• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2090

Search sites redirect me and I have run Malwarebytes and Combofix

All my search sites redirect me to the wrong site and I have run Malwarebytes and Combofix.  All the recent Malwarebytes scans since Dec. have found no infections.  The Combofix scan yesterday quarantined some items (see below), but the redirects still happen.  What is the solution?

The Malwarebytes scan in Dec., 2010 found some infections.  Here are the significant results:
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Staff\local settings\temp\0.08592887983379205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

COMBOFIX 4/8 Scan - QUARANTINE LOG:
2011-04-08 19:37:27 . 2011-04-08 19:37:27              912 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2011-04-08 19:37:19 . 2011-04-08 19:37:19              552 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-sysguard.reg.dat
2011-04-08 19:37:18 . 2011-04-08 19:37:18              698 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-aiwlcsnk.reg.dat
2011-04-08 19:37:01 . 2011-04-08 19:37:01              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-04-08 19:34:57 . 2011-04-08 19:34:57                0 ----a-w-  C:\Qoobox\Quarantine\Replicators\Replicator_3.txt
2011-04-08 19:33:17 . 2011-04-08 19:33:17            4,979 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-04-08 18:21:23 . 2011-04-08 18:21:23              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2009-01-30 23:00:05 . 2009-01-30 23:00:05              596 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VnrPack23.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              684 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-updateMgr.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              668 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-swg.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              612 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SiteAdvisor.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              698 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Google Desktop Search.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              596 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-GetPack28.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              618 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AROReminder.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              612 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-56702283152166359537783227108105.reg.dat
2009-01-30 22:57:22 . 2011-04-08 19:10:25              276 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2009-01-28 14:31:47 . 2009-01-28 14:31:47          544,893 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\GetPack\dictame.gz.vir
2009-01-28 14:31:44 . 2009-01-28 14:31:44            8,769 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\GetPack\trgtame.gz.vir
2009-01-27 14:02:41 . 2009-01-28 14:31:38          160,171 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\VnrPack\dicts.gz.vir
2009-01-27 14:02:40 . 2009-01-27 14:02:40               26 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\VnrPack\trgts.gz.vir
2008-11-15 19:28:08 . 2008-11-15 19:28:09                8 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir
2008-10-03 18:37:25 . 2008-10-03 18:37:26           61,224 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Staff\GoToAssistDownloadHelper.exe.vir
2000-10-27 22:23:18 . 2000-10-27 22:23:18           50,688 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir
1998-09-04 07:09:08 . 1998-09-04 07:09:08          119,400 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir
mbam-log-2010-12-14--11-40-01-.txt
ComboFix-quarantined-files.txt
0
Asked: tcexperts77
1 Solution
 
nobusCommented:
Run Spybot: http://www.download.com/3000-8022-10122137.html
0
 
burrcmCommented:
Check your hosts file - c:\Windows\System32\drivers\etc\hosts
The only uncommented line (not starting with a #) should be
127.0.0.1       localhost
If this is not the case rename the file to hosts.old and create a new one with notepad containing just this line.
Avoid the .txt extension by naming the file in inverted commas - "hosts"
The original file will be read only, you will need to remove this attribute before you can rename it.

Chris B
0
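The hosts-file check above is easy to script so that nothing is missed in a long file. The following is an added example (not from the original thread or any of its participants): it parses hosts-file text and flags every uncommented mapping other than localhost to a loopback address, since a hijacked hosts file either pins a site to 127.0.0.1 (to block it, typically security vendors' update sites) or to an attacker-controlled address (a redirect the browser follows without ever asking DNS). The sample file content below is constructed for illustration; the 198.51.100.x addresses are documentation (TEST-NET-2) addresses, not real hosts.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file: line 4 is the legitimate default, the rest
# are the kinds of entries a hijack leaves behind (made up for illustration).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org     # pins the AV vendor's site to loopback
127.0.0.1       update.microsoft.com
198.51.100.23   www.google.com            # TEST-NET-2 address, constructed
198.51.100.23   www.bing.com
"""

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every uncommented mapping.

    A line may carry several hostnames for one address; each becomes its
    own entry. Anything after '#' is a comment and is ignored.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((no, addr, name.lower()))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Flag every mapping that is not 'localhost -> loopback'."""
    findings = []
    for no, addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"line {no}: unparsable address {addr!r} for {name}")
            continue
        if name == "localhost" and ip.is_loopback:
            continue  # the only line a clean Windows hosts file needs
        if ip.is_loopback:
            findings.append(
                f"line {no}: {name} pinned to loopback (site blocked; "
                "typical of AV-update blocking)")
        else:
            findings.append(
                f"line {no}: {name} pinned to {addr} (redirect; the browser "
                "never asks DNS for this name)")
    return findings


def audit_hosts_file(path: str = HOSTS_PATH) -> List[str]:
    """Audit the real hosts file; the default path is the Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Run `audit_hosts_file()` on the live machine to check the real file; the read-only attribute burrcm mentions does not stop reading it, only renaming or overwriting it. Note that a clean hosts file can legitimately also contain `::1 localhost` on newer Windows versions; the check accepts any loopback address for localhost for that reason.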
 
rpggamergirlCommented:
Have you tried TDSSKiller also? If not, maybe this is a router infection, in which case you would need to reset the router.
I'll look at the CF log and post back.

You can try TDSSKiller
TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684


“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html



0
 
rpggamergirlCommented:
Can you please post the ComboFix log? That one is the quarantine log.
The log should be in C:\ComboFix.txt
0
 
rpggamergirlCommented:
ComboFix should already have reset the Hosts file.
We should also check the MBR status, as the redirect symptoms can also be caused by the TDL3/4 rootkit.
0
 
tcexperts77Author Commented:
The hosts file was reset by Combofix and is OK.
I am attaching the Combofix scan log.
I have 3 additional Combofix logs from 2009 if you want them.
ComboFix.txt
0
 
tcexperts77Author Commented:
I will try TDSSKiller and spybot later today.
0
 
nobusCommented:
did you run spybot?  any results?
0
 
rpggamergirlCommented:
The ComboFix log states it found and disinfected a TDL4 bootkit and it still redirects?

c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu

Also check if the above folder is still present and delete if it is, it's under a hidden directory so you would need to show hidden files and folders.

Let's look at the TDSSKiller log.
0
 
tcexperts77Author Commented:
Spybot found some insignificant "infections".  I checked after fixing the problems and the redirect still happened.

I had explorer show hidden and protected OS files, but the file/folder (c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu) was not found.

TDSSKiller did not find anything either.  I am including the log.

Help!
TDSSKiller.2.4.21.0-10.04.2011-2.txt
0
 
rpggamergirlCommented:
Are you connecting via a router? If so, are there other PC connecting to it and are they also redirected?
If so, you may have to try resetting the router.

Also try running this tool to check the status of the mbr.
Download aswMBR.exe ( 511KB ) to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click "save log", save it to your desktop and post in your next reply.

0
 
tcexperts77Author Commented:
The other computer is being redirected.  The router is a Netgear wireless "n" 4-port.  I tried to upgrade the firmware on it - failed.  Do I just push the reset button on it?

I am attaching the aswMBR log.
aswMBR.txt
0
 
CacheMon33Commented:
Have you retried resetting the IE advanced settings yet?  If you are using IE8 then you should also check for any foreign BHOs in your add-ons.  I would also ensure that all remnants of the infected items have been removed from your computer by running subsequent scans of Malwarebytes and ComboFix.  You may also want to run CCleaner to clean up the registry, remove any unknown startup entries, and delete suspicious Program Files folders.
0
 
tcexperts77Author Commented:
The first thing I usually do is to check the startup programs, reset IE advanced settings, clean out all temps, and look for unusual IE add-ons or other programs.  All this had no effect on this PC.  I also get redirected when using Mozilla Firefox.  I have tried running all the usual scans (AVG, Malwarebytes, ComboFix) but I haven't run any "cleaners" on the registry.  Rpggamergirl seems to be on the right track, although I've never heard of a router being infected.
0
 
rpggamergirlCommented:
You need to clean each PC before resetting the router, because it will get infected again (if this is a router infection), as only one of the PCs needs to be infected while the symptom affects all PCs in the network.

So once all the PCs are clean, then reset the router..... Does the router have a default username and password?
A router infection only happens when a router has a default username and password.

• Consult this link to find out the default username and password of your router and note them down:
http://www.routerpasswords.com/
0
 
CacheMon33Commented:
Have you tried to ping common websites to see if it returns the correct results?  If the resulting IP addresses are incorrect there may be an issue with the DNS server.  I would try to break down the problem into segments and rule out any factors (router, PC, DNS....).
0
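CacheMon33's suggestion to isolate the DNS server, and rpggamergirl's point that one infected PC behind a router with default credentials is enough to redirect every machine on the LAN, both come down to the same question: which resolvers is each PC actually using, and are they the ones you expect? The usual mechanism is that the router's DNS settings get changed, after which every client that takes DNS from DHCP is redirected even when the client itself is clean. The following is an added example (not from the original thread or any of its participants) that parses `ipconfig /all` output and flags resolvers that are neither on the LAN, nor the router, nor on a trusted list you supply; when the only resolver is the router itself, it reports that the router's own upstream DNS settings are the thing to inspect, since the PC-side view cannot see them. Both `ipconfig` samples below are constructed for illustration in the Windows XP output layout, using documentation (TEST-NET-3, 203.0.113.x) addresses for the suspicious resolvers; the field names are those printed by `ipconfig /all` on XP.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed `ipconfig /all` output (Windows XP layout). The DNS servers are
# documentation (TEST-NET-3) addresses standing in for resolvers the user
# never configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : STAFF-PC
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.9
                                            203.0.113.10
        Lease Obtained. . . . . . . . . . : Sunday, April 10, 2011 8:02:11 AM
"""

# Constructed variant: the PC takes DNS from the router, so a changed
# upstream resolver on the router is invisible from the PC side.
SAMPLE_VIA_ROUTER = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Key . . . . : value" lines; the key may contain spaces and hyphens.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Map each field name to its values; indented value-only lines
    (the second and later DNS servers) extend the previous field."""
    fields: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        m = FIELD.match(raw)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            fields.setdefault(key, [])
            if val:
                fields[key].append(val)
            last = key
        elif raw.startswith(" " * 8) and raw.strip() and last:
            fields[last].append(raw.strip())
    return fields


def audit_dns(text: str, trusted: List[str]) -> List[str]:
    """Flag resolvers that are neither the router, nor on the LAN, nor in
    the trusted list (e.g. your ISP's resolvers or ones you set yourself)."""
    f = parse_ipconfig(text)
    gateways = {ipaddress.ip_address(g) for g in f.get("Default Gateway", [])}
    try:
        lan = ipaddress.ip_network(
            f"{f['IP Address'][0]}/{f['Subnet Mask'][0]}", strict=False)
    except (KeyError, IndexError, ValueError):
        lan = None
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    resolvers = [ipaddress.ip_address(s) for s in f.get("DNS Servers", [])]

    findings = []
    for ip in resolvers:
        if ip in gateways or ip in trusted_ips or (lan is not None and ip in lan):
            continue
        findings.append(f"DNS server {ip} is outside the LAN and not in the trusted list")
    if resolvers and all(ip in gateways for ip in resolvers):
        findings.append(
            f"all DNS queries go through the router {resolvers[0]}; "
            "inspect its upstream DNS settings in the admin UI")
    return findings


if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_IPCONFIG, trusted=[]):
        print(finding)
    for finding in audit_dns(SAMPLE_VIA_ROUTER, trusted=[]):
        print(finding)
```

On a live Windows machine, feed it `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` instead of the sample. Run it on each PC behind the router: a rogue resolver showing up on a machine that scans clean is the signature of the router, not the PC, having been changed, which is exactly the case the thread ends with. After resetting the router and changing its admin password, run it again to confirm the resolvers are back to what you expect.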
 
tcexperts77Author Commented:
rpggamergirl is the only one with the correct answer.  She knows her stuff and saved me hours of work.  Resetting the router solved the problem - I will also use an admin password that is not a "default" password.  Please have her e-mail me at ***email address removed***.  I would like to maintain contact with someone who knows a lot.
0
 
tcexperts77Author Commented:
You would not believe how many people missed that answer.  I can't count all the hours I spent in the past looking for this solution.  I've also tried to join "Just Answer" (paid em $ up front, but got a full refund when they failed).  I'm telling all my friends about Experts Exchange.  Hopefully you will be around in the future.  You definitely deserve the rank of "Genius".  
0
 
rpggamergirlCommented:
Router infection is easily missed... when the system is showing symptoms of viruses, it's only natural for us to think that the PC is infected.

It's been a pleasure working with you, glad I could help.
And I hope to have the opportunity to work with you in the future.
Thanks for the compliments and excellent feedback.
0
Question has a verified solution.