BleepingComputer.com: Google redirect woes


Google redirect woes

#61 User is offline   Oh My 

  • Forum Addict
  • Group: Malware Study Hall Senior
  • Posts: 1,945
  • Joined: 08-February 10
  • Gender:Male
  • Location:California

Posted 01 February 2012 - 09:23 AM

Greetings hpilgrim3,

I would like to take a look at the Master Boot Record to look for signs of infection. Please perform the following:


===================================================


aswMBR

--------------------

Please download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow it when you are asked to download the AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • aswMBR log
  • How is your machine running now?

Regards,
Oh My!

If I do not respond to you within 48 hours of your post please send me a Personal Message .


“Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#62 User is offline   hpilgrim3 

  • Member
  • Group: Members
  • Posts: 34
  • Joined: 10-January 12

Posted 01 February 2012 - 11:05 PM

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-01 21:28:20
-----------------------------
21:28:20.005 OS Version: Windows 6.0.6002 Service Pack 2
21:28:20.005 Number of processors: 2 586 0xF0D
21:28:20.005 ComputerName: FRIEND UserName: Me
21:28:23.187 Initialize success
21:46:07.611 AVAST engine defs: 12020101
21:49:20.879 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
21:49:20.879 Disk 0 Vendor: Hitachi_HTS542512K9SA00 BB2OC31P Size: 114473MB BusType: 3
21:49:20.910 Disk 0 MBR read successfully
21:49:20.926 Disk 0 MBR scan
21:49:20.926 Disk 0 unknown MBR code
21:49:20.926 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 9993 MB offset 63
21:49:20.957 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 52371 MB offset 20467712
21:49:20.988 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 52107 MB offset 127723520
21:49:20.988 Disk 0 scanning sectors +234438656
21:49:21.020 Disk 0 scanning C:\Windows\system32\drivers
21:49:34.342 Service scanning
21:49:36.074 Modules scanning
21:49:44.794 Disk 0 trace - called modules:
21:49:44.825 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
21:49:44.841 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8540dac8]
21:49:44.841 3 CLASSPNP.SYS[885a88b3] -> nt!IofCallDriver -> [0x8487af08]
21:49:44.856 5 acpi.sys[8069e6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x84879b98]
21:49:45.699 AVAST engine scan C:\Windows
21:49:49.474 AVAST engine scan C:\Windows\system32
21:53:43.661 AVAST engine scan C:\Windows\system32\drivers
21:53:57.951 AVAST engine scan C:\Users\Me
21:57:44.073 AVAST engine scan C:\ProgramData
21:58:58.922 Scan finished successfully
22:03:46.554 Disk 0 MBR has been saved successfully to "C:\Users\Me\Documents\MBR.dat"
22:03:46.570 The log file has been saved successfully to "C:\Users\Me\Documents\aswMBR.txt"


So far, the computer seems to be running okay... :-)
Thanks so much!
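
The aswMBR log above is what was asked for: the partition table, the boot indicator byte and whether the boot code is recognised. The script below is an added example (not from the thread and not part of aswMBR) that parses those lines and applies the checks a responder makes by hand: exactly one active partition, a type byte that disagrees with the filesystem actually found, unallocated sectors between or after partitions, and the "unknown MBR code" line. The 2048-sectors-per-MiB constant and the rounding threshold are this example's assumptions; "unknown MBR code" on its own is a flag to investigate, not a verdict, since OEM boot loaders trigger it too.

```python
import re
from dataclasses import dataclass

# Lines copied from the aswMBR log posted above (only the ones this parser reads).
ASWMBR_LOG = """\
21:49:20.879 Disk 0 Vendor: Hitachi_HTS542512K9SA00 BB2OC31P Size: 114473MB BusType: 3
21:49:20.910 Disk 0 MBR read successfully
21:49:20.926 Disk 0 unknown MBR code
21:49:20.926 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 9993 MB offset 63
21:49:20.957 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 52371 MB offset 20467712
21:49:20.988 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 52107 MB offset 127723520
21:49:20.988 Disk 0 scanning sectors +234438656
"""

SECTORS_PER_MB = 2048  # assumption: aswMBR prints MiB and the disk uses 512-byte sectors
FAT_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}  # MBR partition type IDs for FAT variants

PART_RE = re.compile(r"^\S+ Disk \d+ Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?"
                     r"([0-9A-F]{2}) (.+?) (\d+) MB offset (\d+)$")
SIZE_RE = re.compile(r"Disk \d+ Vendor: .* Size: (\d+)MB")
SCAN_RE = re.compile(r"Disk \d+ scanning sectors \+(\d+)")

@dataclass
class Partition:
    number: int
    active: bool        # boot indicator byte was 0x80
    type_id: int        # partition type byte from the MBR table
    detected_fs: str    # filesystem aswMBR actually found inside the partition
    start: int          # LBA of the first sector
    end: int            # LBA one past the last sector (from the rounded MiB size)

def parse_aswmbr(text: str) -> dict:
    """Parse an aswMBR log into partitions plus the triage findings described above."""
    parts, findings, disk_mb, scan_start = [], [], None, None
    for line in text.splitlines():
        if m := SIZE_RE.search(line):
            disk_mb = int(m.group(1))
        elif "unknown MBR code" in line:
            findings.append("MBR boot code not recognised by aswMBR")
        elif m := SCAN_RE.search(line):
            scan_start = int(m.group(1))      # where aswMBR began scanning raw sectors
        elif m := PART_RE.match(line):
            num, boot, ptype, desc, mb, off = m.groups()
            start = int(off)
            parts.append(Partition(int(num), boot == "80", int(ptype, 16), desc.split()[-1],
                                   start, start + int(mb) * SECTORS_PER_MB))
    if sum(p.active for p in parts) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:   # type byte says FAT, contents say NTFS: worth a second look
        if p.type_id in FAT_TYPES and p.detected_fs == "NTFS":
            findings.append(f"partition {p.number}: type byte {p.type_id:02X} (FAT) but NTFS detected")
    for a, b in zip(parts, parts[1:]):   # unallocated space between partitions
        if b.start - a.end >= SECTORS_PER_MB:   # anything smaller is MiB rounding
            findings.append(f"{b.start - a.end} unallocated sectors before partition {b.number}")
    # sectors after the last partition; aswMBR's "scanning sectors +N" starts exactly there
    tail = disk_mb * SECTORS_PER_MB - parts[-1].end if disk_mb and parts else None
    return {"partitions": parts, "findings": findings,
            "scan_start": scan_start, "tail_sectors": tail}
```

On this log the end of partition 3 computed from the rounded sizes lands exactly on the sector where aswMBR started its raw scan, which is a quick consistency check on the parser.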

#63 User is offline   Oh My 

  • Forum Addict
  • Group: Malware Study Hall Senior
  • Posts: 1,945
  • Joined: 08-February 10
  • Gender:Male
  • Location:California

Posted 02 February 2012 - 09:48 AM

Greetings hpilgrim3,

Things are looking much better now! I would like you to update a couple of items then run 2 scans for me.

Nice work on your part. It has been a little bit of a roller coaster ride for you but the finish line appears in sight. :)


===================================================


Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern.

Please download Adobe Reader

After installing the latest Adobe Reader, uninstall all previous versions.

  • If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

  • When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other addons.


===================================================


Update Java

-------------------

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.


Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.

To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


===================================================


Rerun Malwarebytes

--------------------

Temporarily disable your antivirus program.

  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • ESET Scan report
  • MBAM log
  • How is your machine running now?

Regards,
Oh My!


#64 User is offline   hpilgrim3 

  • Member
  • Group: Members
  • Posts: 34
  • Joined: 10-January 12

Posted 03 February 2012 - 02:23 AM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.13.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19170
Me :: FRIEND [administrator]

2/2/2012 11:08:59 PM
mbam-log-2012-02-02 (23-08-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 171189
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


C:\Program Files\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSAHook.dll probably a variant of Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\Program Files\FREEzeFlip\bin\1.0.4.0\FREEzeFlipUninstaller.exe Win32/Adware.HotBar.E application deleted - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudPack.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\53784821-38d31825 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\322d8965-4536ea1a Java/Exploit.CVE-2011-3544.H trojan deleted - quarantined
C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-4407b1b8 multiple threats deleted - quarantined



Seems to be running okay - I will check it more thoroughly tomorrow.
THANKS!
Holly
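
The ESET lines above carry detections of very different weight: cached applets in the Java deployment cache (the leftovers of the drive-by that the Java update in the previous post addresses), files already sitting in ComboFix's Qoobox quarantine and in Spybot's recovery backup, and the FREEzeFlip adware that was actually installed. The parser below is an added example, not from the thread or from ESET, that splits each line into path, threat name, category and action and tags it with a context; the context rules and their labels are this example's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Copy of the ESET detections posted above, one per line.
ESET_REPORT = r"""
C:\Program Files\FREEzeFlip\bin\1.0.4.0\FREEzeFlipSAHook.dll probably a variant of Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\Program Files\FREEzeFlip\bin\1.0.4.0\FREEzeFlipUninstaller.exe Win32/Adware.HotBar.E application deleted - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudPack.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\53784821-38d31825 a variant of Java/TrojanDownloader.Agent.NDJ trojan deleted - quarantined
C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\322d8965-4536ea1a Java/Exploit.CVE-2011-3544.H trojan deleted - quarantined
C:\Users\Me\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\e5a51ab-4407b1b8 multiple threats deleted - quarantined
""".strip()

# Line shape: "<path> <threat> <category> <action> - <status>". The path may contain spaces,
# so it is matched lazily and the threat name is required to contain "/" (Win32/..., Java/...).
LINE_RE = re.compile(
    r"^(?P<path>[A-Z]:\\.+?) "
    r"(?:(?P<threat>(?:(?:probably )?a variant of )?\S+/\S+) (?P<category>application|worm|trojan)"
    r"|(?P<multi>multiple threats)) "
    r"(?P<action>cleaned by deleting|deleted) - (?P<status>\w+)$")

# Assumed context rules: where the file sat says how much it still mattered when ESET found it.
CONTEXTS = [
    ("\\sun\\java\\deployment\\cache\\", "java-cache"),                # cached applet from a drive-by
    ("\\qoobox\\quarantine\\", "combofix-quarantine"),                 # already neutralised by ComboFix
    ("\\spybot - search & destroy\\recovery\\", "spybot-backup"),      # another tool's backup copy
]

@dataclass
class Detection:
    path: str
    threat: str
    category: str
    action: str
    context: str

def classify_path(path: str) -> str:
    low = path.lower()
    for needle, label in CONTEXTS:
        if needle in low:
            return label
    return "live-file"   # nothing marks it as inert: it was installed on the system

def parse_eset(text: str) -> list:
    """Parse ESET's exported detection lines into Detection records."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        out.append(Detection(m["path"], m["threat"] or m["multi"], m["category"] or "multiple",
                             m["action"], classify_path(m["path"])))
    return out

def summarize(dets: list) -> dict:
    """Count detections per context, e.g. {'java-cache': 3, 'live-file': 2, ...}."""
    return dict(Counter(d.context for d in dets))
```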

#65 User is offline   Oh My 

  • Forum Addict
  • Group: Malware Study Hall Senior
  • Posts: 1,945
  • Joined: 08-February 10
  • Gender:Male
  • Location:California

Posted 03 February 2012 - 12:30 PM

Greetings hpilgrim3,


===================================================


OTL Clean-Up

--------------------

We need to clean up the OTL program we used.

  • Double click the OTL icon on your desktop.

  • Click on the CleanUp button.

  • You will be prompted to reboot your system. Please do so.


===================================================


All Clean

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :thumbsup:

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:

    • Press the Windows key + R on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.

    • This will remove Combofix and other tools we used from your computer.


Please read the following in order to prevent reinfecting your PC:

  • Install and update the following programs regularly:

    • Outbound firewall.
      If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  • Keep Windows (and your other Microsoft software) up to date!

    • I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    • Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  • Keep your other software up to date as well

    • Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!

    • The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:



Please let me know if your computer is working fine. If so, this topic will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Regards,
Oh My!


#66 User is offline   hpilgrim3 

  • Member
  • Group: Members
  • Posts: 34
  • Joined: 10-January 12

Posted 03 February 2012 - 07:41 PM

Okay, one last question... do I need to uninstall ESET, aswMBR, and gmer?

I also want to thank you VERY MUCH for all your patience, for your wonderful DETAILED instructions, your speedy replies, and for your willingness to answer my dumb questions. You all offer a great service, and have shown me there are still GOOD GUYS in computer-land.. :-)

Sincerely,
Holly
hpilgrim3

#67 User is offline   Oh My 

  • Forum Addict
  • Group: Malware Study Hall Senior
  • Posts: 1,945
  • Joined: 08-February 10
  • Gender:Male
  • Location:California

Posted 03 February 2012 - 07:56 PM

Greetings hpilgrim3,

Based on your question it seems your computer is running just fine!

Yes, feel free to uninstall those programs.

It was truly my pleasure to help you. Hopefully you don't come back real soon :) but you are always welcome to.

BTW none of your questions were dumb. You should hear mine :huh:

Good luck!


Oh My!
Regards,
Oh My!


#68 User is offline   Casey_boy 

  • Bleeping physicist
  • Group: Malware Response Instructor
  • Posts: 5,225
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 04 February 2012 - 06:33 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *
