Posted 13 January 2011 - 12:39 PM
As a newbie to posting in bleepingcomputer.com (but not a newbie for reading the forums; learned a lot, thank you!), I pass the following on for whatever help it might be to someone else; admins please delete, relocate or whatever as desired; sorry if I didn't get it right.
Scenario: acquired a nasty Browser Redirect problem, along with a 'permanent' disabling of Windows Defender about 3 weeks ago. Affected both Bing and Google running on IE8, but NOT Google running on Chrome, so I knew it was related to Internet Explorer, and not Google (many forums had topics on "Google Redirect Virus"; may not really be the issue, or may truly be a separate infection; don't know). Running Google Chrome (or perhaps Firefox, etc.) would be a way to check where the problem really sits (and would let you do some searching for help).
The system I am running is:
Running Windows XP Home, v5.1, sp3 with Internet Explorer 8.0.6001.18702. Also have current version of Google Chrome browser.
Security programs (all free versions) Avast Antivirus, ZoneAlarm Firewall and Spybot Search & Destroy; also had Windows Defender running 'cause it flags registry changes.
Full scans with latest updates for Avast & Spybot S&D didn't find or fix it (but more about Spybot S&D later). Couldn't run Windows Defender.
Read many related bleepingcomputer forums (and others), and tried AdAware, CCleaner, Malwarebytes, Eusing Registry Cleaner, SpywareBlaster, SUPERAntiSpyware, TDSSKiller (and a few others I don't remember); found some minor miscellaneous junk, but no recognition of or fix for the main problem.
Looked at HijackThis logs, and even tried several recommended ComboFix solutions; ComboFix gave me the infamous Blue Screen of Death twice, so could never complete a run there; don't know if it might have worked otherwise; fortunately no permanent effects from the BSOD.
While digging on the Windows Defender problem, found and ran Microsoft Windows Live OneCare safety scanner (MS WLOCSS); took a while, but it FOUND & FIXED the browser redirect issue. Also believe it fixed the disabling of Windows Defender, but MS says that running the WLOCSS will disable Defender anyway, so haven't checked; would have to delete the WLOCSS to try it.
FYI, the files it found (and deleted) were:
As a side note, Spybot S&D was the ONLY program to identify and try to fix the disabling of Windows Defender; it identified the problem in plain English, and actually told you what registry entry was the problem; a registry entry allowing WD to start had been changed from '2' to '4'. Unfortunately, every time it fixed it, it changed the registry entry to allow start, but neither it nor anything else (except the MS WLOCSS) found the actual malicious program changing the entry, so the bug kept disabling the entry.
Still, hats off to the Spybot S&D crew for alerting to the disabling of a security program.
Hope maybe this might be of help to someone; the Microsoft safety scan is free, and written by the people that wrote the operating system and browser, so you may want to add it to your toolkit.
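A defender-side check for the registry symptom the post describes (an added example, not code from the original post or from any of the tools named): it reads each listed service's Start value under HKLM\SYSTEM\CurrentControlSet\Services and flags any set to 4 (Disabled). The post does not name the key, so the service name WinDefend for Windows Defender, the other service names in the list, and the standard meaning of the Start values (2 = Automatic, 4 = Disabled) are my assumptions.

```powershell
# Added example: report security-related services whose Start value has been
# flipped to 4 (Disabled), the symptom described in the post (2 -> 4).
# Assumptions: service names below exist on the machine (WinDefend = Windows
# Defender; the rest are standard Windows service names not mentioned in the
# post) and the usual Start value meanings.
$StartMeaning = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartValue {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { return $null }   # service not installed on this build
    $props = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.Start
}

function Test-SecurityServiceStart {
    # wscsvc = Security Center, SharedAccess = XP firewall/ICS, wuauserv = Windows Update
    param([string[]]$ServiceNames = @('WinDefend', 'wscsvc', 'SharedAccess', 'wuauserv'))
    foreach ($name in $ServiceNames) {
        $start = Get-ServiceStartValue -ServiceName $name
        if ($null -eq $start) { continue }
        [pscustomobject]@{
            Service  = $name
            Start    = $start
            Meaning  = $StartMeaning[$start]
            Disabled = ($start -eq 4)
        }
    }
}

# Run it; anything with Disabled = True deserves a look. As the post notes,
# resetting the value only helps once whatever keeps changing it is removed.
Test-SecurityServiceStart | Format-Table -AutoSize
```

Run from an elevated PowerShell prompt; reading the Services key needs no special rights, but changing a Start value back does.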