mickery

Search Redirect persists after Emsi AM scan & cleanup

Recommended Posts

Search redirect malware issue in Florida. Yesterday ran Emsi MW smart scan, followed by a custom scan for rootkits only. Search redirect from Google, Bing, Yahoo results persists even after quarantines of traces followed by full deletion of those that remained on next smart scan. Redirect seemed to be clear for an hour. This morning search redirect is again active.

Attached are 3 reports from EEK:

EmsiSoft Smart Scan - (no suspect files) a2scan_120824-102710-FL-Win7x64-01.txt

OTL report - OTL-FL-Win7x64-01.Txt

Extras - Extras-FL-Win7x64-01.Txt

Redirects are currently active after these scans.

Best Regards.

mickery, Florida, USA

Share this post


Link to post
Share on other sites

Your logs show that you are bypassing Adobe product online activation. This indicates that Adobe Creative Suite 5 and Adobe Acrobat X Pro are not properly licensed and activated. We have a strict no piracy policy. You will be required to uninstall all unlicensed copies of Adobe software before you will receive any further assistance.

Share this post


Link to post
Share on other sites

Done. Ran Emsisoft Smart Scan again (no suspect files) and also OTL; however, OTL only creates otl.txt and not extras.txt. What is the reason?

The 2 new reports are attached:

Smart Scan = a2scan_120825-095858-FL-Win7x64-02.txt

OTL = OTL-FL-Win7x64-02.Txt

OTL did not output an "EXTRAS.TXT"

Share this post


Link to post
Share on other sites

javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:

  • Download the latest version of JRE 7 Update 6.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
    Windows x86 Offline (jre-7u6-windows-i586.exe)
    Windows x64 (jre-7u6-windows-x64.exe)
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")

Using Programs and Features in the Control Panel; uninstall the following:

Java(TM) 6 Update 14 (64-bit)
Java(TM) 6 Update 23

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    SEE ATTACHED OTLfix.txt

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Share this post


Link to post
Share on other sites

Thank you for your response and the OTL mod file. The browser redirects stopped after the OTLfix.txt run but began again after 1/2 hour of random test browsing. I will be glad to run some diagnostic scans if that will help:

  1. run OTL scan
  2. rerun OTLfix.txt code already prepared
  3. run OTL scan again
  4. random browse for testing
  5. if redirect begins again run OTL once again

Please let me know if this will help pin the redirect issue down. Formatting is not our favorite sport :-).

Thank you for your efforts,

mickery in Florida (hurricane Isaac approaching - might be slow to reply if I'm on a generator)

Share this post


Link to post
Share on other sites

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop

Link 1

Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on Combo-Fix & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouseclick combofix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Share this post


Link to post
Share on other sites

Ran ComboFix. Log attached. Qoobox directory was also created w/ two subdirectories, two text files and a .dat file 1.3 MB.

Browser still redirects when search result is clicked, first to my home page (about:blank) then rapidly to ihavenet.com, then again to another random ad site like Norton, google, hotel booking, etc, often with relevance.

mickery, Florida, USA

Share this post


Link to post
Share on other sites

Read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    tdss1.png
  • Click Change parameters
    tdss2.png
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    tdss3.png
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    tdss4.jpg
  • When it finishes, you will either see a report that no threats were found like below:
    tdss5.jpg
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    tdss7.jpg
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these laater. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
      Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.

    [*]Click Continue to apply selected actions.

    [*]A reboot may be required to complete disinfection. A window like the below will appear:

    tdss6.jpg

    Reboot immediately if TDSSKiller states that one is needed.

    [*]Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.

    [*]Attach this log to your next reply.

Share this post


Link to post
Share on other sites

TDSSKiller log attached. 21 suspicious files found -- all are unsigned files except one locked file. No action taken. Browser behavior unchanged.

Regards,

mickery, Florida, USA

Share this post


Link to post
Share on other sites

Fresh OTL scan report attached. It would be nice to dig out and destroy this persistent bug. Its hard to believe that the search redirect issue has not been solved once and for all. I understand it has been removed from thousands of machines since 2005. Is there a workaround for infected machines? Perhaps a way to decode the search address and use the underlying url to make the Net call? Or cloak the search address to hide it from the redirect engine?

I know ideas are cheap. Just frustrated, I guess. This hijack is indiscriminate and frustrating. I'm C&P-ing and typing URLs as a workaround.

Share this post


Link to post
Share on other sites

Reset Firefox to default settings

  • At the top of the Firefox window, click the "Firefox" button,
  • Go over to the "Help" sub-menu
    (on Windows XP, click the Help menu at the top of the Firefox window) and select "Troubleshooting Information".
  • Click the "Reset Firefox" button in the upper-right corner of the Troubleshooting Information page.
  • Click "Reset Firefox" in the confirmation window that opens.
  • Firefox will close and be reset. When it's done. Click "Finish" and Firefox will open.

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O2:[b]64bit:[/b] - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
    O2 - BHO: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found.
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - Startup: C:\Users\AllenFizzMatic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DellDock.exe - Shortcut.lnk =  File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16:[b]64bit:[/b] - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/images/global/js/scanner/SysProExe.cab (Reg Error: Key error.)
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [ResetHosts]
    [Reboot]

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Share this post


Link to post
Share on other sites

Attached 3 OTL reports for comparison:

OTLfix run as you requested, with your custom fix text

OTL run to verify state before test browsing

At this point I typed in a test search query to Google. Clicked first link on the results page - worked fine. Clicked another result link and was redirected to a random page with ad links. After that nearly every link redirected.

Ran OTL again to check state after test browsing failed

Regards,

mickery, Florida, USA

Share this post


Link to post
Share on other sites

Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
    IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
    IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sear
    O2:[b]64bit:[/b] - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
    O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O15 - HKLM\..Trusted Domains: isqft.com ([www] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: isqft.com ([www] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: lrplot.com ([]https in Trusted sites)
    O15 - HKCU\..Trusted Domains: lrplot.com ([pdm3] https in Trusted sites)
    O16:[b]64bit:[/b] - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} http://i.dell.com/images/global/js/scanner/SysProExe.cab (Reg Error: Key error.)
    O18:[b]64bit:[/b] - Protocol\Handler\msdaipp - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\msdaipp\oledb - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found
    [2012/08/16 19:52:55 | 000,000,000 | ---D | C] -- C:\Windows\Temp96D0724A-D5DB-1B93-A335-F0C1FAD770DF-Signatures
    [2010/08/26 18:32:55 | 000,000,000 | ---D | M] -- C:\Users\AllenFizzMatic\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/08/26 22:37:27 | 000,000,000 | ---D | M] -- C:\Users\AllenFizzMatic\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Share this post


Link to post
Share on other sites

Ran OTLfix w/ your latest custom fixes. Log attached.

Tested search links on Firefox 15.0. Made 5 searches and followed 10 search result links each for Google, Yahoo and Bing.

  • First 9 Google links did not redirect, then redirected on #10.
  • Ran same searches on Yahoo; all 10 links redirected except 2&3.
  • On Bing all redirected except 8&9.

So the search redirect problem is still here.

Ran OTL scan once again for comparison. Attached.

Thank you for your continuing efforts.

Regards,

mickery, Florida, USA

Share this post


Link to post
Share on other sites

In the Firefox address bar type about:config.

Click the "I'll be careful, I promise!" button.

In the Search box type browser.search.defaulturl

Right-click on browser.search.defaulturl, select Reset

Restart Firefox.

Still getting search redirects?

Share this post


Link to post
Share on other sites

My about:config only has *browser.search.defaultenginename*, which is Google. When I right-click, Reset is greyed-out. It looks like reset is only available for those entries in bold, apparently the ones I modded in the past.

Tx for posting. M

Share this post


Link to post
Share on other sites

Using Windows Explorer, navigate to:

c:\users\AllenFizzMatic\AppData\Roaming\Mozilla\Firefox\Profiles\x1cjyx0k.default

Using Notepad open prefs.js

Find and delete the entire line:

user_pref("browser.search.defaulturl", "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}");

Save prefs.js

Exit Notepad

Restart Firefox

Still getting redirects?

Share this post


Link to post
Share on other sites

It looks like this google redirect problem is SOLVED! I've run a many random searches and followed 52 search result links - no redirect!

Here are some interesting notes:


  • After making the about:config tweak you posted in the previous comment I restarted Firefox but the redirects continued.

  • Looking through some other config lines I commented out a total of 3 others in sequence, restarting the browser between mods.

  • After each tweak the browser search behaved better, going 20-25 times before redirecting again.

  • After unsuccessfully trying to create a virgin prefs.js file, I simply renamed it and restarted Firefox again.

  • Redirects gone.

  • Went back to files and found that Firefox had not created a new prefs.js, it just ran without one, apparently having a backup hidden somewhere.

  • Restarted computer and substituted two older versions of backed up prefs.js file in sequence, restarting computer between mods. Started browser after reboot, no redirects no matter which prefs.js was active.

  • None of the various prefs.js had the browser.default.url line, so your fix must be the one that did the trick.

  • I have not tried testing with the original browser.default.url line reinstalled -- I do not want to push my luck :-)

Thank you very much for your assistance with this stubborn issue. If you need any files to study just ask. I'll keep you posted if redirects start again. Right now I am delighted to have my internet search back. Excellent work. Thank you again!

Share this post


Link to post
Share on other sites

It is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete the following from your Desktop (If they exist)

CFscript.txt

TDSSKiller.exe

Anything else I had you use

Delete the following files: (If they exist)

C:\ComboFix.txt

Delete the following folders: (If they exist)

C:\ComboFix

C:\Qoobox

C:\TDSSKiller_Quarantine

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:
    4l5a4i.png
  • Click 16jox2o.png and choose 5x3nu8.gif
  • Uncheck amuvj8.gif
  • Then go back to 2jb4qyb.gif and click nf47ev.gif to run it.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

Share this post


Link to post
Share on other sites

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.