Search sites redirect me and I have run Malwarebytes and Combofix

All my search sites redirect me to the wrong site and I have run Malwarebytes and Combofix.  All the recent Malwarebytes scans since Dec. have found no infections.  The Combofix scan yesterday quarantined some items (see below), but the redirects still happen.  What is the solution?

The Malwarebytes scan in Dec., 2010 found some infections.  Here are the significant results:
Registry Keys Infected:
HKEY_CURRENT_USER\Software\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avSofT (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSuitE (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Staff\local settings\temp\0.08592887983379205.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

COMBOFIX 4/8 Scan - QUARANTINE LOG:
2011-04-08 19:37:27 . 2011-04-08 19:37:27              912 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-WebCyberCoach_wtrb.reg.dat
2011-04-08 19:37:19 . 2011-04-08 19:37:19              552 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-sysguard.reg.dat
2011-04-08 19:37:18 . 2011-04-08 19:37:18              698 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-aiwlcsnk.reg.dat
2011-04-08 19:37:01 . 2011-04-08 19:37:01              171 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2011-04-08 19:34:57 . 2011-04-08 19:34:57                0 ----a-w-  C:\Qoobox\Quarantine\Replicators\Replicator_3.txt
2011-04-08 19:33:17 . 2011-04-08 19:33:17            4,979 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-04-08 18:21:23 . 2011-04-08 18:21:23              512 ----a-w-  C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2009-01-30 23:00:05 . 2009-01-30 23:00:05              596 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-VnrPack23.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              684 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-updateMgr.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              668 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-swg.reg.dat
2009-01-30 23:00:05 . 2009-01-30 23:00:05              612 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SiteAdvisor.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              698 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Google Desktop Search.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              596 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-GetPack28.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              618 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-AROReminder.reg.dat
2009-01-30 23:00:04 . 2009-01-30 23:00:04              612 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-56702283152166359537783227108105.reg.dat
2009-01-30 22:57:22 . 2011-04-08 19:10:25              276 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2009-01-28 14:31:47 . 2009-01-28 14:31:47          544,893 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\GetPack\dictame.gz.vir
2009-01-28 14:31:44 . 2009-01-28 14:31:44            8,769 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\GetPack\trgtame.gz.vir
2009-01-27 14:02:41 . 2009-01-28 14:31:38          160,171 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\VnrPack\dicts.gz.vir
2009-01-27 14:02:40 . 2009-01-27 14:02:40               26 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\VnrPack\trgts.gz.vir
2008-11-15 19:28:08 . 2008-11-15 19:28:09                8 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\wiaserviv.log.vir
2008-10-03 18:37:25 . 2008-10-03 18:37:26           61,224 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\Staff\GoToAssistDownloadHelper.exe.vir
2000-10-27 22:23:18 . 2000-10-27 22:23:18           50,688 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\BSZIP.DLL.vir
1998-09-04 07:09:08 . 1998-09-04 07:09:08          119,400 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir

mbam-log-2010-12-14--11-40-01-.txt
ComboFix-quarantined-files.txt
tcexperts77 Asked:

nobus Commented:
Run Spybot: http://www.download.com/3000-8022-10122137.html
0
Chris B (Retired) Commented:
Check your hosts file - c:\Windows\System32\drivers\etc\hosts
The only uncommented line (not starting with a #) should be
127.0.0.1       localhost
If this is not the case rename the file to hosts.old and create a new one with notepad containing just this line.
Avoid the .txt extension by naming the file in inverted commas - "hosts"
The original file will be read only, you will need to remove this attribute before you can rename it.

Chris B
0
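
The hosts-file check described in the post above, as an added example that is not part of the original thread. It lists every active (uncommented) entry other than a loopback address mapped to `localhost`; accepting `::1 localhost` as well goes slightly beyond the single line the post names, and the sample file contents, addresses and hostnames are constructed.

```python
import ipaddress

# Constructed sample: one expected entry plus two injected redirects
# (documentation-range addresses, .example hostnames).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97   rhino.acme.com   # source server
127.0.0.1       localhost
192.0.2.10      www.search.example search.example   # injected
203.0.113.7\twww.bank.example
"""

def active_entries(text):
    """Yield (line_no, address, [hostnames]) for every uncommented line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]

def unexpected_entries(text):
    """Return active entries other than a loopback address mapped to localhost."""
    findings = []
    for line_no, addr, names in active_entries(text):
        try:
            is_loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            is_loopback = False  # malformed address: report it rather than skip it
        # A loopback address pointing at any other name is still reported;
        # that pattern is sometimes used to blackhole update servers.
        if is_loopback and [n.lower() for n in names] == ["localhost"]:
            continue
        findings.append((line_no, addr, names))
    return findings

if __name__ == "__main__":
    import sys
    # Pass the path to a hosts file, or run with no argument to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, addr, names in unexpected_entries(text):
        print(f"line {line_no}: {addr} -> {' '.join(names) or '(no hostname)'}")
```

An empty result means the hosts file is not the source of the redirects, which is the situation later reported in this thread.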
rpggamergirl Commented:
Have you tried TDSSKiller also,... if not maybe this is a router infection in which you would need to reset the router....
I'll look at the CF log and post back.

You can try TDSSKiller
TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684


“Google Hijack” — Google Search Gets Redirected
http://www.experts-exchange.com/Virus_and_Spyware/Latest_Threats/A_3299-Google-Hijack-Google-Search-Gets-Redirected.html



0

rpggamergirl Commented:
Can you please post the ComboFix log? That one is the quarantine log.
The log should be in C:\Combofix.txt
0
rpggamergirl Commented:
ComboFix should already have reset the hosts file.
We should also check the MBR status, as the redirect symptoms can also be caused by the TDL3/4 rootkit.
0
tcexperts77 (Author) Commented:
The hosts file was reset by Combofix and is OK.
I am attaching the Combofix scan log.
I have 3 additional Combofix logs from 2009 if you want them.
ComboFix.txt
0
tcexperts77 (Author) Commented:
I will try TDSSKiller and spybot later today.
0
nobus Commented:
Did you run Spybot? Any results?
0
rpggamergirl Commented:
The ComboFix log states it found and disinfected a TDL4 bootkit and it still redirects?

c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu

Also check if the above folder is still present and delete if it is, it's under a hidden directory so you would need to show hidden files and folders.

Let's look at the TDSSKiller log.
0
tcexperts77 (Author) Commented:
Spybot found some insignificant "infections".  I checked after fixing the problems and the redirect still happened.

I had explorer show hidden and protected OS files, but the file/folder (c:\documents and settings\Staff\Local Settings\Application Data\gjbtygucu) was not found.

TDSSKiller did not find anything either.  I am including the log.

Help!
TDSSKiller.2.4.21.0-10.04.2011-2.txt
0
rpggamergirl Commented:
Are you connecting via a router? If so, are there other PCs connecting to it and are they also redirected?
If so, you may have to try resetting the router.

Also try running this tool to check the status of the mbr.
Download aswMBR.exe ( 511KB ) to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click "save log", save it to your desktop and post in your next reply.

0
tcexperts77 (Author) Commented:
The other computer is being redirected.  The router is a Netgear wireless "n" 4-port.  I tried to upgrade the firmware on it - failed.  Do I just push the reset button on it?

I am attaching the aswMBR log.
aswMBR.txt
0
CacheMon33 Commented:
Have you retried resetting the IE advanced settings yet?  If you are using IE8 then you should also check for any foreign BHOs in your add-ons.  I would also ensure that all remnants of the infected items have been removed from your computer by running subsequent scans of Malwarebytes and ComboFix.  You may also want to run CCleaner to clean up the registry, remove any unknown startup entries, and delete suspicious Program Files folders.
0
tcexperts77 (Author) Commented:
The first thing I usually do is to check the startup programs, reset IE advanced settings, clean out all temps, and look for unusual IE add-ons or other programs.  All this had no effect on this PC.  I also get redirected when using Mozilla Firefox.  I have tried running all the usual scans (AVG, Malwarebytes, ComboFix) but I haven't run any "cleaners" on the registry.  Rpggamergirl seems to be on the right track, although I've never heard of a router being infected.
0
rpggamergirl Commented:
You need to clean each PC before resetting the router, because it will get infected again (if this is a router infection), as only one of the PCs needs to be infected while the symptom affects all PCs in the network.

So once all the PCs are clean, then reset the router. Does the router have a default username and password?
A router infection only happens when a router has a default username and password.

• Consult this link to find out what the default username and password of your router are, and note them down:
http://www.routerpasswords.com/
0

CacheMon33 Commented:
Have you tried to ping common websites to see if it returns the correct results?  If the resulting IP addresses are incorrect there may be an issue with the DNS server.  I would try to break down the problem into segments and rule out any factors (Router, PC, DNS....).
0
tcexperts77 (Author) Commented:
rpggamergirl is the only one with the correct answer.  She knows her stuff and saved me hours of work.  Resetting the router solved the problem - I will also use an admin password that is not a "default" password.  Please have her e-mail me at ***email address removed***.  I would like to maintain contact with someone who knows a lot.
0
tcexperts77 (Author) Commented:
You would not believe how many people missed that answer.  I can't count all the hours I spent in the past looking for this solution.  I've also tried to join "Just Answer" (paid em $ up front, but got a full refund when they failed).  I'm telling all my friends about Experts Exchange.  Hopefully you will be around in the future.  You definitely deserve the rank of "Genius".  
0
rpggamergirl Commented:
Router infection is easily missed... when the system is showing symptoms of viruses, it's only natural for us to think that the PC is infected.

It's been a pleasure working with you, glad I could help.
And I hope to have the opportunity to work with you in the future.
Thanks for the compliments and excellent feedback.
0
Windows XP