Search redirect on Firefox 7.0.1

28 replies to this topic

#1 requireassistance

requireassistance

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 04 October 2011 - 06:08 PM

Hello,

Today I began to have a problem in which AVG found multiple malware infections that were moved to the Virus Vault: "Win32/Kryptik.TNG ; TR/Crypt.XPACK.Gen2 ; Unknown Virus in C:\Windows\SYSWOW64\RUNDLL32.EXE ; and TROJ_VUNDO.SMIB."

Malwarebytes' Anti-Malware found and quarantined threats as well:
Files Infected:
c:\Users\DW\AppData\LocalLow\Sun\Java\deployment\cache\6.0\11\3528520b-3e3cb5f3 (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\DW\AppData\LocalLow\Sun\Java\deployment\cache\6.0\32\41e34420-62a7398f (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\deployment\cache\6.0\32\41e34420-26b5cca9 (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\deployment\cache\6.0\32\41e34420-26b5cca9 (Trojan.Exploit.Drop) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MouseUpdateProfile (Trojan.SHarpro.PGen) -> Value: MouseUpdateProfile -> Quarantined and deleted successfully.

Presently, if I do a Google search, the results will randomly redirect to websites such as "http://www.comparedby.us", "http://63.209.69.107" and some other sites.

I am running the Windows 7 Home Premium 64-bit OS that came preinstalled on a computer purchased from Dell.

Recent changes to the computer include a Verizon Fios installation technician plugging his USB thumb drive into it last Friday, 09/30/2011.

Yesterday, 10/03/2011, I bridged a wireless connection from the Fios box to a Vonage router at my computer for fax machine use.

No other changes recently until I began downloading virus checking programs when this started happening.

The redirections do not happen when using other systems on the same router.

Internet Explorer opens but will freeze if I attempt to go to a website.

Thank you for any assistance.


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:25 AM

Posted 04 October 2011 - 06:10 PM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 requireassistance

Posted 04 October 2011 - 08:10 PM

Wow thanks for the fast response! I walked out the door after the initial post thinking it might take a while.

After downloading and running GooredFix I received the following:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 21:09 on 04/10/2011 (DW)
Firefox version 7.0.1 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:32 27/09/2011]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [07:38 07/06/2011]

C:\Users\DW\Application Data\Mozilla\Firefox\Profiles\5w8wf5jt.default\extensions\
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [01:33 20/08/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"="C:\Program Files (x86)\AVG\AVG10\Firefox4\" [07:34 07/06/2011]

---------- Old Logs ----------
GooredFix[01.06.26_05-10-2011].txt

-=E.O.F=-




Thanks for looking

#4 Budapest

Posted 04 October 2011 - 08:27 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log and let me know if there is any improvement.

#5 requireassistance

Posted 04 October 2011 - 08:39 PM

Rkill: Nothing found

Malwarebytes log file:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7869

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/4/2011 9:35:29 PM
mbam-log-2011-10-04 (21-35-29).txt

Scan type: Quick scan
Objects scanned: 197033
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Still redirecting to spam websites after a google search.

Thanks again

#6 Budapest

Posted 04 October 2011 - 08:49 PM

Try this:

http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

#7 requireassistance

Posted 04 October 2011 - 08:57 PM

TDSSKiller downloaded, renamed, and executed. The following was reported in the log file:

============================================================
21:55:00.0345 0524 Scan finished
21:55:00.0345 0524 ============================================================
21:55:00.0349 6412 Detected object count: 0
21:55:00.0349 6412 Actual detected object count: 0


I can post the entire log if you would like.

#8 Budapest

Posted 04 October 2011 - 09:03 PM

Don't worry about the entire log.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

#9 requireassistance

Posted 04 October 2011 - 09:12 PM

After running MiniToolBox with the requested settings I received the following:

An nslookup.exe error popped up stating "The ordinal 1108 could not be located in the dynamic library WSOCK32.dll."


Log File:

MiniToolBox by Farbar
Ran by DW (administrator) on 04-10-2011 at 22:11:06
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:58545

========================= FF Proxy Settings: ==============================

"network.proxy.type", 4
Hosts file not detected in the default directory
========================= IP Configuration: ================================
The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : MININT-5O5OQ1O
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : home

Ethernet adapter Network Bridge:

Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : MAC Bridge Miniport
Physical Address. . . . . . . . . : 7A-2B-CB-8F-B7-4C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::90d4:2d89:8589:e384%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, October 04, 2011 3:55:32 PM
Lease Expires . . . . . . . . . . : Wednesday, October 05, 2011 8:09:47 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 561654731
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-66-99-6F-78-2B-CB-8F-B7-4C
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:3cba:2730:b809:2e69(Preferred)
Link-local IPv6 Address . . . . . : fe80::3cba:2730:b809:2e69%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.home:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : home
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging google.com [72.14.204.104] with 32 bytes of data:
Reply from 72.14.204.104: bytes=32 time=14ms TTL=252
Reply from 72.14.204.104: bytes=32 time=14ms TTL=252

Ping statistics for 72.14.204.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 14ms, Average = 14ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=101ms TTL=250
Reply from 98.137.149.56: bytes=32 time=96ms TTL=250

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 96ms, Maximum = 101ms, Average = 98ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
18...7a 2b cb 8f b7 4c ......MAC Bridge Miniport
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.8 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.8 266
192.168.1.8 255.255.255.255 On-link 192.168.1.8 266
192.168.1.255 255.255.255.255 On-link 192.168.1.8 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.8 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.8 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:3cba:2730:b809:2e69/128
On-link
18 266 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::3cba:2730:b809:2e69/128
On-link
18 266 fe80::90d4:2d89:8589:e384/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
18 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 mswsock.dll [File Not found] ()
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 mswsock.dll [File Not found] ()
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog9 11 mswsock.dll [File Not found] ()

**** End of log ****
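The Result.txt above carries three things a responder would triage before touching the router: an IE ProxyServer pointing at the local machine on a high port (even though the proxy flag is currently off), a Firefox proxy mode that is not "direct" or "system", and Winsock catalog entries whose provider DLL could not be located. As an added illustration (not a tool from the thread or from Farbar's MiniToolBox), the following Python script parses a sample constructed from the log lines quoted in this post and flags those indicators; the severity labels are an assumption of mine, and the Firefox network.proxy.type meanings are the documented Firefox values.

```python
import re

# Constructed sample built from the Result.txt excerpts quoted in post #9.
SAMPLE_RESULT = """\
========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:58545

========================= FF Proxy Settings: ==============================

"network.proxy.type", 4
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\\Windows\\SysWOW64\\napinsp.dll [52224] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\\Windows\\System32\\napinsp.dll [68096] (Microsoft Corporation)
"""

# Firefox network.proxy.type values; 0 (direct) and 5 (use system proxy) are the
# modes you expect on a home machine, so anything else is worth a closer look.
FF_PROXY_TYPE = {0: "no proxy", 1: "manual", 2: "PAC script",
                 4: "auto-detect (WPAD)", 5: "system proxy"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_result_txt(text):
    """Return (severity, message) findings for a MiniToolBox Result.txt."""
    findings = []
    # IE proxy: a ProxyServer aimed at the local machine is the classic footprint
    # of a malware-run local proxy, whether or not the 'enabled' flag is set now.
    m = re.search(r"^ProxyServer:\s*(.+?)\s*$", text, re.M)
    if m:
        for entry in m.group(1).split(";"):
            target = entry.split("=", 1)[-1].strip()
            host, _, port = target.rpartition(":")
            if host in LOOPBACK:
                findings.append(("high", f"IE proxy set to loopback {target} (port {port})"))
    # Firefox proxy mode: anything other than direct/system should be explained.
    m = re.search(r'"network\.proxy\.type",\s*(\d+)', text)
    if m:
        mode = int(m.group(1))
        if mode not in (0, 5):
            findings.append(("medium",
                             f"Firefox proxy type {mode} = {FF_PROXY_TYPE.get(mode, 'unknown')}"))
    # Winsock catalog: a provider whose DLL could not be resolved needs manual review;
    # the nslookup/WSOCK32.dll failure in the same post points at the Winsock stack too.
    for line in re.findall(r"^(?:x64-)?Catalog\d+ \d+ .*\[File Not found\].*$", text, re.M):
        findings.append(("review", f"Winsock provider not resolvable: {line.strip()}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_result_txt(SAMPLE_RESULT):
        print(f"[{severity}] {message}")
```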

#10 Budapest

Posted 04 October 2011 - 09:46 PM

Rerun MiniToolBox:

Checkmark the following checkboxes:
  • Reset IE Proxy Settings
  • Reset FF Proxy Settings
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Reset your Hosts file here: http://support.microsoft.com/kb/972034

Then let me know if there is any improvement.

#11 requireassistance

Posted 04 October 2011 - 10:03 PM

MiniToolBox by Farbar
Ran by DW (administrator) on 04-10-2011 at 22:52:26
Windows 7 Home Premium Service Pack 1 (X64)

***************************************************************************

"Reset IE Proxy Settings": IE Proxy Settings were reset.

"Reset FF Proxy Settings": Firefox Proxy settings were reset.


**** End of log ****


Hosts file reset using the Microsoft Fixit at the link you provided. Restarted the computer as per the Fixit and, after restarting, opened Firefox. The first search result in Google I clicked on redirected to a spam website, so no luck.

#12 Budapest

Posted 04 October 2011 - 10:11 PM

Do you use a router?

#13 requireassistance

Posted 04 October 2011 - 10:13 PM

Yes, a wireless Verizon Fios modem/router that was installed last Friday.

#14 Budapest

Posted 04 October 2011 - 10:15 PM

Reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don't know the router's default password, you can look it up HERE.
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

You also need to reconfigure any security settings you had in place prior to the reset. Check out this site HERE for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Let me know if the reset improves things.

#15 requireassistance

Posted 04 October 2011 - 10:34 PM

Fios router reset, and when the network was back up I tried a test search on Google.

Clicked on first search result and was redirected to "http://60316.xml.admanage.com/xml/click/?m=60316&f=442278&r=906061033&p=0&h=bargains.shopica.com" which then redirected to "http://www.shopica.com/rssearch.php?q=test+search"

Also, other computers on the wireless network are not having the same redirect issue.
