Search redirect problem

Status
Not open for further replies.

1heidrich

Hi,
I am new here. I have a search redirect problem. I have run the 8 steps and my logs are attached. One item though is that I was unable to disable Symantec Endpoint Security as it is controlled by our server.
I am using Windows XP Pro, Internet Explorer 8.
Symantec did not find anything on scan.
Please advise.
Thank you,
Rob
 

Attachments

  • hijackthis.log (10.6 KB)
  • mbam-log-2010-02-25 (09-56-33).txt (868 bytes)
  • SUPERAntiSpyware Scan Log - 02-25-2010 - 12-16-55.log (25.4 KB)
Welcome to TechSpot, Rob. Hopefully we can work around the Symantec Endpoint running. I'd like you to reset the Cookies to prevent the Tracking Cookies. When the system has been cleaned, I'll give you some tips for extra security. I'd also like to mention that frequently when we see so many Tracking Cookies on a system, it's an indication that the system isn't being maintained with features such as Disk Cleanup, Error Checking, Defrag, etc.

Reset Cookies
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

There is malware in the System Restore points. I will have you remove them at the end, but for now, please do not use this feature as it could reinfect the system.

Is this a work computer? I note the following entries. I can't tell you whether they are legitimate because I don't know what they are.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTD.local
O17 - HKLM\Software\..\Telephony: DomainName = RTD.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RTD.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = RTD.local

Can you give me more idea of the search problem? Since you question a Google Redirect, I'd like you to describe what's happening:
1. If you type a word in the Google search box, and then choose one of the sites that comes up, what happens?
2. Does a different site load?
3. Does any site load?
4. Are the sites the same/different?
5. Are you also having ads pop up?
6. Are you sure you're not seeing a Google page saying DNS server couldn't be contacted?

When you give me a bit more info, I will know better how to proceed.
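The R0/R1/O17 lines quoted above are the kind of HijackThis entries a helper has to triage by hand. As an added example (not code from the thread or from HijackThis), this parser pulls the start-page, search-page and DNS-domain values out of such lines and flags any whose host is not on a list of hosts the user has confirmed as legitimate (here the companyweb intranet and the RTD.local domain). The sample log is constructed for the example; the hijacked-looking hosts in it are placeholders under .example.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the entries quoted in the thread. The last two
# lines are made-up placeholders standing in for values a helper would question.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTD.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RTD.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-hijack.example/q
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rogue-dns.example
"""

# Section code, registry path, value name and value, e.g.
# "R0 - HKCU\...\Main,Start Page = http://companyweb/" or
# "O17 - HKLM\...\Parameters: Domain = RTD.local"
ENTRY_RE = re.compile(
    r"^(?P<sec>R[0-3]|O17) - (?P<path>.+?)[,:]\s*(?P<name>[^=]+?)\s*=\s*(?P<val>.+)$"
)


def parse_entries(text):
    """Return the R0-R3 and O17 entries found in a HijackThis-style log."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def value_host(value):
    """Reduce a URL or bare domain to a lowercase host name for comparison."""
    value = value.strip()
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower()


def triage(text, expected_hosts):
    """Mark each entry 'expected' if its host is on the confirmed list, else 'review'."""
    allowed = {h.lower() for h in expected_hosts}
    report = []
    for entry in parse_entries(text):
        host = value_host(entry["val"])
        verdict = "expected" if host in allowed else "review"
        report.append((entry["sec"], entry["name"], host, verdict))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_HJT, {"companyweb", "RTD.local"}):
        print(row)
```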
 
Hi Bobbye. Thanks for the quick response. I can remove Symantec Endpoint while we are working on this problem if required. It is controlled at the server, so I can't turn it off.
This is a work computer. Company web is the web page for our server. Also RTD.local is the domain.
When I type a search in the search bar (google, yahoo, bing, or any other),
it appears the normal search results appear. When I choose one of the sites, I get a different site. They are different sites also. Some of the ones that have appeared are luckyresults.com (this usually happens 1st), esmartliving.com, realtor.com, search.pro. Once it redirected to youtube.
I did see redirect flash by one time right as a different site was coming up, this was on the tab.
I am not having ads pop up. There is no page saying dns server couldn't be contacted.
I have reset the tracking cookies per your instructions, and turned off system restore.
Thank you,
Rob
 
Sorry, I didn't mean for you to turn off System Restore yet, just not use it. Please turn it back on. There can be a time in cleaning when the only way to get into a system is through System Restore. That's why we don't drop them until the end.

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, Please allow.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please do so.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Follow with a rescan using HijackThis. Attach the ComboFix report, Eset log and new HijackThis log in your next reply.
 
Scanned as instructed

I turned System Restore back on, then scanned as per instructions. Attached are the log files for ComboFix, Eset, and HijackThis.
Thank you again.
 

Attachments

  • ComboFix.txt (15 KB)
  • log.txt (789 bytes)
  • hijackthis.log (8.9 KB)
Please download OTMoveIt by OldTimer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Program Files\AIM\Sysfiles\WxBug.EXE
    C:\Program Files\Logitech\Video\ManifestEngine.exe" boot 
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Note 1: To disable the auto update settings for Shockwave, follow the steps below:
1. Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
2. Right click the Shockwave movie.
3. From the drop down menu choose "Properties".
4. Uncheck the box next to "Automatic Update Service" to disable the auto update feature.

Rob, are you still getting the redirects?

Questions: Does the AIM program or Toolbar have the WeatherBug on it?
 
Hi Bobbye,
Below is the log from OTMoveIt. I am still getting the redirects. AIM and the toolbar do not have WeatherBug. I do not use either one though, so I will remove them if it is okay. Thanks again for your continued assistance.
Rob

All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\AIM\Sysfiles\WxBug.EXE moved successfully.
File/Folder C:\Program Files\Logitech\Video\ManifestEngine.exe" boot C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Administrator.ENGINEERING
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: administrator.RTD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 997283 bytes
->Java cache emptied: 13426062 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes

User: jmiracle
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2693849 bytes
->Flash cache emptied: 1278 bytes

User: jwaring
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 300 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: ppensom
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 706575 bytes
->Flash cache emptied: 84 bytes

User: rrheidrich
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 249199623 bytes
->Java cache emptied: 2066398 bytes
->Flash cache emptied: 159063 bytes

User: rrheidrich.RTD
->Temp folder emptied: 5589528 bytes
->Temporary Internet Files folder emptied: 32428076 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2778589 bytes

User: RRHEID~1~RTD

User: __sbs_netsetup__
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1138887 bytes
%systemroot%\System32 .tmp files removed: 9043968 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 511 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 36486 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 306.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03022010_075457

Files moved on Reboot...

Registry entries deleted on Reboot...
 
Don't know that I've ever seen such a string of user accounts before! Did you notice that there was a total of 306MB cleaned?

I rewrote that file string several times in OTMoveIt and I see it went right back to making one long string! Should have used something different:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\docume~1\RRHEID~1.RTD\LOCALS~1\Temp\cpuz130\cpuz_x32.sys 
c:\Program Files\AIM\aim.exe
c:\windows\system32\d3d9caps.dat
 
Folder::

Registry::

Driver::
cpuz130

Collect::
c:\windows\system32\drivers\ripbfpgy.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[Screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Rescan with HJT and include new log with above report.
 
Hi Bobbye,
We have a few users using the same computer. I can get rid of some of them, and will take care of that later. There was a lot of items cleaned.
I did as you instructed, and the combo fix and Hijack logs are attached.
Take Care,
Rob
 

Attachments

  • ComboFix.txt (16.3 KB)
  • hijackthis.log (8.9 KB)
Question: Is this computer being used in a work setting? Are the other users co-workers?

It is not good that you're still being redirected.

Please download GMER and save it to your desktop.
  • Double-click gmer.exe to run it.
  • Select Rootkit tab and click the "Scan" button.
  • When GMER detects hidden service click "Delete the service"
  • Answer YES to all questions.

This screenshot will show you how the display will come up.
[Screenshot: rustock.jpg]


Warning! Please do not select the "Show all" checkbox during the scan.
 
Hi Bobbye,
This computer is used at work. The other users are co-workers. I don't need to have them on this computer though.
I ran the GMER scan, and it did not show any hidden services.
The redirect is still occurring.
The GMER scan took a long time.
Thanks
 
Because this is a work machine and because there are multiple workers using it, it would be in your best interest to have the person who is the IT for the company assist you.
 
Hi Bobbye,
As stated prior, none of the other users are active or use the machine. I can take them off. As far as IT department, we don't have one. I was trying to avoid paying over 100 dollars / hour for someone to come out.
Thanks for trying. Probably we will need to reload windows or something. What do you think?
Rob
 
I'm going to ask Broni to have a look at your logs. He might be able to help you. I'll send him PM.
 
With Broni's assistance:

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::

File::
c:\windows\system32\drivers\ripbfpgy.sys

Folder::

Driver::
ripbfpgy

Registry::

RegLockDel::

MBR::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
 
Thank you for the update.
Please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See the System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing ActiveX Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
5. Use an AntiVirus Software (only one).
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for extra security:
  • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.

If I can be of further assistance, please let me know.

Since this issue appears resolved, this topic will now be closed. If you need continued support, please PM your helper and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic in our Virus and Malware Removal Forums
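The HOSTS file mechanism described in the closing advice above cuts both ways: an MVPS-style entry points an ad host at 127.0.0.1, but the same file can also silently send a legitimate site to an attacker-chosen address, which is one way a "search redirect" can be implemented. As an added example (not code from the thread or from the MVPS project), this audit reads a hosts file and separates loopback block entries from entries that map a name to a routable address and so deserve a look. The sample hosts content is constructed, with a TEST-NET documentation address standing in for a suspicious mapping.

```python
import ipaddress

# Constructed sample: two MVPS-style block entries, the normal localhost line and
# one entry mapping a real-looking site to a routable (documentation-range) address.
SAMPLE_HOSTS = """\
# constructed example, not the real MVPS file
127.0.0.1 localhost
0.0.0.0 ads.tracker.example
127.0.0.1 banner.adserver.example   # blocked ad host
198.51.100.7 www.search-engine.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        rows.extend((ip, name.lower()) for name in names)
    return rows


def audit_hosts(text, local_names=("localhost",)):
    """Classify entries as 'local' (localhost-type names), 'block' (name sent to a
    loopback or unspecified address, as the MVPS file does) or 'review' (name sent to
    a routable address, which can redirect a site without any browser involvement)."""
    report = {"local": [], "block": [], "review": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not a valid hosts entry
        if name in local_names:
            report["local"].append(name)
        elif addr.is_loopback or addr.is_unspecified:
            report["block"].append(name)
        else:
            report["review"].append((name, ip))
    return report


if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(category, entries)
```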
 