Search results are redirected


This topic is locked
12 replies to this topic

#1 Engineerly

Engineerly

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 12 March 2010 - 02:51 PM

Using IE7 on Windows XP
Malwarebytes and ad-aware free don't get rid of it.
Google (or yahoo, and probably others) seem to give valid search results.
But when I click on any one of them I am taken to some random ad, fake site.
Clicking on the same search result again will go to a totally different random place than the first time.
Yesterday afternoon I did a windows update to get latest security fixes and chose to install IE8.
IE8 had the same problem so I uninstalled it, but left all the other security updates intact.
This morning, the windows update site is non functional from my computer but works from my neighbor's so I think this hijack software has targeted the MS site to disallow any updates.
I can go to microsoft.com (or any site) if I type the url directly into my browser address bar, but the link on that site to updates does not work. (I got taken to some yellow pages in Alexandria, Virginia .. lol)
Most of the time, links within a website work fine though.

Attached is Hijackthis.log, dds.txt, attach.txt and Ark.txt (I'll post the Ark.txt file later, it is taking a loooong time to run)

Thank you very much,
Ron

Attached Files




#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:34 PM

Posted 14 March 2010 - 07:51 AM

Hi Ron,

In addition to the GMER results I'd like to see the log from the ComboFix run that you seem to have also done (not recommended without supervision!). The log should be in the c:\ComboFix.txt file.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Engineerly

Engineerly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 15 March 2010 - 08:12 AM

QUOTE(Blade81 @ Mar 14 2010, 08:51 AM)
In addition to the GMER results I'd like to see the log from the ComboFix run that you seem to have also done (not recommended without supervision!). The log should be in the c:\ComboFix.txt file.


Yeah I tried to run combofix but obviously didn't follow the directions well enough since the computer hung up in the process. There is no combofix.txt file on my computer. So I'll have to run it again later.

This is my work computer so I started running GMER on Friday before leaving, but when I pressed ctrl-alt-del and entered my password to unlock my computer this morning, GMER was not running anymore and I don't think it left a log file anywhere. I have temporarily turned off the desktop autolock and it is now running in the background while I work.

Is there ANYthing you can tell me from the files already attached?

also... by the way .. this other thread describes my symptoms almost exactly (including the Chrome "kill/wait" issue)
http://www.bleepingcomputer.com/forums/t/302253/browsers-redirect-cant-access-windows-update/

<*edit*> The computer unexpectedly rebooted before gmer.exe finished so I could not save its log file. So, wanting to give you something to help more with, I followed the directions for ComboFix and managed to create the log file for it, which is attached. It said that it found "rootkit activity" and rebooted before it went through all its stages. That's good news right?


Thanks for your help, Ron

Attached Files


Edited by Engineerly, 15 March 2010 - 01:18 PM.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:34 PM

Posted 15 March 2010 - 01:21 PM

Hi,

You should have told me in the first place that this is a work computer. Does your company have IT support?



#5 Engineerly

Engineerly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 15 March 2010 - 03:16 PM

We have no local IT support for PCs. Corporate has some enterprise version of McAfee and e-mail scrubbers installed which catches most stuff I guess, but the standard answer for this kind of rootkit (or whatever) problem would be "Put your computer in a box and ship it to us for refurbishing, we will send you an equivalent (or better) replacement and you'll have to reinstall all your applications and backup data. Shame on you for getting on the internet for other than timesheets and our corporate sites."

They have a good point: it's just too complicated to resolve remotely if it's not your specialty.

So I'm on my own to figure it out and glean from third party experts (like you guys). And the good news is ComboFix might have done it already! The redirection seems to have gone away and I can access the Microsoft update page now. How can I finish sanitizing my PC to be sure the bug is gone?

Thanks, Ron

#6 Engineerly

Engineerly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 15 March 2010 - 03:31 PM

Update 2010-03-16 8:00AM
GMER.exe successfully ran overnight (this is after ComboFix fixed something yesterday)
The ark.txt logfile is attached.
I apologize for this being out of order or confusing, and sincerely appreciate your volunteer help.

Attached Files

  • Attached File  ark.txt   8.46KB   7 downloads

Edited by Engineerly, 16 March 2010 - 07:01 AM.


#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:34 PM

Posted 16 March 2010 - 10:03 AM

Hi again,

It does look better now. Were you familiar with the C:\start.bat file that was removed by ComboFix?


Open notepad and copy/paste the text in the quotebox below into it:

CODE
edited



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


Uninstall this outdated Java:
Java 2 Runtime Environment, SE v1.4.2_11


Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Edited by Blade81, 18 March 2010 - 09:28 AM.



#8 Engineerly

Engineerly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 18 March 2010 - 07:59 AM

Yes, I know about the start.bat. We need it for one of our apps that needs a "P:" drive mapping.

Attached, in the order they were executed:
ComboFix.txt (new, using your short CFScript)
KAS.txt
DDS.txt (new)
Attach.txt (you did not ask for this but it was created at the same time as dds.txt so I included it)

None of the three threats found by Kas were acted on (I don't see a "remove" button anywhere). Also, with Kas, I aborted a "My Computer" scan after a couple of hours when I realized it was scanning our mapped "N:" drive which is a huge on-line backup of everybody's computers. So I chose "C:\" which is the only hard drive I have on this system.

All of the other tasks were done in the order you requested, but I had to install an older version of Java (5.x) since the newest version is incompatible with one of our legacy apps.

Thanks again, Ron

Attached Files


Edited by Engineerly, 18 March 2010 - 08:06 AM.


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:34 PM

Posted 18 March 2010 - 09:35 AM

Hi,

Let's do something before we clear findings in system restore.


Open notepad and copy/paste the text in the quotebox below into it:

CODE
DeQuarantine::
c:\qoobox\quarantine\C\start.bat.vir
Ignore::
C:\start.bat



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & dequarantine.txt log. How's the system running?

Edited by Blade81, 18 March 2010 - 09:36 AM.



#10 Engineerly

Engineerly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 18 March 2010 - 10:59 AM

Done! I left the regular combofix output named log.txt and attached it and the DeQuarantine.txt

The computer is working fine. The main problem of hijacking my search results went away the first time I successfully ran ComboFix.exe. Other than having to downgrade my Java I've had no problems.

I think it all started when I was researching tire prices to make sure what my mechanic quoted was reasonable for that make/model of tire. I clicked on a "shopping" site that I had never heard of and things went downhill fast from there.

But I think I'm good now.. what's next?

Attached Files



#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:34 PM

Posted 18 March 2010 - 11:51 AM

Hi,

Seems that there are final steps left. The system restore reset below will flush the bad Kaspersky finding down.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis




Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


You may delete DDS files too.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
    • Every version of Windows has a hosts file.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok
  • Run Secunia vulnerability check here and fix its findings.


  • Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

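The hosts file comes up twice in this thread: Ron's original symptom (search results and the Windows Update link sent somewhere else) is exactly what a tampered hosts file produces, and Blade81's final post recommends a custom hosts file as a blocklist. The following is an added example for readers, not code from the thread or from BleepingComputer: a small Python audit that parses a hosts file in the format Windows uses (`%SystemRoot%\System32\drivers\etc\hosts`) and separates intended blocklist entries (names mapped to 127.0.0.1 or 0.0.0.0) from suspicious ones (search or update domains mapped to anything else). The protected-domain list and the embedded sample hosts content are constructed for the example. In Ron's case ComboFix reported rootkit activity, so a clean hosts file does not by itself rule out a redirect; this is the cheap first check, not the whole investigation.

```python
"""Audit a Windows-style hosts file for blocklist entries and hijacks.

Added example, not part of the BleepingComputer thread. The domain list,
sinkhole addresses and sample file below are constructed for illustration.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Domains whose hijacking would produce the symptoms described in the thread
# (search results redirected, Windows Update unreachable). Constructed list.
PROTECTED_DOMAINS = {
    "www.google.com",
    "www.bing.com",
    "search.yahoo.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.microsoft.com",
}

# Addresses a blocklist-style hosts file legitimately points names at.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: stock comments, localhost lines, two blocklist entries
# and two hijacked lines using an RFC 5737 documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0 ads.example-adnetwork.invalid   # blocklist entry
0.0.0.0 tracker.example.invalid
198.51.100.23   www.google.com          # hijacked
198.51.100.23   windowsupdate.microsoft.com update.microsoft.com
::1             localhost
"""

HostsEntry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (ip, hostname) pairs.

    Each line is an IP followed by one or more hostnames; '#' starts a
    comment. Lines whose first field is not a valid IP are skipped rather
    than trusted, so stray text cannot produce a bogus finding.
    """
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[HostsEntry]]:
    """Classify entries into 'hijacked' (a protected domain mapped to a
    non-sinkhole address), 'blocked' (any name sent to a sinkhole, the
    intended use of a custom hosts file) and 'other' (localhost, intranet
    names and anything else worth eyeballing but not flagged)."""
    report: Dict[str, List[HostsEntry]] = {"hijacked": [], "blocked": [], "other": []}
    for ip, host in parse_hosts(text):
        if host in PROTECTED_DOMAINS and ip not in SINKHOLE_IPS:
            report["hijacked"].append((ip, host))
        elif ip in SINKHOLE_IPS and host != "localhost":
            report["blocked"].append((ip, host))
        else:
            report["other"].append((ip, host))
    return report


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    result = audit_hosts(text)
    for kind, entries in result.items():
        print(f"{kind}: {len(entries)}")
        for ip, host in entries:
            print(f"  {ip:<16} {host}")
```

Run without arguments to see the sample classified (three hijacked entries, two blocked, two localhost lines as other); run with the path to a real hosts file to audit that machine. The "other" bucket is deliberately printed rather than hidden, because a hijack of a domain not on the protected list still shows up there as a public address next to a familiar name.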


#12 Engineerly

Engineerly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:02:34 PM

Posted 18 March 2010 - 01:37 PM

You're the dude!

I cleared the system restore, uninstalled those tools, updated IE to version 8 (more secure apparently), secured my IE and installed that HOSTS file.

I was not able to run that Secunia analysis because it requires JRE 1.6.x which (as best as I can tell) comes with Java 6 which I can't use due to incompatibility with legacy work apps. So I have to skip that.

I don't remember changing it, but for some reason the automatic updates were off on my computer (before we started). I only noticed when a coworker needed help loading a new MSWord .docx format and I saw she had XP-Pro SP1 and her auto-updates were turned off. After fixing her, I noticed mine was off too. That won't happen again since at home I routinely keep things up to date. At work, I assumed that Corporate IT was on top of things and remotely keeping us all "secure", but nope!

Your directions were very concise and doable, it was a pleasure "working" with you.

So thanks again big time - give yourself a raise!

Edited by Engineerly, 18 March 2010 - 01:39 PM.


#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:34 PM

Posted 19 March 2010 - 08:22 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
