Search engine redirecting, amongst other problems

By Advaya · 17 replies
Nov 27, 2008
  1. My browsers seem to be hijacked. When I search I am redirected to a variety of websites such as search engines and auction websites. Also, I can copy an address and go directly to the web page through copy and paste, but if I actually click on the address it just opens in a new tab and every link on the first page indicates I have clicked on them. I tried to scan with spybot but it won't let me connect to a server, and avg will not update. Websites that seem like they could possibly help me (symantic, spybot) will not load at all, it just says the page can not be displayed.

    I ran hijack this, so it's attached below.

  2. rf6647

    rf6647 TS Maniac Posts: 829

    Welcome to TS. I am trying to anticipate your needs. HJT indicates protection from AVG is present on the computer. HJT listing of services is remarkably short. Advance settings use 'ignore' to shorten results displayed in HJT.

    In case of difficulty, attempt this method
    Note, one user reported the need to restart in safe mode with networking, as the relief was temporary. This refers to message #1.
    Additional note: Message #3 link to 'fixit download' has demonstrated its effectiveness in many cases. Explicit link to 'fixit download'

    Genreal Remark: - React to unanswered items appearing in scan logs
    • NO Action’ - Remove Selected when offered by MBAM
    • 'Delete on Reboot’ - Restart the computer after concluding the scan
    Proceeding along a typical path.
    • Update both MBAM & SAS. Rerun them both.
    • This effort is complete when logs report NO infections/threats, or reporting something it can not clean.
    • Restart the computer. Scan with HJT.
    • Posts logs. Report progress & what changes are observed.
  3. Advaya

    Advaya TS Rookie Topic Starter

    Thanks for your help. I had uninstalled AVG because whatever was/is on my computer prevented it from updating so it wasn't working. I installed AVIRA, and Comodo firewall. Both seem to be working well. I am no longer being redirected to random webpages either. I do get a weird pop up when I restart which is a script error from msn or internet explorer. It doesn't seem to affect anything though. I followed the first step above and immediately AVIRA started having about a billion trojan warnings. I initially quarantined them because I was unsure of what action to take since I hadn't started the 8 steps yet.

    I don't have time tonight to run anything twice tonight, but I will go ahead and attach the initial scans.

    Your help is appreciated.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Mbam has removed some malware. Did you reboot after running the program to complete the deletions?

    NOTE: malware is in the System Restore points. DO NOT use system Restore. When the system is clean we will remove the old restore points and set a new one.

    SAS found the Rootkit.TDSServ.
    Have Avira remove the entries that are quarantined.

    rf6647 may want you to turn off the Comodo firewall while running the programs. I'll leave that up to him.
  5. rf6647

    rf6647 TS Maniac Posts: 829

    Advaya, I will try to summarize so you can understand the direction we are taking. I am a newbie here. Bobbye’s reply called attention to significant findings in the logs that affect our next steps.

    1. First scans
      • MBAM log contained the phrase > ‘delete on reboot’. In this case, a restart of the computer is needed.
      • SAS log reporting Rootkit.TDSS items is unusual, given that current version of MBAM ordinarily cleans these. If a restart was performed, then this oddity is significant
      • TrekBlue, LLC is publisher of this software; possible false positive
        • Malware.SpywareNuker > C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS
        • Was this software installed ever?

    2. After cleaning the infection, removing old System Restore points is recommended.

    3. Purging the virus vault reduces the effort to review logs. (User reports Avira quarantined files )

    4. Turn off Comodo FW – Bobbye recognizes something I have not picked up on where it is a resource hog or causes difficulty.
      • I am OK with running it.

    5. New scan logs will inform us if earliers scans uncovered other infections.

    6. User report:
      • weird pop up when I restart
      • followed the first step above and immediately AVIRA started having about a billion trojan warnings >> good sign

    7. Open Issues:
      • Run the next round of scans & post new logs
      • Is the Plug and Play ‘tdssserv.sys’ driver uninstalled by these scans?
      • Investigate if this is a case where a ‘disabled TDSSserv Trojan’ escapes full treatment from MBAM & SAS
      • tdssserv.sys is NOT among the deleted files in any log
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Nicely done, rf6647!
  7. Advaya

    Advaya TS Rookie Topic Starter

    I am so confused about this! I thought everything was better but evidently not.

    I ran Avira and it came up clean, I'll post the log in case I missed something, which is totally possible!!

    Malwarebytes' Anti-Malware came up clean as well.

    SuperAntiSpyware did not come up clean. In fact, I ran it and it came up with 11 detections. It instructed me to restart. I restarted and reran it, and it came up with 13 detections! I will attach logs.

    I do not remember if spywarenuker or whatever was ever installed, it sounds familiar but I honestly can't say. It certainly isn't installed now.

    To be honest, I already deleted all restore points. Is this going to be a problem? I researched a result I got during one of my scans and someone explained how to do that step. My boyfriend tells me to turn off the restore option, but I don't know if I should or how to do that.

    Also, hijack this shows a lot from AVAST antivirus, which I had tried to install but couldn't get to work when the virus or whatever was blocking updates. I don't know why it's there, either.

    Thanks for all your help.
  8. Advaya

    Advaya TS Rookie Topic Starter


    I am in virus hell. I don't know if I should just start a new post about this, since I'm not having the same problems as before.

    I can barely use the computer now. I am continuously bombarded with AVIRA warnings about the TR/Vundo.gen Trojan, as well as TR/Spyagent.euy. Oh, hey, here is a new one right now. TR/Dldr.Agent.aiyu.2

    I don't know what to do; I don't know where they keep coming from. I don't understand how I can send a virus to quarantine and have the exact same warning keep popping up forever.

    My boyfriend sent me a tool to remove VUNDO, but it couldn't find it when I scanned it in safe mode, so it didn't do anything at all.

    I am getting pop up ads. At least it's not porn though, looking on the bright side of things. It's some skiing ad.

    Do I need to repost logs? I feel like every time I do, things are completely different than they were before and it's going to be a never ending cycle :(
  9. rf6647

    rf6647 TS Maniac Posts: 829

    The quickest route to cleaning this infection is to run ComboFix. The first run of this tool should delete the rootkit.trojan - tdssserv.sys. The second run of ComboFix is a view if any other infection has been uncovered. Post both logs and another HJT log.

    If you are interested in helping my study of what role 'disabling the TDSSserv.sys trojan' plays, then I offer a mini-procedure.

    • Confirm 'TDSSserv.sys' is disabled. As was done here.. Cancel to exit
    • Run ComboFix. Near the end of the log, confirm message 'Completion time: ....... - machine was rebooted'
    • Scan with SAS
    • Confirm 'TDSSserv.sys' does not appear in the device manager.
    • Run ComboFix
    • Scan with MBAM & SAS
    • Scan with HJT
    Post all logs. Please share your observations.

  10. Advaya

    Advaya TS Rookie Topic Starter

    Thanks for your help! I have completed the first part of your suggestion, I will start on the second part now and post those later.

    Here are the initial two combofix logs and a new hijackthis log.
  11. rf6647

    rf6647 TS Maniac Posts: 829

    As per my usual, my communication style is very confusing. It was an either-or proposition. I was trying to demonstrate that the first combofix cleaned the infection. Therefore, nothing remained for SAS to report & the device was gone.

    MBAM, SAS, & HJT scans are still needed to confirm progress. The second combofix is used to validate these scans.

    Thanks for your support.

    Log1 caught more that expected.
    Log 2 gives a clear indication.

    Our 2 replys crossed. Your's is similar to another case. A disabled TDSS trojan still has some capabilites. It appears it reached out to attracted a few old infections caught in log1.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    rf6647, I worked with someone the past couple of days with the TDServer malware. We used the following combination and all entries were found and removed. Please check the directions out and if you think it's appropriate, suggest it here:
  13. Advaya

    Advaya TS Rookie Topic Starter

    Again, thanks for all your help. I'm sorry I misunderstood your instructions for the procedure; I would have followed them!

    I am attaching new scans. I ran SAS overnight and it found 8 detections, I ran MBAM this morning and it found 14. After that I re-ran SAS and it came up clean.

    I am still having an error when I restart my computer, could it be related to these entries in my hijack this log? I don't understand these, so I thought I would just ask.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (I deleted the URLS here, I wasn't sure if it was a good idea to have them)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

    The error is just a script error for a msn website, even though when I first use my computer an internet browser is not open. It asks if I want to keep running the script.
  14. rf6647

    rf6647 TS Maniac Posts: 829

    Advaya, this is a partial reply & not well thought out.

    I believe you are clean. The flash from SAS is noted. This is where I grasp at straws.
    • Disconnect all computers from the router (local network).
    • Power cycle the router (remove power, restore power).
    • Power cycle the infected computer.
    • move step
    • Scan with MBAM, SAS, ComboFix,
    • Restart the computer, scan with SDFix
    • Restart the computer, scan with HJT.
    • intentionally blank
    • Connect only the infected computer to the router.

    R1 - ok to ignore

    • Go to the MSN Messenger application.
    • Find the tick box that admits this as a startup item. Untick.
    • Close application
    • Restart Computer.
    • Run the MSN Messenger application. Minimize (puts it into the notification) section of task bar.
    • Did the error occur as before? Did the error occur after starting Messenger?

    Bobbye, in the review of that thread, I saw only logs for steps 9 +10. It was less clear what results were presented for the other steps. I am definitely the lazy type. I was looking for something not covered by ComboFix. Any of those non- PnP devices are using the same exploit, and disabling the non-PnP drivers gives relief of symptoms. Based on a single reply, ComboFix put down TDSSserv. So the question I have is how much work can be avoided?
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Sorry, I should have stayed out. I didn't go over all the logs, just saw mention of the TDSServ and thought it was still an issue.

    Some focus by the poster is needed here.

    rf6647, you gave 2 or 3 well thought out step by step guides. they should be followed.

    As for the script error, not panic time there. Just turn off 'display script errors' in the browser. In the grand scheme of things, nothing to worry about. Sometimes I think a poster expects us to solve each and every problem- small or what they think is large, instead of just cleaning out the malware!
  16. Advaya

    Advaya TS Rookie Topic Starter

    Thanks guys for your help. I think everything is fine now. I just wasn't sure if the browser error was related to the virus or not, that was my only question. If it wasn't then I wasn't going to panic, just wanted to verify.
  17. Advaya

    Advaya TS Rookie Topic Starter

    Also, I tried following all the guides posted. Did I do them incorrectly? I admit I am not a computer expert by any means, but I thought I did an alright job following them, except for the mistake of not completing the procedure which I thought was separate, which I have apologized for. I'm confused about the comment about the need for focus by the poster. Regardless, thanks everyone for helping me, sorry for the lack of clarity. Communication is difficult in this medium.
  18. rf6647

    rf6647 TS Maniac Posts: 829

    Bobbye, apology is not expected. I invite you and all members of the team to make contrbutions. I am not an ‘originalist’. I am the copycat, and mimic what is working for others. It is better to give corrective suggestions earlier rather than later. Part of the rationale comes from the saw about training, old dogs, and new tricks.

    Advaya, Message 11 & 14 are obersvations from status updates. To me these indicate that some ‘folk remedies’ are needed. This appears to be “contamination from unknown origin”. The ‘power cycle’ technique cleans the router. The scans are needed to reclean the computer (all scan tools pre-installed ). Then reconnect to the router. SDFix is optional. It gives me information about the coverage from ComboFix.

    I offer some consideration of the folklore. Some feedback about the power cycle (poc) of the router would be helpful. This is different than the ‘hard reset’ using the microswitch somewhere on the router. The latter technique forces factory defaults & it a guaranteed cleaning. POC cleans volatile memory on the router. Once the exploits alter saved router settings, the hard reset is indicated. Passwords assigned by user are better than leaving it defaulted.

    Here is what I found about uninstalling AVG

Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...