Search engine redirect virus


5 replies to this topic

#1 cwise
  • Members
  • 3 posts

Posted 14 January 2009 - 11:08 PM

I've been having some serious problems with search engines redirecting over the past few days. I managed to fix the problem in Google, but other search engines such as Ask and AltaVista still have the problem.

Here is the problem in a nutshell: Let's say I type the word "rugby" into Ask.com, and click on a link from a search result. Instead of visiting this website, I am redirected to unsavory sites involving gambling, advertising, etc.

Here are my system and browser details:

Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Boot mode: Normal

I can also post a HijackThis log if needed.

Any help would be greatly appreciated, as I am frustrated at how to fix this problem.



#2 buddy215
  • Moderator
  • 13,116 posts
  • Location: West Tennessee

Posted 15 January 2009 - 11:21 AM

Use SUPERAntiSpyware to find and remove the malware. Download, install and UPDATE it in regular mode, then boot into Safe Mode to run the scan. Directions for its use are in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 cwise
  • Topic Starter
  • Members
  • 3 posts

Posted 16 January 2009 - 10:10 PM

Okay, I ran SUPERAntiSpyware, although I'm not sure if it updated before scanning because my computer kept denying the program internet access. Anyway, it detected a whole bunch of stuff. Here is the log file.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/16/2009 at 05:52 PM

Application Version : 4.24.1004

Core Rules Database Version : 3688
Trace Rules Database Version: 1664

Scan type : Complete Scan
Total Scan Time : 01:12:05

Memory items scanned : 228
Memory threats detected : 0
Registry items scanned : 5764
Registry threats detected : 7
File items scanned : 29292
File threats detected : 34

Unclassified.Unknown Origin
HKU\S-1-5-21-1295952186-1820706820-735979488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C8A568E-4201-478A-8536-526CF371D2E2}

Rootkit.Cloaked/Service-GEN
HKLM\system\controlset002\services\msqpdxserv.sys
C:\WINDOWS\SYSTEM32\DRIVERS\MSQPDXXJTYTKMT.SYS
HKLM\system\controlset003\services\msqpdxserv.sys
HKLM\system\controlset004\services\msqpdxserv.sys

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@iacas.adbureau[1].txt
C:\Documents and Settings\Owner\Cookies\owner@chitika[2].txt
C:\Documents and Settings\Owner\Cookies\owner@kontera[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.osdn[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@interclick[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@server.iad.liveperson[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media.adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@imrworldwide[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tremor.adbureau[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adultadworld[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@msnportal.112.2o7[1].txt

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{F95BBB8B-12C1-4593-B914-50163873160F}#NAMESERVER
HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{F95BBB8B-12C1-4593-B914-50163873160F}#NAMESERVER
HKLM\SYSTEM\CONTROLSET004\SERVICES\TCPIP\PARAMETERS\INTERFACES\{F95BBB8B-12C1-4593-B914-50163873160F}#NAMESERVER

Trojan.BotNet/Dropper
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\TMP129.TMP
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\TMP27.TMP

Trojan.Gen
C:\WINDOWS\UNIFISH3.EXE
C:\PROGRAM FILES\HASBRO INTERACTIVE\HASBRO INTERACTIVE\ROLLERCOASTER TYCOON\UNINSTALL ROLLERCOASTER TYCOON.LNK
C:\PROGRAM FILES\HASBRO INTERACTIVE\ROLLERCOASTER TYCOON\ROLLERCOASTER TYCOON - INSTALL FIRST\UNIFISH3.EXE

Rootkit.Agent/Gen-MSQP
C:\WINDOWS\SYSTEM32\DRIVERS\MSQPDXDGWULRNV.SYS

#4 buddy215
  • Moderator
  • 13,116 posts
  • Location: West Tennessee

Posted 17 January 2009 - 06:16 AM

Try to update SAS and run the scan again. It is missing about 25 updates.

It is best to use more than one program, as no single program may find all of the malware.
Use Malwarebytes' Anti-Malware. Download, install, and UPDATE it in regular mode, then run a total scan.
Instructions for using MBAM are in the link below.
http://www.bleepingcomputer.com/forums/ind...st&p=944365

#5 cwise
  • Topic Starter
  • Members
  • 3 posts

Posted 18 January 2009 - 10:34 PM

Okay, I downloaded and updated MBAM and also updated and did a Quick Scan with SAS.

Here are both log files.

Malwarebytes' Anti-Malware 1.33
Database version: 1666
Windows 5.1.2600 Service Pack 3

1/18/2009 6:57:51 PM
mbam-log-2009-01-18 (18-57-51).txt

Scan type: Quick Scan
Objects scanned: 62117
Time elapsed: 15 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{8d71eeb8-a1a7-4733-8fa2-1cac015c967d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\adssite (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Sidebar.DLL (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.7,85.255.112.174 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.7,85.255.112.174 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.7,85.255.112.174 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.7,85.255.112.174 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\msqpdxvpabrpgk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-2BD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-FCF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-FDD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.


Here is the SAS log file from the quick scan. SAS is entirely updated now.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/18/2009 at 08:23 PM

Application Version : 4.24.1004

Core Rules Database Version : 3714
Trace Rules Database Version: 1689

Scan type : Quick Scan
Total Scan Time : 01:16:16

Memory items scanned : 507
Memory threats detected : 0
Registry items scanned : 515
Registry threats detected : 0
File items scanned : 12358
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[1].txt
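The two logs above show the same hijack recorded in several places at once: the NameServer value pointing at 85.255.114.7,85.255.112.174 and the msqpdx rootkit service appear under ControlSet002, ControlSet003 and ControlSet004 as well as CurrentControlSet. CurrentControlSet is only a link to one of the ControlSet00N keys, and "Last Known Good Configuration" boots from another one, so a cleanup that fixes only the current set can be undone by a single boot menu choice. The script below is an added example, not code from this thread or from either scanner: it parses constructed log lines shaped like the ones posted, flags any resolver that is neither private nor on an assumed allowlist (EXPECTED_RESOLVERS), and reports which ControlSets still reference the DNS hijack and the rootkit driver. The allowlist values, function names and sample lines are all assumptions made for the example.

```python
"""Triage scanner-log lines for a DNS hijack that spans several ControlSets.

Added example for this thread; it is not code from the thread, from
Malwarebytes or from SUPERAntiSpyware. SAMPLE_LOG is constructed to mirror
the shape of the log lines posted above (backslashes restored) and
EXPECTED_RESOLVERS is an assumed allowlist.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: MBAM-style "Registry Data Items" lines with a Data: field,
# one SAS-style line that names the hijacked value but carries no data, and two
# SAS-style service entries for the msqpdx rootkit driver.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.7,85.255.112.174 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.7,85.255.112.174 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 192.168.1.1 -> Quarantined and deleted successfully.
HKLM\SYSTEM\CONTROLSET004\SERVICES\TCPIP\PARAMETERS\INTERFACES\{F95BBB8B-12C1-4593-B914-50163873160F}#NAMESERVER
HKLM\system\controlset002\services\msqpdxserv.sys
HKLM\system\controlset004\services\msqpdxserv.sys
C:\WINDOWS\system32\msqpdxvpabrpgk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# Assumption for the example: resolvers this machine is supposed to use.
# On a real box put the ISP's or corporate DNS servers here.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

_CONTROL_SET = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\", re.IGNORECASE)
# Matches both MBAM's "...\Parameters\NameServer" and SAS's
# "...\Parameters\Interfaces\{GUID}#NameServer" forms.
_NAMESERVER_KEY = re.compile(
    r"\\Tcpip\\Parameters(?:\\Interfaces\\\{[^}]+\})?(?:#|\\)NameServer\b",
    re.IGNORECASE)
_DATA = re.compile(r"Data:\s*([0-9.,\s]+)")


def parse_nameserver_entries(log):
    """Return [(control_set, [resolver, ...])] for every hijacked NameServer line.

    Lines without a Data: field (SAS style) still record the ControlSet, with
    an empty resolver list, so that set is not missed during cleanup.
    """
    entries = []
    for line in log.splitlines():
        if not _NAMESERVER_KEY.search(line):
            continue
        cs = _CONTROL_SET.search(line)
        if not cs:
            continue
        data = _DATA.search(line)
        ips = [ip.strip() for ip in data.group(1).split(",") if ip.strip()] if data else []
        entries.append((cs.group(1).lower(), ips))
    return entries


def classify_resolver(ip_text, expected=EXPECTED_RESOLVERS):
    """Return None for a plausible resolver, otherwise a short reason to flag it."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "not an IP address"
    if ip_text in expected:
        return None
    if ip.is_private:
        return None  # home router or LAN resolver; confirm it separately
    return "public resolver not in the expected set"


def service_control_sets(log, service_name):
    """ControlSets whose Services key lists service_name (e.g. a rootkit driver)."""
    key = re.compile(r"\\Services\\" + re.escape(service_name), re.IGNORECASE)
    found = set()
    for line in log.splitlines():
        if key.search(line):
            cs = _CONTROL_SET.search(line)
            if cs:
                found.add(cs.group(1).lower())
    return found


def triage(log, expected=EXPECTED_RESOLVERS):
    """Summarise rogue resolvers and which ControlSets carry the hijack."""
    rogue = defaultdict(set)
    affected = set()
    for control_set, ips in parse_nameserver_entries(log):
        affected.add(control_set)
        for ip in ips:
            if classify_resolver(ip, expected):
                rogue[ip].add(control_set)
    return {
        "rogue_resolvers": {ip: sorted(sets) for ip, sets in rogue.items()},
        "affected_control_sets": sorted(affected),
        "current_set_hijacked": "currentcontrolset" in affected,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, sets in report["rogue_resolvers"].items():
        print(f"rogue resolver {ip} configured in: {', '.join(sets)}")
    print("NameServer hijack present in:", ", ".join(report["affected_control_sets"]))
    print("msqpdxserv registered in:",
          ", ".join(sorted(service_control_sets(SAMPLE_LOG, "msqpdxserv"))))
```

Run it directly to print the report; in practice feed it the scanner's log (or a `reg export HKLM\SYSTEM` dump) and replace the allowlist with the resolvers the machine should really be using. Treat "private, therefore fine" as a weak pass only: a rogue router or a DHCP-pushed address would also be private, so the value still has to be checked against what the network actually hands out.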

#6 buddy215
  • Moderator
  • 13,116 posts
  • Location: West Tennessee

Posted 19 January 2009 - 07:20 AM

How is the computer now? Are you noticing any problems?

You should update both programs this evening and run scans with both.

Allow the Secunia online scanner to scan your computer for missing security updates. After installing the latest Sun Java, go to Add/Remove Programs and remove ALL old Java versions.

Since you use the Firefox browser, I suggest you get the NoScript and AdBlock Plus add-ons if you do not have them. They will protect you from drive-by downloads of malware and much more.
AdBlock Plus
https://addons.mozilla.org/en-US/firefox/addon/1865
NoScript
https://addons.mozilla.org/en-US/firefox/addon/1865

You can block the ad/tracking cookies from ever being installed on your computer. In Firefox 3: Tools, Options, Privacy tab, uncheck "Accept third-party cookies".

This applies to Internet Explorer:
Click on Tools
Click on Internet Options
Click on the Privacy tab
Click on the Advanced button
Put a check in the box next to "Override automatic cookie handling"
Put a check in the box next to "Accept" for first-party cookies
Put a check in the box next to "Block" for third-party cookies (those are the ad/tracking cookies that AVG deletes)
Click OK to exit

After blocking the third party cookies, run a quick scan with SAS to remove the ones that are now installed on your computer.



