Search results redirected


This topic is locked
35 replies to this topic

#1 mud3

mud3

  • Members
  • 18 posts

Posted 15 April 2012 - 11:21 PM

This is my first post.

When I search for something with Google I get a list of appropriate results, but when I click on one I am redirected to some other site. I have Trend Micro PC-cillin, which I have run, and it picked up some trojans, but the search redirects persisted. I have Malwarebytes on my computer, which I had installed from a previous problem, and I have also run it; I couldn't tell if it did anything. My web browsing, for which I use Firefox, is brutally slow and is often interrupted and shuts down with a message to send an error report.

I saw a listing that was similar to this, in that the individual had very persistent search redirects. I almost just followed the steps given to them, and downloaded ComboFix (spelling?) but did not install it. As I read on it seemed quite involved. I decided to sign up and get some specific help.

thanks in advance!

Edited by mud3, 15 April 2012 - 11:23 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 April 2012 - 12:54 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts

Posted 16 April 2012 - 08:05 PM

Ok Gringo,

I've got everything backed up on an external HD.

I got the DeFogger run.
I got the Security Check run; see the log below:

Security check log

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Trend Micro PC-cillin Internet Security 12
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 26
Java version out of date!
Adobe Flash Player 11.1.102.63
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Trend Micro Internet Security 12 pccguide.exe
Trend Micro Internet Security 12 TMAS_OE TMAS_OEMon.exe
TRENDM~1 INTERN~1 PcCtlCom.exe
TRENDM~1 INTERN~1 Tmntsrv.exe
TRENDM~1 INTERN~1 tmproxy.exe
TRENDM~1 INTERN~1 TmPfw.exe
``````````End of Log````````````


I then turned off Malwarebytes and Trend Micro (wasn't sure if Trend Micro would interfere, so I turned it off to make sure).
I downloaded DDS and ran it. As it says in the window, it should only take about 3 min. Well, it froze up; I couldn't close the window or move to another window, and I tried Control-Alt-Delete with no response. I had to physically hold the button on the tower down to shut down, then restarted, and am posting progress to you seeking further instruction on how to proceed, since DDS was not able to complete its full process.

Computer function: Things are going slow because my computer is running very slow and I am still intermittently losing browser functionality; for example, when I try to come to this site I see the browser being redirected to other sites on a tab at the bottom of the window, and then eventually it "fights" (not sure how else to describe it) its way through.

thanks again...
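A helper reading several of these checkup.txt logs a day wants the actionable lines pulled out automatically: the OS and browser version, the antivirus product and whether it is current, anything the tool marks "out of date!" (an old Java or Adobe Reader is exactly the kind of unpatched software that drive-by infections abuse), and which security processes were actually running. The parser below is an added example, not screen317's tool and not code from this thread; the format is inferred from the log posted above, and the sample log is constructed from it (process list shortened, the trademark sign written as "(TM)", and the backtick separator rows generated in code).

```python
"""Parser for screen317's Security Check (checkup.txt) output.
Added example; the format is inferred from the log posted in this thread."""
import re

SEP = "`" * 30                      # the tool prints a row of backticks between sections

# Constructed from the log above (process list shortened; Java's trademark sign
# written as (TM) to keep the sample ASCII).
SAMPLE_CHECKUP = "\n".join([
    "Results of screen317's Security Check version 0.99.32",
    "Windows XP Service Pack 3 x86",
    "Internet Explorer 8",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    "Trend Micro PC-cillin Internet Security 12",
    "Antivirus up to date!",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    "Java(TM) 6 Update 26",
    "Java version out of date!",
    "Adobe Flash Player 11.1.102.63",
    "Adobe Reader 9 Adobe Reader out of date!",
    "Mozilla Firefox (11.0.)",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "",
    "Malwarebytes' Anti-Malware mbamservice.exe",
    "Trend Micro Internet Security 12 pccguide.exe",
    "TRENDM~1 INTERN~1 Tmntsrv.exe",
    "`" * 10 + "End of Log" + "`" * 12,
])

SEP_RE = re.compile(r"^`{3,}")
STATUS_RE = re.compile(r"(out of date!|up to date!)$", re.IGNORECASE)
# 'Adobe Reader 9 Adobe Reader out of date!' carries its own product+version;
# 'Java version out of date!' does not and refers to the line before it.
EMBEDDED_PRODUCT_RE = re.compile(r"^(.*\d\S*)\s+\S.*?\s*out of date!$", re.IGNORECASE)


def split_sections(text):
    """Return a dict (insertion ordered): section title -> non-blank lines.
    Lines before the first separator go under 'Header'."""
    sections = {"Header": []}
    title = "Header"
    expect_title = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SEP_RE.match(line):
            if "end of log" in line.lower():
                break
            expect_title = True          # the next line names the section
            continue
        if expect_title:
            title = line.rstrip(":")
            sections[title] = []
            expect_title = False
            continue
        sections[title].append(line)
    return sections


def triage(text):
    """Pull out what a helper acts on: OS, antivirus products and status,
    outdated software, and the security processes seen running."""
    sections = split_sections(text)
    header = sections.get("Header", [])
    result = {
        "os": header[1] if len(header) > 1 else None,
        "browser": header[2] if len(header) > 2 else None,
        "antivirus": [], "av_status": [], "outdated": [], "processes": [],
    }
    for title, lines in sections.items():
        last_product = None
        for line in lines:
            status = STATUS_RE.search(line)
            if status is None:
                if title.startswith("Antivirus"):
                    result["antivirus"].append(line)
                elif title.startswith("Process") and " by " not in line:
                    result["processes"].append(line)    # skip the objlist.exe credit line
                last_product = line
                continue
            if title.startswith("Antivirus"):
                result["av_status"].append(status.group(1).rstrip("!"))
            if status.group(1).lower().startswith("out"):
                embedded = EMBEDDED_PRODUCT_RE.match(line)
                result["outdated"].append(embedded.group(1) if embedded else last_product)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CHECKUP).items():
        print(f"{key}: {value}")
```

Run against the constructed sample this reports Windows XP SP3 with IE 8, Trend Micro up to date, "Java(TM) 6 Update 26" and "Adobe Reader 9" as outdated, and three running security processes; on a real checkup.txt the same two "out of date!" forms occur, which is why the parser distinguishes a status line that names its own product from one that refers to the line before it.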

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 April 2012 - 09:37 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts

Posted 17 April 2012 - 12:16 AM

Sorry Gringo,

I wasn't paying close enough attention and did not close the browser before I tried to run Combofix. It gave me a message that I could not save it as combofix(1), I guess because I had downloaded it previously, although without running it prior to registering to get specific help.

I then saved it to my desktop, closed the browser and double clicked, and it started, but I got this error message:

(transcription not copy and pasted)

Error opening file for writing
c:\32788R22FWJFW\License\iexplore.exe
(there were three option to proceed)

Abort retry Ignore

I clicked retry and it was not able to proceed, then I clicked abort so that I could report back to you before I screwed things up any more. Sorry.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2012 - 12:36 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

#7 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:25 PM

Posted 17 April 2012 - 02:24 AM

Hello Gringo,

I had shut down my computer for the night when you responded last, and I decided to start it up and try TDSSKiller. When I started it up again the security and malware programs were back on, so I turned them off so that they would not interfere.

I then downloaded TDSSKiller, saved it to the desktop, double clicked and waited, 30 min+ maybe, then finally double clicked again. Nothing happened; I was not given a prompt to start the scan. The web browser became totally unresponsive during this waiting; I couldn't close it and couldn't move the window on the screen to get it out of the way. Eventually it closed with an "unable to run script" message, with options to continue or stop the script. Stop script chosen. Was able to get the browser up again to post an update. At times I'm having considerable lag between key strokes and when letters appear on screen; I had another script error message while trying to complete this. Stop script chosen, and I have been able to get back to this message to post it.

Just as I am finishing typing this, Internet Explorer opened on its own. I'm going to post this and crash; I can't work on it any more tonight, as I have to get up pretty early for work tomorrow.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2012 - 02:53 AM

Hello

I would like you to run this tool for me - fixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found - let me know what it says.

After it is complete I want you to restart the computer and try to rerun TDSSKiller for me and send me the report.

Gringo

#9 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts

Posted 17 April 2012 - 09:26 PM

Gringo,

I tried to carry out your last instructions but was unable to download the fixTDSS.

My computer is running very slowly; the browser freezes up.
Malwarebytes is giving the message:
Successfully blocked access to potentially malicious website:
206.161.121.4
Type: outgoing
The last number changes to .2 also.


I have access to a laptop from work that I am actually using to make this post, as I am not really able to get on the forum on my desktop. Things seem to be getting worse.

Edited by mud3, 17 April 2012 - 09:28 PM.


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2012 - 09:33 PM

Can you download the fixTDSS from the laptop and move it to the infected computer with a pen drive?


gringo

#11 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts

Posted 17 April 2012 - 09:36 PM

yes

should I do that now?

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2012 - 09:56 PM

yes please do


gringo

#13 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts

Posted 17 April 2012 - 10:05 PM

Gringo,

It seemed clear that is the next step. I have it on a pen drive and it is now on the desktop.

I ran it
it restarted and ran

***Infected MBR detected
repair succeeded

The computer responded very slowly while trying to restart. I am waiting for it to restart and run TDSSkiller. I will post again as soon as it has run and gives me a log to pass along to you.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 April 2012 - 10:15 PM

Hello


I want you to reset the DMA. You can do this with this script here - Reset DMA

If you have problems when you click on the link, try to right click on the link and select "Save Target As" and then save it to your desktop.
Once it is on your desktop, right click on the file and select "Run".

If you still can't run it then you can go here "Reset DMA" to see what I want to do.



Gringo

#15 mud3

mud3
  • Topic Starter

  • Members
  • 18 posts

Posted 17 April 2012 - 10:51 PM

I am back on the desktop, running a little quicker.

No threats found

I tried to right click and copy the text from the report screen but nothing happens.

I then double clicked the Reset DMA link and a new tab in the browser opened with the following text:

' Visual Basic Script program to reset the DMA status of all ATA drives

' Copyright 2006 Hans-Georg Michna

' Version 2007-04-04

' Works in Windows XP, probably also in Windows 2000 and NT.
' Does no harm if Windows version is incompatible.

If MsgBox("This program will now reset the DMA status of all ATA drives with Windows drivers." _
    & vbNewline & "Windows will redetect the status after the next reboot, therefore this procedure" _
    & vbNewline & "should be harmless.", _
    vbOkCancel, "Program start message") _
    = vbOk Then

  ' {4D36E96A-...} is the device class key for IDE ATA/ATAPI controllers;
  ' each channel has a 4-digit subkey (0000, 0001, ...) under it.
  RegPath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\"
  ValueName1Master = "MasterIdDataChecksum"
  ValueName1Slave = "SlaveIdDataChecksum"
  ValueName2Master = "UserMasterDeviceTimingModeAllowed"
  ValueName2Slave = "UserSlaveDeviceTimingModeAllowed"
  ValueName3 = "ResetErrorCountersOnSuccess"
  MessageText = "The following ATA channels have been reset:"
  MessageTextLen0 = Len(MessageText)
  ConsecutiveMisses = 0
  Set WshShell = WScript.CreateObject("WScript.Shell")

  For i = 0 to 999
    RegSubPath = Right("000" & i, 4) & "\"

    ' Master
    ' RegRead fails (Err.Number <> 0) when the value is missing, i.e. no master
    ' device is configured on this channel; deleting the checksum and timing
    ' values makes Windows redetect them on the next boot.

    Err.Clear
    On Error Resume Next
    WshShell.RegRead RegPath & RegSubPath & ValueName1Master
    errMaster = Err.Number
    On Error Goto 0
    If errMaster = 0 Then
      On Error Resume Next
      WshShell.RegDelete RegPath & RegSubPath & ValueName1Master
      WshShell.RegDelete RegPath & RegSubPath & ValueName2Master
      On Error Goto 0
      MessageText = MessageText & vbNewLine & "Master"
    End If

    ' Slave

    Err.Clear
    On Error Resume Next
    WshShell.RegRead RegPath & RegSubPath & ValueName1Slave
    errSlave = Err.Number
    On Error Goto 0
    If errSlave = 0 Then
      On Error Resume Next
      WshShell.RegDelete RegPath & RegSubPath & ValueName1Slave
      WshShell.RegDelete RegPath & RegSubPath & ValueName2Slave
      On Error Goto 0
      If errMaster = 0 Then
        MessageText = MessageText & " and "
      Else
        MessageText = MessageText & vbNewLine
      End If
      MessageText = MessageText & "Slave"
    End If

    If errMaster = 0 Or errSlave = 0 Then
      On Error Resume Next
      WshShell.RegWrite RegPath & RegSubPath & ValueName3, 1, "REG_DWORD"
      On Error Goto 0
      ChannelName = "unnamed channel " & Left(RegSubPath, 4)
      On Error Resume Next
      ChannelName = WshShell.RegRead(RegPath & RegSubPath & "DriverDesc")
      On Error Goto 0
      MessageText = MessageText & " of " & ChannelName & ";"
      ConsecutiveMisses = 0
    Else
      ConsecutiveMisses = ConsecutiveMisses + 1
      If ConsecutiveMisses >= 32 Then Exit For ' Don't search unnecessarily long.
    End If
  Next ' i

  If Len(MessageText) <= MessageTextLen0 Then
    MessageText = "No resettable ATA channels with Windows drivers found. Nothing changed."
  Else
    MessageText = MessageText & vbNewline _
      & "Please reboot now to reset and redetect the DMA status."
  End If

  MsgBox MessageText, vbOkOnly, "Program finished normally"

End If ' MsgBox(...) = vbOk

' End of Visual Basic Script program

I didn't know if this did what it was supposed to, so I went on to save it to my desktop and try again, but there wasn't a "Run", just an "Open", which I did. Nothing really seemed to happen except that the same script as above opened in a Notepad window. I then went to the last link and wasn't sure how to proceed, as it wasn't a click-to-download link; it was another forum listing explanations and a process to reset the DMA. Should I try and follow those instructions? Please advise, and thanks for hanging in there with me...
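Whether the script "did what it was supposed to" is hard to tell from a message box alone. What the loop above does is walk the numbered subkeys of the IDE controller class key, and for every channel that has a MasterIdDataChecksum or SlaveIdDataChecksum value, delete that value and the matching UserXxxDeviceTimingModeAllowed value and set ResetErrorCountersOnSuccess to 1, so that Windows redetects the transfer mode on the next reboot; it gives up after 32 consecutive subkeys with no channel values. The Python below is an added model of that logic (not part of the thread and not Hans-Georg Michna's script) that runs over a constructed dictionary standing in for the registry key, so the effect can be inspected without touching a real machine; the subkey names, driver descriptions and values are made up.

```python
"""Model of the 'Reset DMA' VBScript logic over an in-memory stand-in for the
registry (added example, not code from the thread or from the original script)."""
import copy

# Device class key the VBScript walks (from the script; {4D36E96A-...} is the
# IDE ATA/ATAPI controller class). Only used here for documentation.
IDE_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E96A-E325-11CE-BFC1-08002BE10318}")

CHECKSUM_VALUE = {"Master": "MasterIdDataChecksum", "Slave": "SlaveIdDataChecksum"}
TIMING_VALUE = {"Master": "UserMasterDeviceTimingModeAllowed",
                "Slave": "UserSlaveDeviceTimingModeAllowed"}
RESET_FLAG = "ResetErrorCountersOnSuccess"
MAX_CONSECUTIVE_MISSES = 32   # same cutoff the script uses to stop searching

# Constructed stand-in for the subkeys 0000..0003 under IDE_CLASS_KEY.
SAMPLE_REGISTRY = {
    "0000": {"DriverDesc": "Example ATA Storage Controller"},        # no channel values
    "0001": {"DriverDesc": "Primary IDE Channel",
             "MasterIdDataChecksum": 0x1234, "UserMasterDeviceTimingModeAllowed": 0x1f,
             "SlaveIdDataChecksum": 0x5678},
    "0002": {"DriverDesc": "Secondary IDE Channel", "SlaveIdDataChecksum": 0x9abc},
    "0003": {"MasterIdDataChecksum": 0x0001},                       # no DriverDesc
}


def reset_dma(registry):
    """Apply the script's logic to `registry` (dict: 4-digit subkey -> dict of values).

    Mutates `registry` the way the script mutates the real key and returns the
    list of channel descriptions that were reset, in the order the script
    would list them in its message box."""
    reset = []
    misses = 0
    for i in range(1000):                        # For i = 0 to 999
        sub = f"{i:04d}"                         # Right("000" & i, 4)
        values = registry.get(sub)
        roles = []
        if values is not None:
            for role in ("Master", "Slave"):
                # A readable checksum value means a device is configured in that
                # position; drop checksum + timing mode so Windows redetects them.
                if CHECKSUM_VALUE[role] in values:
                    del values[CHECKSUM_VALUE[role]]
                    values.pop(TIMING_VALUE[role], None)   # RegDelete errors are ignored
                    roles.append(role)
        if roles:
            values[RESET_FLAG] = 1               # REG_DWORD 1
            name = values.get("DriverDesc", f"unnamed channel {sub}")
            reset.append(f"{' and '.join(roles)} of {name}")
            misses = 0
        else:
            misses += 1
            if misses >= MAX_CONSECUTIVE_MISSES:  # Exit For
                break
    return reset


def finished_message(reset):
    """The two outcomes the script shows in its final MsgBox."""
    if not reset:
        return "No resettable ATA channels with Windows drivers found. Nothing changed."
    return ("The following ATA channels have been reset:\n" + ";\n".join(reset)
            + ";\nPlease reboot now to reset and redetect the DMA status.")


def run_sample():
    """Run the model on a copy of SAMPLE_REGISTRY and return (message, registry)."""
    reg = copy.deepcopy(SAMPLE_REGISTRY)
    return finished_message(reset_dma(reg)), reg


if __name__ == "__main__":
    msg, reg = run_sample()
    print(msg)
    for sub, values in reg.items():
        print(sub, values)
```

On the constructed sample the model reports "Master and Slave of Primary IDE Channel", "Slave of Secondary IDE Channel" and "Master of unnamed channel 0003", leaves subkey 0000 untouched, and stops scanning 32 empty subkeys after the last hit, which is the same behaviour a helper would expect from the real script on a machine whose channels had dropped out of DMA mode.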
