tcexperts77
asked on
Search sites redirect me and I have run Malwarebytes and Combofix
All my search sites redirect me to the wrong site and I have run Malwarebytes and Combofix. All the recent Malwarebytes scans since Dec. have found no infections. The Combofix scan yesterday quarantined some items (see below), but the redirects still happen. What is the solution?
The Malwarebytes scan in Dec., 2010 found some infections. Here are the significant results:
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Staff\local settings\temp\0.08592887983379205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
COMBOFIX 4/8 Scan - QUARANTINE LOG:
2011-04-08 19:37:27 . 2011-04-08 19:37:27 912 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2011-04-08 19:37:19 . 2011-04-08 19:37:19 552 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-sysguard.reg.dat
2011-04-08 19:37:18 . 2011-04-08 19:37:18 698 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-aiwlcsnk.reg.dat
2011-04-08 19:37:01 . 2011-04-08 19:37:01 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-04-08 19:34:57 . 2011-04-08 19:34:57 0 ----a-w- C:\Qoobox\Quarantine\Replicators\Replicator_3.txt
2011-04-08 19:33:17 . 2011-04-08 19:33:17 4,979 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-04-08 18:21:23 . 2011-04-08 18:21:23 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2009-01-30 23:00:05 . 2009-01-30 23:00:05 596 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VnrPack23.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05 684 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-updateMgr.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05 668 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-swg.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05 612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SiteAdvisor.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04 698 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Google Desktop Search.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04 596 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-GetPack28.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04 618 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AROReminder.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04 612 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-56702283152166359537783227108105.reg.dat
2009-01-30 22:57:22 . 2011-04-08 19:10:25 276 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-01-28 14:31:47 . 2009-01-28 14:31:47 544,893 ----a-w- C:\Qoobox\Quarantine\C\Program Files\GetPack\dictame.gz.vir
2009-01-28 14:31:44 . 2009-01-28 14:31:44 8,769 ----a-w- C:\Qoobox\Quarantine\C\Program Files\GetPack\trgtame.gz.vir
2009-01-27 14:02:41 . 2009-01-28 14:31:38 160,171 ----a-w- C:\Qoobox\Quarantine\C\Program Files\VnrPack\dicts.gz.vir
2009-01-27 14:02:40 . 2009-01-27 14:02:40 26 ----a-w- C:\Qoobox\Quarantine\C\Program Files\VnrPack\trgts.gz.vir
2008-11-15 19:28:08 . 2008-11-15 19:28:09 8 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir
2008-10-03 18:37:25 . 2008-10-03 18:37:26 61,224 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Staff\GoToAssistDownloadHelper.exe.vir
2000-10-27 22:23:18 . 2000-10-27 22:23:18 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir
1998-09-04 07:09:08 . 1998-09-04 07:09:08 119,400 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir
mbam-log-2010-12-14--11-40-01-.txt
ComboFix-quarantined-files.txt
Run Spybot: http://www.download.com/3000-8022-10122137.html
Check your hosts file - c:\Windows\System32\drivers\etc\hosts
The only uncommented line (not starting with a #) should be
127.0.0.1 localhost
If this is not the case, rename the file to hosts.old and create a new one with Notepad containing just this line.
Avoid the .txt extension by naming the file in inverted commas - "hosts"
The original file will be read-only; you will need to remove this attribute before you can rename it.
Chris B
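An added example (my own, not code from the thread) that automates the hosts-file check in the reply above: it reports every active mapping other than "127.0.0.1 localhost". The file path is the standard Windows location; the sample contents are constructed.

```python
# Added example, not from the thread: audit a Windows hosts file the way the
# reply above describes, reporting every active (uncommented) mapping other
# than "127.0.0.1 localhost". Any real site pointed elsewhere, or a vendor
# site pointed at 127.0.0.1 (which silently blocks AV updates), is a hijack sign.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # standard Windows location
EXPECTED = ("127.0.0.1", "localhost")

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active line; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments too
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # malformed line maps nothing
        for name in fields[1:]:                  # one address may list several names
            entries.append((fields[0], name.lower()))
    return entries

def suspicious_entries(text):
    """Every active mapping that an untouched hosts file would not contain."""
    return [e for e in parse_hosts(text) if e != EXPECTED]

# Constructed sample, not a file from the thread: one legitimate line, one AV
# vendor site blocked, two search sites pointed at a foreign (documentation) address.
SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org    # update site blocked
203.0.113.7     www.google.com search.yahoo.com
"""

if __name__ == "__main__":
    try:
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:                              # not on Windows: use the sample
        text = SAMPLE
    for ip, name in suspicious_entries(text):
        print(f"unexpected mapping: {name} -> {ip}")
```

On Vista and later a second "::1 localhost" line is normal and can be added to EXPECTED.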
Have you tried TDSSKiller also,... if not maybe this is a router infection in which you would need to reset the router....
I'll look at the CF log and post back.
You can try TDSSKiller
TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684
“Google Hijack” — Google Search Gets Redirected
https://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html
Can you please post the Combofix log, that one is the quarantine log.
The log should be in C:\Combofix.txt
ComboFix should already have reset the Hosts file.
We should also check the MBR status, as the redirect symptoms can also be caused by the TDL3/4 rootkit.
ASKER
The hosts file was reset by Combofix and is OK.
I am attaching the Combofix scan log.
I have 3 additional Combofix logs from 2009 if you want them.
ComboFix.txt
ASKER
I will try TDSSKiller and spybot later today.
did you run spybot? any results?
The ComboFix log states it found and disinfected a TDL4 bootkit and it still redirects?
c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu
Also check if the above folder is still present and delete it if it is; it's under a hidden directory, so you would need to show hidden files and folders.
Let's look at the TDSSKiller log.
ASKER
Spybot found some insignificant "infections". I checked after fixing the problems and the redirect still happened.
I had explorer show hidden and protected OS files, but the file/folder (c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu) was not found.
TDSSKiller did not find anything either. I am including the log.
Help!
TDSSKiller.2.4.21.0-10.04.2011-2.txt
Are you connecting via a router? If so, are there other PCs connecting to it, and are they also redirected?
If so, you may have to try resetting the router.
Also try running this tool to check the status of the MBR.
Download aswMBR.exe ( 511KB ) to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click "save log", save it to your desktop and post in your next reply.
ASKER
The other computer is being redirected. The router is a Netgear wireless "n" 4-port. I tried to upgrade the firmware on it - failed. Do I just push the reset button on it?
I am attaching the aswMBR log.
aswMBR.txt
Have you retried resetting the IE advanced settings yet? If you are using IE8 then you should also check for any foreign BHOs in your add-ons. I would also ensure that all remnants of the infected items have been removed from your computer by running subsequent scans of Malwarebytes and ComboFix. You may also want to run CCleaner to clean up the registry, remove any unknown startup entries, and delete suspicious Program Files folders.
ASKER
The first thing I usually do is to check the startup programs, reset IE advanced settings, clean out all temps, and look for unusual IE add-ons or other programs. All this had no effect on this PC. I also get redirected when using Mozilla Firefox. I have tried running all the usual scans (AVG, Malwarebytes, ComboFix) but I haven't run any "cleaners" on the registry. Rpggamergirl seems to be on the right track, although I've never heard of a router being infected.
ASKER CERTIFIED SOLUTION
Have you tried to ping common websites to see if it returns the correct results. If the resulting IP addresses are incorrect there may be an issue with the DNS server. I would try to break down the problem into segments and rule out any factors (Router, PC, DNS....).
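An added example (my own, not code from the thread) of the segmentation the reply above suggests: it resolves a name by sending a raw DNS query straight to chosen resolvers, bypassing the PC's own configuration, and compares that with what the PC's stack returns. Assumptions: the router's LAN address is read from "ipconfig /all" (198.51.100.1 is a placeholder), the comparison resolvers and hostname are yours to pick, and the constructed response used in the test is not traffic from the thread.

```python
# Added example, not from the thread: query resolvers directly (bypassing the
# PC's settings) and via the PC's stack to tell a router/DNS problem from a PC one.
import socket, struct, random

def build_query(name, txid):
    """Minimal DNS A query with recursion desired (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):                # advance past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:             # compression pointer: two bytes, name ends
            return off + 2
        off += 1 + n

def parse_answers(msg, txid):
    """Return the sorted A-record addresses in a response; raise if it is not ours."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                     # CNAMEs etc. are skipped, not resolved
    return sorted(ips)

def resolve(name, server, timeout=3):
    txid = random.randrange(65536)       # matched against the reply below
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return parse_answers(s.recv(512), txid)

def cross_check(name, servers):
    """Map each resolver (e.g. the router's LAN address, a resolver outside it) to its answer."""
    results = {srv: resolve(name, srv) for srv in servers}
    results["system"] = sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    return results
```

Call cross_check("www.google.com", ["198.51.100.1", "<outside resolver>"]) from each PC on the LAN: if only the router-served answers disagree with the outside resolver, the router or its DNS setting is the culprit rather than the PC. Large sites legitimately return different addresses from different resolvers, so treat a disagreement as a lead to verify, not proof.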
ASKER
rpggamergirl is the only one with the correct answer. She knows her stuff and saved me hours of work. Resetting the router solved the problem - I will also use an admin password that is not a "default" password. Please have her e-mail me at ***email address removed***. I would like to maintain contact with someone who knows a lot.
ASKER
You would not believe how many people missed that answer. I can't count all the hours I spent in the past looking for this solution. I've also tried to join "Just Answer" (paid em $ up front, but got a full refund when they failed). I'm telling all my friends about Experts Exchange. Hopefully you will be around in the future. You definitely deserve the rank of "Genius".
Router infection is easily missed... when the system is showing symptoms of viruses, it's only natural for us to think that the PC is infected.
It's been a pleasure working with you, glad I could help.
And I hope to have the opportunity to work with you in the future.
Thanks for the compliments and excellent feedback.