
redirected searches infection


This topic is locked. 23 replies to this topic.

#1 tcylinder

tcylinder

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:55 AM

Posted 01 March 2009 - 01:35 PM

Hello,

I started having a problem today where any search result I click on goes to a page other than the one I chose and instead sends me to a page listing more results, which seems to be running off keywords from the previous search.

The only change made recently was removing a trojan that kept prompting me with a message that I might be infected and which then opened a browser with a virus protection software to purchase (name I can't remember). I removed the trojan with Malwarebytes.

Today I upgraded IE from ver. 6 to 7 and installed Windows Defender, but I believe the redirection problem was occurring before the downloads.

I'm running Windows XP pro service pack 3.

Thanks for your help.

Rusty



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:55 AM

Posted 01 March 2009 - 03:04 PM

Hello, please run these next and post back 2 logs so we can see what we have to deal with.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now Rerun MBAM like this

Open MBAM in normal mode and click Update tab, select Check for Updates; when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 tcylinder (Topic Starter)

Posted 01 March 2009 - 07:24 PM

hi boopme,

I'm almost done running the scans on my laptop that I was having the redirection problem with per your instructions, but now I have a new problem that I can't figure out. I can't connect to the internet. I'm on my older machine now and can't post my scan results.

I'm getting a proxy error message in my browser. Any idea why this may be happening? I see that my proxy is set to automatic as it always has been. Not sure what's going on and pretty frustrated.

#4 boopme (Global Moderator)

Posted 01 March 2009 - 10:15 PM

See if this fixes your Net issues.

Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.

#5 tcylinder (Topic Starter)

Posted 01 March 2009 - 10:53 PM

Hey, the command didn't work, still getting a proxy error. Interestingly, the default page that was attempting to be loaded was the following URL: www.seochat.com/seotools/google-vs-yahoo

The gist of my Super and Malwarebytes scans (because I can't email or transfer them from my laptop) is:

Super caught 3 items as follows:

2 registry threats -

Adware.Vundo/Variant MSFAKE
(NFR) c:\windows\system32\NFR.dll

c:\windows\system32\NFR.dll

1 file threat -

Adware.vundovariant


Malwarebytes found nothing.

Thanks

#6 tcylinder (Topic Starter)

Posted 02 March 2009 - 01:16 AM

Fixed the Net issue by doing the following:

Check the connection settings: Tools > Options > Advanced : Network : Connection : "Direct connection to the internet"

Settings were set to manual proxy configuration. HTTP proxy: localhost, port: 7070

I never touched these and wonder why they changed?

Anyway, net is back on which is nice.

How are the scans I posted?

Thanks
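The manual proxy pointing at localhost:7070 reported in this post is the kind of setting a quick check can flag on other machines. As an added example (not from this thread and not code from Malwarebytes, SmitfraudFix or Mozilla), the Python below parses a Firefox prefs.js, where those Options dialog settings are persisted as `network.proxy.*` preferences, and reports a manual proxy that points at the loopback interface; the prefs.js content is constructed to mirror the setting described above, and the fallback value 5 for an absent `network.proxy.type` is an assumption.

```python
import re

# Constructed sample prefs.js fragment (not a real capture), modelled on the
# settings reported in the thread: manual proxy pointing at localhost:7070.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7070);
user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 7070);
user_pref("network.proxy.share_proxy_settings", true);
"""

# Matches one line of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_prefs(text):
    """Parse prefs.js text into {name: value}; strings, ints and booleans are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as-is
    return prefs


def find_proxy_findings(prefs):
    """Return human-readable findings for proxy settings worth a second look.

    network.proxy.type: 0 = direct, 1 = manual, 2 = PAC URL, 4 = auto-detect,
    5 = use system settings (assumed here as the fallback when the pref is absent).
    """
    findings = []
    ptype = prefs.get("network.proxy.type", 5)
    if ptype == 1:
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get("network.proxy.%s" % scheme)
            port = prefs.get("network.proxy.%s_port" % scheme)
            if isinstance(host, str) and host.lower() in LOOPBACK_HOSTS:
                findings.append("manual %s proxy is %s:%s (loopback; nothing should listen "
                                "there unless a local proxy was installed on purpose)"
                                % (scheme, host, port))
    elif ptype == 2:
        findings.append("PAC script in use: %s" % prefs.get("network.proxy.autoconfig_url"))
    return findings


if __name__ == "__main__":
    for finding in find_proxy_findings(parse_prefs(SAMPLE_PREFS_JS)):
        print("FINDING:", finding)
```

Point it at a real profile's prefs.js (read the file and pass its text to `parse_prefs`) to check a machine after the proxy symptom above.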

#7 tcylinder (Topic Starter)

Posted 02 March 2009 - 12:29 PM

Complete scans:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/01/2009 at 06:28 PM

Application Version : 4.25.1014

Core Rules Database Version : 3779
Trace Rules Database Version: 1738

Scan type : Complete Scan
Total Scan Time : 02:19:12

Memory items scanned : 203
Memory threats detected : 0
Registry items scanned : 6032
Registry threats detected : 2
File items scanned : 47748
File threats detected : 1

Adware.Vundo/Variant-MSFake
[nfr] C:\WINDOWS\SYSTEM32\NFR.DLL
C:\WINDOWS\SYSTEM32\NFR.DLL

Adware.Vundo Variant
HKU\S-1-5-21-583907252-113007714-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4AA49418-D47E-47EB-AAD9-3FA5155F3025}


------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 5.1.2600 Service Pack 3

3/1/2009 10:26:46 PM
mbam-log-2009-03-01 (22-26-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 121948
Time elapsed: 46 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 boopme (Global Moderator)

Posted 02 March 2009 - 02:18 PM

Hey good work there!
Now MBAM needs updating. Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates; when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

EDIT:
Also run part 1 of S!Ri's SmitfraudFix

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by boopme, 02 March 2009 - 02:20 PM.


#9 tcylinder (Topic Starter)

Posted 02 March 2009 - 11:14 PM

I couldn't update Malwarebytes. Seems like something is preventing it from connecting to the internet. I downloaded a file somebody posted a link to here in the forums called mbam rules which apparently updates the software. Here's the scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1793
Windows 5.1.2600 Service Pack 3

3/2/2009 11:12:09 PM
mbam-log-2009-03-02 (23-12-09).txt

Scan type: Quick Scan
Objects scanned: 68080
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

#10 tcylinder (Topic Starter)

Posted 02 March 2009 - 11:39 PM

SmitFraudFix v2.398

Scan done at 23:37:46.62, Mon 03/02/2009
Run from C:\Documents and Settings\John\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Updater.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\John


C:\DOCUME~1\John\LOCALS~1\Temp


C:\Documents and Settings\John\Application Data


Start Menu


C:\DOCUME~1\John\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Wireless-G Notebook Adapter WPC54G V3 - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.15
DNS Server Search Order: 24.29.103.16

Description: Wireless-G Notebook Adapter WPC54G V3 - Packet Scheduler Miniport
DNS Server Search Order: 68.237.161.12
DNS Server Search Order: 71.243.0.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{684B6AB9-1D68-48D8-927B-A27A9E0F3309}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E704BB88-A7AB-42F3-8617-AD36A687BE3E}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS1\Services\Tcpip\..\{684B6AB9-1D68-48D8-927B-A27A9E0F3309}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E704BB88-A7AB-42F3-8617-AD36A687BE3E}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS2\Services\Tcpip\..\{684B6AB9-1D68-48D8-927B-A27A9E0F3309}: DhcpNameServer=68.237.161.12 71.243.0.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E704BB88-A7AB-42F3-8617-AD36A687BE3E}: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.15 24.29.103.16


Scanning for wininet.dll infection


End

#11 boopme (Global Moderator)

Posted 03 March 2009 - 10:26 AM

I think we should update and Rerun MBAM

Open MBAM in normal mode and click Update tab, select Check for Updates; when done
click Scanner tab, select FULL scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

#12 tcylinder (Topic Starter)

Posted 03 March 2009 - 12:17 PM

I can't update Mbam. I get an error: "Update failed. Make sure you are connected to the internet and your firewall is set to allow Malwarebytes' Anti-malware to access the internet."

#13 boopme (Global Moderator)

Posted 03 March 2009 - 12:37 PM

OK, try this.
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

#14 tcylinder (Topic Starter)

Posted 03 March 2009 - 04:16 PM

I can't connect to the HERE link in your post. Get this:

Address Not Found

Firefox can't find the server at "http.

The browser could not find the host server for the provided address.

* Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org")
* Are you certain this domain address exists? Its registration may have expired.
* Are you unable to browse other sites? Check your network connection and DNS server settings.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.


I tried the other method on my clean machine (Windows 2000). I downloaded Malwarebytes, followed the file path and get stuck after the All Users folder as there's no Application Data folder that follows it.

I tried doing a search for the rules.ref file and it wasn't found.


Infected machine behaving strangely. The CPU cooling fan is revving in strange random ways. I went into the BIOS and set the CPU performance speed to battery to slow/cool it down, which has worked before but isn't working this time.

Thanks for any further suggestions/solutions.

#15 boopme (Global Moderator)

Posted 03 March 2009 - 04:24 PM

Odd, try this:
http://malwarebytes.gt500.org/mbam-rules.exe



