Solved

Browser Search Redirects (Bing)

Posted on 2011-04-21
Medium Priority
1,322 Views
Last Modified: 2013-12-06
Greetings,

I have an issue with a computer running WinXP SP3 with IE8.  Random links seem to redirect consistently when searching on Bing.  What I mean is the search result hyperlinks do not go to the correct website, they never redirect to the same site twice.  The sponsored links tend to do it the most in Bing.

Also, when I search in Google from google.com homepage I get an immediate 404 error.  I believe this is related to the Search Provider settings in IE, but could be relevant so I'm mentioning it.

Malwarebytes reports nothing.  AVG is clean, too.  Below is a HiJackThis Log, please help!  The SAAZOD listings are a legit monitoring agent we use from a company called Zenith.  LogMeIn is also installed.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:31:53 PM, on 4/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WORLDOX\WDA.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: appstartup.bat.lnk = C:\scripts\appstartup.bat
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = companydomain.com (I removed the real domain)
O17 - HKLM\Software\..\Telephony: DomainName = companydomain.com (I removed the real domain)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = companydomain.com (I removed the real domain)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\Browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: SAAZDPMACTL - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
O23 - Service: SAAZRemoteSupport - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
O23 - Service: SAAZScheduler - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
O23 - Service: SAAZServerPlus - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
O23 - Service: SAAZWatchDog - Zenith Infotech Ltd - C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe

--
End of file - 5476 bytes
Question by:alcoahd
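Reading a HijackThis log by eye is slow, so here is an added triage helper (my own Python, not code from the question or from HijackThis) that parses the R0/R1, O17 and O23 line shapes seen in the log above and lists the entries an analyst would look at first. The sample log is constructed from a few of the question's lines plus one extra O17 NameServer line with a documentation-range address to exercise the DNS check; a flagged entry is a triage candidate, not a verdict.

```python
import re

# Constructed sample in HijackThis format, modelled on the log in the question.
# The O17 NameServer line (documentation-range IP 203.0.113.5) is not from the
# original log; it is there only to exercise the DNS check below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = companydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.5
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
"""

# Line shapes HijackThis uses for the sections relevant to a redirect case.
START_PAGE_RE = re.compile(r"^(R[01]) - (.+?),(.+?)\s*=\s*(.*)$")
TCPIP_RE = re.compile(r"^O17 - (.+?): (\w+) = (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

DEFAULT_IE_PAGE = "http://go.microsoft.com/fwlink/?LinkId=69157"  # value shown in the log


def parse_hjt(text):
    """Turn the recognised line types into (section, fields) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := START_PAGE_RE.match(line):
            entries.append(("R", {"key": m[2], "setting": m[3], "value": m[4]}))
        elif m := TCPIP_RE.match(line):
            entries.append(("O17", {"key": m[1], "setting": m[2], "value": m[3]}))
        elif m := SERVICE_RE.match(line):
            entries.append(("O23", {"name": m[1], "owner": m[2], "path": m[3]}))
    return entries


def review(entries):
    """Return human-readable findings worth checking first (triage, not verdicts)."""
    findings = []
    for section, f in entries:
        if section == "R" and f["value"] and f["value"] != DEFAULT_IE_PAGE:
            findings.append(f"IE {f['setting']} is not the default: {f['value']}")
        elif section == "O17" and f["setting"] in ("NameServer", "DhcpNameServer"):
            findings.append(f"DNS server set in registry: {f['value']}")
        elif section == "O23" and f["owner"] == "Unknown owner":
            findings.append(f"service without publisher info: {f['name']} ({f['path']})")
    return findings


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG)):
        print(finding)
```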
8 Comments
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35444930
It sounds like it is possibly a host file issue. I want you to do 3 things in this order. Run CCleaner to remove all temp files, cookies, and clear the cache. Then run HitmanPro as it is good at finding proxies that could be causing the redirects. After that check your host file to see if it is modified. I attached a normal host file so you can see what it should look like.


CCleaner - http://www.piriform.com/ccleaner
HitmanPro - http://www.surfright.nl/en/downloads
Host File location - C:\WINDOWS\system32\drivers\etc
hosts.txt
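The hosts-file check suggested above can be scripted; this is an added Python example (mine, not the attached hosts.txt or anything from the thread) that parses a hosts file, skips the stock localhost entry, and reports every other mapping, marking hits on an assumed watch list of search-engine domains. The sample hosts content is constructed and uses a documentation-range IP.

```python
import ipaddress

# Constructed sample hosts file: the stock localhost line plus two injected
# search-engine overrides (203.0.113.7 is a documentation-range address,
# not a real indicator).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     www.bing.com
203.0.113.7     www.google.com google.com
"""

LOOPBACK = {"127.0.0.1", "::1"}
WATCHED_DOMAINS = ("bing.com", "google.com", "microsoft.com")  # assumed watch list


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line; leave it for manual review
        for host in parts[1:]:
            yield ip, host.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return every mapping other than loopback->localhost, flagging watched domains."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip in LOOPBACK and host in ("localhost", "localhost.localdomain"):
            continue
        watched_hit = any(host == d or host.endswith("." + d) for d in watched)
        findings.append({"ip": ip, "host": host, "search_engine": watched_hit})
    return findings


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(entry)
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into the function instead of the sample; legitimate corporate entries will also be listed, so treat the output as a review list.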
 
LVL 1

Accepted Solution

by:
alcoahd earned 0 total points
ID: 35445211
So Hitman Pro does not seem to be an option because a colleague used the trial and it's expired.  I'm trying to remove it and manually remove registry data to reset the trial data....any alternatives? (not ComboFix, either.  It crashes these systems for some reason)
 
LVL 1

Author Comment

by:alcoahd
ID: 35445216
Yeah that did not work and I don't want to try and hack shareware :)  Any other advice is appreciated.
 
LVL 15

Expert Comment

by:greyknight17
ID: 35445221
Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35445228
With HitmanPro you get a license for free. It's always a "trial" but it works for free just by accepting the license. You checked the host file and it was fine? Also did you remove your cookies/clear your cache?
 
LVL 1

Author Comment

by:alcoahd
ID: 35445448
I got it fixed.  Here's how:

I was able to reinstall Hitman Pro but it still wanted me to put in a serial to remove the threat it found.

I got the idea to google what it found -- Alureon -- a rootkit whose driver was causing Malwarebytes to return no threats (from what I read).

Kaspersky has a free tool that removes it.  I downloaded and ran it with System Restore turned off, worked great.

Giving points to scissors since he/she led me to check Hitman Pro.

Ref: http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35445600
You mentioned Kaspersky and Rootkit...I am assuming you downloaded their tool TDSSkiller. MB sometimes catches Rootkits as does HitmanPro but TDSSkiller is probably the top notch. I didn't even think that a Rootkit would be the cause of a redirect though. Glad you were able to fix it.
 
LVL 1

Author Closing Comment

by:alcoahd
ID: 35465301
Partial answers, gave me the idea which led to fix.