Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search engine redirect virus removal


  • Please log in to reply
9 replies to this topic

#1 Fefernuse

Fefernuse

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 24 December 2009 - 01:45 PM

I have the search engine redirect virus and have downloaded the detailed instructions on running Combofix from this site. It says not to run Combofix without a helper , so can someone help me? I am running MS XP Home.
Thank's

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:10 AM

Posted 25 December 2009 - 02:16 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Fefernuse

Fefernuse
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 25 December 2009 - 08:32 AM

I have a log to post from Combofix when should I post it?

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 25 December 2009 - 03:17 PM

No. Please don't post the Combofix log.

Let's start with a GMER scan.

Download and Run GMER

We will use GMER to scan for rootkits.This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOKIT" entries
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Fefernuse

Fefernuse
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 26 December 2009 - 09:07 AM

Sorry for the delay, here is what I got after running GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-26 07:46:51
Windows 5.1.2600 Service Pack 3
Running: u835oft8.exe; Driver: C:\DOCUME~1\DALEKO~1\LOCALS~1\Temp\uxlirpow.sys


---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\iaStor \Device\Ide\iaStor0 863B61C8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 863B61C8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 863B61C8
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 26 December 2009 - 10:05 AM

Hello.

Was that GMER run in normal mode or safe mode? Did you check the C:\ drive when running GMER?

--
We are going to run a scan with Malwarebytes. Where is it that you get redirected to, is it Internet Explorer, FireFox or both?

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Fefernuse

Fefernuse
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 26 December 2009 - 10:25 AM

GMER was run in normal mode and the C:/ box was checked. Does GMER tell you when it is finished? When I ran it, it took a couple of hours and it never gave a message that it was finished it just wasn't listing anymore programs that it was looking at at the bottom of the screen , so I saved what was there to the desktop and posted it. Is that the way it normally runs? Or didn't it run completely?
I will continue with the next step and post my results.
Thank's

#8 Fefernuse

Fefernuse
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 26 December 2009 - 10:52 AM

For got to mention on previous post that I get redirected to either another search engine (don't recall the name ) or a totally unrelated site .
Here is the log from running MBAM
Malwarebytes' Anti-Malware 1.42
Database version: 3434
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/26/2009 9:42:58 AM
mbam-log-2009-12-26 (09-42-58).txt

Scan type: Quick Scan
Objects scanned: 160654
Time elapsed: 13 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\oCOR.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\E49LK0C7\eH988a4567V0100f070006R24727395102Td3bb3a4f201l0409Kef0e0cd5317P000800070[1] (Rootkit.MBR) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5\JUZHZK4N\eH988a4567V0100f070006R24727395102Td3bb3a4f201l0409Kef0e0cd5317P000800071[1] (Trojan.Downloader) -> Quarantined and deleted successfully.

#9 Fefernuse

Fefernuse
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 26 December 2009 - 02:13 PM

Just tested my search engine and it is now working! Thank you so much for the help. Is there any thing further I need to do? I am useing Microsoft Security Essentials for internet protection, should I be useing something else for better protection? Is there a way to financialy contribute to this site for the valuable help I have received?
Thank's again.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:10 AM

Posted 27 December 2009 - 12:08 PM

You're welcome. Currently neither BleepingComputer nor I accept donations via PayPal however there are a lot of other sites/people you can donate to. Take a look here: http://billy-oneal.com/donate.html

--
I would run a Kaspersky Online scan to make sure.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users