Browser Search Redirects (Bing)

Posted on 2011-04-21
Last Modified: 2013-12-06

I have an issue with a computer running WinXP SP3 with IE8.  Random links seem to redirect consistently when searching on Bing.  What I mean is the search result hyperlinks do not go to the correct website, they never redirect to the same site twice.  The sponsored links tend to do it the most in Bing.

Also, when I search in Google from homepage I get an immediate 404 error.  I believe this is related to the Search Provider settings in IE, but could be relevant so I'm mentioning it.

Malwarebytes reports nothing.  AVG is clean, too.  Below is a HiJackThis Log, please help!  The SAAZOD listings are a legit monitoring agent we use from a company called Zenith.  LogMeIn is also installed.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:31:53 PM, on 4/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: appstartup.bat.lnk = C:\scripts\appstartup.bat
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = (I removed the real domain)
O17 - HKLM\Software\..\Telephony: DomainName = (I removed the real domain)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = (I removed the real domain)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\Browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SAAZDPMACTL - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
O23 - Service: SAAZRemoteSupport - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
O23 - Service: SAAZScheduler - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
O23 - Service: SAAZServerPlus - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
O23 - Service: SAAZWatchDog - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

End of file - 5476 bytes
Question by:alcoahd
    LVL 8

    Expert Comment

    by:Sean Scissors
    It sounds like it is possibly a hosts file issue. I want you to do 3 things in this order. Run CCleaner to remove all temp files, cookies, and clear the cache. Then run HitmanPro as it is good at finding proxies that could be causing the redirects. After that check your hosts file to see if it is modified. I attached a normal hosts file so you can see what it should look like.

    CCleaner -
    HitmanPro -
    Hosts file location - C:\WINDOWS\system32\drivers\etc
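A small hosts-file audit, added here as an example of the "check your hosts file" step in the comment above; it is not code from the thread, from HitmanPro, or from HijackThis. It assumes the stock Windows XP hosts file carries a single active entry (`127.0.0.1 localhost`) and uses a hand-picked watch-list (`WATCHED_SUFFIXES`) of search-engine and security-vendor domains, which are my assumptions rather than anything stated in the thread. The sample hosts text is constructed and uses documentation IP ranges.

```python
"""
Hosts-file audit (example code, not from the thread or any vendor tool).

Assumptions: the stock Windows XP hosts file has exactly one active mapping,
127.0.0.1 -> localhost, and WATCHED_SUFFIXES is a hand-picked watch-list of
search and security-vendor domains that a redirect would typically touch.
"""
import ipaddress
import os
from dataclasses import dataclass

# Stock Windows XP hosts file: exactly one active mapping (assumption).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Assumed watch-list: search engines and AV/update sites.
WATCHED_SUFFIXES = (
    "bing.com", "google.com", "microsoft.com", "windowsupdate.com",
    "avg.com", "malwarebytes.org", "kaspersky.com",
)


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text):
    """Parse hosts-file text into (line, address, hostname) entries.

    Text after '#' is a comment, blank lines are skipped, and a line with
    several hostnames yields one entry per hostname. Line numbers are kept so
    an entry hidden after a long run of blank lines is still reported with
    its real position.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing resolves from it
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # not a valid IP literal; treat as non-loopback


def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (line_no, verdict, detail) for every suspicious entry.

    REDIRECT: a watched domain mapped to a non-loopback address, i.e. search
              or AV traffic diverted to another host.
    SINKHOLE: a watched domain mapped to loopback, i.e. updates/AV blocked.
    REVIEW:   any other non-default, non-loopback mapping, to check by hand.
    """
    findings = []
    for e in parse_hosts(text):
        if (e.address, e.hostname) in DEFAULT_ENTRIES:
            continue
        detail = f"{e.hostname} -> {e.address}"
        if is_watched(e.hostname):
            verdict = "SINKHOLE" if is_loopback(e.address) else "REDIRECT"
        elif is_loopback(e.address):
            continue  # extra loopback aliases are harmless
        else:
            verdict = "REVIEW"
        findings.append((e.line_no, verdict, detail))
    return findings


# Constructed sample; 203.0.113.x and 192.0.2.x are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed entries below ---
203.0.113.10    www.bing.com
203.0.113.10    www.google.com
127.0.0.1       update.avg.com
192.0.2.5       intranet.example
"""


def system_hosts_path():
    """Location of the live hosts file on Windows, as given in the thread."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return os.path.join(root, "system32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    for line_no, verdict, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict:8} {detail}")
```

On the sample this reports the two search-engine entries as REDIRECT, the AV update host as SINKHOLE, and the intranet mapping as REVIEW. To run it against the real file, read `system_hosts_path()` and pass its contents to `audit_hosts`; anything other than an empty list on a machine that should have a stock hosts file is worth a look before moving on to the scanner steps.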
    LVL 1

    Accepted Solution

    So Hitman Pro does not seem to be an option because a colleague used the trial and it's expired.  I'm trying to remove it and manually remove registry data to reset the trial data... any alternatives? (Not ComboFix, either. It crashes these systems for some reason.)
    LVL 1

    Author Comment

    Yeah that did not work and I don't want to try and hack shareware :)  Any other advice is appreciated.
    LVL 15

    Expert Comment

    Download OTL to your desktop.
    - Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    - When the window appears, underneath Output at the top change it to Minimal Output.
    - Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    - When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    - Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
    LVL 8

    Expert Comment

    by:Sean Scissors
    With HitmanPro you get a license for free. It's always a "trial" but it works for free just by accepting the license. You checked the hosts file and it was fine? Also did you remove your cookies/clear your cache?
    LVL 1

    Author Comment

    I got it fixed.  Here's how:

    I was able to reinstall Hitman Pro but it still wanted me to put in a serial to remove the threat it found.

    I got the idea to google what it found -- Alureon -- a rootkit whose driver was causing Malwarebytes to return no threats (from what I read).

    Kaspersky has a free tool that removes it.  I downloaded and ran it with System Restore turned off, worked great.

    Giving points to scissors since he/she led me to check Hitman Pro.

    LVL 8

    Expert Comment

    by:Sean Scissors
    You mentioned Kaspersky and rootkit... I am assuming you downloaded their tool TDSSKiller. MB sometimes catches rootkits as does HitmanPro, but TDSSKiller is probably the top notch. I didn't even think that a rootkit would be the cause of a redirect though. Glad you were able to fix it.
    LVL 1

    Author Closing Comment

    Partial answers, gave me the idea which led to fix.
