tcexperts77 asked:

Search sites redirect me and I have run Malwarebytes and Combofix

All my search sites redirect me to the wrong site and I have run Malwarebytes and Combofix.  All the recent Malwarebytes scans since Dec. have found no infections.  The Combofix scan yesterday quarantined some items (see below), but the redirects still happen.  What is the solution?

The Malwarebytes scan in Dec., 2010 found some infections.  Here are the significant results:
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Staff\local settings\temp\0.08592887983379205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

COMBOFIX 4/8 Scan - QUARANTINE LOG:
2011-04-08 19:37:27 . 2011-04-08 19:37:27              912 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2011-04-08 19:37:19 . 2011-04-08 19:37:19              552 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-sysguard.reg.dat
2011-04-08 19:37:18 . 2011-04-08 19:37:18              698 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-aiwlcsnk.reg.dat
2011-04-08 19:37:01 . 2011-04-08 19:37:01              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-04-08 19:34:57 . 2011-04-08 19:34:57                0 ----a-w-  C:\Qoobox\Quarantine\Replicators\Replicator_3.txt
2011-04-08 19:33:17 . 2011-04-08 19:33:17            4,979 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-04-08 18:21:23 . 2011-04-08 18:21:23              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2009-01-30 23:00:05 . 2009-01-30 23:00:05              596 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VnrPack23.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              684 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-updateMgr.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              668 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-swg.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              612 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SiteAdvisor.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              698 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Google Desktop Search.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              596 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-GetPack28.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              618 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AROReminder.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              612 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-56702283152166359537783227108105.reg.dat
2009-01-30 22:57:22 . 2011-04-08 19:10:25              276 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2009-01-28 14:31:47 . 2009-01-28 14:31:47          544,893 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\GetPack\dictame.gz.vir
2009-01-28 14:31:44 . 2009-01-28 14:31:44            8,769 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\GetPack\trgtame.gz.vir
2009-01-27 14:02:41 . 2009-01-28 14:31:38          160,171 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\VnrPack\dicts.gz.vir
2009-01-27 14:02:40 . 2009-01-27 14:02:40               26 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\VnrPack\trgts.gz.vir
2008-11-15 19:28:08 . 2008-11-15 19:28:09                8 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir
2008-10-03 18:37:25 . 2008-10-03 18:37:26           61,224 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Staff\GoToAssistDownloadHelper.exe.vir
2000-10-27 22:23:18 . 2000-10-27 22:23:18           50,688 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir
1998-09-04 07:09:08 . 1998-09-04 07:09:08          119,400 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir
mbam-log-2010-12-14--11-40-01-.txt
ComboFix-quarantined-files.txt
nobus

Run Spybot: http://www.download.com/3000-8022-10122137.html
Check your hosts file - c:\Windows\System32\drivers\etc\hosts
The only uncommented line (not starting with a #) should be
127.0.0.1       localhost
If this is not the case, rename the file to hosts.old and create a new one with Notepad containing just this line.
Avoid the .txt extension by naming the file in inverted commas - "hosts".
The original file will be read-only; you will need to remove this attribute before you can rename it.

Chris B
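As an added illustration of the hosts-file check described above (this is not code from the thread or from any of the tools named in it), the script below parses hosts-file text and reports every active entry other than a loopback address mapped to localhost. It generalises the check slightly: the IPv6 loopback line `::1 localhost` shipped by newer Windows versions is also accepted, and entries blackholed to 0.0.0.0 are reported separately from entries pointing a hostname at an outside address. The sample content and the addresses in it are constructed for the example.

```python
import ipaddress

# Constructed sample of a hosts file, not taken from the asker's machine:
# a stock header, the one expected entry, a harmless IPv6 loopback line,
# an entry with an inline comment, and two hijack-style redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.google.com      # search engine pinned to a foreign host
198.51.100.7    search.yahoo.com www.bing.com
0.0.0.0         update.antivirus.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active (uncommented) entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line: maps nothing
        yield line_no, fields[0], fields[1:]

def suspicious_entries(text):
    """Return active entries other than a loopback address mapped to localhost.

    Each finding is (line_no, ip, hostnames, reason). A hostname pointed at a
    non-loopback address is 'redirected off-host'; 0.0.0.0 is 'blackholed'.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, names, "unparseable address"))
            continue
        if addr.is_loopback and all(n.lower() == "localhost" for n in names):
            continue                           # the expected default entry
        reason = "blackholed" if addr.is_unspecified else "redirected off-host"
        findings.append((line_no, ip, names, reason))
    return findings

def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live hosts file (default path as given in the thread)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())

if __name__ == "__main__":
    for line_no, ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {', '.join(names)} ({reason})")
```

On the sample it reports lines 5 and 6 as redirected off-host and line 7 as blackholed; a clean default file produces no findings.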
Have you tried TDSSKiller also? If not, maybe this is a router infection, in which case you would need to reset the router.
I'll look at the CF log and post back.

You can try TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

“Google Hijack” — Google Search Gets Redirected
https://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html

Can you please post the ComboFix log? That one is the quarantine log.
The log should be at C:\Combofix.txt.
ComboFix should already have reset the Hosts file.
We should also check the MBR status, as the redirect symptoms can also be caused by the TDL3/4 rootkit.
tcexperts77 (ASKER)

The hosts file was reset by Combofix and is OK.
I am attaching the Combofix scan log.
I have 3 additional Combofix logs from 2009 if you want them.
ComboFix.txt
I will try TDSSKiller and spybot later today.
Did you run Spybot? Any results?
The ComboFix log states it found and disinfected a TDL4 bootkit and it still redirects?

c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu

Also check if the above folder is still present and delete it if it is; it's under a hidden directory, so you would need to show hidden files and folders.

Let's look at the TDSSKiller log.
Spybot found some insignificant "infections".  I checked after fixing the problems and the redirect still happened.

I had explorer show hidden and protected OS files, but the file/folder (c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu) was not found.

TDSSKiller did not find anything either.  I am including the log.

Help!
TDSSKiller.2.4.21.0-10.04.2011-2.txt
Are you connecting via a router? If so, are there other PC connecting to it and are they also redirected?
If so, you may have to try resetting the router.

Also try running this tool to check the status of the mbr.
Download aswMBR.exe ( 511KB ) to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it
Click the "Scan" button to start the scan.
On completion of the scan click "save log", save it to your desktop and post in your next reply.

The other computer is being redirected.  The router is a Netgear wireless "n" 4-port.  I tried to upgrade the firmware on it - failed.  Do I just push the reset button on it?

I am attaching the aswMBR log.
aswMBR.txt
Have you retried resetting the IE advanced settings yet? If you are using IE8, then you should also check for any foreign BHOs in your add-ons. I would also ensure that all remnants of the infected items have been removed from your computer by running subsequent scans of Malwarebytes and ComboFix. You may also want to run CCleaner to clean up the registry, remove any unknown startup entries, and delete suspicious Program Files folders.
The first thing I usually do is to check the startup programs, reset IE advanced settings, clean out all temps, and look for unusual IE add-ons or other programs. All this had no effect on this PC. I also get redirected when using Mozilla Firefox. I have tried running all the usual scans (AVG, Malwarebytes, ComboFix) but I haven't run any "cleaners" on the registry. Rpggamergirl seems to be on the right track, although I've never heard of a router being infected.
ASKER CERTIFIED SOLUTION
rpggamergirl

Have you tried to ping common websites to see if it returns the correct results? If the resulting IP addresses are incorrect, there may be an issue with the DNS server. I would try to break down the problem into segments and rule out any factors (router, PC, DNS...).
rpggamergirl is the only one with the correct answer. She knows her stuff and saved me hours of work. Resetting the router solved the problem - I will also use an admin password that is not a "default" password. Please have her e-mail me at ***email address removed***. I would like to maintain contact with someone who knows a lot.
You would not believe how many people missed that answer. I can't count all the hours I spent in the past looking for this solution. I've also tried to join "Just Answer" (paid em $ up front, but got a full refund when they failed). I'm telling all my friends about Experts Exchange. Hopefully you will be around in the future. You definitely deserve the rank of "Genius".
Router infection is easily missed... when the system is showing symptoms of viruses, it's only natural for us to think that the PC is infected.

It's been a pleasure working with you, glad I could help.
And I hope to have the opportunity to work with you in the future.
Thanks for the compliments and excellent feedback.