.download.dir", "D:\\downloads_old");
user_pref("browser.history.last_page_visited", "http://channels.netscape.com/ns/pf/edit_portfolio.jsp?MPPrevPage=myns");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.8.1.2");
user_pref("browser.turbo.showDialog", true);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetm
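
An added example, not from this thread or from HijackThis itself: a small Python triage that reads HijackThis-style lines and flags the same entry types Bobbye asks about above (an HKCU proxy, autostart entries, Trusted Zone domains, and entries pointing at files that no longer exist). The sample lines are constructed from the entries quoted in this thread; the rules and regexes are assumptions made for the example.

```python
import re

# Constructed sample input: HijackThis-style lines modelled on entries quoted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=proxy1.fore.com:8080
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\\Program Files\\AVG\\AVG8\\Toolbar\\IEToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\\..\\Run: [ZTgServerSwitch] "c:\\program files\\support.com\\client\\bin\\tgcmd.exe" /server
O15 - Trusted Zone: *.line6.net
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# Each HJT line starts with a section code (R1, O2, O15, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# ProxyServer values may carry a scheme prefix such as "http=" before host:port.
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<host>[^\s:;]+):(?P<port>\d+)")


def proxy_target(body):
    """Return (host, port) from an R1 ProxyServer entry, or None if absent."""
    m = PROXY_RE.search(body)
    return (m.group("host"), int(m.group("port"))) if m else None


def triage(log_text):
    """Return (section, reason, line) tuples for entries that deserve a question.

    The rules mirror the questions in the thread: a proxy set under HKCU that the
    user may not have configured, autostart entries to confirm, Trusted Zone
    domains (weaker IE security), and orphaned entries left behind by removed software.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-HJT text are skipped
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "R1" and "ProxyServer" in body:
            target = proxy_target(body)
            where = "%s:%d" % target if target else "unknown target"
            reason = "HKCU proxy set to " + where + "; confirm it was set intentionally"
        elif section == "O4":
            reason = "autostart entry; confirm the program is known and authorized"
        elif section == "O15":
            reason = "Trusted Zone entry; IE applies weaker security to this domain"
        elif "(no file)" in body or "(file missing)" in body:
            reason = "entry points at a missing file; leftover from removed software"
        if reason:
            findings.append((section, reason, line))
    return findings
```

Running `triage(SAMPLE_LOG)` returns the R1, O3, O4, O15 and O20 entries with a one-line reason each; the O2 and O23 entries, which point at files that exist, are left alone.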
 