Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google/Browser Hijack by search-star.net


  • Please log in to reply
3 replies to this topic

#1 biruviannation

biruviannation

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:12 PM

Posted 25 August 2010 - 09:22 AM

I am running Windows Vista.

My google searches are being hijacked and redirected to a site search-star.net. This happens in firefox (version 3.6.8) and ie (version 7.0.6002.18005) for google and yahoo searches, particularly when I use the google search in the address bar (upper right corner of browser). Also, often when I click on search results or even specifically enter a web site I am redirected to an advertisement or the page simply times out (this happens most often).

I have searched for days on google to try to find a solution. I updated and ran full system scans of each of the following in the past 24 hours:
Adaware 8.3.1
Malwarebytes' Anti-Malware 1.46
SUPERAntiSpyware 4.41.1000

I am at a loss - please help!!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:12 PM

Posted 25 August 2010 - 01:39 PM

Hello and welcome,let's do this next.

Please read and follow all these instructions.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Online scan:
ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 biruviannation

biruviannation
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:12 PM

Posted 26 August 2010 - 03:26 PM

Thanks for your help. I couldn't get 'run as administrator' to work on my normal user account (even though it is administrator), so I switched to the admin login, which I've never used before, and ran these programs from there. Does it matter that I ran these with a different user account?

Also, since the last scan I have run McAfee and uninstalled java and JRE completely.

Log from GooredFix:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 08:02 on 26/08/2010 (hpadmin)
Firefox version 3.6.8 (en-US)

========== GooredScan ==========

(none)
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{7C571C05-9DBF-4B0D-B487-5FB5C733FFFA} -> Success!
Deleting C:\Users\biros\AppData\Local\{7C571C05-9DBF-4B0D-B487-5FB5C733FFFA} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [07:11 10/02/2010]

C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\8jtg9hao.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [11:45 14/05/2009]

-=E.O.F=-



There was no log from ESET as no malware was found


From Malwarebytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4484

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

8/26/2010 12:02:01 PM
mbam-log-2010-08-26 (12-02-01).txt

Scan type: Quick scan
Objects scanned: 150145
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\ilisti.sys (Rootkit.Bubnix) -> Quarantined and deleted successfully.


I should note that every time I've run Malwarebytes that exact infected file is found and supposedly fixed, but the infection is still found after reboot.


The browser hijack is still happening when I used the search bar in the upper right of firefox (next to address bar). I also get new tabs opening with advertisements.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:12 PM

Posted 26 August 2010 - 03:37 PM

Yes these rootkits need special attention and tools.
We need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic(Titled Rootkit.Bubnix) explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users