Google search redirects, possible malware?

Status
Not open for further replies.

FreeGamesBlog

Ok,
So over the last few days I have noticed my google searches have started getting ridiculously slow, and about half of them end up taking me to a search page where all the links actually point to something along the lines of "adwordsredirector.google.com", and if clicked they sit there for about 60 seconds, then go to the "Could not find server" error message.

I have used the techspot forums before in finding helpful information about malware removal, but this is my first post. Please don't think I'm a complete noob (I actually wrote a utility to help remove Windows Police Pro when my wife got infected, see http://security.blogsite.org), I just don't have much experience with identifying browser hijacks unfortunately.

Here's the situation so far:
I run AVG 9 free edition. There is a scheduled task to check for updates every 2 hours so it is always up to date. Full scan runs daily. It has found nothing.

Spybot search & Destroy found nothing.

F-Secure Blacklight found nothing.

MalwareBytes found a trojan.dropper in the first scan (logfile attached) and it was successfully removed.

Then I followed the 8 steps Guide from Techspot. Here were my preliminary results:

Antivirus: Again, using AVG free edition, nothing found.

*Installed ZoneAlarm, then had to uninstall it due to NO internet connectivity (I told it to allow FireFox access, but it still froze on loading pages)

Still using Windows XP OS firewall.

Ran CCleaner twice. Even ran the registry cleaner to get rid of ZoneAlarm traces (uninstaller would NOT work, had to manually delete files/shortcuts)

Turned off AVG Resident shield.
Uninstalled eMule/Limewire (couldn't tell you the last time I used either of these programs anyway, so why keep them if they're such a security risk? :)

Ran MalwareBytes for the second time after updating. Nothing found, logfile attached.

Ran SuperAntiSpyware after updating. Nothing found, logfile attached.

Java was already updated to the latest version (I'm pretty good at keeping everything up to date, though I did have to uninstall 1 previous version that was still present on the system)

Ran HiJackThis, logfile attached. This is what I'm really not sure about what should or should not be there, so hopefully someone here can tell me if there is a problem and what it is.

As of this time, I haven't noticed any search redirects (yet) this morning, but Google searches are still running EXTREMELY slow. I'm sure if I do enough searches, I'll still be getting redirects also, because it was on probably 1 out of every 3 or 4 searches on average that I was being redirected.

If it helps, I'm running FireFox 3.6.3, which I have also noticed seems to crash quite a lot, sometimes with an error message, sometimes it just goes away as though I closed the program even though I didn't. Not sure if this is relevant, but thought I'd include it in case it was helpful.

My logfiles are attached below, and I anxiously await your help! :D

Thanks!
 

Attachments

  • mbam-log-2010-04-06 (18-49-02).txt (1.6 KB)
  • mbam-log-2010-04-09 (01-13-07).txt (897 bytes)
  • SUPERAntiSpyware Scan Log - 04-09-2010 - 03-11-39.log (466 bytes)
  • hijackthis 4-9-2010 3.02pm.txt (5.7 KB)
Glad you decided to take a chance on us, FreeGames- although your user name might well be a source of malware! I won't call you a 'noob', but I will caution you about doing this:
I have used the techspot forums before in finding helpful information about malware removal,

Malware removal instructions are specific for the member who starts the thread. Although we may run some of the same follow up programs, what we do with them is for that person only. It is much better to come here and ask for help instead of looking for a lot of programs to run- which as you see, don't necessarily find the malware.

And please either uninstall or disable the Registry cleaner. Most of us don't recommend anyone using a Registry cleaner, and if you are making registry changes while we are cleaning, it can disrupt the entire process.

It is possible from your description that there is a problem with your internet connection/server/ISP- all or one of them. 'Can't find page' is NOT a redirect. Slow Google searches are NOT a redirect. But let's see what's lurking on the system:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls.
  • Double click on the setup file on the desktop to run
  • If prompted to download and install the Recovery Console, please do so.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
  • If prompted to update, please allow.
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run.
Then run the Eset online scanner. Please note that we do NOT want you to check the line for removal:
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
There will also be some entries in the HJT log I will have you remove later. Please leave the Combofix report and Eset log in your next reply.

Please do not run any other cleaning programs while I am helping you, unless I ask you to do so. Do not use a Registry cleaner or make any registry changes.
 
Ok,

Gonna clarify a few things you addressed in your reply :)

FreeGamesBlog is a website I am working on where I do reviews/critiques of free online games, like flash/shockwave games. Was actually going to use GamesBlogAdmin for a user name, but your forum would not allow it, I assume since it has "Admin" in it :)

As for using the forums in the past, they are where I learned about MalwareBytes and SuperAntiSpyware, which I run periodically just to make sure everything is as it should be in addition to my normal AVG protection. I don't normally just run random fixes for things I don't know for sure I have.

The registry cleaner I ran is the one built into CCleaner. But I won't do anything other than the steps you are telling me. That's why I came here and asked for help.

The internet connection is fine: There are 2 other PC's running off the same router, 1 wired, 1 wireless, and both work just fine. I have swapped cables with the one that is running slowly and that did not resolve the problem.

I know slow searches aren't a redirect, but they are running significantly slower than they should, ie 60-90 seconds for a search, vs 1-3 seconds on the other computers on my network (all of which have roughly the same processor/ram specs)

The redirects are, for example, I search Google for "bananas". The links that come up go to various pages, such as "Banana Republic" or the wikipedia on the fruit banana. But if you mouse over/click the links, they say they are connecting to "adwordsredirector.google.com", which times out after about 2 minutes, instead of going to the correct site, BananaRepublic or wikipedia.

Hope this clarifies what I was trying to say earlier :)

And, now that I've cleared things up a bit, I'm going to start following your directions. Will post a reply once I'm done with these steps. :)
 
What I left for you was supposed to be informational, not confrontational. But I will say that if you search for something as vague as 'bananas', any search engine is going to throw vague results.

I understood what you said. Please understand that there is a wide range of knowledge in those who ask for help. We get many members stopping here because their computer is 'slow', where it could be system problems either in addition to or instead of, malware. So we try to point out some highlights.
 
Hey,

No worries. I didn't think you sounded confrontational, I just more thought I sounded like a *****, so I was trying to make sure I had explained myself enough so you knew what I meant. :)

I have finished the ComboFix scan, I think it found some stuff, but some of the things in the log I might as well be reading a foreign language, hehe.

The ESET scan is about halfway done, it's found a couple things it doesn't like as well. Hopefully it will be done in the next hour or so, it's been running for like 55 minutes already. I was excited when it first started, the thing went from 0 to 20% in about 15 seconds, but now it's just crawling along. Oh well, not that I really expected a fast virus scan, more that I just don't like when my computer is sick... :)

When we finish cleaning up this beast, I am definitely going to check out some more of the forums. This looks like a great place to hang out and babble about programming nonsense where someone might understand me (my wife just mostly nods and smiles when I start talking about variables and sprites, etc, lol)

I gotta work on sounding less upset when I post online. Again, part of that is just that I hate when my computer is acting up. I appreciate all the help I've gotten so far, because I was pretty much to the end of my experience in the area of "browser acting funny", and I'm REALLY not looking forward to backing up about 80GB of data and doing a system wipe *shudder*.

Again, I'll post a new reply when the ESET scan finishes. Keep up the being awesome! :D
 
Alright, finished the ComboFix and the ESET scans, logfiles attached.

In the ESET results, I know about the 2 copies of the pwdump file; It is found by a couple different AV programs as malware. It's used to dump Windows SAM files to retrieve password hashes, used in recovering lost Windows login passwords. But if you think it's necessary to remove it anyway, just let me know.

Thanks for all the help, and I await your analysis! :)
 

Attachments

  • ComboFix.txt (23.1 KB)
  • ESET log.txt (883 bytes)
Go ahead and run the HelpAssistant removal program. This is a tough one to get rid of. I'll be working on the next removal. The system is heavily infected.

Please print the instructions below for this program. You will not have access to the directions once you have started.

Please download HelpAsst mebroot fix.exe by noahdefrea and save to your desktop
  • Close out all other open programs and windows.
  • Double-click on it to run the tool and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, go to > Run..., and in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.
In the event the tool does not detect an mbr infection and completes, do this:
  • Go to > Run> in the Open dialog box type: mbr -f
  • Click OK or press Enter.
  • Now, please do the Start > Run > mbr -f command a second time.
  • Shut down the computer (do not restart, but shut it down). Wait about five minutes, then start it back up.
  • After restart go to > Run> in the Open dialog box, type: helpasst -mbrt
    Make sure you leave a space between helpasst and -mbrt.
  • Click OK or press Enter.
  • HelpAsst fix will create and open a log when done.
  • Copy and paste the contents of that log into your next reply.

-- Important note to Dell users: Fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a few known fixes for this, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually. You will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
Source: BleepingComputer

Please do not use any other cleaning programs while I am helping you unless I ask you to. Do not use a registry cleaner or make any Registry changes.

P2P Warning: I recommend that you remove Limewire. IF you choose not to remove it, do not use it while I am helping clean the system.
 
Alright, I ran the HelpAsst fix. Near as I can tell, it found and removed the mbr infection and the program/directories.

Logfile has been attached below.

Also, LimeWire has been uninstalled during the 8 steps process (see previous posts), but the download directories are still present. Anything that is listed as bad that needs to be removed from those directories I will do so, just let me know. I saw the ESET scan said a few of the files there were malicious, but I haven't done anything to them yet (waiting for your instructions :D)

I look forward to hearing back soon!
 

Attachments

  • HelpAsst.log (3.7 KB)
Looks like there is an additional MBR step:
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
Use "Recovery Console" command "fixmbr" to clear infection !

You'll find guidance for Recovery Console and the fixmbr command here: http://www.kellys-korner-xp.com/win_xp_rec.htm
========================
When finished, do this:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    C:\51dffa3380d4a17f5e37
    :Services
    
    :RegNull
    [HKEY_USERS\S-1-5-21-839522115-2052111302-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    [HKEY_USERS\S-1-5-21-839522115-2052111302-725345543-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    
    
    :Files  
    C:\Documents and Settings\Psychosis\Desktop\C++ Projex\hello\DeskIconsLib.dll
    C:\Documents and Settings\Psychosis\My Documents\LimeWire\Saved\Les Claypool\les claypool
    C:\Documents and Settings\Psychosis\My Documents\LimeWire\Saved\Les Claypool\les claypool (rare cover).au
    C:\Documents and Settings\Psychosis\My Documents\LimeWire\Saved\Ween\Ween - Voodoo lady(1).mp3
    C:\Program Files\ophcrack\pwdump\pwdump6_setup.exe	
    C:\Program Files\ophcrack\pwdump\servpw.exe	
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please rescan with the Eset online scanner when finished with fixmbr and OTMoveIt. Leave new logs in next reply.
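As an added example (not OTMoveIt's code and not anything posted in this thread), here is a small Python linter for the OTMoveIt-style script format used above. It splits the script into its :Processes / :Files / :Commands style sections and flags the copy/paste defects that can leave an entry unmoved: stray trailing tabs or spaces, and file entries with no extension that may be truncated names. The sample script and its paths are constructed.

```python
"""Lint an OTMoveIt-style move script before running it.

Added example for this thread; not OTMoveIt's own code. Section names follow
the script quoted in the thread; the sample below is constructed.
"""
import re

KNOWN_SECTIONS = ("Processes", "Services", "RegNull", "Files", "Commands")
SECTION_RE = re.compile(r"^:(\w+)$")

# Constructed sample. Line 1 carries a trailing tab, line 4 is an
# extension-less file entry, line 5 has a trailing tab: the kinds of defects
# that creep in when a script is copied out of a forum post.
SAMPLE_SCRIPT = (
    ":Processes\t\n"
    "C:\\example_dropper_dir\n"
    ":Files\n"
    "C:\\Documents and Settings\\User\\My Documents\\Saved\\song title\n"
    "C:\\Program Files\\Example\\tool.exe\t\n"
    ":Commands\n"
    "[emptytemp]\n"
    "[Reboot]\n"
)


def parse_script(text):
    """Split the script into {section_name: [entries]}.

    Headers and entries are whitespace-stripped, so the result is what the
    author meant; lint_script() reports where the raw text differed.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            # Entry before any header: the tool has no section to apply it to.
            sections.setdefault("", []).append(line)
    return sections


def lint_script(text):
    """Return a list of (line_no, message) for entries likely to misbehave."""
    findings = []
    current = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if raw != raw.rstrip():
            findings.append((no, "trailing whitespace; a stray tab or space can break the entry"))
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN_SECTIONS:
                findings.append((no, f"unknown section ':{current}'"))
            continue
        if current is None:
            findings.append((no, "entry appears before any :Section header"))
        elif current == "Files":
            leaf = line.rsplit("\\", 1)[-1]
            if "." not in leaf:
                findings.append((no, "file entry has no extension; may be a folder or a truncated name, verify it"))
        elif current == "Commands" and not (line.startswith("[") and line.endswith("]")):
            findings.append((no, "command must be bracketed, e.g. [emptytemp]"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_script(SAMPLE_SCRIPT):
        print(f"line {line_no}: {msg}")
```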
 
Ok, I ran Recovery Console fixmbr. It said it was successful.
I ran OTMoveIt, it seems to have not moved a couple things based on the log, possible typo in the cut/paste code I think on one of the mp3's.
I ran ESET again. I did NOT tell it to clear threats yet (because I didn't know if I was supposed to at this point or not)

Logfiles attached. :)
 

Attachments

  • 04112010_101438.log (5.5 KB)
  • ESET log 4-11-10.txt (819 bytes)
Please run Combofix again. I'll set the entries up for removal from that.

I'd also like to have the whole Eset log.
 
I ran combofix again, logfile attached.
At first I was confused about the ESET log, because I told it to export the scanner results to a log file, and that's what I uploaded. Then I re-read your first directions and went to the program folder and attached THAT log file, so now you should have everything you asked for.
I guess I'm more of a noob than I thought sometimes, hehe.
 

Attachments

  • ComboFix 4-12-10.txt (20.7 KB)
  • ESET log 4-11-10 full.txt (4.9 KB)
Glad we got you started for HelpAssistant right off! Now we have to get rid of the backup!


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
KillAll::
File::
c:\windows\System32\appdrvrem01.exe svc
C:\HelpAsst_backup\
C\DOCUME~1\HELPAS~1\Desktop\C++ Projex\hello\DeskIconsLib.dll

Folder::
DirLook::
C:\HelpAsst_backup

Registry::

Driver::
appdrvrem01
Isaecsdps
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
 
Ran the combofix again, log attached. Had to zip it, cuz it was around 1.7 megs of txt file.
 

Attachments

  • ComboFix 4-12-10 Scan 2.zip (168.7 KB)
Set the History number of days in Firefox to zero. You can reset it after we remove this.
Run this first: TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC. There is no log to leave.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
=======================================

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
KillAll::
File::
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Start Menu
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\My Documents
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temp
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Local Settings\History\History.IE5\desktop.ini
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Local Settings\History\History.IE5\index.dat
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Local Settings\History\desktop.ini
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Application Data
c:\helpasst_backup\C\DOCUME~1\HELPAS~1\Desktop\Randomness

Folder::

Registry::

Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

Let's try this. Be sure to empty the recycle bin. When we have finished, I will have you delete the contents of the Recycler which is where the deleted items go. Remind me about that if I don't tell you.

If the entries from the HelpAssistant backup don't get moved, I'll have you run the removal program again. This one is really a beast!
 
Ok, I ran ComboFix, logfile attached.
I checked the Recycle Bin, but there were no files in it, so nothing there to empty.
You said something about emptying the recycler as well. If I need to do this, just let me know how :)
Hope to hear back soon. Sorry for the delay, my ISP decided they needed a day off yesterday apparently, lol.
 

Attachments

  • ComboFix 4-14-10.txt (22.3 KB)
I need you to bear with me for a couple of hours. I want to consult with Broni about the HelpAssistant Backup which remains on the system. We're having quite a time getting all the files off the systems- it's very pervasive.
 
Okay- let's do this: Update and rescan with Malwarebytes.

Then do this online scan:
Open
Kaspersky Online Scanner in Internet Explorer


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Hopefully they will be clean and we can remove all the cleaning tools and logs! Leave both logs in next reply.
 
Ok, sorry for the delay in replying. I spent most of yesterday waiting on the guy to come fix my air conditioner... :)

Alright, updated & ran MalwareBytes again, log attached.
Ran Kaspersky Online scan again, log also attached.

Looks like neither scan found anything. I also looked at one of the previous posts, where you had combofix run this:

c:\windows\System32\appdrvrem01.exe svc
C:\HelpAsst_backup\
C\DOCUME~1\HELPAS~1\Desktop\C++ Projex\hello\DeskIconsLib.dll

I cannot manually find the first or last one. The c:\HelpAsst_backup folder was still present, with about 785MB of crap in it, which I deleted and did not have any problems/errors with just a click of the folder and hitting delete. :) Hope this is good news!

As a side note, the system overall is running way faster! Google searches haven't been redirected in days, and apps are loading in about 1/4 the time it was taking them before we started, which I didn't even notice was an issue :)

Anything else we need to clean up? :D
 

Attachments

  • mbam-log-2010-04-14 (22-51-22).txt (899 bytes)
  • Kaspersky Report.txt (985 bytes)
Don't worry about the delay- I'm running behind!
It sounds like you got all of HelpAssistant out. That alone should have restored space and speed!
There's one process to move. I went back and rechecked the Combofix report.

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\bios update\bios update\award\BS_Flash.sys

Driver::
BS_Flash
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt .
====================
You don't need to leave this log. Since the original problems have been resolved and you got a 'plus speed' you can remove the cleaning tools as below:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if I can be of any more help.
 