
Search hijack


  • This topic is locked
19 replies to this topic

#1 MindStab
  • Members
  • 9 posts

Posted 23 January 2010 - 03:54 AM

Hello!
My search engines are hijacked, redirecting me from anything to porn to the dictionary. Now after running Spybot S&D, Ad-Aware, MBAM, Avira anti-virus, and most recently ComboFix, the problem persists. I've done a fair bit of searching through these forums and others in an attempt to find some sort of trend to help me fix the problem on my own, but nothing has worked and it has become clear that I simply do not have the know-how to fix this without some guidance.


Any help would be much appreciated!

Attached Files




#2 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 29 January 2010 - 02:24 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 01 February 2010 - 12:37 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 MindStab
  • Topic Starter
  • Members
  • 9 posts

Posted 01 February 2010 - 07:02 PM

Hey! I'm here and I've still got the Google redirect. I can't post new logs at the moment, but I will tomorrow. I just don't want this thread to close.

Thank you!

#5 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 01 February 2010 - 08:24 PM

Sure, okay. Thanks for letting me know.

#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 06 February 2010 - 02:55 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy

#7 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 12 February 2010 - 03:26 PM

Re-opened upon user's request.

#8 MindStab
  • Topic Starter
  • Members
  • 9 posts

Posted 14 February 2010 - 12:45 PM

Hello again! My problem has not gone away and is just as annoying as ever. The latest update to my antivirus has led to the detection of a list of (similarly named) rootkits, but even after removal nothing has changed. Here are my latest logs. Please let me know if you need anything else and thank you again for the assistance!

Attached Files



#9 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 14 February 2010 - 01:36 PM

Hello.

Let's get a GMER scan.

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Note: Do not run any program while GMER is running.
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

#10 MindStab
  • Topic Starter
  • Members
  • 9 posts

Posted 14 February 2010 - 01:52 PM

Ran GMER as you asked (I think).
PC froze afterward and I had to reboot.

Also interesting: after running the Defogger, I was no longer being redirected.

Attached Files

  • Attached File: gmer.log (27.79KB, 12 downloads)


#11 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 14 February 2010 - 02:07 PM

Hello.

The infection is still there. It's the TDL3 rootkit.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

--
If you wish to continue disinfecting let me know.

#12 MindStab
  • Topic Starter
  • Members
  • 9 posts

Posted 14 February 2010 - 02:22 PM

Thank you for confirming what I have begun to suspect. My Facebook was logged into from some place in South Carolina a couple of days ago, far away from where I am, and not a single person besides me knows my login or pw, so I was figuring that something like this had happened.

That said, I'd like to try to disinfect if that is at all possible. I moved recently and do not have the required software to reformat without buying it again :\

Wow this sucks.

#13 MindStab
  • Topic Starter
  • Members
  • 9 posts

Posted 14 February 2010 - 08:58 PM

I downloaded and ran a program called Hitman Pro.

It found 2 rootkits.

atapi.sys & some other one. OLD[a bunch of numbers].tmp

I am no longer being redirected.

#14 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 15 February 2010 - 12:50 PM

Hello.

Please do not change anything while you're being helped; it just causes more difficulty. You mentioned you didn't get redirects after Defogger, and now you mention you don't get redirects after running Hitman Pro? You did have the TDL3 rootkit, which was caused by an infected atapi driver file. Let's continue then.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

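The post above attributes the TDL3 infection to a modified atapi.sys driver. As an added defender-side check (example code written for this page, not part of the thread and not from GMER, Hitman Pro or ComboFix), the PowerShell below reports the Authenticode status of the live atapi.sys and compares its hash with the reference copies Windows keeps; the search locations, the PowerShell 4+ requirement and the Administrator context are assumptions.

```powershell
# Added example, not part of the thread: sanity-check the atapi.sys driver that TDL3 infects.
# Assumptions: run as Administrator on Windows 7 or later (Get-FileHash needs PowerShell 4+).
# Caveat: a kernel-mode rootkit can hide its changes from the running OS, so a clean result
# here is not proof of a clean disk; repeat the check from offline boot media to be sure.

$driver = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
if (-not (Test-Path $driver)) { throw "atapi.sys not found at $driver" }

# 1. Authenticode status. Microsoft drivers are signed (catalog-signed on older systems,
#    so 'NotSigned' alone is inconclusive there, but 'HashMismatch' means the file was altered).
$sig = Get-AuthenticodeSignature -FilePath $driver
"{0,-13} {1}" -f 'Status:', $sig.Status
"{0,-13} {1}" -f 'Signer:', $sig.SignerCertificate.Subject

# 2. Compare the live driver's SHA-256 with every other copy Windows keeps
#    (the WinSxS component store; dllcache only exists on XP-era systems).
$live = (Get-FileHash -Path $driver -Algorithm SHA256).Hash
"{0,-13} {1}" -f 'Live SHA256:', $live

$searchRoots = @(
    (Join-Path $env:SystemRoot 'WinSxS'),
    (Join-Path $env:SystemRoot 'System32\dllcache')
) | Where-Object { Test-Path $_ }

$copies = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'atapi.sys' -Recurse -File -ErrorAction SilentlyContinue
}

if (-not $copies) {
    "No reference copies found; compare the live hash against a known-good machine instead."
}
foreach ($c in $copies) {
    $h = (Get-FileHash -Path $c.FullName -Algorithm SHA256).Hash
    $verdict = if ($h -eq $live) { 'MATCH' } else { 'DIFFERS' }
    "{0,-8} {1}  {2}" -f $verdict, $h.Substring(0, 16), $c.FullName
}
# Different WinSxS versions legitimately differ from one another (updates), but the live file
# should match at least one of them. A file that matches none, or a HashMismatch status above,
# is the signal that warrants an offline scan rather than further tools run from inside the OS.
```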

#15 MindStab
  • Topic Starter
  • Members
  • 9 posts

Posted 15 February 2010 - 04:10 PM

Here's the log.

Attached Files

  • Attached File: logg.txt (24.67KB, 2 downloads)




