
Google and Yahoo search results redirected


17 replies to this topic

#1 bezman

bezman


Posted 09 November 2009 - 01:05 AM

Google and Yahoo search results are redirected to unrelated advertisers' sites. This is happening at random and started after I had a few worms and Trojans which I was able to remove using a combination of tools - Malwarebytes' Anti-Malware and superspyware, as the worms/Trojans had disabled Spybot and McAfee.


I am running windows 2003 server. I can't run the DDS as it says it is not compatible with my OS.

Any help would be greatly appreciated!



RootRepeal log
Attached file: ark.txt (37.03KB)

HijackThis log
Attached file: hijackthis.log (13.18KB)


Additional information:
When I go into my firefox history I see the following entries:


Edited by Orange Blossom, 09 November 2009 - 10:49 PM.
Deactivate links. ~ OB



#2 m0le

m0le

  • Malware Response Team

Posted 15 November 2009 - 05:31 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please run RSIT and post the log
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

m0le is a proud member of UNITE

#3 bezman

bezman
  • Topic Starter


Posted 15 November 2009 - 11:34 AM

Hello,
Thank you for looking into this.

When I ran the program I get "For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this. If this happens you need to edit the file yourself..."

I know once I had tried to modify the hosts file but I couldn't. So I am not sure if I can do the above.

When I clicked continue I got autoit Error line -1: Error: Variable used without being declared. When I click continue the program closed and I did not get any logs.

#4 bezman

bezman
  • Topic Starter


Posted 15 November 2009 - 03:38 PM

Hello M0le,

I figured out why I couldn't change the hosts file: the file didn't have write access. I fixed that and tried running RSIT again. This time it passed that error message but I still get the AutoIt error "Error line -1: Error: Variable used without being declared." When I click Continue the program closes and I did not get any logs. This is happening while it is listing services and drivers.

#5 m0le

m0le

  • Malware Response Team

Posted 15 November 2009 - 04:17 PM

There's a lot of click hijacker evidence on the PC.


Let's start with a specific infection check

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Thanks :(
m0le is a proud member of UNITE

#6 bezman

bezman
  • Topic Starter


Posted 15 November 2009 - 11:34 PM

Here is log.

GooredFix by jpshortstuff (09.11.09.1)
Log created at 20:31 on 15/11/2009 (idsadm)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:06 08/11/2009]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [02:42 09/10/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-

#7 m0le

m0le

  • Malware Response Team

Posted 16 November 2009 - 08:40 AM

Nothing showing on Goored so this is a straight hijacker.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE

#8 bezman

bezman
  • Topic Starter


Posted 16 November 2009 - 09:23 PM

hello,
I am running Windows 2003 Server. ComboFix says it is not compatible with Windows 2003 Server.

#9 m0le

m0le

  • Malware Response Team

Posted 17 November 2009 - 08:29 AM

Windows 2003 user, sorry. There's so many operating systems out there at the moment :(

The HijackThis log looks surprisingly clean.

I am interested in what MBAM removed the first time round, can you open MBAM and click on the Logs tab and paste the latest log - if there are more than one then please attach the others.

Thanks.

Edited by m0le, 17 November 2009 - 08:30 AM.

m0le is a proud member of UNITE

#10 bezman

bezman
  • Topic Starter


Posted 17 November 2009 - 11:50 PM

Hi M0Le;

I am not sure what you mean by MBAM as I don't remember running that program.

Bezman

#11 m0le

m0le

  • Malware Response Team

Posted 18 November 2009 - 07:15 PM

I am not sure what you mean by MBAM as I don't remember running that program.


Sorry, MBAM is an abbreviation for Malwarebytes Antimalware. You mentioned it in the first post.

Can you find the log(s)?
m0le is a proud member of UNITE

#12 bezman

bezman
  • Topic Starter


Posted 18 November 2009 - 10:02 PM

here are the logs.
I've also included the logs for superantispyware

Attached Files



#13 m0le

m0le

  • Malware Response Team

Posted 19 November 2009 - 07:11 PM

MBAM has been working its way through a large amount of malware on the PC.

It seems to have finally removed everything from the PC. If there are still redirections happening then there's still something left that's causing the problem. Hosts files are usually where we start. Let me know if this fixes the problem.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Edited by m0le, 19 November 2009 - 07:13 PM.

m0le is a proud member of UNITE
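The hosts-file step above is what resolves this thread, so here is an added example (not from the thread and not part of HostsXpert) that checks a hosts file for the kind of entry that pins a search engine's hostname to a foreign address, and reports whether the file is still writable after the "Make Read Only" step. The Windows hosts path and the sample file contents are assumptions.

```python
"""Hosts-file hijack check (added example, not a tool from the thread)."""
import os
import stat

# Assumed default Windows location; pass another path to hosts_is_writable().
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
# Domain labels that should never be pinned in hosts.
SEARCH_LABELS = ("google", "yahoo", "bing")
# Loopback/null targets: entries pointing here are blocklists, not hijacks.
LOOPBACK = ("127.0.0.1", "::1", "0.0.0.0")

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active mapping in text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments/whitespace
        parts = line.split()
        if len(parts) < 2:                    # blank or malformed line
            continue
        for host in parts[1:]:                # one IP may carry many names
            yield parts[0], host.lower(), no

def find_hijacks(text):
    """Return mappings that pin a search domain to a non-loopback IP."""
    hits = []
    for ip, host, no in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        if any(label in host.split(".") for label in SEARCH_LABELS):
            hits.append({"line": no, "ip": ip, "host": host})
    return hits

def hosts_is_writable(path=HOSTS_PATH):
    """True if the file lacks the read-only attribute (re-hijack risk)."""
    return bool(os.stat(path).st_mode & stat.S_IWRITE)

# Constructed sample resembling a hijacked hosts file (not from the thread).
SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net   # blocklist-style entry, fine
198.51.100.23   www.google.com google.com
198.51.100.23   search.yahoo.com
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE):
        print("line %(line)d: %(host)s -> %(ip)s" % hit)
    print("hosts writable:", hosts_is_writable())
```

Entries that point a search domain at loopback are treated as deliberate blocklist entries, not hijacks, which is the distinction HostsXpert's restore step does not make.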

#14 m0le

m0le

  • Malware Response Team

Posted 22 November 2009 - 07:52 PM

You still there, bezman?
m0le is a proud member of UNITE

#15 bezman

bezman
  • Topic Starter


Posted 22 November 2009 - 11:12 PM

hi m0le,

Sorry I am still here. I've tried a few searches and I think everything is good and working.

Thank you for your help.

Bezman
